Annotation of /trunk/xpdf/patches/xpdf-3.01pl2.patch
Parent Directory | Revision Log
Revision 153 -
(hide annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 12097 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 12097 byte(s)
-import
1 | niro | 153 | diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c |
2 | *** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 | ||
3 | --- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 | ||
4 | *************** | ||
5 | *** 11,16 **** | ||
6 | --- 11,17 ---- | ||
7 | #include <stdlib.h> | ||
8 | #include <stddef.h> | ||
9 | #include <string.h> | ||
10 | + #include <limits.h> | ||
11 | #include "gmem.h" | ||
12 | |||
13 | #ifdef DEBUG_MEM | ||
14 | *************** | ||
15 | *** 63,69 **** | ||
16 | int lst; | ||
17 | unsigned long *trl, *p; | ||
18 | |||
19 | ! if (size == 0) | ||
20 | return NULL; | ||
21 | size1 = gMemDataSize(size); | ||
22 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { | ||
23 | --- 64,70 ---- | ||
24 | int lst; | ||
25 | unsigned long *trl, *p; | ||
26 | |||
27 | ! if (size <= 0) | ||
28 | return NULL; | ||
29 | size1 = gMemDataSize(size); | ||
30 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { | ||
31 | *************** | ||
32 | *** 86,92 **** | ||
33 | #else | ||
34 | void *p; | ||
35 | |||
36 | ! if (size == 0) | ||
37 | return NULL; | ||
38 | if (!(p = malloc(size))) { | ||
39 | fprintf(stderr, "Out of memory\n"); | ||
40 | --- 87,93 ---- | ||
41 | #else | ||
42 | void *p; | ||
43 | |||
44 | ! if (size <= 0) | ||
45 | return NULL; | ||
46 | if (!(p = malloc(size))) { | ||
47 | fprintf(stderr, "Out of memory\n"); | ||
48 | *************** | ||
49 | *** 102,108 **** | ||
50 | void *q; | ||
51 | int oldSize; | ||
52 | |||
53 | ! if (size == 0) { | ||
54 | if (p) | ||
55 | gfree(p); | ||
56 | return NULL; | ||
57 | --- 103,109 ---- | ||
58 | void *q; | ||
59 | int oldSize; | ||
60 | |||
61 | ! if (size <= 0) { | ||
62 | if (p) | ||
63 | gfree(p); | ||
64 | return NULL; | ||
65 | *************** | ||
66 | *** 120,126 **** | ||
67 | #else | ||
68 | void *q; | ||
69 | |||
70 | ! if (size == 0) { | ||
71 | if (p) | ||
72 | free(p); | ||
73 | return NULL; | ||
74 | --- 121,127 ---- | ||
75 | #else | ||
76 | void *q; | ||
77 | |||
78 | ! if (size <= 0) { | ||
79 | if (p) | ||
80 | free(p); | ||
81 | return NULL; | ||
82 | *************** | ||
83 | *** 140,147 **** | ||
84 | void *gmallocn(int nObjs, int objSize) { | ||
85 | int n; | ||
86 | |||
87 | n = nObjs * objSize; | ||
88 | ! if (objSize == 0 || n / objSize != nObjs) { | ||
89 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
90 | exit(1); | ||
91 | } | ||
92 | --- 141,151 ---- | ||
93 | void *gmallocn(int nObjs, int objSize) { | ||
94 | int n; | ||
95 | |||
96 | + if (nObjs == 0) { | ||
97 | + return NULL; | ||
98 | + } | ||
99 | n = nObjs * objSize; | ||
100 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { | ||
101 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
102 | exit(1); | ||
103 | } | ||
104 | *************** | ||
105 | *** 151,158 **** | ||
106 | void *greallocn(void *p, int nObjs, int objSize) { | ||
107 | int n; | ||
108 | |||
109 | n = nObjs * objSize; | ||
110 | ! if (objSize == 0 || n / objSize != nObjs) { | ||
111 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
112 | exit(1); | ||
113 | } | ||
114 | --- 155,168 ---- | ||
115 | void *greallocn(void *p, int nObjs, int objSize) { | ||
116 | int n; | ||
117 | |||
118 | + if (nObjs == 0) { | ||
119 | + if (p) { | ||
120 | + gfree(p); | ||
121 | + } | ||
122 | + return NULL; | ||
123 | + } | ||
124 | n = nObjs * objSize; | ||
125 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { | ||
126 | fprintf(stderr, "Bogus memory allocation size\n"); | ||
127 | exit(1); | ||
128 | } | ||
129 | diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc | ||
130 | *** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 | ||
131 | --- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 | ||
132 | *************** | ||
133 | *** 13,18 **** | ||
134 | --- 13,19 ---- | ||
135 | #endif | ||
136 | |||
137 | #include <stdlib.h> | ||
138 | + #include <limits.h> | ||
139 | #include "GList.h" | ||
140 | #include "Error.h" | ||
141 | #include "JArithmeticDecoder.h" | ||
142 | *************** | ||
143 | *** 681,686 **** | ||
144 | --- 682,691 ---- | ||
145 | w = wA; | ||
146 | h = hA; | ||
147 | line = (wA + 7) >> 3; | ||
148 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { | ||
149 | + data = NULL; | ||
150 | + return; | ||
151 | + } | ||
152 | // need to allocate one extra guard byte for use in combine() | ||
153 | data = (Guchar *)gmalloc(h * line + 1); | ||
154 | data[h * line] = 0; | ||
155 | *************** | ||
156 | *** 692,697 **** | ||
157 | --- 697,706 ---- | ||
158 | w = bitmap->w; | ||
159 | h = bitmap->h; | ||
160 | line = bitmap->line; | ||
161 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { | ||
162 | + data = NULL; | ||
163 | + return; | ||
164 | + } | ||
165 | // need to allocate one extra guard byte for use in combine() | ||
166 | data = (Guchar *)gmalloc(h * line + 1); | ||
167 | memcpy(data, bitmap->data, h * line); | ||
168 | *************** | ||
169 | *** 720,726 **** | ||
170 | } | ||
171 | |||
172 | void JBIG2Bitmap::expand(int newH, Guint pixel) { | ||
173 | ! if (newH <= h) { | ||
174 | return; | ||
175 | } | ||
176 | // need to allocate one extra guard byte for use in combine() | ||
177 | --- 729,735 ---- | ||
178 | } | ||
179 | |||
180 | void JBIG2Bitmap::expand(int newH, Guint pixel) { | ||
181 | ! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { | ||
182 | return; | ||
183 | } | ||
184 | // need to allocate one extra guard byte for use in combine() | ||
185 | *************** | ||
186 | *** 2294,2299 **** | ||
187 | --- 2303,2316 ---- | ||
188 | !readUWord(&stepX) || !readUWord(&stepY)) { | ||
189 | goto eofError; | ||
190 | } | ||
191 | + if (w == 0 || h == 0 || w >= INT_MAX / h) { | ||
192 | + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); | ||
193 | + return; | ||
194 | + } | ||
195 | + if (gridH == 0 || gridW >= INT_MAX / gridH) { | ||
196 | + error(getPos(), "Bad grid size in JBIG2 halftone segment"); | ||
197 | + return; | ||
198 | + } | ||
199 | |||
200 | // get pattern dictionary | ||
201 | if (nRefSegs != 1) { | ||
202 | diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc | ||
203 | *** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 | ||
204 | --- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 | ||
205 | *************** | ||
206 | *** 12,17 **** | ||
207 | --- 12,18 ---- | ||
208 | #pragma implementation | ||
209 | #endif | ||
210 | |||
211 | + #include <limits.h> | ||
212 | #include "gmem.h" | ||
213 | #include "Error.h" | ||
214 | #include "JArithmeticDecoder.h" | ||
215 | *************** | ||
216 | *** 818,823 **** | ||
217 | --- 819,830 ---- | ||
218 | / img.xTileSize; | ||
219 | img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) | ||
220 | / img.yTileSize; | ||
221 | + // check for overflow before allocating memory | ||
222 | + if (img.nXTiles <= 0 || img.nYTiles <= 0 || | ||
223 | + img.nXTiles >= INT_MAX / img.nYTiles) { | ||
224 | + error(getPos(), "Bad tile count in JPX SIZ marker segment"); | ||
225 | + return gFalse; | ||
226 | + } | ||
227 | img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, | ||
228 | sizeof(JPXTile)); | ||
229 | for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { | ||
230 | diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc | ||
231 | *** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 | ||
232 | --- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 | ||
233 | *************** | ||
234 | *** 15,20 **** | ||
235 | --- 15,21 ---- | ||
236 | #include <stdio.h> | ||
237 | #include <stdlib.h> | ||
238 | #include <stddef.h> | ||
239 | + #include <limits.h> | ||
240 | #ifndef WIN32 | ||
241 | #include <unistd.h> | ||
242 | #endif | ||
243 | *************** | ||
244 | *** 406,418 **** | ||
245 | --- 407,432 ---- | ||
246 | width = widthA; | ||
247 | nComps = nCompsA; | ||
248 | nBits = nBitsA; | ||
249 | + predLine = NULL; | ||
250 | + ok = gFalse; | ||
251 | |||
252 | nVals = width * nComps; | ||
253 | + if (width <= 0 || nComps <= 0 || nBits <= 0 || | ||
254 | + nComps >= INT_MAX / nBits || | ||
255 | + width >= INT_MAX / nComps / nBits || | ||
256 | + nVals * nBits + 7 < 0) { | ||
257 | + return; | ||
258 | + } | ||
259 | pixBytes = (nComps * nBits + 7) >> 3; | ||
260 | rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; | ||
261 | + if (rowBytes <= 0) { | ||
262 | + return; | ||
263 | + } | ||
264 | predLine = (Guchar *)gmalloc(rowBytes); | ||
265 | memset(predLine, 0, rowBytes); | ||
266 | predIdx = rowBytes; | ||
267 | + | ||
268 | + ok = gTrue; | ||
269 | } | ||
270 | |||
271 | StreamPredictor::~StreamPredictor() { | ||
272 | *************** | ||
273 | *** 1004,1009 **** | ||
274 | --- 1018,1027 ---- | ||
275 | FilterStream(strA) { | ||
276 | if (predictor != 1) { | ||
277 | pred = new StreamPredictor(this, predictor, columns, colors, bits); | ||
278 | + if (!pred->isOk()) { | ||
279 | + delete pred; | ||
280 | + pred = NULL; | ||
281 | + } | ||
282 | } else { | ||
283 | pred = NULL; | ||
284 | } | ||
285 | *************** | ||
286 | *** 1259,1264 **** | ||
287 | --- 1277,1285 ---- | ||
288 | if (columns < 1) { | ||
289 | columns = 1; | ||
290 | } | ||
291 | + if (columns + 4 <= 0) { | ||
292 | + columns = INT_MAX - 4; | ||
293 | + } | ||
294 | rows = rowsA; | ||
295 | endOfBlock = endOfBlockA; | ||
296 | black = blackA; | ||
297 | *************** | ||
298 | *** 2899,2904 **** | ||
299 | --- 2920,2930 ---- | ||
300 | height = read16(); | ||
301 | width = read16(); | ||
302 | numComps = str->getChar(); | ||
303 | + if (numComps <= 0 || numComps > 4) { | ||
304 | + error(getPos(), "Bad number of components in DCT stream"); | ||
305 | + numComps = 0; | ||
306 | + return gFalse; | ||
307 | + } | ||
308 | if (prec != 8) { | ||
309 | error(getPos(), "Bad DCT precision %d", prec); | ||
310 | return gFalse; | ||
311 | *************** | ||
312 | *** 2925,2930 **** | ||
313 | --- 2951,2961 ---- | ||
314 | height = read16(); | ||
315 | width = read16(); | ||
316 | numComps = str->getChar(); | ||
317 | + if (numComps <= 0 || numComps > 4) { | ||
318 | + error(getPos(), "Bad number of components in DCT stream"); | ||
319 | + numComps = 0; | ||
320 | + return gFalse; | ||
321 | + } | ||
322 | if (prec != 8) { | ||
323 | error(getPos(), "Bad DCT precision %d", prec); | ||
324 | return gFalse; | ||
325 | *************** | ||
326 | *** 2947,2952 **** | ||
327 | --- 2978,2988 ---- | ||
328 | |||
329 | length = read16() - 2; | ||
330 | scanInfo.numComps = str->getChar(); | ||
331 | + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { | ||
332 | + error(getPos(), "Bad number of components in DCT stream"); | ||
333 | + scanInfo.numComps = 0; | ||
334 | + return gFalse; | ||
335 | + } | ||
336 | --length; | ||
337 | if (length != 2 * scanInfo.numComps + 3) { | ||
338 | error(getPos(), "Bad DCT scan info block"); | ||
339 | *************** | ||
340 | *** 3041,3046 **** | ||
341 | --- 3077,3083 ---- | ||
342 | numACHuffTables = index+1; | ||
343 | tbl = &acHuffTables[index]; | ||
344 | } else { | ||
345 | + index &= 0x0f; | ||
346 | if (index >= numDCHuffTables) | ||
347 | numDCHuffTables = index+1; | ||
348 | tbl = &dcHuffTables[index]; | ||
349 | *************** | ||
350 | *** 3827,3832 **** | ||
351 | --- 3864,3873 ---- | ||
352 | FilterStream(strA) { | ||
353 | if (predictor != 1) { | ||
354 | pred = new StreamPredictor(this, predictor, columns, colors, bits); | ||
355 | + if (!pred->isOk()) { | ||
356 | + delete pred; | ||
357 | + pred = NULL; | ||
358 | + } | ||
359 | } else { | ||
360 | pred = NULL; | ||
361 | } | ||
362 | diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h | ||
363 | *** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 | ||
364 | --- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 | ||
365 | *************** | ||
366 | *** 232,237 **** | ||
367 | --- 232,239 ---- | ||
368 | |||
369 | ~StreamPredictor(); | ||
370 | |||
371 | + GBool isOk() { return ok; } | ||
372 | + | ||
373 | int lookChar(); | ||
374 | int getChar(); | ||
375 | |||
376 | *************** | ||
377 | *** 249,254 **** | ||
378 | --- 251,257 ---- | ||
379 | int rowBytes; // bytes per line | ||
380 | Guchar *predLine; // line buffer | ||
381 | int predIdx; // current index in predLine | ||
382 | + GBool ok; | ||
383 | }; | ||
384 | |||
385 | //------------------------------------------------------------------------ | ||
386 | *************** | ||
387 | *** 527,533 **** | ||
388 | short getWhiteCode(); | ||
389 | short getBlackCode(); | ||
390 | short lookBits(int n); | ||
391 | ! void eatBits(int n) { inputBits -= n; } | ||
392 | }; | ||
393 | |||
394 | //------------------------------------------------------------------------ | ||
395 | --- 530,536 ---- | ||
396 | short getWhiteCode(); | ||
397 | short getBlackCode(); | ||
398 | short lookBits(int n); | ||
399 | ! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } | ||
400 | }; | ||
401 | |||
402 | //------------------------------------------------------------------------ | ||
403 | diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc | ||
404 | *** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 | ||
405 | --- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 | ||
406 | *************** | ||
407 | *** 186,192 **** | ||
408 | } | ||
409 | |||
410 | void SplashXPathScanner::computeIntersections(int y) { | ||
411 | ! SplashCoord ySegMin, ySegMax, xx0, xx1; | ||
412 | SplashXPathSeg *seg; | ||
413 | int i, j; | ||
414 | |||
415 | --- 186,192 ---- | ||
416 | } | ||
417 | |||
418 | void SplashXPathScanner::computeIntersections(int y) { | ||
419 | ! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; | ||
420 | SplashXPathSeg *seg; | ||
421 | int i, j; | ||
422 | |||
423 | *************** | ||
424 | *** 236,254 **** | ||
425 | } else if (seg->flags & splashXPathVert) { | ||
426 | xx0 = xx1 = seg->x0; | ||
427 | } else { | ||
428 | ! if (ySegMin <= y) { | ||
429 | ! // intersection with top edge | ||
430 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; | ||
431 | } else { | ||
432 | ! // x coord of segment endpoint with min y coord | ||
433 | ! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; | ||
434 | } | ||
435 | ! if (ySegMax >= y + 1) { | ||
436 | ! // intersection with bottom edge | ||
437 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; | ||
438 | ! } else { | ||
439 | ! // x coord of segment endpoint with max y coord | ||
440 | ! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; | ||
441 | } | ||
442 | } | ||
443 | if (xx0 < xx1) { | ||
444 | --- 236,262 ---- | ||
445 | } else if (seg->flags & splashXPathVert) { | ||
446 | xx0 = xx1 = seg->x0; | ||
447 | } else { | ||
448 | ! if (seg->x0 < seg->x1) { | ||
449 | ! xSegMin = seg->x0; | ||
450 | ! xSegMax = seg->x1; | ||
451 | } else { | ||
452 | ! xSegMin = seg->x1; | ||
453 | ! xSegMax = seg->x0; | ||
454 | } | ||
455 | ! // intersection with top edge | ||
456 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; | ||
457 | ! // intersection with bottom edge | ||
458 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; | ||
459 | ! // the segment may not actually extend to the top and/or bottom edges | ||
460 | ! if (xx0 < xSegMin) { | ||
461 | ! xx0 = xSegMin; | ||
462 | ! } else if (xx0 > xSegMax) { | ||
463 | ! xx0 = xSegMax; | ||
464 | ! } | ||
465 | ! if (xx1 < xSegMin) { | ||
466 | ! xx1 = xSegMin; | ||
467 | ! } else if (xx1 > xSegMax) { | ||
468 | ! xx1 = xSegMax; | ||
469 | } | ||
470 | } | ||
471 | if (xx0 < xx1) { |