Contents of /trunk/xpdf/patches/xpdf-3.02pl2.patch
Parent Directory
| 
Revision Log
Revision 521 -
(show annotations)
(download)
Sun Mar 23 21:28:15 2008 UTC (16 years, 1 month ago) by niro
File size: 20843 byte(s)
Sun Mar 23 21:28:15 2008 UTC (16 years, 1 month ago) by niro
File size: 20843 byte(s)
-securtiy fix
| 1 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.cc xpdf-3.02/xpdf/Stream.cc |
| 2 | *** xpdf-3.02pl1.orig/xpdf/Stream.cc Thu Oct 25 15:47:38 2007 |
| 3 | --- xpdf-3.02/xpdf/Stream.cc Thu Oct 25 15:48:19 2007 |
| 4 | *************** |
| 5 | *** 1243,1265 **** |
| 6 | columns = columnsA; |
| 7 | if (columns < 1) { |
| 8 | columns = 1; |
| 9 | ! } |
| 10 | ! if (columns + 4 <= 0) { |
| 11 | ! columns = INT_MAX - 4; |
| 12 | } |
| 13 | rows = rowsA; |
| 14 | endOfBlock = endOfBlockA; |
| 15 | black = blackA; |
| 16 | ! refLine = (short *)gmallocn(columns + 3, sizeof(short)); |
| 17 | ! codingLine = (short *)gmallocn(columns + 2, sizeof(short)); |
| 18 | |
| 19 | eof = gFalse; |
| 20 | row = 0; |
| 21 | nextLine2D = encoding < 0; |
| 22 | inputBits = 0; |
| 23 | ! codingLine[0] = 0; |
| 24 | ! codingLine[1] = refLine[2] = columns; |
| 25 | ! a0 = 1; |
| 26 | |
| 27 | buf = EOF; |
| 28 | } |
| 29 | --- 1243,1268 ---- |
| 30 | columns = columnsA; |
| 31 | if (columns < 1) { |
| 32 | columns = 1; |
| 33 | ! } else if (columns > INT_MAX - 2) { |
| 34 | ! columns = INT_MAX - 2; |
| 35 | } |
| 36 | rows = rowsA; |
| 37 | endOfBlock = endOfBlockA; |
| 38 | black = blackA; |
| 39 | ! // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns |
| 40 | ! // ---> max codingLine size = columns + 1 |
| 41 | ! // refLine has one extra guard entry at the end |
| 42 | ! // ---> max refLine size = columns + 2 |
| 43 | ! codingLine = (int *)gmallocn(columns + 1, sizeof(int)); |
| 44 | ! refLine = (int *)gmallocn(columns + 2, sizeof(int)); |
| 45 | |
| 46 | eof = gFalse; |
| 47 | row = 0; |
| 48 | nextLine2D = encoding < 0; |
| 49 | inputBits = 0; |
| 50 | ! codingLine[0] = columns; |
| 51 | ! a0i = 0; |
| 52 | ! outputBits = 0; |
| 53 | |
| 54 | buf = EOF; |
| 55 | } |
| 56 | *************** |
| 57 | *** 1278,1286 **** |
| 58 | row = 0; |
| 59 | nextLine2D = encoding < 0; |
| 60 | inputBits = 0; |
| 61 | ! codingLine[0] = 0; |
| 62 | ! codingLine[1] = columns; |
| 63 | ! a0 = 1; |
| 64 | buf = EOF; |
| 65 | |
| 66 | // skip any initial zero bits and end-of-line marker, and get the 2D |
| 67 | --- 1281,1289 ---- |
| 68 | row = 0; |
| 69 | nextLine2D = encoding < 0; |
| 70 | inputBits = 0; |
| 71 | ! codingLine[0] = columns; |
| 72 | ! a0i = 0; |
| 73 | ! outputBits = 0; |
| 74 | buf = EOF; |
| 75 | |
| 76 | // skip any initial zero bits and end-of-line marker, and get the 2D |
| 77 | *************** |
| 78 | *** 1297,1507 **** |
| 79 | } |
| 80 | } |
| 81 | |
| 82 | int CCITTFaxStream::lookChar() { |
| 83 | short code1, code2, code3; |
| 84 | ! int a0New; |
| 85 | ! GBool err, gotEOL; |
| 86 | ! int ret; |
| 87 | ! int bits, i; |
| 88 | |
| 89 | ! // if at eof just return EOF |
| 90 | ! if (eof && codingLine[a0] >= columns) { |
| 91 | ! return EOF; |
| 92 | } |
| 93 | |
| 94 | // read the next row |
| 95 | ! err = gFalse; |
| 96 | ! if (codingLine[a0] >= columns) { |
| 97 | |
| 98 | // 2-D encoding |
| 99 | if (nextLine2D) { |
| 100 | - // state: |
| 101 | - // a0New = current position in coding line (0 <= a0New <= columns) |
| 102 | - // codingLine[a0] = last change in coding line |
| 103 | - // (black-to-white if a0 is even, |
| 104 | - // white-to-black if a0 is odd) |
| 105 | - // refLine[b1] = next change in reference line of opposite color |
| 106 | - // to a0 |
| 107 | - // invariants: |
| 108 | - // 0 <= codingLine[a0] <= a0New |
| 109 | - // <= refLine[b1] <= refLine[b1+1] <= columns |
| 110 | - // 0 <= a0 <= columns+1 |
| 111 | - // refLine[0] = 0 |
| 112 | - // refLine[n] = refLine[n+1] = columns |
| 113 | - // -- for some 1 <= n <= columns+1 |
| 114 | - // end condition: |
| 115 | - // 0 = codingLine[0] <= codingLine[1] < codingLine[2] < ... |
| 116 | - // < codingLine[n-1] < codingLine[n] = columns |
| 117 | - // -- where 1 <= n <= columns+1 |
| 118 | for (i = 0; codingLine[i] < columns; ++i) { |
| 119 | refLine[i] = codingLine[i]; |
| 120 | } |
| 121 | ! refLine[i] = refLine[i + 1] = columns; |
| 122 | ! b1 = 1; |
| 123 | ! a0New = codingLine[a0 = 0] = 0; |
| 124 | ! do { |
| 125 | code1 = getTwoDimCode(); |
| 126 | switch (code1) { |
| 127 | case twoDimPass: |
| 128 | ! if (refLine[b1] < columns) { |
| 129 | ! a0New = refLine[b1 + 1]; |
| 130 | ! b1 += 2; |
| 131 | } |
| 132 | break; |
| 133 | case twoDimHoriz: |
| 134 | ! if ((a0 & 1) == 0) { |
| 135 | ! code1 = code2 = 0; |
| 136 | do { |
| 137 | ! code1 += code3 = getWhiteCode(); |
| 138 | } while (code3 >= 64); |
| 139 | do { |
| 140 | ! code2 += code3 = getBlackCode(); |
| 141 | } while (code3 >= 64); |
| 142 | } else { |
| 143 | - code1 = code2 = 0; |
| 144 | do { |
| 145 | ! code1 += code3 = getBlackCode(); |
| 146 | } while (code3 >= 64); |
| 147 | do { |
| 148 | ! code2 += code3 = getWhiteCode(); |
| 149 | } while (code3 >= 64); |
| 150 | } |
| 151 | ! if (code1 > 0 || code2 > 0) { |
| 152 | ! if (a0New + code1 <= columns) { |
| 153 | ! codingLine[a0 + 1] = a0New + code1; |
| 154 | ! } else { |
| 155 | ! codingLine[a0 + 1] = columns; |
| 156 | ! } |
| 157 | ! ++a0; |
| 158 | ! if (codingLine[a0] + code2 <= columns) { |
| 159 | ! codingLine[a0 + 1] = codingLine[a0] + code2; |
| 160 | ! } else { |
| 161 | ! codingLine[a0 + 1] = columns; |
| 162 | ! } |
| 163 | ! ++a0; |
| 164 | ! a0New = codingLine[a0]; |
| 165 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 166 | ! b1 += 2; |
| 167 | } |
| 168 | } |
| 169 | break; |
| 170 | ! case twoDimVert0: |
| 171 | ! if (refLine[b1] < columns) { |
| 172 | ! a0New = codingLine[++a0] = refLine[b1]; |
| 173 | ! ++b1; |
| 174 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 175 | ! b1 += 2; |
| 176 | } |
| 177 | - } else { |
| 178 | - a0New = codingLine[++a0] = columns; |
| 179 | } |
| 180 | break; |
| 181 | case twoDimVertR1: |
| 182 | ! if (refLine[b1] + 1 < columns) { |
| 183 | ! a0New = codingLine[++a0] = refLine[b1] + 1; |
| 184 | ! ++b1; |
| 185 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 186 | ! b1 += 2; |
| 187 | } |
| 188 | - } else { |
| 189 | - a0New = codingLine[++a0] = columns; |
| 190 | } |
| 191 | break; |
| 192 | ! case twoDimVertL1: |
| 193 | ! if (refLine[b1] - 1 > a0New || (a0 == 0 && refLine[b1] == 1)) { |
| 194 | ! a0New = codingLine[++a0] = refLine[b1] - 1; |
| 195 | ! --b1; |
| 196 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 197 | ! b1 += 2; |
| 198 | } |
| 199 | } |
| 200 | break; |
| 201 | ! case twoDimVertR2: |
| 202 | ! if (refLine[b1] + 2 < columns) { |
| 203 | ! a0New = codingLine[++a0] = refLine[b1] + 2; |
| 204 | ! ++b1; |
| 205 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 206 | ! b1 += 2; |
| 207 | } |
| 208 | - } else { |
| 209 | - a0New = codingLine[++a0] = columns; |
| 210 | } |
| 211 | break; |
| 212 | case twoDimVertL2: |
| 213 | ! if (refLine[b1] - 2 > a0New || (a0 == 0 && refLine[b1] == 2)) { |
| 214 | ! a0New = codingLine[++a0] = refLine[b1] - 2; |
| 215 | ! --b1; |
| 216 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 217 | ! b1 += 2; |
| 218 | } |
| 219 | ! } |
| 220 | ! break; |
| 221 | ! case twoDimVertR3: |
| 222 | ! if (refLine[b1] + 3 < columns) { |
| 223 | ! a0New = codingLine[++a0] = refLine[b1] + 3; |
| 224 | ! ++b1; |
| 225 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 226 | ! b1 += 2; |
| 227 | } |
| 228 | - } else { |
| 229 | - a0New = codingLine[++a0] = columns; |
| 230 | } |
| 231 | break; |
| 232 | ! case twoDimVertL3: |
| 233 | ! if (refLine[b1] - 3 > a0New || (a0 == 0 && refLine[b1] == 3)) { |
| 234 | ! a0New = codingLine[++a0] = refLine[b1] - 3; |
| 235 | ! --b1; |
| 236 | ! while (refLine[b1] <= a0New && refLine[b1] < columns) { |
| 237 | ! b1 += 2; |
| 238 | } |
| 239 | } |
| 240 | break; |
| 241 | case EOF: |
| 242 | eof = gTrue; |
| 243 | ! codingLine[a0 = 0] = columns; |
| 244 | ! return EOF; |
| 245 | default: |
| 246 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
| 247 | err = gTrue; |
| 248 | break; |
| 249 | } |
| 250 | ! } while (codingLine[a0] < columns); |
| 251 | |
| 252 | // 1-D encoding |
| 253 | } else { |
| 254 | ! codingLine[a0 = 0] = 0; |
| 255 | ! while (1) { |
| 256 | code1 = 0; |
| 257 | ! do { |
| 258 | ! code1 += code3 = getWhiteCode(); |
| 259 | ! } while (code3 >= 64); |
| 260 | ! codingLine[a0+1] = codingLine[a0] + code1; |
| 261 | ! ++a0; |
| 262 | ! if (codingLine[a0] >= columns) { |
| 263 | ! break; |
| 264 | ! } |
| 265 | ! code2 = 0; |
| 266 | ! do { |
| 267 | ! code2 += code3 = getBlackCode(); |
| 268 | ! } while (code3 >= 64); |
| 269 | ! codingLine[a0+1] = codingLine[a0] + code2; |
| 270 | ! ++a0; |
| 271 | ! if (codingLine[a0] >= columns) { |
| 272 | ! break; |
| 273 | } |
| 274 | } |
| 275 | } |
| 276 | |
| 277 | - if (codingLine[a0] != columns) { |
| 278 | - error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]); |
| 279 | - // force the row to be the correct length |
| 280 | - while (codingLine[a0] > columns) { |
| 281 | - --a0; |
| 282 | - } |
| 283 | - codingLine[++a0] = columns; |
| 284 | - err = gTrue; |
| 285 | - } |
| 286 | - |
| 287 | // byte-align the row |
| 288 | if (byteAlign) { |
| 289 | inputBits &= ~7; |
| 290 | --- 1300,1529 ---- |
| 291 | } |
| 292 | } |
| 293 | |
| 294 | + inline void CCITTFaxStream::addPixels(int a1, int blackPixels) { |
| 295 | + if (a1 > codingLine[a0i]) { |
| 296 | + if (a1 > columns) { |
| 297 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
| 298 | + err = gTrue; |
| 299 | + a1 = columns; |
| 300 | + } |
| 301 | + if ((a0i & 1) ^ blackPixels) { |
| 302 | + ++a0i; |
| 303 | + } |
| 304 | + codingLine[a0i] = a1; |
| 305 | + } |
| 306 | + } |
| 307 | + |
| 308 | + inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) { |
| 309 | + if (a1 > codingLine[a0i]) { |
| 310 | + if (a1 > columns) { |
| 311 | + error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
| 312 | + err = gTrue; |
| 313 | + a1 = columns; |
| 314 | + } |
| 315 | + if ((a0i & 1) ^ blackPixels) { |
| 316 | + ++a0i; |
| 317 | + } |
| 318 | + codingLine[a0i] = a1; |
| 319 | + } else if (a1 < codingLine[a0i]) { |
| 320 | + if (a1 < 0) { |
| 321 | + error(getPos(), "Invalid CCITTFax code"); |
| 322 | + err = gTrue; |
| 323 | + a1 = 0; |
| 324 | + } |
| 325 | + while (a0i > 0 && a1 <= codingLine[a0i - 1]) { |
| 326 | + --a0i; |
| 327 | + } |
| 328 | + codingLine[a0i] = a1; |
| 329 | + } |
| 330 | + } |
| 331 | + |
| 332 | int CCITTFaxStream::lookChar() { |
| 333 | short code1, code2, code3; |
| 334 | ! int b1i, blackPixels, i, bits; |
| 335 | ! GBool gotEOL; |
| 336 | |
| 337 | ! if (buf != EOF) { |
| 338 | ! return buf; |
| 339 | } |
| 340 | |
| 341 | // read the next row |
| 342 | ! if (outputBits == 0) { |
| 343 | ! |
| 344 | ! // if at eof just return EOF |
| 345 | ! if (eof) { |
| 346 | ! return EOF; |
| 347 | ! } |
| 348 | ! |
| 349 | ! err = gFalse; |
| 350 | |
| 351 | // 2-D encoding |
| 352 | if (nextLine2D) { |
| 353 | for (i = 0; codingLine[i] < columns; ++i) { |
| 354 | refLine[i] = codingLine[i]; |
| 355 | } |
| 356 | ! refLine[i++] = columns; |
| 357 | ! refLine[i] = columns; |
| 358 | ! codingLine[0] = 0; |
| 359 | ! a0i = 0; |
| 360 | ! b1i = 0; |
| 361 | ! blackPixels = 0; |
| 362 | ! // invariant: |
| 363 | ! // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] |
| 364 | ! // <= columns |
| 365 | ! // exception at left edge: |
| 366 | ! // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible |
| 367 | ! // exception at right edge: |
| 368 | ! // refLine[b1i] = refLine[b1i+1] = columns is possible |
| 369 | ! while (codingLine[a0i] < columns) { |
| 370 | code1 = getTwoDimCode(); |
| 371 | switch (code1) { |
| 372 | case twoDimPass: |
| 373 | ! addPixels(refLine[b1i + 1], blackPixels); |
| 374 | ! if (refLine[b1i + 1] < columns) { |
| 375 | ! b1i += 2; |
| 376 | } |
| 377 | break; |
| 378 | case twoDimHoriz: |
| 379 | ! code1 = code2 = 0; |
| 380 | ! if (blackPixels) { |
| 381 | do { |
| 382 | ! code1 += code3 = getBlackCode(); |
| 383 | } while (code3 >= 64); |
| 384 | do { |
| 385 | ! code2 += code3 = getWhiteCode(); |
| 386 | } while (code3 >= 64); |
| 387 | } else { |
| 388 | do { |
| 389 | ! code1 += code3 = getWhiteCode(); |
| 390 | } while (code3 >= 64); |
| 391 | do { |
| 392 | ! code2 += code3 = getBlackCode(); |
| 393 | } while (code3 >= 64); |
| 394 | } |
| 395 | ! addPixels(codingLine[a0i] + code1, blackPixels); |
| 396 | ! if (codingLine[a0i] < columns) { |
| 397 | ! addPixels(codingLine[a0i] + code2, blackPixels ^ 1); |
| 398 | ! } |
| 399 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 400 | ! b1i += 2; |
| 401 | ! } |
| 402 | ! break; |
| 403 | ! case twoDimVertR3: |
| 404 | ! addPixels(refLine[b1i] + 3, blackPixels); |
| 405 | ! blackPixels ^= 1; |
| 406 | ! if (codingLine[a0i] < columns) { |
| 407 | ! ++b1i; |
| 408 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 409 | ! b1i += 2; |
| 410 | } |
| 411 | } |
| 412 | break; |
| 413 | ! case twoDimVertR2: |
| 414 | ! addPixels(refLine[b1i] + 2, blackPixels); |
| 415 | ! blackPixels ^= 1; |
| 416 | ! if (codingLine[a0i] < columns) { |
| 417 | ! ++b1i; |
| 418 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 419 | ! b1i += 2; |
| 420 | } |
| 421 | } |
| 422 | break; |
| 423 | case twoDimVertR1: |
| 424 | ! addPixels(refLine[b1i] + 1, blackPixels); |
| 425 | ! blackPixels ^= 1; |
| 426 | ! if (codingLine[a0i] < columns) { |
| 427 | ! ++b1i; |
| 428 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 429 | ! b1i += 2; |
| 430 | } |
| 431 | } |
| 432 | break; |
| 433 | ! case twoDimVert0: |
| 434 | ! addPixels(refLine[b1i], blackPixels); |
| 435 | ! blackPixels ^= 1; |
| 436 | ! if (codingLine[a0i] < columns) { |
| 437 | ! ++b1i; |
| 438 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 439 | ! b1i += 2; |
| 440 | } |
| 441 | } |
| 442 | break; |
| 443 | ! case twoDimVertL3: |
| 444 | ! addPixelsNeg(refLine[b1i] - 3, blackPixels); |
| 445 | ! blackPixels ^= 1; |
| 446 | ! if (codingLine[a0i] < columns) { |
| 447 | ! if (b1i > 0) { |
| 448 | ! --b1i; |
| 449 | ! } else { |
| 450 | ! ++b1i; |
| 451 | ! } |
| 452 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 453 | ! b1i += 2; |
| 454 | } |
| 455 | } |
| 456 | break; |
| 457 | case twoDimVertL2: |
| 458 | ! addPixelsNeg(refLine[b1i] - 2, blackPixels); |
| 459 | ! blackPixels ^= 1; |
| 460 | ! if (codingLine[a0i] < columns) { |
| 461 | ! if (b1i > 0) { |
| 462 | ! --b1i; |
| 463 | ! } else { |
| 464 | ! ++b1i; |
| 465 | } |
| 466 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 467 | ! b1i += 2; |
| 468 | } |
| 469 | } |
| 470 | break; |
| 471 | ! case twoDimVertL1: |
| 472 | ! addPixelsNeg(refLine[b1i] - 1, blackPixels); |
| 473 | ! blackPixels ^= 1; |
| 474 | ! if (codingLine[a0i] < columns) { |
| 475 | ! if (b1i > 0) { |
| 476 | ! --b1i; |
| 477 | ! } else { |
| 478 | ! ++b1i; |
| 479 | ! } |
| 480 | ! while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
| 481 | ! b1i += 2; |
| 482 | } |
| 483 | } |
| 484 | break; |
| 485 | case EOF: |
| 486 | + addPixels(columns, 0); |
| 487 | eof = gTrue; |
| 488 | ! break; |
| 489 | default: |
| 490 | error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
| 491 | + addPixels(columns, 0); |
| 492 | err = gTrue; |
| 493 | break; |
| 494 | } |
| 495 | ! } |
| 496 | |
| 497 | // 1-D encoding |
| 498 | } else { |
| 499 | ! codingLine[0] = 0; |
| 500 | ! a0i = 0; |
| 501 | ! blackPixels = 0; |
| 502 | ! while (codingLine[a0i] < columns) { |
| 503 | code1 = 0; |
| 504 | ! if (blackPixels) { |
| 505 | ! do { |
| 506 | ! code1 += code3 = getBlackCode(); |
| 507 | ! } while (code3 >= 64); |
| 508 | ! } else { |
| 509 | ! do { |
| 510 | ! code1 += code3 = getWhiteCode(); |
| 511 | ! } while (code3 >= 64); |
| 512 | } |
| 513 | + addPixels(codingLine[a0i] + code1, blackPixels); |
| 514 | + blackPixels ^= 1; |
| 515 | } |
| 516 | } |
| 517 | |
| 518 | // byte-align the row |
| 519 | if (byteAlign) { |
| 520 | inputBits &= ~7; |
| 521 | *************** |
| 522 | *** 1560,1573 **** |
| 523 | // this if we know the stream contains end-of-line markers because |
| 524 | // the "just plow on" technique tends to work better otherwise |
| 525 | } else if (err && endOfLine) { |
| 526 | ! do { |
| 527 | if (code1 == EOF) { |
| 528 | eof = gTrue; |
| 529 | return EOF; |
| 530 | } |
| 531 | eatBits(1); |
| 532 | ! code1 = lookBits(13); |
| 533 | ! } while ((code1 >> 1) != 0x001); |
| 534 | eatBits(12); |
| 535 | if (encoding > 0) { |
| 536 | eatBits(1); |
| 537 | --- 1582,1598 ---- |
| 538 | // this if we know the stream contains end-of-line markers because |
| 539 | // the "just plow on" technique tends to work better otherwise |
| 540 | } else if (err && endOfLine) { |
| 541 | ! while (1) { |
| 542 | ! code1 = lookBits(13); |
| 543 | if (code1 == EOF) { |
| 544 | eof = gTrue; |
| 545 | return EOF; |
| 546 | } |
| 547 | + if ((code1 >> 1) == 0x001) { |
| 548 | + break; |
| 549 | + } |
| 550 | eatBits(1); |
| 551 | ! } |
| 552 | eatBits(12); |
| 553 | if (encoding > 0) { |
| 554 | eatBits(1); |
| 555 | *************** |
| 556 | *** 1575,1585 **** |
| 557 | } |
| 558 | } |
| 559 | |
| 560 | ! a0 = 0; |
| 561 | ! outputBits = codingLine[1] - codingLine[0]; |
| 562 | ! if (outputBits == 0) { |
| 563 | ! a0 = 1; |
| 564 | ! outputBits = codingLine[2] - codingLine[1]; |
| 565 | } |
| 566 | |
| 567 | ++row; |
| 568 | --- 1600,1610 ---- |
| 569 | } |
| 570 | } |
| 571 | |
| 572 | ! // set up for output |
| 573 | ! if (codingLine[0] > 0) { |
| 574 | ! outputBits = codingLine[a0i = 0]; |
| 575 | ! } else { |
| 576 | ! outputBits = codingLine[a0i = 1]; |
| 577 | } |
| 578 | |
| 579 | ++row; |
| 580 | *************** |
| 581 | *** 1587,1625 **** |
| 582 | |
| 583 | // get a byte |
| 584 | if (outputBits >= 8) { |
| 585 | ! ret = ((a0 & 1) == 0) ? 0xff : 0x00; |
| 586 | ! if ((outputBits -= 8) == 0) { |
| 587 | ! ++a0; |
| 588 | ! if (codingLine[a0] < columns) { |
| 589 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; |
| 590 | ! } |
| 591 | } |
| 592 | } else { |
| 593 | bits = 8; |
| 594 | ! ret = 0; |
| 595 | do { |
| 596 | if (outputBits > bits) { |
| 597 | ! i = bits; |
| 598 | ! bits = 0; |
| 599 | ! if ((a0 & 1) == 0) { |
| 600 | ! ret |= 0xff >> (8 - i); |
| 601 | } |
| 602 | ! outputBits -= i; |
| 603 | } else { |
| 604 | ! i = outputBits; |
| 605 | ! bits -= outputBits; |
| 606 | ! if ((a0 & 1) == 0) { |
| 607 | ! ret |= (0xff >> (8 - i)) << bits; |
| 608 | } |
| 609 | outputBits = 0; |
| 610 | ! ++a0; |
| 611 | ! if (codingLine[a0] < columns) { |
| 612 | ! outputBits = codingLine[a0 + 1] - codingLine[a0]; |
| 613 | } |
| 614 | } |
| 615 | ! } while (bits > 0 && codingLine[a0] < columns); |
| 616 | } |
| 617 | - buf = black ? (ret ^ 0xff) : ret; |
| 618 | return buf; |
| 619 | } |
| 620 | |
| 621 | --- 1612,1654 ---- |
| 622 | |
| 623 | // get a byte |
| 624 | if (outputBits >= 8) { |
| 625 | ! buf = (a0i & 1) ? 0x00 : 0xff; |
| 626 | ! outputBits -= 8; |
| 627 | ! if (outputBits == 0 && codingLine[a0i] < columns) { |
| 628 | ! ++a0i; |
| 629 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
| 630 | } |
| 631 | } else { |
| 632 | bits = 8; |
| 633 | ! buf = 0; |
| 634 | do { |
| 635 | if (outputBits > bits) { |
| 636 | ! buf <<= bits; |
| 637 | ! if (!(a0i & 1)) { |
| 638 | ! buf |= 0xff >> (8 - bits); |
| 639 | } |
| 640 | ! outputBits -= bits; |
| 641 | ! bits = 0; |
| 642 | } else { |
| 643 | ! buf <<= outputBits; |
| 644 | ! if (!(a0i & 1)) { |
| 645 | ! buf |= 0xff >> (8 - outputBits); |
| 646 | } |
| 647 | + bits -= outputBits; |
| 648 | outputBits = 0; |
| 649 | ! if (codingLine[a0i] < columns) { |
| 650 | ! ++a0i; |
| 651 | ! outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
| 652 | ! } else if (bits > 0) { |
| 653 | ! buf <<= bits; |
| 654 | ! bits = 0; |
| 655 | } |
| 656 | } |
| 657 | ! } while (bits); |
| 658 | ! } |
| 659 | ! if (black) { |
| 660 | ! buf ^= 0xff; |
| 661 | } |
| 662 | return buf; |
| 663 | } |
| 664 | |
| 665 | *************** |
| 666 | *** 1661,1666 **** |
| 667 | --- 1690,1698 ---- |
| 668 | code = 0; // make gcc happy |
| 669 | if (endOfBlock) { |
| 670 | code = lookBits(12); |
| 671 | + if (code == EOF) { |
| 672 | + return 1; |
| 673 | + } |
| 674 | if ((code >> 5) == 0) { |
| 675 | p = &whiteTab1[code]; |
| 676 | } else { |
| 677 | *************** |
| 678 | *** 1673,1678 **** |
| 679 | --- 1705,1713 ---- |
| 680 | } else { |
| 681 | for (n = 1; n <= 9; ++n) { |
| 682 | code = lookBits(n); |
| 683 | + if (code == EOF) { |
| 684 | + return 1; |
| 685 | + } |
| 686 | if (n < 9) { |
| 687 | code <<= 9 - n; |
| 688 | } |
| 689 | *************** |
| 690 | *** 1684,1689 **** |
| 691 | --- 1719,1727 ---- |
| 692 | } |
| 693 | for (n = 11; n <= 12; ++n) { |
| 694 | code = lookBits(n); |
| 695 | + if (code == EOF) { |
| 696 | + return 1; |
| 697 | + } |
| 698 | if (n < 12) { |
| 699 | code <<= 12 - n; |
| 700 | } |
| 701 | *************** |
| 702 | *** 1709,1717 **** |
| 703 | code = 0; // make gcc happy |
| 704 | if (endOfBlock) { |
| 705 | code = lookBits(13); |
| 706 | if ((code >> 7) == 0) { |
| 707 | p = &blackTab1[code]; |
| 708 | ! } else if ((code >> 9) == 0) { |
| 709 | p = &blackTab2[(code >> 1) - 64]; |
| 710 | } else { |
| 711 | p = &blackTab3[code >> 7]; |
| 712 | --- 1747,1758 ---- |
| 713 | code = 0; // make gcc happy |
| 714 | if (endOfBlock) { |
| 715 | code = lookBits(13); |
| 716 | + if (code == EOF) { |
| 717 | + return 1; |
| 718 | + } |
| 719 | if ((code >> 7) == 0) { |
| 720 | p = &blackTab1[code]; |
| 721 | ! } else if ((code >> 9) == 0 && (code >> 7) != 0) { |
| 722 | p = &blackTab2[(code >> 1) - 64]; |
| 723 | } else { |
| 724 | p = &blackTab3[code >> 7]; |
| 725 | *************** |
| 726 | *** 1723,1728 **** |
| 727 | --- 1764,1772 ---- |
| 728 | } else { |
| 729 | for (n = 2; n <= 6; ++n) { |
| 730 | code = lookBits(n); |
| 731 | + if (code == EOF) { |
| 732 | + return 1; |
| 733 | + } |
| 734 | if (n < 6) { |
| 735 | code <<= 6 - n; |
| 736 | } |
| 737 | *************** |
| 738 | *** 1734,1739 **** |
| 739 | --- 1778,1786 ---- |
| 740 | } |
| 741 | for (n = 7; n <= 12; ++n) { |
| 742 | code = lookBits(n); |
| 743 | + if (code == EOF) { |
| 744 | + return 1; |
| 745 | + } |
| 746 | if (n < 12) { |
| 747 | code <<= 12 - n; |
| 748 | } |
| 749 | *************** |
| 750 | *** 1747,1752 **** |
| 751 | --- 1794,1802 ---- |
| 752 | } |
| 753 | for (n = 10; n <= 13; ++n) { |
| 754 | code = lookBits(n); |
| 755 | + if (code == EOF) { |
| 756 | + return 1; |
| 757 | + } |
| 758 | if (n < 13) { |
| 759 | code <<= 13 - n; |
| 760 | } |
| 761 | *************** |
| 762 | *** 1961,1966 **** |
| 763 | --- 2011,2022 ---- |
| 764 | // allocate a buffer for the whole image |
| 765 | bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth; |
| 766 | bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight; |
| 767 | + if (bufWidth <= 0 || bufHeight <= 0 || |
| 768 | + bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) { |
| 769 | + error(getPos(), "Invalid image size in DCT stream"); |
| 770 | + y = height; |
| 771 | + return; |
| 772 | + } |
| 773 | for (i = 0; i < numComps; ++i) { |
| 774 | frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int)); |
| 775 | memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int)); |
| 776 | *************** |
| 777 | *** 3036,3041 **** |
| 778 | --- 3092,3102 ---- |
| 779 | } |
| 780 | scanInfo.firstCoeff = str->getChar(); |
| 781 | scanInfo.lastCoeff = str->getChar(); |
| 782 | + if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 || |
| 783 | + scanInfo.firstCoeff > scanInfo.lastCoeff) { |
| 784 | + error(getPos(), "Bad DCT coefficient numbers in scan info block"); |
| 785 | + return gFalse; |
| 786 | + } |
| 787 | c = str->getChar(); |
| 788 | scanInfo.ah = (c >> 4) & 0x0f; |
| 789 | scanInfo.al = c & 0x0f; |
| 790 | diff -c -r xpdf-3.02pl1.orig/xpdf/Stream.h xpdf-3.02/xpdf/Stream.h |
| 791 | *** xpdf-3.02pl1.orig/xpdf/Stream.h Tue Feb 27 14:05:52 2007 |
| 792 | --- xpdf-3.02/xpdf/Stream.h Thu Oct 25 15:48:15 2007 |
| 793 | *************** |
| 794 | *** 528,540 **** |
| 795 | int row; // current row |
| 796 | int inputBuf; // input buffer |
| 797 | int inputBits; // number of bits in input buffer |
| 798 | ! short *refLine; // reference line changing elements |
| 799 | ! int b1; // index into refLine |
| 800 | ! short *codingLine; // coding line changing elements |
| 801 | ! int a0; // index into codingLine |
| 802 | int outputBits; // remaining ouput bits |
| 803 | int buf; // character buffer |
| 804 | |
| 805 | short getTwoDimCode(); |
| 806 | short getWhiteCode(); |
| 807 | short getBlackCode(); |
| 808 | --- 528,542 ---- |
| 809 | int row; // current row |
| 810 | int inputBuf; // input buffer |
| 811 | int inputBits; // number of bits in input buffer |
| 812 | ! int *codingLine; // coding line changing elements |
| 813 | ! int *refLine; // reference line changing elements |
| 814 | ! int a0i; // index into codingLine |
| 815 | ! GBool err; // error on current line |
| 816 | int outputBits; // remaining ouput bits |
| 817 | int buf; // character buffer |
| 818 | |
| 819 | + void addPixels(int a1, int black); |
| 820 | + void addPixelsNeg(int a1, int black); |
| 821 | short getTwoDimCode(); |
| 822 | short getWhiteCode(); |
| 823 | short getBlackCode(); |