Contents of /trunk/xpdf/patches/xpdf-3.01pl2.patch
Parent Directory | Revision Log
Revision 153 -
(show annotations)
(download)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 12097 byte(s)
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 12097 byte(s)
-import
1 | diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c |
2 | *** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 |
3 | --- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 |
4 | *************** |
5 | *** 11,16 **** |
6 | --- 11,17 ---- |
7 | #include <stdlib.h> |
8 | #include <stddef.h> |
9 | #include <string.h> |
10 | + #include <limits.h> |
11 | #include "gmem.h" |
12 | |
13 | #ifdef DEBUG_MEM |
14 | *************** |
15 | *** 63,69 **** |
16 | int lst; |
17 | unsigned long *trl, *p; |
18 | |
19 | ! if (size == 0) |
20 | return NULL; |
21 | size1 = gMemDataSize(size); |
22 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { |
23 | --- 64,70 ---- |
24 | int lst; |
25 | unsigned long *trl, *p; |
26 | |
27 | ! if (size <= 0) |
28 | return NULL; |
29 | size1 = gMemDataSize(size); |
30 | if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { |
31 | *************** |
32 | *** 86,92 **** |
33 | #else |
34 | void *p; |
35 | |
36 | ! if (size == 0) |
37 | return NULL; |
38 | if (!(p = malloc(size))) { |
39 | fprintf(stderr, "Out of memory\n"); |
40 | --- 87,93 ---- |
41 | #else |
42 | void *p; |
43 | |
44 | ! if (size <= 0) |
45 | return NULL; |
46 | if (!(p = malloc(size))) { |
47 | fprintf(stderr, "Out of memory\n"); |
48 | *************** |
49 | *** 102,108 **** |
50 | void *q; |
51 | int oldSize; |
52 | |
53 | ! if (size == 0) { |
54 | if (p) |
55 | gfree(p); |
56 | return NULL; |
57 | --- 103,109 ---- |
58 | void *q; |
59 | int oldSize; |
60 | |
61 | ! if (size <= 0) { |
62 | if (p) |
63 | gfree(p); |
64 | return NULL; |
65 | *************** |
66 | *** 120,126 **** |
67 | #else |
68 | void *q; |
69 | |
70 | ! if (size == 0) { |
71 | if (p) |
72 | free(p); |
73 | return NULL; |
74 | --- 121,127 ---- |
75 | #else |
76 | void *q; |
77 | |
78 | ! if (size <= 0) { |
79 | if (p) |
80 | free(p); |
81 | return NULL; |
82 | *************** |
83 | *** 140,147 **** |
84 | void *gmallocn(int nObjs, int objSize) { |
85 | int n; |
86 | |
87 | n = nObjs * objSize; |
88 | ! if (objSize == 0 || n / objSize != nObjs) { |
89 | fprintf(stderr, "Bogus memory allocation size\n"); |
90 | exit(1); |
91 | } |
92 | --- 141,151 ---- |
93 | void *gmallocn(int nObjs, int objSize) { |
94 | int n; |
95 | |
96 | + if (nObjs == 0) { |
97 | + return NULL; |
98 | + } |
99 | n = nObjs * objSize; |
100 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { |
101 | fprintf(stderr, "Bogus memory allocation size\n"); |
102 | exit(1); |
103 | } |
104 | *************** |
105 | *** 151,158 **** |
106 | void *greallocn(void *p, int nObjs, int objSize) { |
107 | int n; |
108 | |
109 | n = nObjs * objSize; |
110 | ! if (objSize == 0 || n / objSize != nObjs) { |
111 | fprintf(stderr, "Bogus memory allocation size\n"); |
112 | exit(1); |
113 | } |
114 | --- 155,168 ---- |
115 | void *greallocn(void *p, int nObjs, int objSize) { |
116 | int n; |
117 | |
118 | + if (nObjs == 0) { |
119 | + if (p) { |
120 | + gfree(p); |
121 | + } |
122 | + return NULL; |
123 | + } |
124 | n = nObjs * objSize; |
125 | ! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { |
126 | fprintf(stderr, "Bogus memory allocation size\n"); |
127 | exit(1); |
128 | } |
129 | diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc |
130 | *** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 |
131 | --- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 |
132 | *************** |
133 | *** 13,18 **** |
134 | --- 13,19 ---- |
135 | #endif |
136 | |
137 | #include <stdlib.h> |
138 | + #include <limits.h> |
139 | #include "GList.h" |
140 | #include "Error.h" |
141 | #include "JArithmeticDecoder.h" |
142 | *************** |
143 | *** 681,686 **** |
144 | --- 682,691 ---- |
145 | w = wA; |
146 | h = hA; |
147 | line = (wA + 7) >> 3; |
148 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { |
149 | + data = NULL; |
150 | + return; |
151 | + } |
152 | // need to allocate one extra guard byte for use in combine() |
153 | data = (Guchar *)gmalloc(h * line + 1); |
154 | data[h * line] = 0; |
155 | *************** |
156 | *** 692,697 **** |
157 | --- 697,706 ---- |
158 | w = bitmap->w; |
159 | h = bitmap->h; |
160 | line = bitmap->line; |
161 | + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { |
162 | + data = NULL; |
163 | + return; |
164 | + } |
165 | // need to allocate one extra guard byte for use in combine() |
166 | data = (Guchar *)gmalloc(h * line + 1); |
167 | memcpy(data, bitmap->data, h * line); |
168 | *************** |
169 | *** 720,726 **** |
170 | } |
171 | |
172 | void JBIG2Bitmap::expand(int newH, Guint pixel) { |
173 | ! if (newH <= h) { |
174 | return; |
175 | } |
176 | // need to allocate one extra guard byte for use in combine() |
177 | --- 729,735 ---- |
178 | } |
179 | |
180 | void JBIG2Bitmap::expand(int newH, Guint pixel) { |
181 | ! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { |
182 | return; |
183 | } |
184 | // need to allocate one extra guard byte for use in combine() |
185 | *************** |
186 | *** 2294,2299 **** |
187 | --- 2303,2316 ---- |
188 | !readUWord(&stepX) || !readUWord(&stepY)) { |
189 | goto eofError; |
190 | } |
191 | + if (w == 0 || h == 0 || w >= INT_MAX / h) { |
192 | + error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); |
193 | + return; |
194 | + } |
195 | + if (gridH == 0 || gridW >= INT_MAX / gridH) { |
196 | + error(getPos(), "Bad grid size in JBIG2 halftone segment"); |
197 | + return; |
198 | + } |
199 | |
200 | // get pattern dictionary |
201 | if (nRefSegs != 1) { |
202 | diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc |
203 | *** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 |
204 | --- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 |
205 | *************** |
206 | *** 12,17 **** |
207 | --- 12,18 ---- |
208 | #pragma implementation |
209 | #endif |
210 | |
211 | + #include <limits.h> |
212 | #include "gmem.h" |
213 | #include "Error.h" |
214 | #include "JArithmeticDecoder.h" |
215 | *************** |
216 | *** 818,823 **** |
217 | --- 819,830 ---- |
218 | / img.xTileSize; |
219 | img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) |
220 | / img.yTileSize; |
221 | + // check for overflow before allocating memory |
222 | + if (img.nXTiles <= 0 || img.nYTiles <= 0 || |
223 | + img.nXTiles >= INT_MAX / img.nYTiles) { |
224 | + error(getPos(), "Bad tile count in JPX SIZ marker segment"); |
225 | + return gFalse; |
226 | + } |
227 | img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, |
228 | sizeof(JPXTile)); |
229 | for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { |
230 | diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc |
231 | *** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 |
232 | --- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 |
233 | *************** |
234 | *** 15,20 **** |
235 | --- 15,21 ---- |
236 | #include <stdio.h> |
237 | #include <stdlib.h> |
238 | #include <stddef.h> |
239 | + #include <limits.h> |
240 | #ifndef WIN32 |
241 | #include <unistd.h> |
242 | #endif |
243 | *************** |
244 | *** 406,418 **** |
245 | --- 407,432 ---- |
246 | width = widthA; |
247 | nComps = nCompsA; |
248 | nBits = nBitsA; |
249 | + predLine = NULL; |
250 | + ok = gFalse; |
251 | |
252 | nVals = width * nComps; |
253 | + if (width <= 0 || nComps <= 0 || nBits <= 0 || |
254 | + nComps >= INT_MAX / nBits || |
255 | + width >= INT_MAX / nComps / nBits || |
256 | + nVals * nBits + 7 < 0) { |
257 | + return; |
258 | + } |
259 | pixBytes = (nComps * nBits + 7) >> 3; |
260 | rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; |
261 | + if (rowBytes <= 0) { |
262 | + return; |
263 | + } |
264 | predLine = (Guchar *)gmalloc(rowBytes); |
265 | memset(predLine, 0, rowBytes); |
266 | predIdx = rowBytes; |
267 | + |
268 | + ok = gTrue; |
269 | } |
270 | |
271 | StreamPredictor::~StreamPredictor() { |
272 | *************** |
273 | *** 1004,1009 **** |
274 | --- 1018,1027 ---- |
275 | FilterStream(strA) { |
276 | if (predictor != 1) { |
277 | pred = new StreamPredictor(this, predictor, columns, colors, bits); |
278 | + if (!pred->isOk()) { |
279 | + delete pred; |
280 | + pred = NULL; |
281 | + } |
282 | } else { |
283 | pred = NULL; |
284 | } |
285 | *************** |
286 | *** 1259,1264 **** |
287 | --- 1277,1285 ---- |
288 | if (columns < 1) { |
289 | columns = 1; |
290 | } |
291 | + if (columns + 4 <= 0) { |
292 | + columns = INT_MAX - 4; |
293 | + } |
294 | rows = rowsA; |
295 | endOfBlock = endOfBlockA; |
296 | black = blackA; |
297 | *************** |
298 | *** 2899,2904 **** |
299 | --- 2920,2930 ---- |
300 | height = read16(); |
301 | width = read16(); |
302 | numComps = str->getChar(); |
303 | + if (numComps <= 0 || numComps > 4) { |
304 | + error(getPos(), "Bad number of components in DCT stream"); |
305 | + numComps = 0; |
306 | + return gFalse; |
307 | + } |
308 | if (prec != 8) { |
309 | error(getPos(), "Bad DCT precision %d", prec); |
310 | return gFalse; |
311 | *************** |
312 | *** 2925,2930 **** |
313 | --- 2951,2961 ---- |
314 | height = read16(); |
315 | width = read16(); |
316 | numComps = str->getChar(); |
317 | + if (numComps <= 0 || numComps > 4) { |
318 | + error(getPos(), "Bad number of components in DCT stream"); |
319 | + numComps = 0; |
320 | + return gFalse; |
321 | + } |
322 | if (prec != 8) { |
323 | error(getPos(), "Bad DCT precision %d", prec); |
324 | return gFalse; |
325 | *************** |
326 | *** 2947,2952 **** |
327 | --- 2978,2988 ---- |
328 | |
329 | length = read16() - 2; |
330 | scanInfo.numComps = str->getChar(); |
331 | + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { |
332 | + error(getPos(), "Bad number of components in DCT stream"); |
333 | + scanInfo.numComps = 0; |
334 | + return gFalse; |
335 | + } |
336 | --length; |
337 | if (length != 2 * scanInfo.numComps + 3) { |
338 | error(getPos(), "Bad DCT scan info block"); |
339 | *************** |
340 | *** 3041,3046 **** |
341 | --- 3077,3083 ---- |
342 | numACHuffTables = index+1; |
343 | tbl = &acHuffTables[index]; |
344 | } else { |
345 | + index &= 0x0f; |
346 | if (index >= numDCHuffTables) |
347 | numDCHuffTables = index+1; |
348 | tbl = &dcHuffTables[index]; |
349 | *************** |
350 | *** 3827,3832 **** |
351 | --- 3864,3873 ---- |
352 | FilterStream(strA) { |
353 | if (predictor != 1) { |
354 | pred = new StreamPredictor(this, predictor, columns, colors, bits); |
355 | + if (!pred->isOk()) { |
356 | + delete pred; |
357 | + pred = NULL; |
358 | + } |
359 | } else { |
360 | pred = NULL; |
361 | } |
362 | diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h |
363 | *** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 |
364 | --- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 |
365 | *************** |
366 | *** 232,237 **** |
367 | --- 232,239 ---- |
368 | |
369 | ~StreamPredictor(); |
370 | |
371 | + GBool isOk() { return ok; } |
372 | + |
373 | int lookChar(); |
374 | int getChar(); |
375 | |
376 | *************** |
377 | *** 249,254 **** |
378 | --- 251,257 ---- |
379 | int rowBytes; // bytes per line |
380 | Guchar *predLine; // line buffer |
381 | int predIdx; // current index in predLine |
382 | + GBool ok; |
383 | }; |
384 | |
385 | //------------------------------------------------------------------------ |
386 | *************** |
387 | *** 527,533 **** |
388 | short getWhiteCode(); |
389 | short getBlackCode(); |
390 | short lookBits(int n); |
391 | ! void eatBits(int n) { inputBits -= n; } |
392 | }; |
393 | |
394 | //------------------------------------------------------------------------ |
395 | --- 530,536 ---- |
396 | short getWhiteCode(); |
397 | short getBlackCode(); |
398 | short lookBits(int n); |
399 | ! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } |
400 | }; |
401 | |
402 | //------------------------------------------------------------------------ |
403 | diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc |
404 | *** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 |
405 | --- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 |
406 | *************** |
407 | *** 186,192 **** |
408 | } |
409 | |
410 | void SplashXPathScanner::computeIntersections(int y) { |
411 | ! SplashCoord ySegMin, ySegMax, xx0, xx1; |
412 | SplashXPathSeg *seg; |
413 | int i, j; |
414 | |
415 | --- 186,192 ---- |
416 | } |
417 | |
418 | void SplashXPathScanner::computeIntersections(int y) { |
419 | ! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; |
420 | SplashXPathSeg *seg; |
421 | int i, j; |
422 | |
423 | *************** |
424 | *** 236,254 **** |
425 | } else if (seg->flags & splashXPathVert) { |
426 | xx0 = xx1 = seg->x0; |
427 | } else { |
428 | ! if (ySegMin <= y) { |
429 | ! // intersection with top edge |
430 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; |
431 | } else { |
432 | ! // x coord of segment endpoint with min y coord |
433 | ! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; |
434 | } |
435 | ! if (ySegMax >= y + 1) { |
436 | ! // intersection with bottom edge |
437 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; |
438 | ! } else { |
439 | ! // x coord of segment endpoint with max y coord |
440 | ! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; |
441 | } |
442 | } |
443 | if (xx0 < xx1) { |
444 | --- 236,262 ---- |
445 | } else if (seg->flags & splashXPathVert) { |
446 | xx0 = xx1 = seg->x0; |
447 | } else { |
448 | ! if (seg->x0 < seg->x1) { |
449 | ! xSegMin = seg->x0; |
450 | ! xSegMax = seg->x1; |
451 | } else { |
452 | ! xSegMin = seg->x1; |
453 | ! xSegMax = seg->x0; |
454 | } |
455 | ! // intersection with top edge |
456 | ! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; |
457 | ! // intersection with bottom edge |
458 | ! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; |
459 | ! // the segment may not actually extend to the top and/or bottom edges |
460 | ! if (xx0 < xSegMin) { |
461 | ! xx0 = xSegMin; |
462 | ! } else if (xx0 > xSegMax) { |
463 | ! xx0 = xSegMax; |
464 | ! } |
465 | ! if (xx1 < xSegMin) { |
466 | ! xx1 = xSegMin; |
467 | ! } else if (xx1 > xSegMax) { |
468 | ! xx1 = xSegMax; |
469 | } |
470 | } |
471 | if (xx0 < xx1) { |