Annotation of /trunk/xpdf/patches/xpdf-3.01pl2.patch
Parent Directory
| 
Revision Log
Revision 153 -
(hide annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 1 month ago) by niro
File size: 12097 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 1 month ago) by niro
File size: 12097 byte(s)
-import
| 1 | niro | 153 | diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c |
| 2 | *** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 | ||
| 3 | --- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 | ||
| 4 | *************** | ||
| 5 | *** 11,16 **** | ||
| 6 | --- 11,17 ---- | ||
| 7 | #include <stdlib.h> | ||
| 8 | #include <stddef.h> | ||
| 9 | #include <string.h> | ||
| 10 | + #include <limits.h> | ||
| 11 | #include "gmem.h" | ||
| 12 | |||
| 13 | #ifdef DEBUG_MEM | ||
| 14 | *************** | ||
| 15 | *** 63,69 **** | ||
| 16 | int lst; | ||
| 17 | unsigned long *trl, *p; | ||
| 18 | |||
| 19 | ! if (size == 0) | ||
| 20 | return NULL; | ||
| 21 | size1 = gMemDataSize(size); | ||
| 22 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { | ||
| 23 | --- 64,70 ---- | ||
| 24 | int lst; | ||
| 25 | unsigned long *trl, *p; | ||
| 26 | |||
| 27 | ! if (size <= 0) | ||
| 28 | return NULL; | ||
| 29 | size1 = gMemDataSize(size); | ||
| 30 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { | ||
| 31 | *************** | ||
| 32 | *** 86,92 **** | ||
| 33 | #else | ||
| 34 | void *p; | ||
| 35 | |||
| 36 | ! if (size == 0) | ||
| 37 | return NULL; | ||
| 38 | if (!(p = malloc(size))) { | ||
| 39 | fprintf(stderr, "Out of memory\n"); | ||
| 40 | --- 87,93 ---- | ||
| 41 | #else | ||
| 42 | void *p; | ||
| 43 | |||
| 44 | ! if (size <= 0) | ||
| 45 | return NULL; | ||
| 46 | if (!(p = malloc(size))) { | ||
| 47 | fprintf(stderr, "Out of memory\n"); | ||
| 48 | *************** | ||
| 49 | *** 102,108 **** | ||
| 50 | void *q; | ||
| 51 | int oldSize; | ||
| 52 | |||
| 53 | ! if (size == 0) { | ||
| 54 | if (p) | ||
| 55 | gfree(p); | ||
| 56 | return NULL; | ||
| 57 | --- 103,109 ---- | ||
| 58 | void *q; | ||
| 59 | int oldSize; | ||
| 60 | |||
| 61 | ! if (size <= 0) { | ||
| 62 | if (p) | ||
| 63 | gfree(p); | ||
| 64 | return NULL; | ||
| 65 | *************** | ||
| 66 | *** 120,126 **** | ||
| 67 | #else | ||
| 68 | void *q; | ||
| 69 | |||
| 70 | ! if (size == 0) { | ||
| 71 | if (p) | ||
| 72 | free(p); | ||
| 73 | return NULL; | ||
| 74 | --- 121,127 ---- | ||
| 75 | #else | ||
| 76 | void *q; | ||
| 77 | |||
| 78 | ! if (size <= 0) { | ||
| 79 | if (p) | ||
| 80 | free(p); | ||
| 81 | return NULL; | ||
| 82 | *************** | ||
| 83 | *** 140,147 **** | ||
| 84 | void *gmallocn(int nObjs, int objSize) { | ||
| 85 | int n; | ||
| 86 | |||
| 87 | n = nObjs * objSize; | ||
| 88 | ! if (objSize == 0 || n / objSize != nObjs) { | ||
| 89 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
| 90 | exit(1); | ||
| 91 | } | ||
| 92 | --- 141,151 ---- | ||
| 93 | void *gmallocn(int nObjs, int objSize) { | ||
| 94 | int n; | ||
| 95 | |||
| 96 | + if (nObjs == 0) { | ||
| 97 | + return NULL; | ||
| 98 | + } | ||
| 99 | n = nObjs * objSize; | ||
| 100 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { | ||
| 101 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
| 102 | exit(1); | ||
| 103 | } | ||
| 104 | *************** | ||
| 105 | *** 151,158 **** | ||
| 106 | void *greallocn(void *p, int nObjs, int objSize) { | ||
| 107 | int n; | ||
| 108 | |||
| 109 | n = nObjs * objSize; | ||
| 110 | ! if (objSize == 0 || n / objSize != nObjs) { | ||
| 111 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
| 112 | exit(1); | ||
| 113 | } | ||
| 114 | --- 155,168 ---- | ||
| 115 | void *greallocn(void *p, int nObjs, int objSize) { | ||
| 116 | int n; | ||
| 117 | |||
| 118 | + if (nObjs == 0) { | ||
| 119 | + if (p) { | ||
| 120 | + gfree(p); | ||
| 121 | + } | ||
| 122 | + return NULL; | ||
| 123 | + } | ||
| 124 | n = nObjs * objSize; | ||
| 125 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { | ||
| 126 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
| 127 | exit(1); | ||
| 128 | } | ||
| 129 | diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc | ||
| 130 | *** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 | ||
| 131 | --- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 | ||
| 132 | *************** | ||
| 133 | *** 13,18 **** | ||
| 134 | --- 13,19 ---- | ||
| 135 | #endif | ||
| 136 | |||
| 137 | #include <stdlib.h> | ||
| 138 | + #include <limits.h> | ||
| 139 | #include "GList.h" | ||
| 140 | #include "Error.h" | ||
| 141 | #include "JArithmeticDecoder.h" | ||
| 142 | *************** | ||
| 143 | *** 681,686 **** | ||
| 144 | --- 682,691 ---- | ||
| 145 | w = wA; | ||
| 146 | h = hA; | ||
| 147 | line = (wA + 7) >> 3; | ||
| 148 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { | ||
| 149 | + data = NULL; | ||
| 150 | + return; | ||
| 151 | + } | ||
| 152 | // need to allocate one extra guard byte for use in combine() | ||
| 153 | data = (Guchar *)gmalloc(h * line + 1); | ||
| 154 | data[h * line] = 0; | ||
| 155 | *************** | ||
| 156 | *** 692,697 **** | ||
| 157 | --- 697,706 ---- | ||
| 158 | w = bitmap->w; | ||
| 159 | h = bitmap->h; | ||
| 160 | line = bitmap->line; | ||
| 161 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { | ||
| 162 | + data = NULL; | ||
| 163 | + return; | ||
| 164 | + } | ||
| 165 | // need to allocate one extra guard byte for use in combine() | ||
| 166 | data = (Guchar *)gmalloc(h * line + 1); | ||
| 167 | memcpy(data, bitmap->data, h * line); | ||
| 168 | *************** | ||
| 169 | *** 720,726 **** | ||
| 170 | } | ||
| 171 | |||
| 172 | void JBIG2Bitmap::expand(int newH, Guint pixel) { | ||
| 173 | ! if (newH <= h) { | ||
| 174 | return; | ||
| 175 | } | ||
| 176 | // need to allocate one extra guard byte for use in combine() | ||
| 177 | --- 729,735 ---- | ||
| 178 | } | ||
| 179 | |||
| 180 | void JBIG2Bitmap::expand(int newH, Guint pixel) { | ||
| 181 | ! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { | ||
| 182 | return; | ||
| 183 | } | ||
| 184 | // need to allocate one extra guard byte for use in combine() | ||
| 185 | *************** | ||
| 186 | *** 2294,2299 **** | ||
| 187 | --- 2303,2316 ---- | ||
| 188 | !readUWord(&stepX) || !readUWord(&stepY)) { | ||
| 189 | goto eofError; | ||
| 190 | } | ||
| 191 | + if (w == 0 || h == 0 || w >= INT_MAX / h) { | ||
| 192 | + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); | ||
| 193 | + return; | ||
| 194 | + } | ||
| 195 | + if (gridH == 0 || gridW >= INT_MAX / gridH) { | ||
| 196 | + error(getPos(), "Bad grid size in JBIG2 halftone segment"); | ||
| 197 | + return; | ||
| 198 | + } | ||
| 199 | |||
| 200 | // get pattern dictionary | ||
| 201 | if (nRefSegs != 1) { | ||
| 202 | diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc | ||
| 203 | *** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 | ||
| 204 | --- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 | ||
| 205 | *************** | ||
| 206 | *** 12,17 **** | ||
| 207 | --- 12,18 ---- | ||
| 208 | #pragma implementation | ||
| 209 | #endif | ||
| 210 | |||
| 211 | + #include <limits.h> | ||
| 212 | #include "gmem.h" | ||
| 213 | #include "Error.h" | ||
| 214 | #include "JArithmeticDecoder.h" | ||
| 215 | *************** | ||
| 216 | *** 818,823 **** | ||
| 217 | --- 819,830 ---- | ||
| 218 | / img.xTileSize; | ||
| 219 | img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) | ||
| 220 | / img.yTileSize; | ||
| 221 | + // check for overflow before allocating memory | ||
| 222 | + if (img.nXTiles <= 0 || img.nYTiles <= 0 || | ||
| 223 | + img.nXTiles >= INT_MAX / img.nYTiles) { | ||
| 224 | + error(getPos(), "Bad tile count in JPX SIZ marker segment"); | ||
| 225 | + return gFalse; | ||
| 226 | + } | ||
| 227 | img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, | ||
| 228 | sizeof(JPXTile)); | ||
| 229 | for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { | ||
| 230 | diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc | ||
| 231 | *** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 | ||
| 232 | --- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 | ||
| 233 | *************** | ||
| 234 | *** 15,20 **** | ||
| 235 | --- 15,21 ---- | ||
| 236 | #include <stdio.h> | ||
| 237 | #include <stdlib.h> | ||
| 238 | #include <stddef.h> | ||
| 239 | + #include <limits.h> | ||
| 240 | #ifndef WIN32 | ||
| 241 | #include <unistd.h> | ||
| 242 | #endif | ||
| 243 | *************** | ||
| 244 | *** 406,418 **** | ||
| 245 | --- 407,432 ---- | ||
| 246 | width = widthA; | ||
| 247 | nComps = nCompsA; | ||
| 248 | nBits = nBitsA; | ||
| 249 | + predLine = NULL; | ||
| 250 | + ok = gFalse; | ||
| 251 | |||
| 252 | nVals = width * nComps; | ||
| 253 | + if (width <= 0 || nComps <= 0 || nBits <= 0 || | ||
| 254 | + nComps >= INT_MAX / nBits || | ||
| 255 | + width >= INT_MAX / nComps / nBits || | ||
| 256 | + nVals * nBits + 7 < 0) { | ||
| 257 | + return; | ||
| 258 | + } | ||
| 259 | pixBytes = (nComps * nBits + 7) >> 3; | ||
| 260 | rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; | ||
| 261 | + if (rowBytes <= 0) { | ||
| 262 | + return; | ||
| 263 | + } | ||
| 264 | predLine = (Guchar *)gmalloc(rowBytes); | ||
| 265 | memset(predLine, 0, rowBytes); | ||
| 266 | predIdx = rowBytes; | ||
| 267 | + | ||
| 268 | + ok = gTrue; | ||
| 269 | } | ||
| 270 | |||
| 271 | StreamPredictor::~StreamPredictor() { | ||
| 272 | *************** | ||
| 273 | *** 1004,1009 **** | ||
| 274 | --- 1018,1027 ---- | ||
| 275 | FilterStream(strA) { | ||
| 276 | if (predictor != 1) { | ||
| 277 | pred = new StreamPredictor(this, predictor, columns, colors, bits); | ||
| 278 | + if (!pred->isOk()) { | ||
| 279 | + delete pred; | ||
| 280 | + pred = NULL; | ||
| 281 | + } | ||
| 282 | } else { | ||
| 283 | pred = NULL; | ||
| 284 | } | ||
| 285 | *************** | ||
| 286 | *** 1259,1264 **** | ||
| 287 | --- 1277,1285 ---- | ||
| 288 | if (columns < 1) { | ||
| 289 | columns = 1; | ||
| 290 | } | ||
| 291 | + if (columns + 4 <= 0) { | ||
| 292 | + columns = INT_MAX - 4; | ||
| 293 | + } | ||
| 294 | rows = rowsA; | ||
| 295 | endOfBlock = endOfBlockA; | ||
| 296 | black = blackA; | ||
| 297 | *************** | ||
| 298 | *** 2899,2904 **** | ||
| 299 | --- 2920,2930 ---- | ||
| 300 | height = read16(); | ||
| 301 | width = read16(); | ||
| 302 | numComps = str->getChar(); | ||
| 303 | + if (numComps <= 0 || numComps > 4) { | ||
| 304 | + error(getPos(), "Bad number of components in DCT stream"); | ||
| 305 | + numComps = 0; | ||
| 306 | + return gFalse; | ||
| 307 | + } | ||
| 308 | if (prec != 8) { | ||
| 309 | error(getPos(), "Bad DCT precision %d", prec); | ||
| 310 | return gFalse; | ||
| 311 | *************** | ||
| 312 | *** 2925,2930 **** | ||
| 313 | --- 2951,2961 ---- | ||
| 314 | height = read16(); | ||
| 315 | width = read16(); | ||
| 316 | numComps = str->getChar(); | ||
| 317 | + if (numComps <= 0 || numComps > 4) { | ||
| 318 | + error(getPos(), "Bad number of components in DCT stream"); | ||
| 319 | + numComps = 0; | ||
| 320 | + return gFalse; | ||
| 321 | + } | ||
| 322 | if (prec != 8) { | ||
| 323 | error(getPos(), "Bad DCT precision %d", prec); | ||
| 324 | return gFalse; | ||
| 325 | *************** | ||
| 326 | *** 2947,2952 **** | ||
| 327 | --- 2978,2988 ---- | ||
| 328 | |||
| 329 | length = read16() - 2; | ||
| 330 | scanInfo.numComps = str->getChar(); | ||
| 331 | + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { | ||
| 332 | + error(getPos(), "Bad number of components in DCT stream"); | ||
| 333 | + scanInfo.numComps = 0; | ||
| 334 | + return gFalse; | ||
| 335 | + } | ||
| 336 | --length; | ||
| 337 | if (length != 2 * scanInfo.numComps + 3) { | ||
| 338 | error(getPos(), "Bad DCT scan info block"); | ||
| 339 | *************** | ||
| 340 | *** 3041,3046 **** | ||
| 341 | --- 3077,3083 ---- | ||
| 342 | numACHuffTables = index+1; | ||
| 343 | tbl = &acHuffTables[index]; | ||
| 344 | } else { | ||
| 345 | + index &= 0x0f; | ||
| 346 | if (index >= numDCHuffTables) | ||
| 347 | numDCHuffTables = index+1; | ||
| 348 | tbl = &dcHuffTables[index]; | ||
| 349 | *************** | ||
| 350 | *** 3827,3832 **** | ||
| 351 | --- 3864,3873 ---- | ||
| 352 | FilterStream(strA) { | ||
| 353 | if (predictor != 1) { | ||
| 354 | pred = new StreamPredictor(this, predictor, columns, colors, bits); | ||
| 355 | + if (!pred->isOk()) { | ||
| 356 | + delete pred; | ||
| 357 | + pred = NULL; | ||
| 358 | + } | ||
| 359 | } else { | ||
| 360 | pred = NULL; | ||
| 361 | } | ||
| 362 | diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h | ||
| 363 | *** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 | ||
| 364 | --- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 | ||
| 365 | *************** | ||
| 366 | *** 232,237 **** | ||
| 367 | --- 232,239 ---- | ||
| 368 | |||
| 369 | ~StreamPredictor(); | ||
| 370 | |||
| 371 | + GBool isOk() { return ok; } | ||
| 372 | + | ||
| 373 | int lookChar(); | ||
| 374 | int getChar(); | ||
| 375 | |||
| 376 | *************** | ||
| 377 | *** 249,254 **** | ||
| 378 | --- 251,257 ---- | ||
| 379 | int rowBytes; // bytes per line | ||
| 380 | Guchar *predLine; // line buffer | ||
| 381 | int predIdx; // current index in predLine | ||
| 382 | + GBool ok; | ||
| 383 | }; | ||
| 384 | |||
| 385 | //------------------------------------------------------------------------ | ||
| 386 | *************** | ||
| 387 | *** 527,533 **** | ||
| 388 | short getWhiteCode(); | ||
| 389 | short getBlackCode(); | ||
| 390 | short lookBits(int n); | ||
| 391 | ! void eatBits(int n) { inputBits -= n; } | ||
| 392 | }; | ||
| 393 | |||
| 394 | //------------------------------------------------------------------------ | ||
| 395 | --- 530,536 ---- | ||
| 396 | short getWhiteCode(); | ||
| 397 | short getBlackCode(); | ||
| 398 | short lookBits(int n); | ||
| 399 | ! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } | ||
| 400 | }; | ||
| 401 | |||
| 402 | //------------------------------------------------------------------------ | ||
| 403 | diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc | ||
| 404 | *** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 | ||
| 405 | --- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 | ||
| 406 | *************** | ||
| 407 | *** 186,192 **** | ||
| 408 | } | ||
| 409 | |||
| 410 | void SplashXPathScanner::computeIntersections(int y) { | ||
| 411 | ! SplashCoord ySegMin, ySegMax, xx0, xx1; | ||
| 412 | SplashXPathSeg *seg; | ||
| 413 | int i, j; | ||
| 414 | |||
| 415 | --- 186,192 ---- | ||
| 416 | } | ||
| 417 | |||
| 418 | void SplashXPathScanner::computeIntersections(int y) { | ||
| 419 | ! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; | ||
| 420 | SplashXPathSeg *seg; | ||
| 421 | int i, j; | ||
| 422 | |||
| 423 | *************** | ||
| 424 | *** 236,254 **** | ||
| 425 | } else if (seg->flags & splashXPathVert) { | ||
| 426 | xx0 = xx1 = seg->x0; | ||
| 427 | } else { | ||
| 428 | ! if (ySegMin <= y) { | ||
| 429 | ! // intersection with top edge | ||
| 430 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; | ||
| 431 | } else { | ||
| 432 | ! // x coord of segment endpoint with min y coord | ||
| 433 | ! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; | ||
| 434 | } | ||
| 435 | ! if (ySegMax >= y + 1) { | ||
| 436 | ! // intersection with bottom edge | ||
| 437 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; | ||
| 438 | ! } else { | ||
| 439 | ! // x coord of segment endpoint with max y coord | ||
| 440 | ! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; | ||
| 441 | } | ||
| 442 | } | ||
| 443 | if (xx0 < xx1) { | ||
| 444 | --- 236,262 ---- | ||
| 445 | } else if (seg->flags & splashXPathVert) { | ||
| 446 | xx0 = xx1 = seg->x0; | ||
| 447 | } else { | ||
| 448 | ! if (seg->x0 < seg->x1) { | ||
| 449 | ! xSegMin = seg->x0; | ||
| 450 | ! xSegMax = seg->x1; | ||
| 451 | } else { | ||
| 452 | ! xSegMin = seg->x1; | ||
| 453 | ! xSegMax = seg->x0; | ||
| 454 | } | ||
| 455 | ! // intersection with top edge | ||
| 456 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; | ||
| 457 | ! // intersection with bottom edge | ||
| 458 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; | ||
| 459 | ! // the segment may not actually extend to the top and/or bottom edges | ||
| 460 | ! if (xx0 < xSegMin) { | ||
| 461 | ! xx0 = xSegMin; | ||
| 462 | ! } else if (xx0 > xSegMax) { | ||
| 463 | ! xx0 = xSegMax; | ||
| 464 | ! } | ||
| 465 | ! if (xx1 < xSegMin) { | ||
| 466 | ! xx1 = xSegMin; | ||
| 467 | ! } else if (xx1 > xSegMax) { | ||
| 468 | ! xx1 = xSegMax; | ||
| 469 | } | ||
| 470 | } | ||
| 471 | if (xx0 < xx1) { |