fofi/FoFiType1.cc | 4 ++-- poppler/Decrypt.cc | 4 +++- poppler/Dict.h | 3 +++ poppler/Form.cc | 32 +++++++++++++++++++++++++++----- poppler/Function.cc | 7 ++++++- poppler/Gfx.cc | 39 +++++++++++++++++++++++++++++++++------ 6 files changed, 74 insertions(+), 15 deletions(-)
New commits: commit b359cd0d225baf213ae21ee1f6c8450e2b257773 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:27:18 2010 +0100 Compile++ diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc index 3fe7f4f..363f213 100644 --- a/fofi/FoFiType1.cc +++ b/fofi/FoFiType1.cc @@ -31,7 +31,6 @@ #include <stdlib.h> #include <string.h> #include "goo/gmem.h" -#include "goo/GooLikely.h" #include "FoFiEncodings.h" #include "FoFiType1.h" #include "poppler/Error.h" @@ -244,7 +243,7 @@ void FoFiType1::parse() { code = code * 8 + (*p2 - '0'); } } - if (likely(code < 256 && code >= 0)) { + if (code < 256 && code >= 0) { for (p = p2; *p == ' ' || *p == '\t'; ++p) ; if (*p == '/') { ++p; commit 80a72431d7fce8421ad75530f5270234cb994f4a Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:19:27 2010 +0100 Avoid loops in Form::fieldLookup Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Dict.h b/poppler/Dict.h index bb747d5..a76bc89 100644 --- a/poppler/Dict.h +++ b/poppler/Dict.h @@ -16,6 +16,7 @@ // Copyright (C) 2005 Kristian Høgsberg <[email protected]> // Copyright (C) 2006 Krzysztof Kowalczyk <[email protected]> // Copyright (C) 2007-2008 Julien Rebetez <[email protected]> +// Copyright (C) 2010 Albert Astals Cid <[email protected]> // // To see a description of the changes please see the Changelog file that // came with your tarball or type make ChangeLog if you are building from git @@ -83,6 +84,8 @@ public: // trailer dictionary, which is read before the xref table is // parsed. void setXRef(XRef *xrefA) { xref = xrefA; } + + XRef *getXRef() { return xref; } private: diff --git a/poppler/Form.cc b/poppler/Form.cc index 21ca672..ae9c509 100644 --- a/poppler/Form.cc +++ b/poppler/Form.cc @@ -22,6 +22,7 @@ #pragma implementation #endif +#include <set> #include <stddef.h> #include <string.h> #include "goo/gmem.h" 
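Review bot: The new `XRef *getXRef() { return xref; }` accessor in the Dict.h hunk is read-only but not `const`-qualified, so it cannot be called through a `const Dict *`; `XRef *getXRef() const { return xref; }` keeps it usable from const contexts without changing behaviour. A one-line comment would also help callers such as the new Form.cc lookup that pass the result straight to `Object::fetch`: `// Non-owning; whatever setXRef()/the constructor stored, so possibly NULL.` — whether a NULL xref can actually reach a Dict is not visible here and is worth confirming.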
@@ -1181,7 +1182,7 @@ Form::~Form() { } // Look up an inheritable field dictionary entry. -Object *Form::fieldLookup(Dict *field, char *key, Object *obj) { +static Object *fieldLookup(Dict *field, char *key, Object *obj, std::set<int> *usedParents) { Dict *dict; Object parent; @@ -1190,8 +1191,23 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) { return obj; } obj->free(); - if (dict->lookup("Parent", &parent)->isDict()) { - fieldLookup(parent.getDict(), key, obj); + dict->lookupNF("Parent", &parent); + if (parent.isRef()) { + const Ref ref = parent.getRef(); + if (usedParents->find(ref.num) == usedParents->end()) { + usedParents->insert(ref.num); + + Object obj2; + parent.fetch(dict->getXRef(), &obj2); + if (obj2.isDict()) { + fieldLookup(obj2.getDict(), key, obj, usedParents); + } else { + obj->initNull(); + } + obj2.free(); + } + } else if (parent.isDict()) { + fieldLookup(parent.getDict(), key, obj, usedParents); } else { obj->initNull(); } @@ -1199,6 +1215,11 @@ Object *Form::fieldLookup(Dict *field, char *key, Object *obj) { return obj; } +Object *Form::fieldLookup(Dict *field, char *key, Object *obj) { + std::set<int> usedParents; + return ::fieldLookup(field, key, obj, &usedParents); +} + FormField *Form::createFieldFromDict (Object* obj, XRef *xrefA, const Ref& pref) { Object obj2; commit 2ce1d2bd3e4422c09b2eb53b6f7d17522531b25c Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:15:25 2010 +0100 Make sure obj1 is a num before reading it Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 7b85d79..76dae02 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc 
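Review bot: In the second Form.cc hunk, when `parent` is a reference that is already in `usedParents` — the cycle this commit exists to stop — neither the recursive `fieldLookup` nor `obj->initNull()` runs, so the function falls through to `return obj` with `obj` in whatever state `obj->free()` left it (presumably objNone) rather than as the null object every other non-dict branch produces. Adding `} else { obj->initNull(); }` to the `usedParents->find(ref.num) == usedParents->end()` check makes every path return a well-formed object, which matters because the callers of Form::fieldLookup test the result with `is*()` and then free it. The static helper in the first hunk could also document its extra parameter, e.g. `// usedParents: object numbers already visited on this chain; in/out, owned by the caller.` The body of fieldLookup starts in the first hunk and its `parent.free()`/`return obj` tail lies outside the shown lines.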
@@ -4235,8 +4235,14 @@ void Gfx::doForm(Object *str) { } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); @@ -4666,8 +4672,14 @@ void Gfx::drawAnnot(Object *str, AnnotBorder *border, AnnotColor *aColor, } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); commit 2fa6e106d5123aad63f6c0a5c61dd457b14ef851 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:11:42 2010 +0100 Fix memory leak if obj2 is not a dict Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Form.cc b/poppler/Form.cc index 4df8a7d..21ca672 100644 --- a/poppler/Form.cc +++ b/poppler/Form.cc @@ -715,13 +715,14 @@ FormField::FormField(XRef* xrefA, Object *aobj, const Ref& aref, FormFieldType t // Load children for(int i=0; i<length; i++) { Object obj2,obj3; - Object childRef; array->get(i, &obj2); - array->getNF(i, &childRef); if (!obj2.isDict ()) { error (-1, "Reference to an invalid or non existant object"); + obj2.free(); continue; } + Object childRef; + array->getNF(i, &childRef); //field child if (dict->lookup ("FT", &obj3)->isName()) { // If I'm not a generic container field and my children commit 37525c8aa37f1b0b2e06702030956edd81c76798 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:09:37 2010 +0100 Fix crash when idx is out of range Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Function.cc b/poppler/Function.cc index ea35b7b..e7383fd 100644 --- a/poppler/Function.cc +++ b/poppler/Function.cc 
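Review bot: The new `return;` inside the bounding-box loop in the Gfx::doForm hunk leaves `bboxObj` live — it is only released by the `bboxObj.free()` after the loop — so every malformed BBox entry now leaks the array object; the Gfx::drawAnnot hunk that follows has the identical problem. The error branch should release it before leaving, `obj1.free(); bboxObj.free(); error(getPos(), "Bad form bounding box value"); return;`, and the `obj1.free()` that both branches repeat can then be hoisted above the `if`. Any other objects these functions fetched earlier and normally free later would leak the same way on this path, which is worth checking since the loop sits mid-function and both enclosing functions start and end outside the hunks.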
@@ -425,7 +425,7 @@ void SampledFunction::transform(double *in, double *out) { if (likely(idx >= 0 && idx < nSamples)) { sBuf[j] = samples[idx]; } else { - sBuf[j] = 0; + sBuf[j] = 0; // TODO Investigate if this is what Adobe does } } commit db10e0746785aa0a97989757facb14a05abd45ec Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:08:54 2010 +0100 Fix crash when idx is out of range Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Function.cc b/poppler/Function.cc index b28ee3d..ea35b7b 100644 --- a/poppler/Function.cc +++ b/poppler/Function.cc @@ -422,7 +422,11 @@ void SampledFunction::transform(double *in, double *out) { for (k = 0, t = j; k < m; ++k, t >>= 1) { idx += idxMul[k] * (e[k][t & 1]); } - sBuf[j] = samples[idx]; + if (likely(idx >= 0 && idx < nSamples)) { + sBuf[j] = samples[idx]; + } else { + sBuf[j] = 0; + } } // do m sets of interpolations commit a40449fabb4ccfb3bad2ad599cd0d4ab53ee8cbd Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:07:12 2010 +0100 Give a value to color.c[i] Might not be the better solution but it's better than having a random value there Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 919086e..7b85d79 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -1533,6 +1533,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) { for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setFillColor(&color); @@ -1552,6 +1554,8 @@ void Gfx::opSetFillColorN(Object args[], int numArgs) { for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setFillColor(&color); 
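Review bot: The bounds check in the SampledFunction::transform hunk substitutes 0 for every out-of-range sample silently, inside the innermost loop, so a function whose declared sizes disagree with its sample data renders as zeros with no diagnostic while the test runs per sample on the hot path. If the sizes that feed `idxMul` and `nSamples` are known when the function is parsed (outside this hunk), rejecting it there once — the way the PostScriptFunction constructor on this page signals failure with `ok = gFalse` — would make the bad input visible and leave this check as a cheap safety net. If `idx` is a signed `int`, the `idx >= 0` half of the test can only fire after the `idxMul[k] * e[k][t & 1]` accumulation has wrapped, which is undefined behaviour rather than something to rely on; clamping each term before multiplying would avoid that. The enclosing loop and function continue outside the hunk.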
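Review bot: The `else { color.c[i] = 0; }` fallback in the first Gfx::opSetFillColorN hunk is repeated verbatim, TODO included, in the second opSetFillColorN hunk and in both Gfx::opSetStrokeColorN hunks, and unlike the bounding-box fix on this page it logs nothing, so a non-numeric colour operand is quietly painted as component 0. A small static helper removes the four copies and gives the malformed operand a single `error(...)` call site, so the TODO has one place to be resolved. The numArgs-versus-component-count checks that precede these loops are outside the hunks, so I have not assumed anything about components beyond `numArgs`.
```cpp
// Copies up to n numeric operands into color->c[]; a non-numeric operand is
// reported and its component set to 0 rather than left indeterminate.
static void setColorComps(Object args[], int n, GfxColor *color, int pos) {
  for (int i = 0; i < n && i < gfxColorMaxComps; ++i) {
    if (args[i].isNum()) {
      color->c[i] = dblToCol(args[i].getNum());
    } else {
      color->c[i] = 0; // TODO Investigate if this is what Adobe does
      error(pos, "Non-numeric color component");
    }
  }
}
// … unchanged: argument-count checks in opSetFillColorN …
      setColorComps(args, numArgs - 1, &color, getPos());
      state->setFillColor(&color);
```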
@@ -1576,6 +1580,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) { for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setStrokeColor(&color); @@ -1595,6 +1601,8 @@ void Gfx::opSetStrokeColorN(Object args[], int numArgs) { for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setStrokeColor(&color); commit 7b93fb7ed3eb3317b97317008bea2ff858901706 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:04:37 2010 +0100 Forgot my (C) here diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc index 128dbb9..abca820 100644 --- a/poppler/Decrypt.cc +++ b/poppler/Decrypt.cc @@ -14,7 +14,7 @@ // under GPL version 2 or later // // Copyright (C) 2008 Julien Rebetez <[email protected]> -// Copyright (C) 2008 Albert Astals Cid <[email protected]> +// Copyright (C) 2008, 2010 Albert Astals Cid <[email protected]> // Copyright (C) 2009 Matthias Franz <[email protected]> // Copyright (C) 2009 David Benjamin <[email protected]> // commit fd881bdab112c4fbe9179727214834d1da42fa22 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:03:19 2010 +0100 Properly initialize stack Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Function.cc b/poppler/Function.cc index b7c23fe..b28ee3d 100644 --- a/poppler/Function.cc +++ b/poppler/Function.cc 
@@ -1108,6 +1108,7 @@ PostScriptFunction::PostScriptFunction(Object *funcObj, Dict *dict) { code = NULL; codeString = NULL; codeSize = 0; + stack = NULL; ok = gFalse; cache = new PopplerCache(5); commit 01ff4c3915a08a147aed1fc0041407eab3b7eedd Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 19:01:36 2010 +0100 Properly initialize parser Fixes crash in broken pdf provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index fc004b8..919086e 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc @@ -536,6 +536,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, int pageNum, Dict *resDict, Catalog *cata drawText = gFalse; maskHaveCSPattern = gFalse; mcStack = NULL; + parser = NULL; // start the resource stack res = new GfxResources(xref, resDict, NULL); @@ -590,6 +591,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, Dict *resDict, Catalog *catalogA, drawText = gFalse; maskHaveCSPattern = gFalse; mcStack = NULL; + parser = NULL; // start the resource stack res = new GfxResources(xref, resDict, NULL); commit aa3f227d277c4f2bf0e71dea944d22f82e08b481 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 18:58:43 2010 +0100 Fix crash in broken pdf (parser->getStream() is 0) Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc index 50870cc..fc004b8 100644 --- a/poppler/Gfx.cc +++ b/poppler/Gfx.cc 
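Review bot: The `stack = NULL;` added in the PostScriptFunction constructor hunk, the `parser = NULL;` added to both Gfx constructor hunks below it, and the `charactersRead = 0;` added at the end of the DecryptStream constructor on the next line all follow the same pattern: members are reset one by one in the constructor body, which is exactly how each of these was forgotten in the first place. Moving them into the constructor initializer list (e.g. `: stack(NULL)` for PostScriptFunction) guarantees the member is set before any statement — including any early exit from the body — and the two Gfx constructors, which visibly repeat the same reset sequence, would be safer sharing one private init function. Presumably the destructors delete or read these members unconditionally, which is why the NULL matters; that code is outside the hunks.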
@@ -4449,8 +4449,13 @@ Stream *Gfx::buildImageStream() { obj.free(); // make stream - str = new EmbedStream(parser->getStream(), &dict, gFalse, 0); - str = str->addFilters(&dict); + if (parser->getStream()) { + str = new EmbedStream(parser->getStream(), &dict, gFalse, 0); + str = str->addFilters(&dict); + } else { + str = NULL; + dict.free(); + } return str; } commit bf4f774f2d0e924224895525a7f8d1966ec8af51 Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 18:55:51 2010 +0100 Initialize properly charactersRead It is possible that there are calls to getPos before reset Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc index ca294d3..128dbb9 100644 --- a/poppler/Decrypt.cc +++ b/poppler/Decrypt.cc @@ -229,6 +229,8 @@ DecryptStream::DecryptStream(Stream *strA, Guchar *fileKey, if ((objKeyLength = keyLength + 5) > 16) { objKeyLength = 16; } + + charactersRead = 0; } DecryptStream::~DecryptStream() { commit d04ab9d78a0fba07464e43ccdec80b05339fd08d Author: Albert Astals Cid <[email protected]> Date: Tue Sep 21 18:54:31 2010 +0100 Fix crash in broken pdf (code < 0) Found thanks to PDF provided by Joel Voss of Leviathan Security Group diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc index 25bdc0e..3fe7f4f 100644 --- a/fofi/FoFiType1.cc +++ b/fofi/FoFiType1.cc @@ -13,7 +13,7 @@ // All changes made under the Poppler project to this file are licensed // under GPL version 2 or later // -// Copyright (C) 2005, 2008 Albert Astals Cid <[email protected]> +// Copyright (C) 2005, 2008, 2010 Albert Astals Cid <[email protected]> // Copyright (C) 2005 Kristian Høgsberg <[email protected]> // Copyright (C) 2010 Jakub Wilk <[email protected]> // @@ -31,6 +31,7 @@ #include <stdlib.h> #include <string.h> #include "goo/gmem.h" +#include "goo/GooLikely.h" #include "FoFiEncodings.h" #include "FoFiType1.h" #include "poppler/Error.h" 
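Review bot: The Gfx::buildImageStream hunk calls `parser->getStream()` twice and returns NULL with no diagnostic when the inline image has no stream; hoisting the call, `Stream *s = parser->getStream();`, and reporting the case with `error(getPos(), "Inline image without a stream")` keeps the failure visible in the same way as the other fixes on this page. The NULL return is only safe if every caller of buildImageStream checks it before using the result — the callers are outside this hunk, so that is worth confirming. Since the constructor hunk above now initialises `parser` to NULL, this function still dereferences `parser` unconditionally; that presumably holds because it is only reached while a content stream is being parsed, but a short comment stating that precondition would help.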
@@ -243,7 +244,7 @@ void FoFiType1::parse() {
 code = code * 8 + (*p2 - '0');
 }
 }
- if (code < 256) {
+ if (likely(code < 256 && code >= 0)) {
 for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
 if (*p == '/') {
 ++p;
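Review bot: The added `code >= 0` test in the FoFiType1::parse hunk rejects a negative code after the fact, but the octal accumulation shown as context, `code = code * 8 + (*p2 - '0');`, can overflow a signed `int` on a long digit run, and signed overflow is undefined behaviour rather than a dependable negative result. Guarding the accumulation itself, `if (code >= 0 && code < 256) code = code * 8 + (*p2 - '0');`, stops the value from growing once it is already out of range while still consuming the digits, and the existing range test then rejects it as before. The loop header and the rest of parse() are outside the hunk, so where `code` is initialised and whether it can also arrive negative from a decimal parse is not visible here; note also that the later "Compile++" commit on this page drops the `likely()` wrapper, so the plain comparison is what lands.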
