Contents of /trunk/xpdf/patches/xpdf-3.02pl2.patch
Parent Directory | Revision Log
Revision 521 -
(show annotations)
(download)
Sun Mar 23 21:28:15 2008 UTC (16 years, 6 months ago) by niro
File size: 20843 byte(s)
Sun Mar 23 21:28:15 2008 UTC (16 years, 6 months ago) by niro
File size: 20843 byte(s)
-securtiy fix
1 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc |
2 | *** xpdf-3.02pl1.orig/xpdf/Stream.cc Thu Oct 25 15:47:38 2007 |
3 | --- xpdf-3.02/xpdf/Stream.cc Thu Oct 25 15:48:19 2007 |
4 | *************** |
5 | *** 1243,1265 **** |
6 | columns = columnsA; |
7 | if (columns < 1) { |
8 | columns = 1; |
9 | ! } |
10 | ! if (columns + 4 <= 0) { |
11 | ! columns = INT_MAX - 4; |
12 | } |
13 | rows = rowsA; |
14 | endOfBlock = endOfBlockA; |
15 | black = blackA; |
16 | ! refLine = (short *)gmallocn(columns + 3, sizeof(short)); |
17 | ! codingLine = (short *)gmallocn(columns + 2, sizeof(short)); |
18 | |
19 | eof = gFalse; |
20 | row = 0; |
21 | nextLine2D = encoding < 0; |
22 | inputBits = 0; |
23 | ! codingLine[0] = 0; |
24 | ! codingLine[1] = refLine[2] = columns; |
25 | ! a0 = 1; |
26 | |
27 | buf = EOF; |
28 | } |
29 | --- 1243,1268 ---- |
30 | columns = columnsA; |
31 | if (columns < 1) { |
32 | columns = 1; |
33 | ! } else if (columns > INT_MAX - 2) { |
34 | ! columns = INT_MAX - 2; |
35 | } |
36 | rows = rowsA; |
37 | endOfBlock = endOfBlockA; |
38 | black = blackA; |
39 | ! // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns |
40 | ! // ---> max codingLine size = columns + 1 |
41 | ! // refLine has one extra guard entry at the end |
42 | ! // ---> max refLine size = columns + 2 |
43 | ! codingLine = (int *)gmallocn(columns + 1, sizeof(int)); |
44 | ! refLine = (int *)gmallocn(columns + 2, sizeof(int)); |
45 | |
46 | eof = gFalse; |
47 | row = 0; |
48 | nextLine2D = encoding < 0; |
49 | inputBits = 0; |
50 | ! codingLine[0] = columns; |
51 | ! a0i = 0; |
52 | ! outputBits = 0; |
53 | |
54 | buf = EOF; |
55 | } |
56 | *************** |
57 | *** 1278,1286 **** |
58 | row = 0; |
59 | nextLine2D = encoding < 0; |
60 | inputBits = 0; |
61 | ! codingLine[0] = 0; |
62 | ! codingLine[1] = columns; |
63 | ! a0 = 1; |
64 | buf = EOF; |
65 | |
66 | // skip any initial zero bits and end-of-line marker, and get the 2D |
67 | --- 1281,1289 ---- |
68 | row = 0; |
69 | nextLine2D = encoding < 0; |
70 | inputBits = 0; |
71 | ! codingLine[0] = columns; |
72 | ! a0i = 0; |
73 | ! outputBits = 0; |
74 | buf = EOF; |
75 | |
76 | // skip any initial zero bits and end-of-line marker, and get the 2D |
77 | *************** |
78 | *** 1297,1507 **** |
79 | } |
80 | } |
81 | |
82 | int CCITTFaxStream::lookChar() { |
83 | short code1, code2, code3; |
84 | ! int a0New; |
85 | ! GBool err, gotEOL; |
86 | ! int ret; |
87 | ! int bits, i; |
88 | |
89 | ! // if at eof just return EOF |
90 | ! if (eof && codingLine[a0] >= columns) { |
91 | ! return EOF; |
92 | } |
93 | |
94 | // read the next row |
95 | ! err = gFalse; |
96 | ! if (codingLine[a0] >= columns) { |
97 | |
98 | // 2-D encoding |
99 | if (nextLine2D) { |
100 | - // state: |
101 | - // a0New = current position in coding line (0 <= a0New <= columns) |
102 | - // codingLine[a0] = last change in coding line |
103 | - // (black-to-white if a0 is even, |
104 | - // white-to-black if a0 is odd) |
105 | - // refLine[b1] = next change in reference line of opposite color |
106 | - // to a0 |
107 | - // invariants: |
108 | - // 0 <= codingLine[a0] <= a0New |
109 | - // <= refLine[b1] <= refLine[b1+1] <= columns |
110 | - // 0 <= a0 <= columns+1 |
111 | - // refLine[0] = 0 |
112 | - // refLine[n] = refLine[n+1] = columns |
113 | - // -- for some 1 <= n <= columns+1 |
114 | - // end condition: |
115 | - // 0 = codingLine[0] <= codingLine[1] < codingLine[2] < ... |
116 | - // < codingLine[n-1] < codingLine[n] = columns |
117 | - // -- where 1 <= n <= columns+1 |
118 | for (i = 0; codingLine[i] < columns; ++i) { |
119 | refLine[i] = codingLine[i]; |
120 | } |
121 | ! refLine[i] = refLine[i + 1] = columns; |
122 | ! b1 = 1; |
123 | ! a0New = codingLine[a0 = 0] = 0; |
124 | ! do { |
125 | code1 = getTwoDimCode(); |
126 | switch (code1) { |
127 | case twoDimPass: |
128 | ! if (refLine[b1] < columns) { |
129 | ! a0New = refLine[b1 + 1]; |
130 | ! b1 += 2; |
131 | } |
132 | break; |
133 | case twoDimHoriz: |
134 | ! if ((a0 & 1) == 0) { |
135 | ! code1 = code2 = 0; |
136 | do { |
137 | ! code1 += code3 = getWhiteCode(); |
138 | } while (code3 >= 64); |
139 | do { |
140 | ! code2 += code3 = getBlackCode(); |
141 | } while (code3 >= 64); |
142 | } else { |
143 | - code1 = code2 = 0; |
144 | do { |
145 | ! code1 += code3 = getBlackCode(); |
146 | } while (code3 >= 64); |
147 | do { |
148 | ! code2 += code3 = getWhiteCode(); |
149 | } while (code3 >= 64); |
150 | } |
151 | ! if (code1 > 0 || code2 > 0) { |
152 | ! if (a0New + code1 <= columns) { |
153 | ! codingLine[a0 + 1] = a0New + code1; |
154 | ! } else { |
155 | ! codingLine[a0 + 1] = columns; |
156 | ! } |
157 | ! ++a0; |
158 | ! if (codingLine[a0] + code2 <= columns) { |
159 | ! codingLine[a0 + 1] = codingLine[a0] + code2; |
160 | ! } else { |
161 | ! codingLine[a0 + 1] = columns; |
162 | ! } |
163 | ! ++a0; |
164 | ! a0New = codingLine[a0]; |
165 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
166 | ! b1 += 2; |
167 | } |
168 | } |
169 | break; |
170 | ! case twoDimVert0: |
171 | ! if (refLine[b1] < columns) { |
172 | ! a0New = codingLine[++a0] = refLine[b1]; |
173 | ! ++b1; |
174 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
175 | ! b1 += 2; |
176 | } |
177 | - } else { |
178 | - a0New = codingLine[++a0] = columns; |
179 | } |
180 | break; |
181 | case twoDimVertR1: |
182 | ! if (refLine[b1] + 1 < columns) { |
183 | ! a0New = codingLine[++a0] = refLine[b1] + 1; |
184 | ! ++b1; |
185 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
186 | ! b1 += 2; |
187 | } |
188 | - } else { |
189 | - a0New = codingLine[++a0] = columns; |
190 | } |
191 | break; |
192 | ! case twoDimVertL1: |
193 | ! if (refLine[b1] - 1 > a0New || (a0 == 0 && refLine[b1] == 1)) { |
194 | ! a0New = codingLine[++a0] = refLine[b1] - 1; |
195 | ! --b1; |
196 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
197 | ! b1 += 2; |
198 | } |
199 | } |
200 | break; |
201 | ! case twoDimVertR2: |
202 | ! if (refLine[b1] + 2 < columns) { |
203 | ! a0New = codingLine[++a0] = refLine[b1] + 2; |
204 | ! ++b1; |
205 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
206 | ! b1 += 2; |
207 | } |
208 | - } else { |
209 | - a0New = codingLine[++a0] = columns; |
210 | } |
211 | break; |
212 | case twoDimVertL2: |
213 | ! if (refLine[b1] - 2 > a0New || (a0 == 0 && refLine[b1] == 2)) { |
214 | ! a0New = codingLine[++a0] = refLine[b1] - 2; |
215 | ! --b1; |
216 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
217 | ! b1 += 2; |
218 | } |
219 | ! } |
220 | ! break; |
221 | ! case twoDimVertR3: |
222 | ! if (refLine[b1] + 3 < columns) { |
223 | ! a0New = codingLine[++a0] = refLine[b1] + 3; |
224 | ! ++b1; |
225 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
226 | ! b1 += 2; |
227 | } |
228 | - } else { |
229 | - a0New = codingLine[++a0] = columns; |
230 | } |
231 | break; |
232 | ! case twoDimVertL3: |
233 | ! if (refLine[b1] - 3 > a0New || (a0 == 0 && refLine[b1] == 3)) { |
234 | ! a0New = codingLine[++a0] = refLine[b1] - 3; |
235 | ! --b1; |
236 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
237 | ! b1 += 2; |
238 | } |
239 | } |
240 | break; |
241 | case EOF: |
242 | eof = gTrue; |
243 | ! codingLine[a0 = 0] = columns; |
244 | ! return EOF; |
245 | default: |
246 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
247 | err = gTrue; |
248 | break; |
249 | } |
250 | ! } while (codingLine[a0] < columns); |
251 | |
252 | // 1-D encoding |
253 | } else { |
254 | ! codingLine[a0 = 0] = 0; |
255 | ! while (1) { |
256 | code1 = 0; |
257 | ! do { |
258 | ! code1 += code3 = getWhiteCode(); |
259 | ! } while (code3 >= 64); |
260 | ! codingLine[a0+1] = codingLine[a0] + code1; |
261 | ! ++a0; |
262 | ! if (codingLine[a0] >= columns) { |
263 | ! break; |
264 | ! } |
265 | ! code2 = 0; |
266 | ! do { |
267 | ! code2 += code3 = getBlackCode(); |
268 | ! } while (code3 >= 64); |
269 | ! codingLine[a0+1] = codingLine[a0] + code2; |
270 | ! ++a0; |
271 | ! if (codingLine[a0] >= columns) { |
272 | ! break; |
273 | } |
274 | } |
275 | } |
276 | |
277 | - if (codingLine[a0] != columns) { |
278 | - error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]); |
279 | - // force the row to be the correct length |
280 | - while (codingLine[a0] > columns) { |
281 | - --a0; |
282 | - } |
283 | - codingLine[++a0] = columns; |
284 | - err = gTrue; |
285 | - } |
286 | - |
287 | // byte-align the row |
288 | if (byteAlign) { |
289 | inputBits &= ~7; |
290 | --- 1300,1529 ---- |
291 | } |
292 | } |
293 | |
294 | + inline void CCITTFaxStream::addPixels(int a1, int blackPixels) { |
295 | + if (a1 > codingLine[a0i]) { |
296 | + if (a1 > columns) { |
297 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
298 | + err = gTrue; |
299 | + a1 = columns; |
300 | + } |
301 | + if ((a0i & 1) ^ blackPixels) { |
302 | + ++a0i; |
303 | + } |
304 | + codingLine[a0i] = a1; |
305 | + } |
306 | + } |
307 | + |
308 | + inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) { |
309 | + if (a1 > codingLine[a0i]) { |
310 | + if (a1 > columns) { |
311 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
312 | + err = gTrue; |
313 | + a1 = columns; |
314 | + } |
315 | + if ((a0i & 1) ^ blackPixels) { |
316 | + ++a0i; |
317 | + } |
318 | + codingLine[a0i] = a1; |
319 | + } else if (a1 < codingLine[a0i]) { |
320 | + if (a1 < 0) { |
321 | + error(getPos(), "Invalid CCITTFax code"); |
322 | + err = gTrue; |
323 | + a1 = 0; |
324 | + } |
325 | + while (a0i > 0 && a1 <= codingLine[a0i - 1]) { |
326 | + --a0i; |
327 | + } |
328 | + codingLine[a0i] = a1; |
329 | + } |
330 | + } |
331 | + |
332 | int CCITTFaxStream::lookChar() { |
333 | short code1, code2, code3; |
334 | ! int b1i, blackPixels, i, bits; |
335 | ! GBool gotEOL; |
336 | |
337 | ! if (buf != EOF) { |
338 | ! return buf; |
339 | } |
340 | |
341 | // read the next row |
342 | ! if (outputBits == 0) { |
343 | ! |
344 | ! // if at eof just return EOF |
345 | ! if (eof) { |
346 | ! return EOF; |
347 | ! } |
348 | ! |
349 | ! err = gFalse; |
350 | |
351 | // 2-D encoding |
352 | if (nextLine2D) { |
353 | for (i = 0; codingLine[i] < columns; ++i) { |
354 | refLine[i] = codingLine[i]; |
355 | } |
356 | ! refLine[i++] = columns; |
357 | ! refLine[i] = columns; |
358 | ! codingLine[0] = 0; |
359 | ! a0i = 0; |
360 | ! b1i = 0; |
361 | ! blackPixels = 0; |
362 | ! // invariant: |
363 | ! // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] |
364 | ! // <= columns |
365 | ! // exception at left edge: |
366 | ! // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible |
367 | ! // exception at right edge: |
368 | ! // refLine[b1i] = refLine[b1i+1] = columns is possible |
369 | ! while (codingLine[a0i] < columns) { |
370 | code1 = getTwoDimCode(); |
371 | switch (code1) { |
372 | case twoDimPass: |
373 | ! addPixels(refLine[b1i + 1], blackPixels); |
374 | ! if (refLine[b1i + 1] < columns) { |
375 | ! b1i += 2; |
376 | } |
377 | break; |
378 | case twoDimHoriz: |
379 | ! code1 = code2 = 0; |
380 | ! if (blackPixels) { |
381 | do { |
382 | ! code1 += code3 = getBlackCode(); |
383 | } while (code3 >= 64); |
384 | do { |
385 | ! code2 += code3 = getWhiteCode(); |
386 | } while (code3 >= 64); |
387 | } else { |
388 | do { |
389 | ! code1 += code3 = getWhiteCode(); |
390 | } while (code3 >= 64); |
391 | do { |
392 | ! code2 += code3 = getBlackCode(); |
393 | } while (code3 >= 64); |
394 | } |
395 | ! addPixels(codingLine[a0i] + code1, blackPixels); |
396 | ! if (codingLine[a0i] < columns) { |
397 | ! addPixels(codingLine[a0i] + code2, blackPixels ^ 1); |
398 | ! } |
399 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
400 | ! b1i += 2; |
401 | ! } |
402 | ! break; |
403 | ! case twoDimVertR3: |
404 | ! addPixels(refLine[b1i] + 3, blackPixels); |
405 | ! blackPixels ^= 1; |
406 | ! if (codingLine[a0i] < columns) { |
407 | ! ++b1i; |
408 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
409 | ! b1i += 2; |
410 | } |
411 | } |
412 | break; |
413 | ! case twoDimVertR2: |
414 | ! addPixels(refLine[b1i] + 2, blackPixels); |
415 | ! blackPixels ^= 1; |
416 | ! if (codingLine[a0i] < columns) { |
417 | ! ++b1i; |
418 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
419 | ! b1i += 2; |
420 | } |
421 | } |
422 | break; |
423 | case twoDimVertR1: |
424 | ! addPixels(refLine[b1i] + 1, blackPixels); |
425 | ! blackPixels ^= 1; |
426 | ! if (codingLine[a0i] < columns) { |
427 | ! ++b1i; |
428 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
429 | ! b1i += 2; |
430 | } |
431 | } |
432 | break; |
433 | ! case twoDimVert0: |
434 | ! addPixels(refLine[b1i], blackPixels); |
435 | ! blackPixels ^= 1; |
436 | ! if (codingLine[a0i] < columns) { |
437 | ! ++b1i; |
438 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
439 | ! b1i += 2; |
440 | } |
441 | } |
442 | break; |
443 | ! case twoDimVertL3: |
444 | ! addPixelsNeg(refLine[b1i] - 3, blackPixels); |
445 | ! blackPixels ^= 1; |
446 | ! if (codingLine[a0i] < columns) { |
447 | ! if (b1i > 0) { |
448 | ! --b1i; |
449 | ! } else { |
450 | ! ++b1i; |
451 | ! } |
452 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
453 | ! b1i += 2; |
454 | } |
455 | } |
456 | break; |
457 | case twoDimVertL2: |
458 | ! addPixelsNeg(refLine[b1i] - 2, blackPixels); |
459 | ! blackPixels ^= 1; |
460 | ! if (codingLine[a0i] < columns) { |
461 | ! if (b1i > 0) { |
462 | ! --b1i; |
463 | ! } else { |
464 | ! ++b1i; |
465 | } |
466 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
467 | ! b1i += 2; |
468 | } |
469 | } |
470 | break; |
471 | ! case twoDimVertL1: |
472 | ! addPixelsNeg(refLine[b1i] - 1, blackPixels); |
473 | ! blackPixels ^= 1; |
474 | ! if (codingLine[a0i] < columns) { |
475 | ! if (b1i > 0) { |
476 | ! --b1i; |
477 | ! } else { |
478 | ! ++b1i; |
479 | ! } |
480 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
481 | ! b1i += 2; |
482 | } |
483 | } |
484 | break; |
485 | case EOF: |
486 | + addPixels(columns, 0); |
487 | eof = gTrue; |
488 | ! break; |
489 | default: |
490 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
491 | + addPixels(columns, 0); |
492 | err = gTrue; |
493 | break; |
494 | } |
495 | ! } |
496 | |
497 | // 1-D encoding |
498 | } else { |
499 | ! codingLine[0] = 0; |
500 | ! a0i = 0; |
501 | ! blackPixels = 0; |
502 | ! while (codingLine[a0i] < columns) { |
503 | code1 = 0; |
504 | ! if (blackPixels) { |
505 | ! do { |
506 | ! code1 += code3 = getBlackCode(); |
507 | ! } while (code3 >= 64); |
508 | ! } else { |
509 | ! do { |
510 | ! code1 += code3 = getWhiteCode(); |
511 | ! } while (code3 >= 64); |
512 | } |
513 | + addPixels(codingLine[a0i] + code1, blackPixels); |
514 | + blackPixels ^= 1; |
515 | } |
516 | } |
517 | |
518 | // byte-align the row |
519 | if (byteAlign) { |
520 | inputBits &= ~7; |
521 | *************** |
522 | *** 1560,1573 **** |
523 | // this if we know the stream contains end-of-line markers because |
524 | // the "just plow on" technique tends to work better otherwise |
525 | } else if (err && endOfLine) { |
526 | ! do { |
527 | if (code1 == EOF) { |
528 | eof = gTrue; |
529 | return EOF; |
530 | } |
531 | eatBits(1); |
532 | ! code1 = lookBits(13); |
533 | ! } while ((code1 >> 1) != 0x001); |
534 | eatBits(12); |
535 | if (encoding > 0) { |
536 | eatBits(1); |
537 | --- 1582,1598 ---- |
538 | // this if we know the stream contains end-of-line markers because |
539 | // the "just plow on" technique tends to work better otherwise |
540 | } else if (err && endOfLine) { |
541 | ! while (1) { |
542 | ! code1 = lookBits(13); |
543 | if (code1 == EOF) { |
544 | eof = gTrue; |
545 | return EOF; |
546 | } |
547 | + if ((code1 >> 1) == 0x001) { |
548 | + break; |
549 | + } |
550 | eatBits(1); |
551 | ! } |
552 | eatBits(12); |
553 | if (encoding > 0) { |
554 | eatBits(1); |
555 | *************** |
556 | *** 1575,1585 **** |
557 | } |
558 | } |
559 | |
560 | ! a0 = 0; |
561 | ! outputBits = codingLine[1] - codingLine[0]; |
562 | ! if (outputBits == 0) { |
563 | ! a0 = 1; |
564 | ! outputBits = codingLine[2] - codingLine[1]; |
565 | } |
566 | |
567 | ++row; |
568 | --- 1600,1610 ---- |
569 | } |
570 | } |
571 | |
572 | ! // set up for output |
573 | ! if (codingLine[0] > 0) { |
574 | ! outputBits = codingLine[a0i = 0]; |
575 | ! } else { |
576 | ! outputBits = codingLine[a0i = 1]; |
577 | } |
578 | |
579 | ++row; |
580 | *************** |
581 | *** 1587,1625 **** |
582 | |
583 | // get a byte |
584 | if (outputBits >= 8) { |
585 | ! ret = ((a0 & 1) == 0) ? 0xff : 0x00; |
586 | ! if ((outputBits -= 8) == 0) { |
587 | ! ++a0; |
588 | ! if (codingLine[a0] < columns) { |
589 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; |
590 | ! } |
591 | } |
592 | } else { |
593 | bits = 8; |
594 | ! ret = 0; |
595 | do { |
596 | if (outputBits > bits) { |
597 | ! i = bits; |
598 | ! bits = 0; |
599 | ! if ((a0 & 1) == 0) { |
600 | ! ret |= 0xff >> (8 - i); |
601 | } |
602 | ! outputBits -= i; |
603 | } else { |
604 | ! i = outputBits; |
605 | ! bits -= outputBits; |
606 | ! if ((a0 & 1) == 0) { |
607 | ! ret |= (0xff >> (8 - i)) << bits; |
608 | } |
609 | outputBits = 0; |
610 | ! ++a0; |
611 | ! if (codingLine[a0] < columns) { |
612 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; |
613 | } |
614 | } |
615 | ! } while (bits > 0 && codingLine[a0] < columns); |
616 | } |
617 | - buf = black ? (ret ^ 0xff) : ret; |
618 | return buf; |
619 | } |
620 | |
621 | --- 1612,1654 ---- |
622 | |
623 | // get a byte |
624 | if (outputBits >= 8) { |
625 | ! buf = (a0i & 1) ? 0x00 : 0xff; |
626 | ! outputBits -= 8; |
627 | ! if (outputBits == 0 && codingLine[a0i] < columns) { |
628 | ! ++a0i; |
629 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
630 | } |
631 | } else { |
632 | bits = 8; |
633 | ! buf = 0; |
634 | do { |
635 | if (outputBits > bits) { |
636 | ! buf <<= bits; |
637 | ! if (!(a0i & 1)) { |
638 | ! buf |= 0xff >> (8 - bits); |
639 | } |
640 | ! outputBits -= bits; |
641 | ! bits = 0; |
642 | } else { |
643 | ! buf <<= outputBits; |
644 | ! if (!(a0i & 1)) { |
645 | ! buf |= 0xff >> (8 - outputBits); |
646 | } |
647 | + bits -= outputBits; |
648 | outputBits = 0; |
649 | ! if (codingLine[a0i] < columns) { |
650 | ! ++a0i; |
651 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
652 | ! } else if (bits > 0) { |
653 | ! buf <<= bits; |
654 | ! bits = 0; |
655 | } |
656 | } |
657 | ! } while (bits); |
658 | ! } |
659 | ! if (black) { |
660 | ! buf ^= 0xff; |
661 | } |
662 | return buf; |
663 | } |
664 | |
665 | *************** |
666 | *** 1661,1666 **** |
667 | --- 1690,1698 ---- |
668 | code = 0; // make gcc happy |
669 | if (endOfBlock) { |
670 | code = lookBits(12); |
671 | + if (code == EOF) { |
672 | + return 1; |
673 | + } |
674 | if ((code >> 5) == 0) { |
675 | p = &whiteTab1[code]; |
676 | } else { |
677 | *************** |
678 | *** 1673,1678 **** |
679 | --- 1705,1713 ---- |
680 | } else { |
681 | for (n = 1; n <= 9; ++n) { |
682 | code = lookBits(n); |
683 | + if (code == EOF) { |
684 | + return 1; |
685 | + } |
686 | if (n < 9) { |
687 | code <<= 9 - n; |
688 | } |
689 | *************** |
690 | *** 1684,1689 **** |
691 | --- 1719,1727 ---- |
692 | } |
693 | for (n = 11; n <= 12; ++n) { |
694 | code = lookBits(n); |
695 | + if (code == EOF) { |
696 | + return 1; |
697 | + } |
698 | if (n < 12) { |
699 | code <<= 12 - n; |
700 | } |
701 | *************** |
702 | *** 1709,1717 **** |
703 | code = 0; // make gcc happy |
704 | if (endOfBlock) { |
705 | code = lookBits(13); |
706 | if ((code >> 7) == 0) { |
707 | p = &blackTab1[code]; |
708 | ! } else if ((code >> 9) == 0) { |
709 | p = &blackTab2[(code >> 1) - 64]; |
710 | } else { |
711 | p = &blackTab3[code >> 7]; |
712 | --- 1747,1758 ---- |
713 | code = 0; // make gcc happy |
714 | if (endOfBlock) { |
715 | code = lookBits(13); |
716 | + if (code == EOF) { |
717 | + return 1; |
718 | + } |
719 | if ((code >> 7) == 0) { |
720 | p = &blackTab1[code]; |
721 | ! } else if ((code >> 9) == 0 && (code >> 7) != 0) { |
722 | p = &blackTab2[(code >> 1) - 64]; |
723 | } else { |
724 | p = &blackTab3[code >> 7]; |
725 | *************** |
726 | *** 1723,1728 **** |
727 | --- 1764,1772 ---- |
728 | } else { |
729 | for (n = 2; n <= 6; ++n) { |
730 | code = lookBits(n); |
731 | + if (code == EOF) { |
732 | + return 1; |
733 | + } |
734 | if (n < 6) { |
735 | code <<= 6 - n; |
736 | } |
737 | *************** |
738 | *** 1734,1739 **** |
739 | --- 1778,1786 ---- |
740 | } |
741 | for (n = 7; n <= 12; ++n) { |
742 | code = lookBits(n); |
743 | + if (code == EOF) { |
744 | + return 1; |
745 | + } |
746 | if (n < 12) { |
747 | code <<= 12 - n; |
748 | } |
749 | *************** |
750 | *** 1747,1752 **** |
751 | --- 1794,1802 ---- |
752 | } |
753 | for (n = 10; n <= 13; ++n) { |
754 | code = lookBits(n); |
755 | + if (code == EOF) { |
756 | + return 1; |
757 | + } |
758 | if (n < 13) { |
759 | code <<= 13 - n; |
760 | } |
761 | *************** |
762 | *** 1961,1966 **** |
763 | --- 2011,2022 ---- |
764 | // allocate a buffer for the whole image |
765 | bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth; |
766 | bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight; |
767 | + if (bufWidth <= 0 || bufHeight <= 0 || |
768 | + bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) { |
769 | + error(getPos(), "Invalid image size in DCT stream"); |
770 | + y = height; |
771 | + return; |
772 | + } |
773 | for (i = 0; i < numComps; ++i) { |
774 | frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int)); |
775 | memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int)); |
776 | *************** |
777 | *** 3036,3041 **** |
778 | --- 3092,3102 ---- |
779 | } |
780 | scanInfo.firstCoeff = str->getChar(); |
781 | scanInfo.lastCoeff = str->getChar(); |
782 | + if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 || |
783 | + scanInfo.firstCoeff > scanInfo.lastCoeff) { |
784 | + error(getPos(), "Bad DCT coefficient numbers in scan info block"); |
785 | + return gFalse; |
786 | + } |
787 | c = str->getChar(); |
788 | scanInfo.ah = (c >> 4) & 0x0f; |
789 | scanInfo.al = c & 0x0f; |
790 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.h xpdf-3.02/xpdf/Stream.h |
791 | *** xpdf-3.02pl1.orig/xpdf/Stream.h Tue Feb 27 14:05:52 2007 |
792 | --- xpdf-3.02/xpdf/Stream.h Thu Oct 25 15:48:15 2007 |
793 | *************** |
794 | *** 528,540 **** |
795 | int row; // current row |
796 | int inputBuf; // input buffer |
797 | int inputBits; // number of bits in input buffer |
798 | ! short *refLine; // reference line changing elements |
799 | ! int b1; // index into refLine |
800 | ! short *codingLine; // coding line changing elements |
801 | ! int a0; // index into codingLine |
802 | int outputBits; // remaining ouput bits |
803 | int buf; // character buffer |
804 | |
805 | short getTwoDimCode(); |
806 | short getWhiteCode(); |
807 | short getBlackCode(); |
808 | --- 528,542 ---- |
809 | int row; // current row |
810 | int inputBuf; // input buffer |
811 | int inputBits; // number of bits in input buffer |
812 | ! int *codingLine; // coding line changing elements |
813 | ! int *refLine; // reference line changing elements |
814 | ! int a0i; // index into codingLine |
815 | ! GBool err; // error on current line |
816 | int outputBits; // remaining ouput bits |
817 | int buf; // character buffer |
818 | |
819 | + void addPixels(int a1, int black); |
820 | + void addPixelsNeg(int a1, int black); |
821 | short getTwoDimCode(); |
822 | short getWhiteCode(); |
823 | short getBlackCode(); |