cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add tons of xpdf-related security fixes.

Browse Source 
"reads fine" landry@
This commit is contained in:
kili 2009-10-15 15:50:25 +00:00
parent c90872dc95
commit 9f2a062bdc
10 changed files with 1071 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
x11/kde/graphics3/Makefile
View File

@ -1,4 +1,4 @@
# $OpenBSD: Makefile,v 1.86 2009/08/31 18:51:02 kili Exp $
# $OpenBSD: Makefile,v 1.87 2009/10/15 15:50:25 kili Exp $
COMMENT-main = K Desktop Environment, graphic applications
COMMENT-kamera = KDE interface to digital cameras
@ -14,7 +14,7 @@ SEPARATE_BUILD = flavored
MULTI_PACKAGES = -main -kpov -kamera -sane
PKGNAME = ${DISTNAME}
PKGNAME-main = ${DISTNAME}p2
PKGNAME-main = ${DISTNAME}p3
PKGNAME-kamera = kamera-${VERSION}p3
PKGNAME-kpov = kpovmodeller-${VERSION}p2
PKGNAME-sane = ksane-${VERSION}p3

71
x11/kde/graphics3/patches/patch-kpdf_xpdf_goo_gmem_cc Normal file
View File

@ -0,0 +1,71 @@
$OpenBSD: patch-kpdf_xpdf_goo_gmem_cc,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/goo/gmem.cc.orig Wed Feb 13 10:37:05 2008
+++ kpdf/xpdf/goo/gmem.cc Sun Apr 19 22:28:20 2009
@@ -55,7 +55,15 @@ void *gmalloc(int size) GMEM_EXCEP {
void *data;
unsigned long *trl, *p;
- if (size <= 0) {
+ if (size < 0) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Invalid memory allocation size\n");
+ exit(1);
+#endif
+ }
+ if (size == 0) {
return NULL;
}
size1 = gMemDataSize(size);
@@ -91,7 +99,15 @@ void *gmalloc(int size) GMEM_EXCEP {
#else
void *p;
- if (size <= 0) {
+ if (size < 0) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Invalid memory allocation size\n");
+ exit(1);
+#endif
+ }
+ if (size == 0) {
return NULL;
}
if (!(p = malloc(size))) {
@@ -112,7 +128,15 @@ void *grealloc(void *p, int size) GMEM_EXCEP {
void *q;
int oldSize;
- if (size <= 0) {
+ if (size < 0) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Invalid memory allocation size\n");
+ exit(1);
+#endif
+ }
+ if (size == 0) {
if (p) {
gfree(p);
}
@@ -131,7 +155,15 @@ void *grealloc(void *p, int size) GMEM_EXCEP {
#else
void *q;
- if (size <= 0) {
+ if (size < 0) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Invalid memory allocation size\n");
+ exit(1);
+#endif
+ }
+ if (size == 0) {
if (p) {
free(p);
}

68
x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashBitmap_cc Normal file
View File

@ -0,0 +1,68 @@
$OpenBSD: patch-kpdf_xpdf_splash_SplashBitmap_cc,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/splash/SplashBitmap.cc.orig Mon May 14 09:39:31 2007
+++ kpdf/xpdf/splash/SplashBitmap.cc Thu Oct 15 16:35:46 2009
@@ -11,6 +11,7 @@
#endif
#include <stdio.h>
+#include <limits.h>
#include "gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
@@ -27,30 +28,48 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, in
mode = modeA;
switch (mode) {
case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeRGB8:
case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#endif
}
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
- data = (SplashColorPtr)gmalloc(rowSize * height);
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
+ data = (SplashColorPtr)gmallocn(height, rowSize);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
}
if (alphaA) {
- alpha = (Guchar *)gmalloc(width * height);
+ alpha = (Guchar *)gmallocn(width, height);
} else {
alpha = NULL;
}

12
x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashErrorCodes_h Normal file
View File

@ -0,0 +1,12 @@
$OpenBSD: patch-kpdf_xpdf_splash_SplashErrorCodes_h,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/splash/SplashErrorCodes.h.orig Mon Jan 15 12:21:56 2007
+++ kpdf/xpdf/splash/SplashErrorCodes.h Thu Oct 15 16:35:46 2009
@@ -29,6 +29,8 @@
#define splashErrSingularMatrix 8 // matrix is singular
+#define splashErrBadArg 9 // bad argument
+
#define splashErrZeroImage 9 // image of 0x0
#endif

38
x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_Splash_cc Normal file
View File

@ -0,0 +1,38 @@
$OpenBSD: patch-kpdf_xpdf_splash_Splash_cc,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/splash/Splash.cc.orig Tue Aug 19 20:12:37 2008
+++ kpdf/xpdf/splash/Splash.cc Thu Oct 15 16:35:46 2009
@@ -12,6 +12,7 @@
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "gmem.h"
#include "SplashErrorCodes.h"
#include "SplashMath.h"
@@ -1937,7 +1938,10 @@ SplashError Splash::fillImageMask(SplashImageMaskSourc
xq = w % scaledWidth;
// allocate pixel buffer
- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
+ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
// initialize the pixel pipe
pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2233,9 +2237,12 @@ SplashError Splash::drawImage(SplashImageSource src, v
xq = w % scaledWidth;
// allocate pixel buffers
- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
+ return splashErrBadArg;
+ }
+ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
if (srcAlpha) {
- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
+ alphaBuf = (Guchar *)gmallocn(yp + 1, w);
} else {
alphaBuf = NULL;
}

776
x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_cc Normal file
View File

@ -0,0 +1,776 @@
$OpenBSD: patch-kpdf_xpdf_xpdf_JBIG2Stream_cc,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/xpdf/JBIG2Stream.cc.orig Tue Aug 19 20:12:37 2008
+++ kpdf/xpdf/xpdf/JBIG2Stream.cc Sun Apr 19 22:57:52 2009
@@ -422,12 +422,14 @@ void JBIG2HuffmanDecoder::buildTable(JBIG2HuffmanTable
table[i] = table[len];
// assign prefixes
- i = 0;
- prefix = 0;
- table[i++].prefix = prefix++;
- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
- prefix <<= table[i].prefixLen - table[i-1].prefixLen;
- table[i].prefix = prefix++;
+ if (table[0].rangeLen != jbig2HuffmanEOT) {
+ i = 0;
+ prefix = 0;
+ table[i++].prefix = prefix++;
+ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+ prefix <<= table[i].prefixLen - table[i-1].prefixLen;
+ table[i].prefix = prefix++;
+ }
}
}
@@ -491,7 +493,7 @@ int JBIG2MMRDecoder::get2DCode() {
}
if (p->bits < 0) {
error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
- return 0;
+ return EOF;
}
bufLen -= p->bits;
return p->n;
@@ -684,8 +686,9 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA
h = hA;
line = (wA + 7) >> 3;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
- data = NULL;
- return;
+ // force a call to gmalloc(-1), which will throw an exception
+ h = -1;
+ line = 2;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
@@ -699,8 +702,9 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *b
h = bitmap->h;
line = bitmap->line;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
- data = NULL;
- return;
+ // force a call to gmalloc(-1), which will throw an exception
+ h = -1;
+ line = 2;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
@@ -755,6 +759,8 @@ void JBIG2Bitmap::clearToOne() {
inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
if (y < 0 || y >= h || x >= w) {
ptr->p = NULL;
+ ptr->shift = 0; // make gcc happy
+ ptr->x = 0; // make gcc happy
} else if (x < 0) {
ptr->p = &data[y * line];
ptr->shift = 7;
@@ -799,6 +805,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x,
Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
GBool oneByte;
+ // check for the pathological case where y = -2^31
+ if (y < -0x7fffffff) {
+ return;
+ }
if (y < 0) {
y0 = -y;
} else {
@@ -1012,8 +1022,13 @@ class JBIG2SymbolDict: public JBIG2Segment { (private)
JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA):
JBIG2Segment(segNumA)
{
+ Guint i;
+
size = sizeA;
bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *));
+ for (i = 0; i < size; ++i) {
+ bitmaps[i] = NULL;
+ }
genericRegionStats = NULL;
refinementRegionStats = NULL;
}
@@ -1022,7 +1037,9 @@ JBIG2SymbolDict::~JBIG2SymbolDict() {
Guint i;
for (i = 0; i < size; ++i) {
- delete bitmaps[i];
+ if (bitmaps[i]) {
+ delete bitmaps[i];
+ }
}
gfree(bitmaps);
if (genericRegionStats) {
@@ -1301,6 +1318,13 @@ void JBIG2Stream::readSegments() {
// keep track of the start of the segment data
segDataPos = getPos();
+ // check for missing page information segment
+ if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
+ (segType >= 20 && segType <= 43))) {
+ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment");
+ goto syntaxError;
+ }
+
// read the segment data
switch (segType) {
case 0:
@@ -1455,6 +1479,8 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
Guint i, j, k;
Guchar *p;
+ symWidths = NULL;
+
// symbol dictionary flags
if (!readUWord(&flags)) {
goto eofError;
@@ -1515,7 +1541,13 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
// part of it
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
+ j = ((JBIG2SymbolDict *)seg)->getSize();
+ if (numInputSyms > UINT_MAX - j) {
+ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+ delete codeTables;
+ goto eofError;
+ }
+ numInputSyms += j;
} else if (seg->getType() == jbig2SegCodeTable) {
codeTables->append(seg);
}
@@ -1523,13 +1555,18 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
return gFalse;
}
}
+ if (numInputSyms > UINT_MAX - numNewSyms) {
+ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+ delete codeTables;
+ goto eofError;
+ }
// compute symbol code length
- symCodeLen = 0;
- i = 1;
- while (i < numInputSyms + numNewSyms) {
+ symCodeLen = 1;
+ i = (numInputSyms + numNewSyms) >> 1;
+ while (i) {
++symCodeLen;
- i <<= 1;
+ i >>= 1;
}
// get the input symbol bitmaps
@@ -1541,11 +1578,12 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
k = 0;
inputSymbolDict = NULL;
for (i = 0; i < nRefSegs; ++i) {
- seg = findSegment(refSegs[i]);
- if (seg->getType() == jbig2SegSymbolDict) {
- inputSymbolDict = (JBIG2SymbolDict *)seg;
- for (j = 0; j < inputSymbolDict->getSize(); ++j) {
- bitmaps[k++] = inputSymbolDict->getBitmap(j);
+ if ((seg = findSegment(refSegs[i]))) {
+ if (seg->getType() == jbig2SegSymbolDict) {
+ inputSymbolDict = (JBIG2SymbolDict *)seg;
+ for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+ bitmaps[k++] = inputSymbolDict->getBitmap(j);
+ }
}
}
}
@@ -1560,6 +1598,9 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
} else if (huffDH == 1) {
huffDHTable = huffTableE;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDW == 0) {
@@ -1567,17 +1608,26 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
} else if (huffDW == 1) {
huffDWTable = huffTableC;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffBMSize == 0) {
huffBMSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffBMSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffAggInst == 0) {
huffAggInstTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffAggInstTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
@@ -1610,7 +1660,6 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
}
// allocate symbol widths storage
- symWidths = NULL;
if (huff && !refAgg) {
symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
}
@@ -1652,6 +1701,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
goto syntaxError;
}
symWidth += dw;
+ if (i >= numNewSyms) {
+ error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
// using a collective bitmap, so don't read a bitmap here
if (huff && !refAgg) {
@@ -1688,6 +1741,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
arithDecoder->decodeInt(&refDX, iardxStats);
arithDecoder->decodeInt(&refDY, iardyStats);
}
+ if (symID >= numInputSyms + i) {
+ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
refBitmap = bitmaps[symID];
bitmaps[numInputSyms + i] =
readGenericRefinementRegion(symWidth, symHeight,
@@ -1754,6 +1811,12 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
} else {
arithDecoder->decodeInt(&run, iaexStats);
}
+ if (i + run > numInputSyms + numNewSyms ||
+ (ex && j + run > numExSyms)) {
+ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
+ delete symbolDict;
+ goto syntaxError;
+ }
if (ex) {
for (cnt = 0; cnt < run; ++cnt) {
symbolDict->setBitmap(j++, bitmaps[i++]->copy());
@@ -1763,6 +1826,11 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
}
ex = !ex;
}
+ if (j != numExSyms) {
+ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
+ delete symbolDict;
+ goto syntaxError;
+ }
for (i = 0; i < numNewSyms; ++i) {
delete bitmaps[numInputSyms + i];
@@ -1785,6 +1853,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui
return gTrue;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 symbol dictionary");
+ delete codeTables;
+
syntaxError:
for (i = 0; i < numNewSyms; ++i) {
if (bitmaps[numInputSyms + i]) {
@@ -1887,6 +1959,8 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
}
} else {
error(getPos(), "Invalid segment reference in JBIG2 text region");
+ delete codeTables;
+ return;
}
}
symCodeLen = 0;
@@ -1921,6 +1995,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffFS == 1) {
huffFSTable = huffTableG;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDS == 0) {
@@ -1930,6 +2007,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffDS == 2) {
huffDSTable = huffTableJ;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDT == 0) {
@@ -1939,6 +2019,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffDT == 2) {
huffDTTable = huffTableM;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDW == 0) {
@@ -1946,6 +2029,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffRDW == 1) {
huffRDWTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDH == 0) {
@@ -1953,6 +2039,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffRDH == 1) {
huffRDHTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDX == 0) {
@@ -1960,6 +2049,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffRDX == 1) {
huffRDXTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDY == 0) {
@@ -1967,11 +2059,17 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
} else if (huffRDY == 1) {
huffRDYTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRSize == 0) {
huffRSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
@@ -2066,8 +2164,15 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo
return;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 text region");
+ gfree(codeTables);
+ delete syms;
+ return;
+
eofError:
error(getPos(), "Unexpected EOF in JBIG2 stream");
+ return;
}
JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
@@ -2374,8 +2479,8 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum,
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
- seg = findSegment(refSegs[0]);
- if (seg->getType() != jbig2SegPatternDict) {
+ if (!(seg = findSegment(refSegs[0])) ||
+ seg->getType() != jbig2SegPatternDict) {
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
@@ -2533,7 +2638,7 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, G
// read the bitmap
bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
- NULL, atx, aty, mmr ? 0 : length - 18);
+ NULL, atx, aty, mmr ? length - 18 : 0);
// combine the region bitmap into the page bitmap
if (imm) {
@@ -2555,6 +2660,43 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, G
error(getPos(), "Unexpected EOF in JBIG2 stream");
}
+inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+ ++*a0i;
+ }
+ codingLine[*a0i] = a1;
+ }
+}
+
+inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w) {
+ if (a1 > codingLine[*a0i]) {
+ if (a1 > w) {
+ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
+ a1 = w;
+ }
+ if ((*a0i & 1) ^ blackPixels) {
+ ++*a0i;
+ }
+ codingLine[*a0i] = a1;
+ } else if (a1 < codingLine[*a0i]) {
+ if (a1 < 0) {
+ error(getPos(), "Invalid JBIG2 MMR code");
+ a1 = 0;
+ }
+ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) {
+ --*a0i;
+ }
+ codingLine[*a0i] = a1;
+ }
+}
+
JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
int templ, GBool tpgdOn,
GBool useSkip, JBIG2Bitmap *skip,
@@ -2567,7 +2709,7 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr,
JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3;
int *refLine, *codingLine;
int code1, code2, code3;
- int x, y, a0, pix, i, refI, codingI;
+ int x, y, a0i, b1i, blackPixels, pix, i;
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();
@@ -2577,9 +2719,18 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr,
if (mmr) {
mmrDecoder->reset();
+ if (w > INT_MAX - 2) {
+ error(getPos(), "Bad width in JBIG2 generic bitmap");
+ // force a call to gmalloc(-1), which will throw an exception
+ w = -3;
+ }
+ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w
+ // ---> max codingLine size = w + 1
+ // refLine has one extra guard entry at the end
+ // ---> max refLine size = w + 2
+ codingLine = (int *)gmallocn(w + 1, sizeof(int));
refLine = (int *)gmallocn(w + 2, sizeof(int));
- codingLine = (int *)gmallocn(w + 2, sizeof(int));
- codingLine[0] = codingLine[1] = w;
+ codingLine[0] = w;
for (y = 0; y < h; ++y) {
@@ -2587,128 +2738,157 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr,
for (i = 0; codingLine[i] < w; ++i) {
refLine[i] = codingLine[i];
}
- refLine[i] = refLine[i + 1] = w;
+ refLine[i++] = w;
+ refLine[i] = w;
// decode a line
- refI = 0; // b1 = refLine[refI]
- codingI = 0; // a1 = codingLine[codingI]
- a0 = 0;
- do {
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
+ blackPixels = 0;
+ // invariant:
+ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w
+ // exception at left edge:
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
+ // exception at right edge:
+ // refLine[b1i] = refLine[b1i+1] = w is possible
+ while (codingLine[a0i] < w) {
code1 = mmrDecoder->get2DCode();
switch (code1) {
case twoDimPass:
- if (refLine[refI] < w) {
- a0 = refLine[refI + 1];
- refI += 2;
- }
- break;
+ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w);
+ if (refLine[b1i + 1] < w) {
+ b1i += 2;
+ }
+ break;
case twoDimHoriz:
- if (codingI & 1) {
- code1 = 0;
- do {
- code1 += code3 = mmrDecoder->getBlackCode();
- } while (code3 >= 64);
- code2 = 0;
- do {
- code2 += code3 = mmrDecoder->getWhiteCode();
- } while (code3 >= 64);
- } else {
- code1 = 0;
- do {
- code1 += code3 = mmrDecoder->getWhiteCode();
- } while (code3 >= 64);
- code2 = 0;
- do {
- code2 += code3 = mmrDecoder->getBlackCode();
- } while (code3 >= 64);
- }
- if (code1 > 0 || code2 > 0) {
- a0 = codingLine[codingI++] = a0 + code1;
- a0 = codingLine[codingI++] = a0 + code2;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVert0:
- a0 = codingLine[codingI++] = refLine[refI];
- if (refLine[refI] < w) {
- ++refI;
- }
- break;
- case twoDimVertR1:
- a0 = codingLine[codingI++] = refLine[refI] + 1;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVertR2:
- a0 = codingLine[codingI++] = refLine[refI] + 2;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
+ code1 = code2 = 0;
+ if (blackPixels) {
+ do {
+ code1 += code3 = mmrDecoder->getBlackCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = mmrDecoder->getWhiteCode();
+ } while (code3 >= 64);
+ } else {
+ do {
+ code1 += code3 = mmrDecoder->getWhiteCode();
+ } while (code3 >= 64);
+ do {
+ code2 += code3 = mmrDecoder->getBlackCode();
+ } while (code3 >= 64);
+ }
+ mmrAddPixels(codingLine[a0i] + code1, blackPixels,
+ codingLine, &a0i, w);
+ if (codingLine[a0i] < w) {
+ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1,
+ codingLine, &a0i, w);
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ break;
case twoDimVertR3:
- a0 = codingLine[codingI++] = refLine[refI] + 3;
- if (refLine[refI] < w) {
- ++refI;
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- }
- break;
- case twoDimVertL1:
- a0 = codingLine[codingI++] = refLine[refI] - 1;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
- case twoDimVertL2:
- a0 = codingLine[codingI++] = refLine[refI] - 2;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
+ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR2:
+ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertR1:
+ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVert0:
+ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
case twoDimVertL3:
- a0 = codingLine[codingI++] = refLine[refI] - 3;
- if (refI > 0) {
- --refI;
- } else {
- ++refI;
- }
- while (refLine[refI] <= a0 && refLine[refI] < w) {
- refI += 2;
- }
- break;
+ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL2:
+ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case twoDimVertL1:
+ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < w) {
+ if (b1i > 0) {
+ --b1i;
+ } else {
+ ++b1i;
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
+ b1i += 2;
+ }
+ }
+ break;
+ case EOF:
+ mmrAddPixels(w, 0, codingLine, &a0i, w);
+ break;
default:
error(getPos(), "Illegal code in JBIG2 MMR bitmap data");
+ mmrAddPixels(w, 0, codingLine, &a0i, w);
break;
}
- } while (a0 < w);
- codingLine[codingI++] = w;
+ }
// convert the run lengths to a bitmap line
i = 0;
- while (codingLine[i] < w) {
+ while (1) {
for (x = codingLine[i]; x < codingLine[i+1]; ++x) {
bitmap->setPixel(x, y);
}
+ if (codingLine[i+1] >= w || codingLine[i+2] >= w) {
+ break;
+ }
i += 2;
}
}
@@ -2756,7 +2936,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr,
ltp = !ltp;
}
if (ltp) {
- bitmap->duplicateRow(y, y-1);
+ if (y > 0) {
+ bitmap->duplicateRow(y, y-1);
+ }
continue;
}
}
@@ -2959,8 +3141,8 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint
return;
}
if (nRefSegs == 1) {
- seg = findSegment(refSegs[0]);
- if (seg->getType() != jbig2SegBitmap) {
+ if (!(seg = findSegment(refSegs[0])) ||
+ seg->getType() != jbig2SegBitmap) {
error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
return;
}
@@ -3054,6 +3236,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(
tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ } else {
+ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
+ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
+ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
}
for (x = 0; x < w; ++x) {

14
x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_h Normal file
View File

@ -0,0 +1,14 @@
$OpenBSD: patch-kpdf_xpdf_xpdf_JBIG2Stream_h,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/xpdf/JBIG2Stream.h.orig Mon May 14 09:39:30 2007
+++ kpdf/xpdf/xpdf/JBIG2Stream.h Sun Apr 19 22:28:20 2009
@@ -78,6 +78,10 @@ class JBIG2Stream: public FilterStream { (private)
Guint *refSegs, Guint nRefSegs);
void readGenericRegionSeg(Guint segNum, GBool imm,
GBool lossless, Guint length);
+ void mmrAddPixels(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w);
+ void mmrAddPixelsNeg(int a1, int blackPixels,
+ int *codingLine, int *a0i, int w);
JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h,
int templ, GBool tpgdOn,
GBool useSkip, JBIG2Bitmap *skip,

12
x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_PSOutputDev_cc Normal file
View File

@ -0,0 +1,12 @@
$OpenBSD: patch-kpdf_xpdf_xpdf_PSOutputDev_cc,v 1.1 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/xpdf/PSOutputDev.cc.orig Mon Oct 8 11:48:37 2007
+++ kpdf/xpdf/xpdf/PSOutputDev.cc Thu Oct 15 16:35:46 2009
@@ -4386,7 +4386,7 @@ void PSOutputDev::doImageL1Sep(GfxImageColorMap *color
width, -height, height);
// allocate a line buffer
- lineBuf = (Guchar *)gmalloc(4 * width);
+ lineBuf = (Guchar *)gmallocn(width, 4);
// set up to process the data stream
imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),

14
x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_Stream_cc Normal file
View File

@ -0,0 +1,14 @@
$OpenBSD: patch-kpdf_xpdf_xpdf_Stream_cc,v 1.2 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/xpdf/Stream.cc.orig Wed Feb 13 10:37:05 2008
+++ kpdf/xpdf/xpdf/Stream.cc Thu Oct 15 16:35:46 2009
@@ -323,6 +323,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int
} else {
imgLineSize = nVals;
}
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
imgIdx = nVals;
}

89
x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_XRef_cc
View File

@ -1,27 +1,66 @@
$OpenBSD: patch-kpdf_xpdf_xpdf_XRef_cc,v 1.1 2008/05/21 09:46:18 ajacoutot Exp $
--- kpdf/xpdf/xpdf/XRef.cc.orig Fri Apr 25 18:17:39 2008
+++ kpdf/xpdf/xpdf/XRef.cc Fri Apr 25 18:18:22 2008
@@ -771,19 +771,19 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
$OpenBSD: patch-kpdf_xpdf_xpdf_XRef_cc,v 1.2 2009/10/15 15:50:25 kili Exp $
--- kpdf/xpdf/xpdf/XRef.cc.orig Thu Oct 15 16:32:56 2009
+++ kpdf/xpdf/xpdf/XRef.cc Thu Oct 15 16:35:46 2009
@@ -52,6 +52,8 @@ class ObjectStream { (public)
// generation 0.
ObjectStream(XRef *xref, int objStrNumA);
+ GBool isOk() { return ok; }
+
~ObjectStream();
// Return the object number of this object stream.
@@ -67,6 +69,7 @@ class ObjectStream { (public)
int nObjects; // number of objects in the stream
Object *objs; // the objects (length = nObjects)
int *objNums; // the object numbers (length = nObjects)
+ GBool ok;
};
ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -80,6 +83,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
nObjects = 0;
objs = NULL;
objNums = NULL;
+ ok = gFalse;
if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
goto err1;
@@ -105,6 +109,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
goto err1;
}
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
+ goto err1;
+ }
objs = new Object[nObjects];
objNums = (int *)gmallocn(nObjects, sizeof(int));
offsets = (int *)gmallocn(nObjects, sizeof(int));
@@ -161,10 +172,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
}
gfree(offsets);
+ ok = gTrue;
err1:
objStr.free();
- return;
}
GBool XRef::okToPrint(GBool ignoreOwnerPW) {
- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permPrint);
+ return (1);
}
GBool XRef::okToChange(GBool ignoreOwnerPW) {
- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permChange);
+ return (1);
}
GBool XRef::okToCopy(GBool ignoreOwnerPW) {
- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permCopy);
+ return (1);
}
GBool XRef::okToAddNotes(GBool ignoreOwnerPW) {
- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permNotes);
+ return (1);
}
Object *XRef::fetch(int num, int gen, Object *obj) {
ObjectStream::~ObjectStream() {
@@ -837,6 +848,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) {
delete objStr;
}
objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
}
objStr->getObject(e->gen, num, obj);
break;