path: root/main/poppler/CVE-2013-1788.patch
blob: eb83279aaf625e39bc023f41216c512fb4972307 (plain)
From:

[1] http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=e14b6e9c13d35c9bd1e0c50906ace8e707816888
[3] http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=0388837f01bc467045164f9ddaff787000a8caaa
[4] http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=957aa252912cde85d76c41e9710b33425a82b696
[5] http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.22&id=bbc2d8918fe234b7ef2c480eb148943922cc0959

diff --git a/poppler/Function.cc b/poppler/Function.cc
index 25e8f74..0cad9c9 100644
--- a/poppler/Function.cc
+++ b/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
 // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
 // Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
@@ -1058,6 +1058,10 @@ void PSStack::copy(int n) {
     error(errSyntaxError, -1, "Stack underflow in PostScript function");
     return;
   }
+  if (unlikely(sp - n > psStackSize)) {
+    error(errSyntaxError, -1, "Stack underflow in PostScript function");
+    return;
+  }
   if (!checkOverflow(n)) {
     return;
   }
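Review bot: The added guard in PSStack::copy evaluates `sp - n` in signed int arithmetic, so a sufficiently negative `n` overflows before the comparison is made and the check itself becomes undefined behaviour. `n` appears to come from the PostScript function being evaluated (the caller is not shown), so it should be treated as untrusted. Assuming `sp` stays within [0, psStackSize], the same test can be written without arithmetic on the untrusted operand: `if (unlikely(n < sp - psStackSize)) {`. The message also reuses "Stack underflow" for what is a negative-count rejection, so the two cases cannot be told apart in logs. The condition of the preceding check and the copy loop are outside the hunk.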
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 4ce6c00..3e6c908 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -2288,7 +2288,8 @@ GBool CCITTFaxStream::isBinary(GBool last) {
 
 // clip [-256,511] --> [0,255]
 #define dctClipOffset 256
-static Guchar dctClip[768];
+#define dctClipLength 768
+static Guchar dctClip[dctClipLength];
 static int dctClipInit = 0;
 
 // zig zag decode map
@@ -3244,7 +3245,12 @@ void DCTStream::transformDataUnit(Gushort *quantTable,
 
   // convert to 8-bit integers
   for (i = 0; i < 64; ++i) {
-    dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
+    const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
+    if (unlikely(ix < 0 || ix >= dctClipLength)) {
+      dataOut[i] = 0;
+    } else {
+      dataOut[i] = dctClip[ix];
+    }
   }
 }
 
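Review bot: The out-of-range branch in transformDataUnit writes 0 for both directions, but the comment at the table's definition describes dctClip as a clip of [-256,511] to [0,255], so an index past the upper end would be expected to saturate to 255 rather than fall to 0. If the table is filled as that comment says, the fallback can keep the clamping behaviour with `dataOut[i] = ix < 0 ? 0 : 255;`. Separately, `dataIn[i] + 8` is still computed before the range check; whether the values in dataIn are bounded enough for that addition not to overflow is not visible in this hunk.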
diff --git a/splash/Splash.cc b/splash/Splash.cc
index e6559f4..b8863dd 100644
--- a/splash/Splash.cc
+++ b/splash/Splash.cc
@@ -14,7 +14,7 @@
 // Copyright (C) 2005-2012 Albert Astals Cid <aacid@kde.org>
 // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
 // Copyright (C) 2010-2012 Thomas Freitag <Thomas.Freitag@alfa.de>
-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
 // Copyright (C) 2011, 2012 William Bader <williambader@hotmail.com>
 // Copyright (C) 2012 Markus Trippelsdorf <markus@trippelsdorf.de>
 //
@@ -2102,11 +2102,14 @@ SplashPath *Splash::makeDashedPath(SplashPath *path) {
   lineDashStartOn = gTrue;
   lineDashStartIdx = 0;
   if (lineDashStartPhase > 0) {
-    while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+    while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
       lineDashStartOn = !lineDashStartOn;
       lineDashStartPhase -= state->lineDash[lineDashStartIdx];
       ++lineDashStartIdx;
     }
+    if (unlikely(lineDashStartIdx == state->lineDashLength)) {
+      return new SplashPath();
+    }
   }
 
   dPath = new SplashPath();
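Review bot: The new early return in makeDashedPath is silent and uncommented, unlike the other guards added by this patch, which report through error(). Reaching it means the start phase was at least the sum of all dash entries, which a reader cannot tell from the code alone; a comment above the `if` such as `// phase consumed the whole dash array (malformed dash pattern): return an empty path rather than index past lineDash` would record that. An `error(errSyntaxError, -1, ...)` call in the same branch would make the rejected input visible in logs. Callers now receive an empty SplashPath on this route, and whether all of them tolerate one is outside the hunk.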
@@ -3078,6 +3081,12 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData,
   Guchar *destPtr;
   int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, d;
   int i, j;
+  
+  destPtr = dest->data;
+  if (destPtr == NULL) {
+    error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYdXu");
+    return;
+  }
 
   // Bresenham parameters for y scale
   yp = srcHeight / scaledHeight;
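Review bot: The NULL guard in scaleMaskYdXu is written as `if (destPtr == NULL) {` while the other checks added by this patch wrap their condition in `unlikely(...)`; for consistency it should read `if (unlikely(destPtr == NULL)) {`, and the same applies to the `destPtr0` guard added to scaleMaskYuXd in the later hunk. Both hunks also add a line containing only two spaces (`+  `), which introduces trailing whitespace. The functions return void, so the caller still holds a `dest` bitmap with no data after this return; whether the caller checks for that is not visible here.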
@@ -3094,7 +3103,6 @@ void Splash::scaleMaskYdXu(SplashImageMaskSource src, void *srcData,
   // init y scale Bresenham
   yt = 0;
 
-  destPtr = dest->data;
   for (y = 0; y < scaledHeight; ++y) {
 
     // y scale Bresenham
@@ -3153,6 +3161,12 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData,
   Guchar *destPtr0, *destPtr;
   int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, xx, d, d0, d1;
   int i;
+  
+  destPtr0 = dest->data;
+  if (destPtr0 == NULL) {
+    error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYuXd");
+    return;
+  }
 
   // Bresenham parameters for y scale
   yp = scaledHeight / srcHeight;
@@ -3168,7 +3182,6 @@ void Splash::scaleMaskYuXd(SplashImageMaskSource src, void *srcData,
   // init y scale Bresenham
   yt = 0;
 
-  destPtr0 = dest->data;
   for (y = 0; y < srcHeight; ++y) {
 
     // y scale Bresenham
@@ -4491,6 +4504,11 @@ void Splash::vertFlipImage(SplashBitmap *img, int width, int height,
   Guchar *lineBuf;
   Guchar *p0, *p1;
   int w;
+  
+  if (unlikely(img->data == NULL)) {
+    error(errInternal, -1, "img->data is NULL in Splash::vertFlipImage");
+    return;
+  }
 
   w = width * nComps;
   lineBuf = (Guchar *)gmalloc(w);
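Review bot: The guard in vertFlipImage covers a missing pixel buffer, but the allocation size two lines later, `w = width * nComps`, is still an unchecked int multiplication of values passed in by the caller. If the callers (outside this hunk) do not bound `width`, the product can wrap and lineBuf would be smaller than the rows copied through it. `lineBuf = (Guchar *)gmallocn(width, nComps);` uses the overflow-checking allocator from gmem instead. The function body continues past the end of the hunk, so how `w` is used in the copy loop should be confirmed there.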