Annotation of /trunk/xpdf/patches/xpdf-3.02pl2.patch
Parent Directory
| 
Revision Log
Revision 521 -
(hide annotations)
(download)
Sun Mar 23 21:28:15 2008 UTC (16 years, 2 months ago) by niro
File size: 20843 byte(s)
Sun Mar 23 21:28:15 2008 UTC (16 years, 2 months ago) by niro
File size: 20843 byte(s)
-securtiy fix
| 1 | niro | 521 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc |
| 2 | *** xpdf-3.02pl1.orig/xpdf/Stream.cc Thu Oct 25 15:47:38 2007 | ||
| 3 | --- xpdf-3.02/xpdf/Stream.cc Thu Oct 25 15:48:19 2007 | ||
| 4 | *************** | ||
| 5 | *** 1243,1265 **** | ||
| 6 | columns = columnsA; | ||
| 7 | if (columns < 1) { | ||
| 8 | columns = 1; | ||
| 9 | ! } | ||
| 10 | ! if (columns + 4 <= 0) { | ||
| 11 | ! columns = INT_MAX - 4; | ||
| 12 | } | ||
| 13 | rows = rowsA; | ||
| 14 | endOfBlock = endOfBlockA; | ||
| 15 | black = blackA; | ||
| 16 | ! refLine = (short *)gmallocn(columns + 3, sizeof(short)); | ||
| 17 | ! codingLine = (short *)gmallocn(columns + 2, sizeof(short)); | ||
| 18 | |||
| 19 | eof = gFalse; | ||
| 20 | row = 0; | ||
| 21 | nextLine2D = encoding < 0; | ||
| 22 | inputBits = 0; | ||
| 23 | ! codingLine[0] = 0; | ||
| 24 | ! codingLine[1] = refLine[2] = columns; | ||
| 25 | ! a0 = 1; | ||
| 26 | |||
| 27 | buf = EOF; | ||
| 28 | } | ||
| 29 | --- 1243,1268 ---- | ||
| 30 | columns = columnsA; | ||
| 31 | if (columns < 1) { | ||
| 32 | columns = 1; | ||
| 33 | ! } else if (columns > INT_MAX - 2) { | ||
| 34 | ! columns = INT_MAX - 2; | ||
| 35 | } | ||
| 36 | rows = rowsA; | ||
| 37 | endOfBlock = endOfBlockA; | ||
| 38 | black = blackA; | ||
| 39 | ! // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns | ||
| 40 | ! // ---> max codingLine size = columns + 1 | ||
| 41 | ! // refLine has one extra guard entry at the end | ||
| 42 | ! // ---> max refLine size = columns + 2 | ||
| 43 | ! codingLine = (int *)gmallocn(columns + 1, sizeof(int)); | ||
| 44 | ! refLine = (int *)gmallocn(columns + 2, sizeof(int)); | ||
| 45 | |||
| 46 | eof = gFalse; | ||
| 47 | row = 0; | ||
| 48 | nextLine2D = encoding < 0; | ||
| 49 | inputBits = 0; | ||
| 50 | ! codingLine[0] = columns; | ||
| 51 | ! a0i = 0; | ||
| 52 | ! outputBits = 0; | ||
| 53 | |||
| 54 | buf = EOF; | ||
| 55 | } | ||
| 56 | *************** | ||
| 57 | *** 1278,1286 **** | ||
| 58 | row = 0; | ||
| 59 | nextLine2D = encoding < 0; | ||
| 60 | inputBits = 0; | ||
| 61 | ! codingLine[0] = 0; | ||
| 62 | ! codingLine[1] = columns; | ||
| 63 | ! a0 = 1; | ||
| 64 | buf = EOF; | ||
| 65 | |||
| 66 | // skip any initial zero bits and end-of-line marker, and get the 2D | ||
| 67 | --- 1281,1289 ---- | ||
| 68 | row = 0; | ||
| 69 | nextLine2D = encoding < 0; | ||
| 70 | inputBits = 0; | ||
| 71 | ! codingLine[0] = columns; | ||
| 72 | ! a0i = 0; | ||
| 73 | ! outputBits = 0; | ||
| 74 | buf = EOF; | ||
| 75 | |||
| 76 | // skip any initial zero bits and end-of-line marker, and get the 2D | ||
| 77 | *************** | ||
| 78 | *** 1297,1507 **** | ||
| 79 | } | ||
| 80 | } | ||
| 81 | |||
| 82 | int CCITTFaxStream::lookChar() { | ||
| 83 | short code1, code2, code3; | ||
| 84 | ! int a0New; | ||
| 85 | ! GBool err, gotEOL; | ||
| 86 | ! int ret; | ||
| 87 | ! int bits, i; | ||
| 88 | |||
| 89 | ! // if at eof just return EOF | ||
| 90 | ! if (eof && codingLine[a0] >= columns) { | ||
| 91 | ! return EOF; | ||
| 92 | } | ||
| 93 | |||
| 94 | // read the next row | ||
| 95 | ! err = gFalse; | ||
| 96 | ! if (codingLine[a0] >= columns) { | ||
| 97 | |||
| 98 | // 2-D encoding | ||
| 99 | if (nextLine2D) { | ||
| 100 | - // state: | ||
| 101 | - // a0New = current position in coding line (0 <= a0New <= columns) | ||
| 102 | - // codingLine[a0] = last change in coding line | ||
| 103 | - // (black-to-white if a0 is even, | ||
| 104 | - // white-to-black if a0 is odd) | ||
| 105 | - // refLine[b1] = next change in reference line of opposite color | ||
| 106 | - // to a0 | ||
| 107 | - // invariants: | ||
| 108 | - // 0 <= codingLine[a0] <= a0New | ||
| 109 | - // <= refLine[b1] <= refLine[b1+1] <= columns | ||
| 110 | - // 0 <= a0 <= columns+1 | ||
| 111 | - // refLine[0] = 0 | ||
| 112 | - // refLine[n] = refLine[n+1] = columns | ||
| 113 | - // -- for some 1 <= n <= columns+1 | ||
| 114 | - // end condition: | ||
| 115 | - // 0 = codingLine[0] <= codingLine[1] < codingLine[2] < ... | ||
| 116 | - // < codingLine[n-1] < codingLine[n] = columns | ||
| 117 | - // -- where 1 <= n <= columns+1 | ||
| 118 | for (i = 0; codingLine[i] < columns; ++i) { | ||
| 119 | refLine[i] = codingLine[i]; | ||
| 120 | } | ||
| 121 | ! refLine[i] = refLine[i + 1] = columns; | ||
| 122 | ! b1 = 1; | ||
| 123 | ! a0New = codingLine[a0 = 0] = 0; | ||
| 124 | ! do { | ||
| 125 | code1 = getTwoDimCode(); | ||
| 126 | switch (code1) { | ||
| 127 | case twoDimPass: | ||
| 128 | ! if (refLine[b1] < columns) { | ||
| 129 | ! a0New = refLine[b1 + 1]; | ||
| 130 | ! b1 += 2; | ||
| 131 | } | ||
| 132 | break; | ||
| 133 | case twoDimHoriz: | ||
| 134 | ! if ((a0 & 1) == 0) { | ||
| 135 | ! code1 = code2 = 0; | ||
| 136 | do { | ||
| 137 | ! code1 += code3 = getWhiteCode(); | ||
| 138 | } while (code3 >= 64); | ||
| 139 | do { | ||
| 140 | ! code2 += code3 = getBlackCode(); | ||
| 141 | } while (code3 >= 64); | ||
| 142 | } else { | ||
| 143 | - code1 = code2 = 0; | ||
| 144 | do { | ||
| 145 | ! code1 += code3 = getBlackCode(); | ||
| 146 | } while (code3 >= 64); | ||
| 147 | do { | ||
| 148 | ! code2 += code3 = getWhiteCode(); | ||
| 149 | } while (code3 >= 64); | ||
| 150 | } | ||
| 151 | ! if (code1 > 0 || code2 > 0) { | ||
| 152 | ! if (a0New + code1 <= columns) { | ||
| 153 | ! codingLine[a0 + 1] = a0New + code1; | ||
| 154 | ! } else { | ||
| 155 | ! codingLine[a0 + 1] = columns; | ||
| 156 | ! } | ||
| 157 | ! ++a0; | ||
| 158 | ! if (codingLine[a0] + code2 <= columns) { | ||
| 159 | ! codingLine[a0 + 1] = codingLine[a0] + code2; | ||
| 160 | ! } else { | ||
| 161 | ! codingLine[a0 + 1] = columns; | ||
| 162 | ! } | ||
| 163 | ! ++a0; | ||
| 164 | ! a0New = codingLine[a0]; | ||
| 165 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 166 | ! b1 += 2; | ||
| 167 | } | ||
| 168 | } | ||
| 169 | break; | ||
| 170 | ! case twoDimVert0: | ||
| 171 | ! if (refLine[b1] < columns) { | ||
| 172 | ! a0New = codingLine[++a0] = refLine[b1]; | ||
| 173 | ! ++b1; | ||
| 174 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 175 | ! b1 += 2; | ||
| 176 | } | ||
| 177 | - } else { | ||
| 178 | - a0New = codingLine[++a0] = columns; | ||
| 179 | } | ||
| 180 | break; | ||
| 181 | case twoDimVertR1: | ||
| 182 | ! if (refLine[b1] + 1 < columns) { | ||
| 183 | ! a0New = codingLine[++a0] = refLine[b1] + 1; | ||
| 184 | ! ++b1; | ||
| 185 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 186 | ! b1 += 2; | ||
| 187 | } | ||
| 188 | - } else { | ||
| 189 | - a0New = codingLine[++a0] = columns; | ||
| 190 | } | ||
| 191 | break; | ||
| 192 | ! case twoDimVertL1: | ||
| 193 | ! if (refLine[b1] - 1 > a0New || (a0 == 0 && refLine[b1] == 1)) { | ||
| 194 | ! a0New = codingLine[++a0] = refLine[b1] - 1; | ||
| 195 | ! --b1; | ||
| 196 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 197 | ! b1 += 2; | ||
| 198 | } | ||
| 199 | } | ||
| 200 | break; | ||
| 201 | ! case twoDimVertR2: | ||
| 202 | ! if (refLine[b1] + 2 < columns) { | ||
| 203 | ! a0New = codingLine[++a0] = refLine[b1] + 2; | ||
| 204 | ! ++b1; | ||
| 205 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 206 | ! b1 += 2; | ||
| 207 | } | ||
| 208 | - } else { | ||
| 209 | - a0New = codingLine[++a0] = columns; | ||
| 210 | } | ||
| 211 | break; | ||
| 212 | case twoDimVertL2: | ||
| 213 | ! if (refLine[b1] - 2 > a0New || (a0 == 0 && refLine[b1] == 2)) { | ||
| 214 | ! a0New = codingLine[++a0] = refLine[b1] - 2; | ||
| 215 | ! --b1; | ||
| 216 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 217 | ! b1 += 2; | ||
| 218 | } | ||
| 219 | ! } | ||
| 220 | ! break; | ||
| 221 | ! case twoDimVertR3: | ||
| 222 | ! if (refLine[b1] + 3 < columns) { | ||
| 223 | ! a0New = codingLine[++a0] = refLine[b1] + 3; | ||
| 224 | ! ++b1; | ||
| 225 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 226 | ! b1 += 2; | ||
| 227 | } | ||
| 228 | - } else { | ||
| 229 | - a0New = codingLine[++a0] = columns; | ||
| 230 | } | ||
| 231 | break; | ||
| 232 | ! case twoDimVertL3: | ||
| 233 | ! if (refLine[b1] - 3 > a0New || (a0 == 0 && refLine[b1] == 3)) { | ||
| 234 | ! a0New = codingLine[++a0] = refLine[b1] - 3; | ||
| 235 | ! --b1; | ||
| 236 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { | ||
| 237 | ! b1 += 2; | ||
| 238 | } | ||
| 239 | } | ||
| 240 | break; | ||
| 241 | case EOF: | ||
| 242 | eof = gTrue; | ||
| 243 | ! codingLine[a0 = 0] = columns; | ||
| 244 | ! return EOF; | ||
| 245 | default: | ||
| 246 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); | ||
| 247 | err = gTrue; | ||
| 248 | break; | ||
| 249 | } | ||
| 250 | ! } while (codingLine[a0] < columns); | ||
| 251 | |||
| 252 | // 1-D encoding | ||
| 253 | } else { | ||
| 254 | ! codingLine[a0 = 0] = 0; | ||
| 255 | ! while (1) { | ||
| 256 | code1 = 0; | ||
| 257 | ! do { | ||
| 258 | ! code1 += code3 = getWhiteCode(); | ||
| 259 | ! } while (code3 >= 64); | ||
| 260 | ! codingLine[a0+1] = codingLine[a0] + code1; | ||
| 261 | ! ++a0; | ||
| 262 | ! if (codingLine[a0] >= columns) { | ||
| 263 | ! break; | ||
| 264 | ! } | ||
| 265 | ! code2 = 0; | ||
| 266 | ! do { | ||
| 267 | ! code2 += code3 = getBlackCode(); | ||
| 268 | ! } while (code3 >= 64); | ||
| 269 | ! codingLine[a0+1] = codingLine[a0] + code2; | ||
| 270 | ! ++a0; | ||
| 271 | ! if (codingLine[a0] >= columns) { | ||
| 272 | ! break; | ||
| 273 | } | ||
| 274 | } | ||
| 275 | } | ||
| 276 | |||
| 277 | - if (codingLine[a0] != columns) { | ||
| 278 | - error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]); | ||
| 279 | - // force the row to be the correct length | ||
| 280 | - while (codingLine[a0] > columns) { | ||
| 281 | - --a0; | ||
| 282 | - } | ||
| 283 | - codingLine[++a0] = columns; | ||
| 284 | - err = gTrue; | ||
| 285 | - } | ||
| 286 | - | ||
| 287 | // byte-align the row | ||
| 288 | if (byteAlign) { | ||
| 289 | inputBits &= ~7; | ||
| 290 | --- 1300,1529 ---- | ||
| 291 | } | ||
| 292 | } | ||
| 293 | |||
| 294 | + inline void CCITTFaxStream::addPixels(int a1, int blackPixels) { | ||
| 295 | + if (a1 > codingLine[a0i]) { | ||
| 296 | + if (a1 > columns) { | ||
| 297 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); | ||
| 298 | + err = gTrue; | ||
| 299 | + a1 = columns; | ||
| 300 | + } | ||
| 301 | + if ((a0i & 1) ^ blackPixels) { | ||
| 302 | + ++a0i; | ||
| 303 | + } | ||
| 304 | + codingLine[a0i] = a1; | ||
| 305 | + } | ||
| 306 | + } | ||
| 307 | + | ||
| 308 | + inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) { | ||
| 309 | + if (a1 > codingLine[a0i]) { | ||
| 310 | + if (a1 > columns) { | ||
| 311 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); | ||
| 312 | + err = gTrue; | ||
| 313 | + a1 = columns; | ||
| 314 | + } | ||
| 315 | + if ((a0i & 1) ^ blackPixels) { | ||
| 316 | + ++a0i; | ||
| 317 | + } | ||
| 318 | + codingLine[a0i] = a1; | ||
| 319 | + } else if (a1 < codingLine[a0i]) { | ||
| 320 | + if (a1 < 0) { | ||
| 321 | + error(getPos(), "Invalid CCITTFax code"); | ||
| 322 | + err = gTrue; | ||
| 323 | + a1 = 0; | ||
| 324 | + } | ||
| 325 | + while (a0i > 0 && a1 <= codingLine[a0i - 1]) { | ||
| 326 | + --a0i; | ||
| 327 | + } | ||
| 328 | + codingLine[a0i] = a1; | ||
| 329 | + } | ||
| 330 | + } | ||
| 331 | + | ||
| 332 | int CCITTFaxStream::lookChar() { | ||
| 333 | short code1, code2, code3; | ||
| 334 | ! int b1i, blackPixels, i, bits; | ||
| 335 | ! GBool gotEOL; | ||
| 336 | |||
| 337 | ! if (buf != EOF) { | ||
| 338 | ! return buf; | ||
| 339 | } | ||
| 340 | |||
| 341 | // read the next row | ||
| 342 | ! if (outputBits == 0) { | ||
| 343 | ! | ||
| 344 | ! // if at eof just return EOF | ||
| 345 | ! if (eof) { | ||
| 346 | ! return EOF; | ||
| 347 | ! } | ||
| 348 | ! | ||
| 349 | ! err = gFalse; | ||
| 350 | |||
| 351 | // 2-D encoding | ||
| 352 | if (nextLine2D) { | ||
| 353 | for (i = 0; codingLine[i] < columns; ++i) { | ||
| 354 | refLine[i] = codingLine[i]; | ||
| 355 | } | ||
| 356 | ! refLine[i++] = columns; | ||
| 357 | ! refLine[i] = columns; | ||
| 358 | ! codingLine[0] = 0; | ||
| 359 | ! a0i = 0; | ||
| 360 | ! b1i = 0; | ||
| 361 | ! blackPixels = 0; | ||
| 362 | ! // invariant: | ||
| 363 | ! // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] | ||
| 364 | ! // <= columns | ||
| 365 | ! // exception at left edge: | ||
| 366 | ! // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible | ||
| 367 | ! // exception at right edge: | ||
| 368 | ! // refLine[b1i] = refLine[b1i+1] = columns is possible | ||
| 369 | ! while (codingLine[a0i] < columns) { | ||
| 370 | code1 = getTwoDimCode(); | ||
| 371 | switch (code1) { | ||
| 372 | case twoDimPass: | ||
| 373 | ! addPixels(refLine[b1i + 1], blackPixels); | ||
| 374 | ! if (refLine[b1i + 1] < columns) { | ||
| 375 | ! b1i += 2; | ||
| 376 | } | ||
| 377 | break; | ||
| 378 | case twoDimHoriz: | ||
| 379 | ! code1 = code2 = 0; | ||
| 380 | ! if (blackPixels) { | ||
| 381 | do { | ||
| 382 | ! code1 += code3 = getBlackCode(); | ||
| 383 | } while (code3 >= 64); | ||
| 384 | do { | ||
| 385 | ! code2 += code3 = getWhiteCode(); | ||
| 386 | } while (code3 >= 64); | ||
| 387 | } else { | ||
| 388 | do { | ||
| 389 | ! code1 += code3 = getWhiteCode(); | ||
| 390 | } while (code3 >= 64); | ||
| 391 | do { | ||
| 392 | ! code2 += code3 = getBlackCode(); | ||
| 393 | } while (code3 >= 64); | ||
| 394 | } | ||
| 395 | ! addPixels(codingLine[a0i] + code1, blackPixels); | ||
| 396 | ! if (codingLine[a0i] < columns) { | ||
| 397 | ! addPixels(codingLine[a0i] + code2, blackPixels ^ 1); | ||
| 398 | ! } | ||
| 399 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 400 | ! b1i += 2; | ||
| 401 | ! } | ||
| 402 | ! break; | ||
| 403 | ! case twoDimVertR3: | ||
| 404 | ! addPixels(refLine[b1i] + 3, blackPixels); | ||
| 405 | ! blackPixels ^= 1; | ||
| 406 | ! if (codingLine[a0i] < columns) { | ||
| 407 | ! ++b1i; | ||
| 408 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 409 | ! b1i += 2; | ||
| 410 | } | ||
| 411 | } | ||
| 412 | break; | ||
| 413 | ! case twoDimVertR2: | ||
| 414 | ! addPixels(refLine[b1i] + 2, blackPixels); | ||
| 415 | ! blackPixels ^= 1; | ||
| 416 | ! if (codingLine[a0i] < columns) { | ||
| 417 | ! ++b1i; | ||
| 418 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 419 | ! b1i += 2; | ||
| 420 | } | ||
| 421 | } | ||
| 422 | break; | ||
| 423 | case twoDimVertR1: | ||
| 424 | ! addPixels(refLine[b1i] + 1, blackPixels); | ||
| 425 | ! blackPixels ^= 1; | ||
| 426 | ! if (codingLine[a0i] < columns) { | ||
| 427 | ! ++b1i; | ||
| 428 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 429 | ! b1i += 2; | ||
| 430 | } | ||
| 431 | } | ||
| 432 | break; | ||
| 433 | ! case twoDimVert0: | ||
| 434 | ! addPixels(refLine[b1i], blackPixels); | ||
| 435 | ! blackPixels ^= 1; | ||
| 436 | ! if (codingLine[a0i] < columns) { | ||
| 437 | ! ++b1i; | ||
| 438 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 439 | ! b1i += 2; | ||
| 440 | } | ||
| 441 | } | ||
| 442 | break; | ||
| 443 | ! case twoDimVertL3: | ||
| 444 | ! addPixelsNeg(refLine[b1i] - 3, blackPixels); | ||
| 445 | ! blackPixels ^= 1; | ||
| 446 | ! if (codingLine[a0i] < columns) { | ||
| 447 | ! if (b1i > 0) { | ||
| 448 | ! --b1i; | ||
| 449 | ! } else { | ||
| 450 | ! ++b1i; | ||
| 451 | ! } | ||
| 452 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 453 | ! b1i += 2; | ||
| 454 | } | ||
| 455 | } | ||
| 456 | break; | ||
| 457 | case twoDimVertL2: | ||
| 458 | ! addPixelsNeg(refLine[b1i] - 2, blackPixels); | ||
| 459 | ! blackPixels ^= 1; | ||
| 460 | ! if (codingLine[a0i] < columns) { | ||
| 461 | ! if (b1i > 0) { | ||
| 462 | ! --b1i; | ||
| 463 | ! } else { | ||
| 464 | ! ++b1i; | ||
| 465 | } | ||
| 466 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 467 | ! b1i += 2; | ||
| 468 | } | ||
| 469 | } | ||
| 470 | break; | ||
| 471 | ! case twoDimVertL1: | ||
| 472 | ! addPixelsNeg(refLine[b1i] - 1, blackPixels); | ||
| 473 | ! blackPixels ^= 1; | ||
| 474 | ! if (codingLine[a0i] < columns) { | ||
| 475 | ! if (b1i > 0) { | ||
| 476 | ! --b1i; | ||
| 477 | ! } else { | ||
| 478 | ! ++b1i; | ||
| 479 | ! } | ||
| 480 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { | ||
| 481 | ! b1i += 2; | ||
| 482 | } | ||
| 483 | } | ||
| 484 | break; | ||
| 485 | case EOF: | ||
| 486 | + addPixels(columns, 0); | ||
| 487 | eof = gTrue; | ||
| 488 | ! break; | ||
| 489 | default: | ||
| 490 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); | ||
| 491 | + addPixels(columns, 0); | ||
| 492 | err = gTrue; | ||
| 493 | break; | ||
| 494 | } | ||
| 495 | ! } | ||
| 496 | |||
| 497 | // 1-D encoding | ||
| 498 | } else { | ||
| 499 | ! codingLine[0] = 0; | ||
| 500 | ! a0i = 0; | ||
| 501 | ! blackPixels = 0; | ||
| 502 | ! while (codingLine[a0i] < columns) { | ||
| 503 | code1 = 0; | ||
| 504 | ! if (blackPixels) { | ||
| 505 | ! do { | ||
| 506 | ! code1 += code3 = getBlackCode(); | ||
| 507 | ! } while (code3 >= 64); | ||
| 508 | ! } else { | ||
| 509 | ! do { | ||
| 510 | ! code1 += code3 = getWhiteCode(); | ||
| 511 | ! } while (code3 >= 64); | ||
| 512 | } | ||
| 513 | + addPixels(codingLine[a0i] + code1, blackPixels); | ||
| 514 | + blackPixels ^= 1; | ||
| 515 | } | ||
| 516 | } | ||
| 517 | |||
| 518 | // byte-align the row | ||
| 519 | if (byteAlign) { | ||
| 520 | inputBits &= ~7; | ||
| 521 | *************** | ||
| 522 | *** 1560,1573 **** | ||
| 523 | // this if we know the stream contains end-of-line markers because | ||
| 524 | // the "just plow on" technique tends to work better otherwise | ||
| 525 | } else if (err && endOfLine) { | ||
| 526 | ! do { | ||
| 527 | if (code1 == EOF) { | ||
| 528 | eof = gTrue; | ||
| 529 | return EOF; | ||
| 530 | } | ||
| 531 | eatBits(1); | ||
| 532 | ! code1 = lookBits(13); | ||
| 533 | ! } while ((code1 >> 1) != 0x001); | ||
| 534 | eatBits(12); | ||
| 535 | if (encoding > 0) { | ||
| 536 | eatBits(1); | ||
| 537 | --- 1582,1598 ---- | ||
| 538 | // this if we know the stream contains end-of-line markers because | ||
| 539 | // the "just plow on" technique tends to work better otherwise | ||
| 540 | } else if (err && endOfLine) { | ||
| 541 | ! while (1) { | ||
| 542 | ! code1 = lookBits(13); | ||
| 543 | if (code1 == EOF) { | ||
| 544 | eof = gTrue; | ||
| 545 | return EOF; | ||
| 546 | } | ||
| 547 | + if ((code1 >> 1) == 0x001) { | ||
| 548 | + break; | ||
| 549 | + } | ||
| 550 | eatBits(1); | ||
| 551 | ! } | ||
| 552 | eatBits(12); | ||
| 553 | if (encoding > 0) { | ||
| 554 | eatBits(1); | ||
| 555 | *************** | ||
| 556 | *** 1575,1585 **** | ||
| 557 | } | ||
| 558 | } | ||
| 559 | |||
| 560 | ! a0 = 0; | ||
| 561 | ! outputBits = codingLine[1] - codingLine[0]; | ||
| 562 | ! if (outputBits == 0) { | ||
| 563 | ! a0 = 1; | ||
| 564 | ! outputBits = codingLine[2] - codingLine[1]; | ||
| 565 | } | ||
| 566 | |||
| 567 | ++row; | ||
| 568 | --- 1600,1610 ---- | ||
| 569 | } | ||
| 570 | } | ||
| 571 | |||
| 572 | ! // set up for output | ||
| 573 | ! if (codingLine[0] > 0) { | ||
| 574 | ! outputBits = codingLine[a0i = 0]; | ||
| 575 | ! } else { | ||
| 576 | ! outputBits = codingLine[a0i = 1]; | ||
| 577 | } | ||
| 578 | |||
| 579 | ++row; | ||
| 580 | *************** | ||
| 581 | *** 1587,1625 **** | ||
| 582 | |||
| 583 | // get a byte | ||
| 584 | if (outputBits >= 8) { | ||
| 585 | ! ret = ((a0 & 1) == 0) ? 0xff : 0x00; | ||
| 586 | ! if ((outputBits -= 8) == 0) { | ||
| 587 | ! ++a0; | ||
| 588 | ! if (codingLine[a0] < columns) { | ||
| 589 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; | ||
| 590 | ! } | ||
| 591 | } | ||
| 592 | } else { | ||
| 593 | bits = 8; | ||
| 594 | ! ret = 0; | ||
| 595 | do { | ||
| 596 | if (outputBits > bits) { | ||
| 597 | ! i = bits; | ||
| 598 | ! bits = 0; | ||
| 599 | ! if ((a0 & 1) == 0) { | ||
| 600 | ! ret |= 0xff >> (8 - i); | ||
| 601 | } | ||
| 602 | ! outputBits -= i; | ||
| 603 | } else { | ||
| 604 | ! i = outputBits; | ||
| 605 | ! bits -= outputBits; | ||
| 606 | ! if ((a0 & 1) == 0) { | ||
| 607 | ! ret |= (0xff >> (8 - i)) << bits; | ||
| 608 | } | ||
| 609 | outputBits = 0; | ||
| 610 | ! ++a0; | ||
| 611 | ! if (codingLine[a0] < columns) { | ||
| 612 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; | ||
| 613 | } | ||
| 614 | } | ||
| 615 | ! } while (bits > 0 && codingLine[a0] < columns); | ||
| 616 | } | ||
| 617 | - buf = black ? (ret ^ 0xff) : ret; | ||
| 618 | return buf; | ||
| 619 | } | ||
| 620 | |||
| 621 | --- 1612,1654 ---- | ||
| 622 | |||
| 623 | // get a byte | ||
| 624 | if (outputBits >= 8) { | ||
| 625 | ! buf = (a0i & 1) ? 0x00 : 0xff; | ||
| 626 | ! outputBits -= 8; | ||
| 627 | ! if (outputBits == 0 && codingLine[a0i] < columns) { | ||
| 628 | ! ++a0i; | ||
| 629 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; | ||
| 630 | } | ||
| 631 | } else { | ||
| 632 | bits = 8; | ||
| 633 | ! buf = 0; | ||
| 634 | do { | ||
| 635 | if (outputBits > bits) { | ||
| 636 | ! buf <<= bits; | ||
| 637 | ! if (!(a0i & 1)) { | ||
| 638 | ! buf |= 0xff >> (8 - bits); | ||
| 639 | } | ||
| 640 | ! outputBits -= bits; | ||
| 641 | ! bits = 0; | ||
| 642 | } else { | ||
| 643 | ! buf <<= outputBits; | ||
| 644 | ! if (!(a0i & 1)) { | ||
| 645 | ! buf |= 0xff >> (8 - outputBits); | ||
| 646 | } | ||
| 647 | + bits -= outputBits; | ||
| 648 | outputBits = 0; | ||
| 649 | ! if (codingLine[a0i] < columns) { | ||
| 650 | ! ++a0i; | ||
| 651 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; | ||
| 652 | ! } else if (bits > 0) { | ||
| 653 | ! buf <<= bits; | ||
| 654 | ! bits = 0; | ||
| 655 | } | ||
| 656 | } | ||
| 657 | ! } while (bits); | ||
| 658 | ! } | ||
| 659 | ! if (black) { | ||
| 660 | ! buf ^= 0xff; | ||
| 661 | } | ||
| 662 | return buf; | ||
| 663 | } | ||
| 664 | |||
| 665 | *************** | ||
| 666 | *** 1661,1666 **** | ||
| 667 | --- 1690,1698 ---- | ||
| 668 | code = 0; // make gcc happy | ||
| 669 | if (endOfBlock) { | ||
| 670 | code = lookBits(12); | ||
| 671 | + if (code == EOF) { | ||
| 672 | + return 1; | ||
| 673 | + } | ||
| 674 | if ((code >> 5) == 0) { | ||
| 675 | p = &whiteTab1[code]; | ||
| 676 | } else { | ||
| 677 | *************** | ||
| 678 | *** 1673,1678 **** | ||
| 679 | --- 1705,1713 ---- | ||
| 680 | } else { | ||
| 681 | for (n = 1; n <= 9; ++n) { | ||
| 682 | code = lookBits(n); | ||
| 683 | + if (code == EOF) { | ||
| 684 | + return 1; | ||
| 685 | + } | ||
| 686 | if (n < 9) { | ||
| 687 | code <<= 9 - n; | ||
| 688 | } | ||
| 689 | *************** | ||
| 690 | *** 1684,1689 **** | ||
| 691 | --- 1719,1727 ---- | ||
| 692 | } | ||
| 693 | for (n = 11; n <= 12; ++n) { | ||
| 694 | code = lookBits(n); | ||
| 695 | + if (code == EOF) { | ||
| 696 | + return 1; | ||
| 697 | + } | ||
| 698 | if (n < 12) { | ||
| 699 | code <<= 12 - n; | ||
| 700 | } | ||
| 701 | *************** | ||
| 702 | *** 1709,1717 **** | ||
| 703 | code = 0; // make gcc happy | ||
| 704 | if (endOfBlock) { | ||
| 705 | code = lookBits(13); | ||
| 706 | if ((code >> 7) == 0) { | ||
| 707 | p = &blackTab1[code]; | ||
| 708 | ! } else if ((code >> 9) == 0) { | ||
| 709 | p = &blackTab2[(code >> 1) - 64]; | ||
| 710 | } else { | ||
| 711 | p = &blackTab3[code >> 7]; | ||
| 712 | --- 1747,1758 ---- | ||
| 713 | code = 0; // make gcc happy | ||
| 714 | if (endOfBlock) { | ||
| 715 | code = lookBits(13); | ||
| 716 | + if (code == EOF) { | ||
| 717 | + return 1; | ||
| 718 | + } | ||
| 719 | if ((code >> 7) == 0) { | ||
| 720 | p = &blackTab1[code]; | ||
| 721 | ! } else if ((code >> 9) == 0 && (code >> 7) != 0) { | ||
| 722 | p = &blackTab2[(code >> 1) - 64]; | ||
| 723 | } else { | ||
| 724 | p = &blackTab3[code >> 7]; | ||
| 725 | *************** | ||
| 726 | *** 1723,1728 **** | ||
| 727 | --- 1764,1772 ---- | ||
| 728 | } else { | ||
| 729 | for (n = 2; n <= 6; ++n) { | ||
| 730 | code = lookBits(n); | ||
| 731 | + if (code == EOF) { | ||
| 732 | + return 1; | ||
| 733 | + } | ||
| 734 | if (n < 6) { | ||
| 735 | code <<= 6 - n; | ||
| 736 | } | ||
| 737 | *************** | ||
| 738 | *** 1734,1739 **** | ||
| 739 | --- 1778,1786 ---- | ||
| 740 | } | ||
| 741 | for (n = 7; n <= 12; ++n) { | ||
| 742 | code = lookBits(n); | ||
| 743 | + if (code == EOF) { | ||
| 744 | + return 1; | ||
| 745 | + } | ||
| 746 | if (n < 12) { | ||
| 747 | code <<= 12 - n; | ||
| 748 | } | ||
| 749 | *************** | ||
| 750 | *** 1747,1752 **** | ||
| 751 | --- 1794,1802 ---- | ||
| 752 | } | ||
| 753 | for (n = 10; n <= 13; ++n) { | ||
| 754 | code = lookBits(n); | ||
| 755 | + if (code == EOF) { | ||
| 756 | + return 1; | ||
| 757 | + } | ||
| 758 | if (n < 13) { | ||
| 759 | code <<= 13 - n; | ||
| 760 | } | ||
| 761 | *************** | ||
| 762 | *** 1961,1966 **** | ||
| 763 | --- 2011,2022 ---- | ||
| 764 | // allocate a buffer for the whole image | ||
| 765 | bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth; | ||
| 766 | bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight; | ||
| 767 | + if (bufWidth <= 0 || bufHeight <= 0 || | ||
| 768 | + bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) { | ||
| 769 | + error(getPos(), "Invalid image size in DCT stream"); | ||
| 770 | + y = height; | ||
| 771 | + return; | ||
| 772 | + } | ||
| 773 | for (i = 0; i < numComps; ++i) { | ||
| 774 | frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int)); | ||
| 775 | memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int)); | ||
| 776 | *************** | ||
| 777 | *** 3036,3041 **** | ||
| 778 | --- 3092,3102 ---- | ||
| 779 | } | ||
| 780 | scanInfo.firstCoeff = str->getChar(); | ||
| 781 | scanInfo.lastCoeff = str->getChar(); | ||
| 782 | + if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 || | ||
| 783 | + scanInfo.firstCoeff > scanInfo.lastCoeff) { | ||
| 784 | + error(getPos(), "Bad DCT coefficient numbers in scan info block"); | ||
| 785 | + return gFalse; | ||
| 786 | + } | ||
| 787 | c = str->getChar(); | ||
| 788 | scanInfo.ah = (c >> 4) & 0x0f; | ||
| 789 | scanInfo.al = c & 0x0f; | ||
| 790 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.h xpdf-3.02/xpdf/Stream.h | ||
| 791 | *** xpdf-3.02pl1.orig/xpdf/Stream.h Tue Feb 27 14:05:52 2007 | ||
| 792 | --- xpdf-3.02/xpdf/Stream.h Thu Oct 25 15:48:15 2007 | ||
| 793 | *************** | ||
| 794 | *** 528,540 **** | ||
| 795 | int row; // current row | ||
| 796 | int inputBuf; // input buffer | ||
| 797 | int inputBits; // number of bits in input buffer | ||
| 798 | ! short *refLine; // reference line changing elements | ||
| 799 | ! int b1; // index into refLine | ||
| 800 | ! short *codingLine; // coding line changing elements | ||
| 801 | ! int a0; // index into codingLine | ||
| 802 | int outputBits; // remaining ouput bits | ||
| 803 | int buf; // character buffer | ||
| 804 | |||
| 805 | short getTwoDimCode(); | ||
| 806 | short getWhiteCode(); | ||
| 807 | short getBlackCode(); | ||
| 808 | --- 528,542 ---- | ||
| 809 | int row; // current row | ||
| 810 | int inputBuf; // input buffer | ||
| 811 | int inputBits; // number of bits in input buffer | ||
| 812 | ! int *codingLine; // coding line changing elements | ||
| 813 | ! int *refLine; // reference line changing elements | ||
| 814 | ! int a0i; // index into codingLine | ||
| 815 | ! GBool err; // error on current line | ||
| 816 | int outputBits; // remaining ouput bits | ||
| 817 | int buf; // character buffer | ||
| 818 | |||
| 819 | + void addPixels(int a1, int black); | ||
| 820 | + void addPixelsNeg(int a1, int black); | ||
| 821 | short getTwoDimCode(); | ||
| 822 | short getWhiteCode(); | ||
| 823 | short getBlackCode(); |