--- poppler-0.18.4/poppler/Function.cc
+++ poppler-0.18.4/poppler/Function.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
// Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
error(-1, "Stack underflow in PostScript function");
return;
}
+ if (unlikely(sp - n > psStackSize)) {
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
if (!checkOverflow(n)) {
return;
}
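Review bot: The added guard evaluates `sp - n` in signed `int`, so a sufficiently negative `n` overflows before the comparison is made, which is undefined behaviour; `n` presumably comes from the operands of the PostScript function, i.e. from the document being parsed. Assuming `sp` stays within `[0, psStackSize]`, the same test can be written without subtracting the untrusted value: `if (unlikely(n < sp - psStackSize)) {`. The new branch also reuses the "Stack underflow" text of the check just above it, so the two rejections cannot be told apart in logs. PSStack::copy starts before this hunk and continues after it.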
--- poppler-0.18.4/poppler/Stream.cc
+++ poppler-0.18.4/poppler/Stream.cc
@@ -2132,7 +2133,8 @@ GBool CCITTFaxStream::isBinary(GBool las
// clip [-256,511] --> [0,255]
#define dctClipOffset 256
-static Guchar dctClip[768];
+#define dctClipLength 768
+static Guchar dctClip[dctClipLength];
static int dctClipInit = 0;
// zig zag decode map
@@ -3078,7 +3080,12 @@ void DCTStream::transformDataUnit(Gushor
// convert to 8-bit integers
for (i = 0; i < 64; ++i) {
- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
+ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
+ if (unlikely(ix < 0 || ix >= dctClipLength)) {
+ dataOut[i] = 0;
+ } else {
+ dataOut[i] = dctClip[ix];
+ }
}
}
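Review bot: The new out-of-range branch stores 0 for every rejected index, including indices past the upper end of `dctClip`, while the table's own comment describes clipping to [0,255]. A value that overshoots on the high side would more consistently saturate, e.g. `dataOut[i] = ix < 0 ? 0 : 255;`. Nothing is reported when the branch is taken, so a stream whose coefficients fall outside the expected range decodes silently. A comment such as `// coefficient outside [-256,511]: malformed DCT data, must not index dctClip` would at least record why the guard exists. transformDataUnit begins outside this hunk.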
--- poppler-0.18.4/splash/Splash.cc
+++ poppler-0.18.4/splash/Splash.cc
@@ -14,7 +14,7 @@
// Copyright (C) 2005-2011 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
// Copyright (C) 2010, 2011 Thomas Freitag <Thomas.Freitag@alfa.de>
-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
// Copyright (C) 2011 William Bader <williambader@hotmail.com>
//
// To see a description of the changes please see the Changelog file that
@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
lineDashStartOn = gTrue;
lineDashStartIdx = 0;
- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
lineDashStartOn = !lineDashStartOn;
lineDashStartPhase -= state->lineDash[lineDashStartIdx];
++lineDashStartIdx;
}
+ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
+ return new SplashPath();
+ }
dPath = new SplashPath();
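Review bot: The early `return new SplashPath();` hands the caller an empty path with no diagnostic and no comment explaining when the start phase can run past every entry of `state->lineDash`. I would add `// start phase exceeded every dash entry (degenerate dash array): return an empty path rather than read lineDash[] out of bounds` above the check. The `==` comparison is correct only because the loop above is the sole writer of `lineDashStartIdx` and stops at `lineDashLength`; `>=` would keep the guard valid if that loop changes. Whether callers cope with an empty path is not visible here, since makeDashedPath starts before this hunk and continues after it.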