| blob | 9bf67f07af47f8014e41725bba4687eeb7658fc3 |
1 --- misc/xpdf-3.02/goo/gmem.cc 2007-02-27 23:05:51.000000000 +0100
2 +++ misc/build/xpdf-3.02/goo/gmem.cc 2009-11-10 11:43:10.374175496 +0100
3 @@ -55,7 +55,15 @@
4 void *data;
5 unsigned long *trl, *p;
7 - if (size <= 0) {
8 + if (size < 0) {
9 +#if USE_EXCEPTIONS
10 + throw GMemException();
11 +#else
12 + fprintf(stderr, "Invalid memory allocation size\n");
13 + exit(1);
14 +#endif
15 + }
16 + if (size == 0) {
17 return NULL;
18 }
19 size1 = gMemDataSize(size);
20 @@ -91,7 +99,15 @@
21 #else
22 void *p;
24 - if (size <= 0) {
25 + if (size < 0) {
26 +#if USE_EXCEPTIONS
27 + throw GMemException();
28 +#else
29 + fprintf(stderr, "Invalid memory allocation size\n");
30 + exit(1);
31 +#endif
32 + }
33 + if (size == 0) {
34 return NULL;
35 }
36 if (!(p = malloc(size))) {
37 @@ -112,7 +128,15 @@
38 void *q;
39 int oldSize;
41 - if (size <= 0) {
42 + if (size < 0) {
43 +#if USE_EXCEPTIONS
44 + throw GMemException();
45 +#else
46 + fprintf(stderr, "Invalid memory allocation size\n");
47 + exit(1);
48 +#endif
49 + }
50 + if (size == 0) {
51 if (p) {
52 gfree(p);
53 }
54 @@ -131,7 +155,15 @@
55 #else
56 void *q;
58 - if (size <= 0) {
59 + if (size < 0) {
60 +#if USE_EXCEPTIONS
61 + throw GMemException();
62 +#else
63 + fprintf(stderr, "Invalid memory allocation size\n");
64 + exit(1);
65 +#endif
66 + }
67 + if (size == 0) {
68 if (p) {
69 free(p);
70 }
71 --- misc/xpdf-3.02/goo/GString.cc 2007-02-27 23:05:51.000000000 +0100
72 +++ misc/build/xpdf-3.02/goo/GString.cc 2009-11-10 11:43:10.368006116 +0100
73 @@ -528,7 +528,7 @@
74 if ((neg = x < 0)) {
75 x = -x;
76 }
77 - x = floor(x * pow(10, prec) + 0.5);
78 + x = floor(x * pow(10.0, prec) + 0.5);
79 i = bufSize;
80 started = !trim;
81 for (j = 0; j < prec && i > 1; ++j) {
82 --- misc/xpdf-3.02/ms_make.bat 2007-02-27 23:05:51.000000000 +0100
83 +++ misc/build/xpdf-3.02/ms_make.bat 2009-11-10 11:43:10.450112062 +0100
84 @@ -1,5 +1,5 @@
85 set CC=cl
86 -set CFLAGS=/DWIN32 /I.. /I..\goo /I..\fofi /O2 /nologo
87 +set CFLAGS=/DWIN32 /D_MT /I.. /I..\goo /I..\fofi /O2 /nologo
88 set CXX=cl
89 set CXXFLAGS=%CFLAGS% /TP
90 set LIBPROG=lib
91 @@ -70,6 +70,8 @@
92 %CXX% %CXXFLAGS% /c pdffonts.cc
93 %CXX% %CXXFLAGS% /c pdfimages.cc
95 +%LIBPROG% /nologo /out:xpdf.lib Annot.obj Array.obj BuiltinFont.obj BuiltinFontTables.obj Catalog.obj CharCodeToUnicode.obj CMap.obj Decrypt.obj Dict.obj Error.obj FontEncodingTables.obj Function.obj Gfx.obj GfxFont.obj GfxState.obj GlobalParams.obj JArithmeticDecoder.obj JBIG2Stream.obj JPXStream.obj Lexer.obj Link.obj NameToCharCode.obj Object.obj Outline.obj OutputDev.obj Page.obj Parser.obj PDFDoc.obj PDFDocEncoding.obj PSTokenizer.obj SecurityHandler.obj Stream.obj UnicodeMap.obj XRef.obj
96 +
97 %CXX% %LINKFLAGS% /Fepdftops.exe Annot.obj Array.obj BuiltinFont.obj BuiltinFontTables.obj Catalog.obj CharCodeToUnicode.obj CMap.obj Decrypt.obj Dict.obj Error.obj FontEncodingTables.obj Function.obj Gfx.obj GfxFont.obj GfxState.obj GlobalParams.obj JArithmeticDecoder.obj JBIG2Stream.obj JPXStream.obj Lexer.obj Link.obj NameToCharCode.obj Object.obj Outline.obj OutputDev.obj Page.obj Parser.obj PDFDoc.obj PDFDocEncoding.obj PSOutputDev.obj PSTokenizer.obj SecurityHandler.obj Stream.obj UnicodeMap.obj XRef.obj pdftops.obj ..\fofi\fofi.lib ..\goo\Goo.lib shell32.lib user32.lib gdi32.lib advapi32.lib
99 %CXX% %LINKFLAGS% /Fepdftotext.exe Annot.obj Array.obj BuiltinFont.obj BuiltinFontTables.obj Catalog.obj CharCodeToUnicode.obj CMap.obj Decrypt.obj Dict.obj Error.obj FontEncodingTables.obj Function.obj Gfx.obj GfxFont.obj GfxState.obj GlobalParams.obj JArithmeticDecoder.obj JBIG2Stream.obj JPXStream.obj Lexer.obj Link.obj NameToCharCode.obj Object.obj Outline.obj OutputDev.obj Page.obj Parser.obj PDFDoc.obj PDFDocEncoding.obj PSTokenizer.obj SecurityHandler.obj Stream.obj TextOutputDev.obj UnicodeMap.obj UnicodeTypeTable.obj XRef.obj pdftotext.obj ..\fofi\fofi.lib ..\goo\Goo.lib shell32.lib user32.lib gdi32.lib advapi32.lib
100 @@ -82,37 +84,3 @@
102 cd ..
104 -rem --- This part will only work if you have FreeType installed ---
105 -
106 -set FT2DIR=..\freetype-2.3.1
107 -set CXXFLAGS=%CXXFLAGS% /I..\splash /I%FT2DIR%\include
108 -
109 -cd splash
110 -%CXX% %CXXFLAGS% /c Splash.cc
111 -%CXX% %CXXFLAGS% /c SplashBitmap.cc
112 -%CXX% %CXXFLAGS% /c SplashClip.cc
113 -%CXX% %CXXFLAGS% /c SplashFTFont.cc
114 -%CXX% %CXXFLAGS% /c SplashFTFontEngine.cc
115 -%CXX% %CXXFLAGS% /c SplashFTFontFile.cc
116 -%CXX% %CXXFLAGS% /c SplashFont.cc
117 -%CXX% %CXXFLAGS% /c SplashFontEngine.cc
118 -%CXX% %CXXFLAGS% /c SplashFontFile.cc
119 -%CXX% %CXXFLAGS% /c SplashFontFileID.cc
120 -%CXX% %CXXFLAGS% /c SplashPath.cc
121 -%CXX% %CXXFLAGS% /c SplashPattern.cc
122 -%CXX% %CXXFLAGS% /c SplashScreen.cc
123 -%CXX% %CXXFLAGS% /c SplashState.cc
124 -%CXX% %CXXFLAGS% /c SplashT1Font.cc
125 -%CXX% %CXXFLAGS% /c SplashT1FontEngine.cc
126 -%CXX% %CXXFLAGS% /c SplashT1FontFile.cc
127 -%CXX% %CXXFLAGS% /c SplashXPath.cc
128 -%CXX% %CXXFLAGS% /c SplashXPathScanner.cc
129 -%LIBPROG% /nologo /out:splash.lib Splash.obj SplashBitmap.obj SplashClip.obj SplashFTFont.obj SplashFTFontEngine.obj SplashFTFontFile.obj SplashFont.obj SplashFontEngine.obj SplashFontFile.obj SplashFontFileID.obj SplashPath.obj SplashPattern.obj SplashScreen.obj SplashState.obj SplashT1Font.obj SplashT1FontEngine.obj SplashT1FontFile.obj SplashXPath.obj SplashXPathScanner.obj
130 -
131 -cd ..\xpdf
132 -%CXX% %CXXFLAGS% /c SplashOutputDev.cc
133 -%CXX% %CXXFLAGS% /c pdftoppm.cc
134 -
135 -%CXX% %LINKFLAGS% /Fepdftoppm.exe Annot.obj Array.obj BuiltinFont.obj BuiltinFontTables.obj Catalog.obj CharCodeToUnicode.obj CMap.obj Decrypt.obj Dict.obj Error.obj FontEncodingTables.obj Function.obj Gfx.obj GfxFont.obj GfxState.obj GlobalParams.obj JArithmeticDecoder.obj JBIG2Stream.obj JPXStream.obj Lexer.obj Link.obj NameToCharCode.obj Object.obj Outline.obj OutputDev.obj Page.obj Parser.obj PDFDoc.obj PDFDocEncoding.obj PSTokenizer.obj SecurityHandler.obj SplashOutputDev.obj Stream.obj UnicodeMap.obj UnicodeTypeTable.obj XRef.obj pdftoppm.obj ..\splash\splash.lib ..\fofi\fofi.lib ..\goo\Goo.lib %FT2DIR%\freetype2.lib shell32.lib user32.lib gdi32.lib advapi32.lib
136 -
137 -cd ..
138 --- misc/xpdf-3.02/splash/SplashBitmap.cc 2007-02-27 23:05:52.000000000 +0100
139 +++ misc/build/xpdf-3.02/splash/SplashBitmap.cc 2009-11-10 11:43:54.912615507 +0100
140 @@ -11,6 +11,7 @@
141 #endif
143 #include <stdio.h>
144 +#include <limits.h>
145 #include "gmem.h"
146 #include "SplashErrorCodes.h"
147 #include "SplashBitmap.h"
148 @@ -27,30 +28,48 @@
149 mode = modeA;
150 switch (mode) {
151 case splashModeMono1:
152 - rowSize = (width + 7) >> 3;
153 + if (width > 0) {
154 + rowSize = (width + 7) >> 3;
155 + } else {
156 + rowSize = -1;
157 + }
158 break;
159 case splashModeMono8:
160 - rowSize = width;
161 + if (width > 0) {
162 + rowSize = width;
163 + } else {
164 + rowSize = -1;
165 + }
166 break;
167 case splashModeRGB8:
168 case splashModeBGR8:
169 - rowSize = width * 3;
170 + if (width > 0 && width <= INT_MAX / 3) {
171 + rowSize = width * 3;
172 + } else {
173 + rowSize = -1;
174 + }
175 break;
176 #if SPLASH_CMYK
177 case splashModeCMYK8:
178 - rowSize = width * 4;
179 + if (width > 0 && width <= INT_MAX / 4) {
180 + rowSize = width * 4;
181 + } else {
182 + rowSize = -1;
183 + }
184 break;
185 #endif
186 }
187 - rowSize += rowPad - 1;
188 - rowSize -= rowSize % rowPad;
189 - data = (SplashColorPtr)gmalloc(rowSize * height);
190 + if (rowSize > 0) {
191 + rowSize += rowPad - 1;
192 + rowSize -= rowSize % rowPad;
193 + }
194 + data = (SplashColorPtr)gmallocn(height, rowSize);
195 if (!topDown) {
196 data += (height - 1) * rowSize;
197 rowSize = -rowSize;
198 }
199 if (alphaA) {
200 - alpha = (Guchar *)gmalloc(width * height);
201 + alpha = (Guchar *)gmallocn(width, height);
202 } else {
203 alpha = NULL;
204 }
205 --- misc/xpdf-3.02/splash/Splash.cc 2007-02-27 23:05:52.000000000 +0100
206 +++ misc/build/xpdf-3.02/splash/Splash.cc 2009-11-10 11:43:54.894089400 +0100
207 @@ -12,6 +12,7 @@
209 #include <stdlib.h>
210 #include <string.h>
211 +#include <limits.h>
212 #include "gmem.h"
213 #include "SplashErrorCodes.h"
214 #include "SplashMath.h"
215 @@ -1912,7 +1913,10 @@
216 xq = w % scaledWidth;
218 // allocate pixel buffer
219 - pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
220 + if (yp < 0 || yp > INT_MAX - 1) {
221 + return splashErrBadArg;
222 + }
223 + pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
225 // initialize the pixel pipe
226 pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
227 @@ -2208,9 +2212,12 @@
228 xq = w % scaledWidth;
230 // allocate pixel buffers
231 - colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
232 + if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
233 + return splashErrBadArg;
234 + }
235 + colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
236 if (srcAlpha) {
237 - alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
238 + alphaBuf = (Guchar *)gmallocn(yp + 1, w);
239 } else {
240 alphaBuf = NULL;
241 }
242 --- misc/xpdf-3.02/splash/SplashErrorCodes.h 2007-02-27 23:05:52.000000000 +0100
243 +++ misc/build/xpdf-3.02/splash/SplashErrorCodes.h 2009-11-10 11:43:54.903536237 +0100
244 @@ -29,4 +29,6 @@
246 #define splashErrSingularMatrix 8 // matrix is singular
248 +#define splashErrBadArg 9 // bad argument
249 +
250 #endif
251 --- misc/xpdf-3.02/xpdf/JBIG2Stream.cc 2007-02-27 23:05:52.000000000 +0100
252 +++ misc/build/xpdf-3.02/xpdf/JBIG2Stream.cc 2009-11-10 11:43:10.393213949 +0100
253 @@ -422,12 +422,14 @@
254 table[i] = table[len];
256 // assign prefixes
257 - i = 0;
258 - prefix = 0;
259 - table[i++].prefix = prefix++;
260 - for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
261 - prefix <<= table[i].prefixLen - table[i-1].prefixLen;
262 - table[i].prefix = prefix++;
263 + if (table[0].rangeLen != jbig2HuffmanEOT) {
264 + i = 0;
265 + prefix = 0;
266 + table[i++].prefix = prefix++;
267 + for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
268 + prefix <<= table[i].prefixLen - table[i-1].prefixLen;
269 + table[i].prefix = prefix++;
270 + }
271 }
272 }
274 @@ -491,7 +493,7 @@
275 }
276 if (p->bits < 0) {
277 error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
278 - return 0;
279 + return EOF;
280 }
281 bufLen -= p->bits;
282 return p->n;
283 @@ -507,7 +509,7 @@
284 ++nBytesRead;
285 }
286 while (1) {
287 - if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
288 + if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
289 if (bufLen <= 12) {
290 code = buf << (12 - bufLen);
291 } else {
292 @@ -550,14 +552,15 @@
293 ++nBytesRead;
294 }
295 while (1) {
296 - if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
297 + if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
298 if (bufLen <= 13) {
299 code = buf << (13 - bufLen);
300 } else {
301 code = buf >> (bufLen - 13);
302 }
303 p = &blackTab1[code & 0x7f];
304 - } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) {
305 + } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 &&
306 + ((buf >> (bufLen - 6)) & 0x03) != 0) {
307 if (bufLen <= 12) {
308 code = buf << (12 - bufLen);
309 } else {
310 @@ -683,8 +686,9 @@
311 h = hA;
312 line = (wA + 7) >> 3;
313 if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
314 - data = NULL;
315 - return;
316 + // force a call to gmalloc(-1), which will throw an exception
317 + h = -1;
318 + line = 2;
319 }
320 // need to allocate one extra guard byte for use in combine()
321 data = (Guchar *)gmalloc(h * line + 1);
322 @@ -698,8 +702,9 @@
323 h = bitmap->h;
324 line = bitmap->line;
325 if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
326 - data = NULL;
327 - return;
328 + // force a call to gmalloc(-1), which will throw an exception
329 + h = -1;
330 + line = 2;
331 }
332 // need to allocate one extra guard byte for use in combine()
333 data = (Guchar *)gmalloc(h * line + 1);
334 @@ -754,6 +759,8 @@
335 inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
336 if (y < 0 || y >= h || x >= w) {
337 ptr->p = NULL;
338 + ptr->shift = 0; // make gcc happy
339 + ptr->x = 0; // make gcc happy
340 } else if (x < 0) {
341 ptr->p = &data[y * line];
342 ptr->shift = 7;
343 @@ -798,6 +805,10 @@
344 Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
345 GBool oneByte;
347 + // check for the pathological case where y = -2^31
348 + if (y < -0x7fffffff) {
349 + return;
350 + }
351 if (y < 0) {
352 y0 = -y;
353 } else {
354 @@ -1011,8 +1022,13 @@
355 JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA):
356 JBIG2Segment(segNumA)
357 {
358 + Guint i;
359 +
360 size = sizeA;
361 bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *));
362 + for (i = 0; i < size; ++i) {
363 + bitmaps[i] = NULL;
364 + }
365 genericRegionStats = NULL;
366 refinementRegionStats = NULL;
367 }
368 @@ -1021,7 +1037,9 @@
369 Guint i;
371 for (i = 0; i < size; ++i) {
372 - delete bitmaps[i];
373 + if (bitmaps[i]) {
374 + delete bitmaps[i];
375 + }
376 }
377 gfree(bitmaps);
378 if (genericRegionStats) {
379 @@ -1296,6 +1314,13 @@
380 goto eofError2;
381 }
383 + // check for missing page information segment
384 + if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
385 + (segType >= 20 && segType <= 43))) {
386 + error(getPos(), "First JBIG2 segment associated with a page must be a page information segment");
387 + goto syntaxError;
388 + }
389 +
390 // read the segment data
391 switch (segType) {
392 case 0:
393 @@ -1411,6 +1436,8 @@
394 Guint i, j, k;
395 Guchar *p;
397 + symWidths = NULL;
398 +
399 // symbol dictionary flags
400 if (!readUWord(&flags)) {
401 goto eofError;
402 @@ -1466,20 +1493,32 @@
403 codeTables = new GList();
404 numInputSyms = 0;
405 for (i = 0; i < nRefSegs; ++i) {
406 - seg = findSegment(refSegs[i]);
407 - if (seg->getType() == jbig2SegSymbolDict) {
408 - numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
409 - } else if (seg->getType() == jbig2SegCodeTable) {
410 - codeTables->append(seg);
411 + if ((seg = findSegment(refSegs[i]))) {
412 + if (seg->getType() == jbig2SegSymbolDict) {
413 + j = ((JBIG2SymbolDict *)seg)->getSize();
414 + if (numInputSyms > UINT_MAX - j) {
415 + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
416 + delete codeTables;
417 + goto eofError;
418 + }
419 + numInputSyms += j;
420 + } else if (seg->getType() == jbig2SegCodeTable) {
421 + codeTables->append(seg);
422 + }
423 }
424 }
425 + if (numInputSyms > UINT_MAX - numNewSyms) {
426 + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
427 + delete codeTables;
428 + goto eofError;
429 + }
431 // compute symbol code length
432 - symCodeLen = 0;
433 - i = 1;
434 - while (i < numInputSyms + numNewSyms) {
435 + symCodeLen = 1;
436 + i = (numInputSyms + numNewSyms) >> 1;
437 + while (i) {
438 ++symCodeLen;
439 - i <<= 1;
440 + i >>= 1;
441 }
443 // get the input symbol bitmaps
444 @@ -1491,11 +1530,12 @@
445 k = 0;
446 inputSymbolDict = NULL;
447 for (i = 0; i < nRefSegs; ++i) {
448 - seg = findSegment(refSegs[i]);
449 - if (seg->getType() == jbig2SegSymbolDict) {
450 - inputSymbolDict = (JBIG2SymbolDict *)seg;
451 - for (j = 0; j < inputSymbolDict->getSize(); ++j) {
452 - bitmaps[k++] = inputSymbolDict->getBitmap(j);
453 + if ((seg = findSegment(refSegs[i]))) {
454 + if (seg->getType() == jbig2SegSymbolDict) {
455 + inputSymbolDict = (JBIG2SymbolDict *)seg;
456 + for (j = 0; j < inputSymbolDict->getSize(); ++j) {
457 + bitmaps[k++] = inputSymbolDict->getBitmap(j);
458 + }
459 }
460 }
461 }
462 @@ -1510,6 +1550,9 @@
463 } else if (huffDH == 1) {
464 huffDHTable = huffTableE;
465 } else {
466 + if (i >= (Guint)codeTables->getLength()) {
467 + goto codeTableError;
468 + }
469 huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
470 }
471 if (huffDW == 0) {
472 @@ -1517,17 +1560,26 @@
473 } else if (huffDW == 1) {
474 huffDWTable = huffTableC;
475 } else {
476 + if (i >= (Guint)codeTables->getLength()) {
477 + goto codeTableError;
478 + }
479 huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
480 }
481 if (huffBMSize == 0) {
482 huffBMSizeTable = huffTableA;
483 } else {
484 + if (i >= (Guint)codeTables->getLength()) {
485 + goto codeTableError;
486 + }
487 huffBMSizeTable =
488 ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
489 }
490 if (huffAggInst == 0) {
491 huffAggInstTable = huffTableA;
492 } else {
493 + if (i >= (Guint)codeTables->getLength()) {
494 + goto codeTableError;
495 + }
496 huffAggInstTable =
497 ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
498 }
499 @@ -1560,7 +1612,6 @@
500 }
502 // allocate symbol widths storage
503 - symWidths = NULL;
504 if (huff && !refAgg) {
505 symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
506 }
507 @@ -1602,6 +1653,10 @@
508 goto syntaxError;
509 }
510 symWidth += dw;
511 + if (i >= numNewSyms) {
512 + error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
513 + goto syntaxError;
514 + }
516 // using a collective bitmap, so don't read a bitmap here
517 if (huff && !refAgg) {
518 @@ -1638,6 +1693,10 @@
519 arithDecoder->decodeInt(&refDX, iardxStats);
520 arithDecoder->decodeInt(&refDY, iardyStats);
521 }
522 + if (symID >= numInputSyms + i) {
523 + error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
524 + goto syntaxError;
525 + }
526 refBitmap = bitmaps[symID];
527 bitmaps[numInputSyms + i] =
528 readGenericRefinementRegion(symWidth, symHeight,
529 @@ -1704,6 +1763,12 @@
530 } else {
531 arithDecoder->decodeInt(&run, iaexStats);
532 }
533 + if (i + run > numInputSyms + numNewSyms ||
534 + (ex && j + run > numExSyms)) {
535 + error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
536 + delete symbolDict;
537 + goto syntaxError;
538 + }
539 if (ex) {
540 for (cnt = 0; cnt < run; ++cnt) {
541 symbolDict->setBitmap(j++, bitmaps[i++]->copy());
542 @@ -1713,6 +1778,11 @@
543 }
544 ex = !ex;
545 }
546 + if (j != numExSyms) {
547 + error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
548 + delete symbolDict;
549 + goto syntaxError;
550 + }
552 for (i = 0; i < numNewSyms; ++i) {
553 delete bitmaps[numInputSyms + i];
554 @@ -1735,6 +1805,10 @@
556 return gTrue;
558 + codeTableError:
559 + error(getPos(), "Missing code table in JBIG2 symbol dictionary");
560 + delete codeTables;
561 +
562 syntaxError:
563 for (i = 0; i < numNewSyms; ++i) {
564 if (bitmaps[numInputSyms + i]) {
565 @@ -1837,6 +1911,8 @@
566 }
567 } else {
568 error(getPos(), "Invalid segment reference in JBIG2 text region");
569 + delete codeTables;
570 + return;
571 }
572 }
573 symCodeLen = 0;
574 @@ -1871,6 +1947,9 @@
575 } else if (huffFS == 1) {
576 huffFSTable = huffTableG;
577 } else {
578 + if (i >= (Guint)codeTables->getLength()) {
579 + goto codeTableError;
580 + }
581 huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
582 }
583 if (huffDS == 0) {
584 @@ -1880,6 +1959,9 @@
585 } else if (huffDS == 2) {
586 huffDSTable = huffTableJ;
587 } else {
588 + if (i >= (Guint)codeTables->getLength()) {
589 + goto codeTableError;
590 + }
591 huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
592 }
593 if (huffDT == 0) {
594 @@ -1889,6 +1971,9 @@
595 } else if (huffDT == 2) {
596 huffDTTable = huffTableM;
597 } else {
598 + if (i >= (Guint)codeTables->getLength()) {
599 + goto codeTableError;
600 + }
601 huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
602 }
603 if (huffRDW == 0) {
604 @@ -1896,6 +1981,9 @@
605 } else if (huffRDW == 1) {
606 huffRDWTable = huffTableO;
607 } else {
608 + if (i >= (Guint)codeTables->getLength()) {
609 + goto codeTableError;
610 + }
611 huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
612 }
613 if (huffRDH == 0) {
614 @@ -1903,6 +1991,9 @@
615 } else if (huffRDH == 1) {
616 huffRDHTable = huffTableO;
617 } else {
618 + if (i >= (Guint)codeTables->getLength()) {
619 + goto codeTableError;
620 + }
621 huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
622 }
623 if (huffRDX == 0) {
624 @@ -1910,6 +2001,9 @@
625 } else if (huffRDX == 1) {
626 huffRDXTable = huffTableO;
627 } else {
628 + if (i >= (Guint)codeTables->getLength()) {
629 + goto codeTableError;
630 + }
631 huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
632 }
633 if (huffRDY == 0) {
634 @@ -1917,11 +2011,17 @@
635 } else if (huffRDY == 1) {
636 huffRDYTable = huffTableO;
637 } else {
638 + if (i >= (Guint)codeTables->getLength()) {
639 + goto codeTableError;
640 + }
641 huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
642 }
643 if (huffRSize == 0) {
644 huffRSizeTable = huffTableA;
645 } else {
646 + if (i >= (Guint)codeTables->getLength()) {
647 + goto codeTableError;
648 + }
649 huffRSizeTable =
650 ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
651 }
652 @@ -2016,8 +2116,15 @@
654 return;
656 + codeTableError:
657 + error(getPos(), "Missing code table in JBIG2 text region");
658 + gfree(codeTables);
659 + delete syms;
660 + return;
661 +
662 eofError:
663 error(getPos(), "Unexpected EOF in JBIG2 stream");
664 + return;
665 }
667 JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
668 @@ -2324,8 +2431,8 @@
669 error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
670 return;
671 }
672 - seg = findSegment(refSegs[0]);
673 - if (seg->getType() != jbig2SegPatternDict) {
674 + if (!(seg = findSegment(refSegs[0])) ||
675 + seg->getType() != jbig2SegPatternDict) {
676 error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
677 return;
678 }
679 @@ -2483,7 +2590,7 @@
681 // read the bitmap
682 bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
683 - NULL, atx, aty, mmr ? 0 : length - 18);
684 + NULL, atx, aty, mmr ? length - 18 : 0);
686 // combine the region bitmap into the page bitmap
687 if (imm) {
688 @@ -2505,6 +2612,43 @@
689 error(getPos(), "Unexpected EOF in JBIG2 stream");
690 }
692 +inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels,
693 + int *codingLine, int *a0i, int w) {
694 + if (a1 > codingLine[*a0i]) {
695 + if (a1 > w) {
696 + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
697 + a1 = w;
698 + }
699 + if ((*a0i & 1) ^ blackPixels) {
700 + ++*a0i;
701 + }
702 + codingLine[*a0i] = a1;
703 + }
704 +}
705 +
706 +inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels,
707 + int *codingLine, int *a0i, int w) {
708 + if (a1 > codingLine[*a0i]) {
709 + if (a1 > w) {
710 + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);
711 + a1 = w;
712 + }
713 + if ((*a0i & 1) ^ blackPixels) {
714 + ++*a0i;
715 + }
716 + codingLine[*a0i] = a1;
717 + } else if (a1 < codingLine[*a0i]) {
718 + if (a1 < 0) {
719 + error(getPos(), "Invalid JBIG2 MMR code");
720 + a1 = 0;
721 + }
722 + while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) {
723 + --*a0i;
724 + }
725 + codingLine[*a0i] = a1;
726 + }
727 +}
728 +
729 JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h,
730 int templ, GBool tpgdOn,
731 GBool useSkip, JBIG2Bitmap *skip,
732 @@ -2517,7 +2661,7 @@
733 JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3;
734 int *refLine, *codingLine;
735 int code1, code2, code3;
736 - int x, y, a0, pix, i, refI, codingI;
737 + int x, y, a0i, b1i, blackPixels, pix, i;
739 bitmap = new JBIG2Bitmap(0, w, h);
740 bitmap->clearToZero();
741 @@ -2527,9 +2671,18 @@
742 if (mmr) {
744 mmrDecoder->reset();
745 + if (w > INT_MAX - 2) {
746 + error(getPos(), "Bad width in JBIG2 generic bitmap");
747 + // force a call to gmalloc(-1), which will throw an exception
748 + w = -3;
749 + }
750 + // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w
751 + // ---> max codingLine size = w + 1
752 + // refLine has one extra guard entry at the end
753 + // ---> max refLine size = w + 2
754 + codingLine = (int *)gmallocn(w + 1, sizeof(int));
755 refLine = (int *)gmallocn(w + 2, sizeof(int));
756 - codingLine = (int *)gmallocn(w + 2, sizeof(int));
757 - codingLine[0] = codingLine[1] = w;
758 + codingLine[0] = w;
760 for (y = 0; y < h; ++y) {
762 @@ -2537,128 +2690,157 @@
763 for (i = 0; codingLine[i] < w; ++i) {
764 refLine[i] = codingLine[i];
765 }
766 - refLine[i] = refLine[i + 1] = w;
767 + refLine[i++] = w;
768 + refLine[i] = w;
770 // decode a line
771 - refI = 0; // b1 = refLine[refI]
772 - codingI = 0; // a1 = codingLine[codingI]
773 - a0 = 0;
774 - do {
775 + codingLine[0] = 0;
776 + a0i = 0;
777 + b1i = 0;
778 + blackPixels = 0;
779 + // invariant:
780 + // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w
781 + // exception at left edge:
782 + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
783 + // exception at right edge:
784 + // refLine[b1i] = refLine[b1i+1] = w is possible
785 + while (codingLine[a0i] < w) {
786 code1 = mmrDecoder->get2DCode();
787 switch (code1) {
788 case twoDimPass:
789 - if (refLine[refI] < w) {
790 - a0 = refLine[refI + 1];
791 - refI += 2;
792 - }
793 - break;
794 + mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w);
795 + if (refLine[b1i + 1] < w) {
796 + b1i += 2;
797 + }
798 + break;
799 case twoDimHoriz:
800 - if (codingI & 1) {
801 - code1 = 0;
802 - do {
803 - code1 += code3 = mmrDecoder->getBlackCode();
804 - } while (code3 >= 64);
805 - code2 = 0;
806 - do {
807 - code2 += code3 = mmrDecoder->getWhiteCode();
808 - } while (code3 >= 64);
809 - } else {
810 - code1 = 0;
811 - do {
812 - code1 += code3 = mmrDecoder->getWhiteCode();
813 - } while (code3 >= 64);
814 - code2 = 0;
815 - do {
816 - code2 += code3 = mmrDecoder->getBlackCode();
817 - } while (code3 >= 64);
818 - }
819 - if (code1 > 0 || code2 > 0) {
820 - a0 = codingLine[codingI++] = a0 + code1;
821 - a0 = codingLine[codingI++] = a0 + code2;
822 - while (refLine[refI] <= a0 && refLine[refI] < w) {
823 - refI += 2;
824 - }
825 - }
826 - break;
827 - case twoDimVert0:
828 - a0 = codingLine[codingI++] = refLine[refI];
829 - if (refLine[refI] < w) {
830 - ++refI;
831 - }
832 - break;
833 - case twoDimVertR1:
834 - a0 = codingLine[codingI++] = refLine[refI] + 1;
835 - if (refLine[refI] < w) {
836 - ++refI;
837 - while (refLine[refI] <= a0 && refLine[refI] < w) {
838 - refI += 2;
839 - }
840 - }
841 - break;
842 - case twoDimVertR2:
843 - a0 = codingLine[codingI++] = refLine[refI] + 2;
844 - if (refLine[refI] < w) {
845 - ++refI;
846 - while (refLine[refI] <= a0 && refLine[refI] < w) {
847 - refI += 2;
848 - }
849 - }
850 - break;
851 + code1 = code2 = 0;
852 + if (blackPixels) {
853 + do {
854 + code1 += code3 = mmrDecoder->getBlackCode();
855 + } while (code3 >= 64);
856 + do {
857 + code2 += code3 = mmrDecoder->getWhiteCode();
858 + } while (code3 >= 64);
859 + } else {
860 + do {
861 + code1 += code3 = mmrDecoder->getWhiteCode();
862 + } while (code3 >= 64);
863 + do {
864 + code2 += code3 = mmrDecoder->getBlackCode();
865 + } while (code3 >= 64);
866 + }
867 + mmrAddPixels(codingLine[a0i] + code1, blackPixels,
868 + codingLine, &a0i, w);
869 + if (codingLine[a0i] < w) {
870 + mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1,
871 + codingLine, &a0i, w);
872 + }
873 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
874 + b1i += 2;
875 + }
876 + break;
877 case twoDimVertR3:
878 - a0 = codingLine[codingI++] = refLine[refI] + 3;
879 - if (refLine[refI] < w) {
880 - ++refI;
881 - while (refLine[refI] <= a0 && refLine[refI] < w) {
882 - refI += 2;
883 - }
884 - }
885 - break;
886 - case twoDimVertL1:
887 - a0 = codingLine[codingI++] = refLine[refI] - 1;
888 - if (refI > 0) {
889 - --refI;
890 - } else {
891 - ++refI;
892 - }
893 - while (refLine[refI] <= a0 && refLine[refI] < w) {
894 - refI += 2;
895 - }
896 - break;
897 - case twoDimVertL2:
898 - a0 = codingLine[codingI++] = refLine[refI] - 2;
899 - if (refI > 0) {
900 - --refI;
901 - } else {
902 - ++refI;
903 - }
904 - while (refLine[refI] <= a0 && refLine[refI] < w) {
905 - refI += 2;
906 - }
907 - break;
908 + mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w);
909 + blackPixels ^= 1;
910 + if (codingLine[a0i] < w) {
911 + ++b1i;
912 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
913 + b1i += 2;
914 + }
915 + }
916 + break;
917 + case twoDimVertR2:
918 + mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w);
919 + blackPixels ^= 1;
920 + if (codingLine[a0i] < w) {
921 + ++b1i;
922 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
923 + b1i += 2;
924 + }
925 + }
926 + break;
927 + case twoDimVertR1:
928 + mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w);
929 + blackPixels ^= 1;
930 + if (codingLine[a0i] < w) {
931 + ++b1i;
932 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
933 + b1i += 2;
934 + }
935 + }
936 + break;
937 + case twoDimVert0:
938 + mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w);
939 + blackPixels ^= 1;
940 + if (codingLine[a0i] < w) {
941 + ++b1i;
942 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
943 + b1i += 2;
944 + }
945 + }
946 + break;
947 case twoDimVertL3:
948 - a0 = codingLine[codingI++] = refLine[refI] - 3;
949 - if (refI > 0) {
950 - --refI;
951 - } else {
952 - ++refI;
953 - }
954 - while (refLine[refI] <= a0 && refLine[refI] < w) {
955 - refI += 2;
956 - }
957 - break;
958 + mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w);
959 + blackPixels ^= 1;
960 + if (codingLine[a0i] < w) {
961 + if (b1i > 0) {
962 + --b1i;
963 + } else {
964 + ++b1i;
965 + }
966 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
967 + b1i += 2;
968 + }
969 + }
970 + break;
971 + case twoDimVertL2:
972 + mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w);
973 + blackPixels ^= 1;
974 + if (codingLine[a0i] < w) {
975 + if (b1i > 0) {
976 + --b1i;
977 + } else {
978 + ++b1i;
979 + }
980 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
981 + b1i += 2;
982 + }
983 + }
984 + break;
985 + case twoDimVertL1:
986 + mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w);
987 + blackPixels ^= 1;
988 + if (codingLine[a0i] < w) {
989 + if (b1i > 0) {
990 + --b1i;
991 + } else {
992 + ++b1i;
993 + }
994 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) {
995 + b1i += 2;
996 + }
997 + }
998 + break;
999 + case EOF:
1000 + mmrAddPixels(w, 0, codingLine, &a0i, w);
1001 + break;
1002 default:
1003 error(getPos(), "Illegal code in JBIG2 MMR bitmap data");
1004 + mmrAddPixels(w, 0, codingLine, &a0i, w);
1005 break;
1006 }
1007 - } while (a0 < w);
1008 - codingLine[codingI++] = w;
1009 + }
1011 // convert the run lengths to a bitmap line
1012 i = 0;
1013 - while (codingLine[i] < w) {
1014 + while (1) {
1015 for (x = codingLine[i]; x < codingLine[i+1]; ++x) {
1016 bitmap->setPixel(x, y);
1017 }
1018 + if (codingLine[i+1] >= w || codingLine[i+2] >= w) {
1019 + break;
1020 + }
1021 i += 2;
1022 }
1023 }
1024 @@ -2706,7 +2888,9 @@
1025 ltp = !ltp;
1026 }
1027 if (ltp) {
1028 - bitmap->duplicateRow(y, y-1);
1029 + if (y > 0) {
1030 + bitmap->duplicateRow(y, y-1);
1031 + }
1032 continue;
1033 }
1034 }
1035 @@ -2909,8 +3093,8 @@
1036 return;
1037 }
1038 if (nRefSegs == 1) {
1039 - seg = findSegment(refSegs[0]);
1040 - if (seg->getType() != jbig2SegBitmap) {
1041 + if (!(seg = findSegment(refSegs[0])) ||
1042 + seg->getType() != jbig2SegBitmap) {
1043 error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
1044 return;
1045 }
1046 @@ -3004,6 +3188,10 @@
1047 tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
1048 tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
1049 tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
1050 + } else {
1051 + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
1052 + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
1053 + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
1054 }
1056 for (x = 0; x < w; ++x) {
1057 @@ -3075,6 +3263,10 @@
1058 tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
1059 tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
1060 tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
1061 + } else {
1062 + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
1063 + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
1064 + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
1065 }
1067 for (x = 0; x < w; ++x) {
1068 --- misc/xpdf-3.02/xpdf/JBIG2Stream.h 2007-02-27 23:05:52.000000000 +0100
1069 +++ misc/build/xpdf-3.02/xpdf/JBIG2Stream.h 2009-11-10 11:43:10.400610529 +0100
1070 @@ -78,6 +78,10 @@
1071 Guint *refSegs, Guint nRefSegs);
1072 void readGenericRegionSeg(Guint segNum, GBool imm,
1073 GBool lossless, Guint length);
1074 + void mmrAddPixels(int a1, int blackPixels,
1075 + int *codingLine, int *a0i, int w);
1076 + void mmrAddPixelsNeg(int a1, int blackPixels,
1077 + int *codingLine, int *a0i, int w);
1078 JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h,
1079 int templ, GBool tpgdOn,
1080 GBool useSkip, JBIG2Bitmap *skip,
1081 --- misc/xpdf-3.02/xpdf/Makefile.in 2007-02-27 23:05:52.000000000 +0100
1082 +++ misc/build/xpdf-3.02/xpdf/Makefile.in 2009-11-10 11:43:10.407182402 +0100
1083 @@ -20,6 +20,8 @@
1084 SPLASHLIBDIR = ../splash
1086 CXXFLAGS = @CXXFLAGS@ @DEFS@ -I.. -I$(GOOSRCDIR) -I$(FOFISRCDIR) -I$(SPLASHSRCDIR) -I$(srcdir) @freetype2_CFLAGS@ @Sgm_CFLAGS@ @Xm_CFLAGS@ @Xt_CFLAGS@ @Xp_CFLAGS@ @Xext_CFLAGS@ @Xpm_CFLAGS@ @t1_CFLAGS@ @libpaper_CFLAGS@ @X_CFLAGS@
1087 +AR = @AR@
1088 +RANLIB = @RANLIB@
1090 LDFLAGS = @LDFLAGS@
1092 @@ -107,10 +109,27 @@
1093 #------------------------------------------------------------------------
1095 all: xpdf$(EXE) pdftops$(EXE) pdftotext$(EXE) pdfinfo$(EXE) \
1096 - pdffonts$(EXE) pdftoppm$(EXE) pdfimages$(EXE)
1097 + pdffonts$(EXE) pdftoppm$(EXE) pdfimages$(EXE) $(LIBPREFIX)xpdf.a
1099 all-no-x: pdftops$(EXE) pdftotext$(EXE) pdfinfo$(EXE) pdffonts$(EXE) \
1100 - pdfimages$(EXE)
1101 + pdfimages$(EXE) $(LIBPREFIX)xpdf.a
1102 +
1103 +#------------------------------------------------------------------------
1104 +
1105 +XPDFLIB_OBJS = Annot.o Array.o BuiltinFont.o BuiltinFontTables.o Catalog.o \
1106 + CharCodeToUnicode.o CMap.o Decrypt.o Dict.o \
1107 + Error.o FontEncodingTables.o Function.o Gfx.o GfxFont.o \
1108 + GfxState.o GlobalParams.o JArithmeticDecoder.o JBIG2Stream.o \
1109 + JPXStream.o Lexer.o Link.o NameToCharCode.o Object.o Outline.o \
1110 + OutputDev.o Page.o Parser.o PDFCore.o PDFDoc.o PDFDocEncoding.o \
1111 + PSTokenizer.o SecurityHandler.o \
1112 + Stream.o UnicodeMap.o \
1113 + UnicodeTypeTable.o XRef.o
1114 +
1115 +$(LIBPREFIX)xpdf.a: $(XPDFLIB_OBJS)
1116 + rm -f $(LIBPREFIX)xpdf.a
1117 + $(AR) $(LIBPREFIX)xpdf.a $(XPDFLIB_OBJS)
1118 + $(RANLIB) $(LIBPREFIX)xpdf.a
1120 #------------------------------------------------------------------------
1122 --- misc/xpdf-3.02/xpdf/PSOutputDev.cc 2007-02-27 23:05:52.000000000 +0100
1123 +++ misc/build/xpdf-3.02/xpdf/PSOutputDev.cc 2009-11-10 11:43:54.879574544 +0100
1124 @@ -4301,7 +4301,7 @@
1125 width, -height, height);
1127 // allocate a line buffer
1128 - lineBuf = (Guchar *)gmalloc(4 * width);
1129 + lineBuf = (Guchar *)gmallocn(width, 4);
1131 // set up to process the data stream
1132 imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
1133 --- misc/xpdf-3.02/xpdf/Stream.cc 2007-02-27 23:05:52.000000000 +0100
1134 +++ misc/build/xpdf-3.02/xpdf/Stream.cc 2009-11-10 11:43:54.863071127 +0100
1135 @@ -323,6 +323,10 @@
1136 } else {
1137 imgLineSize = nVals;
1138 }
1139 + if (width > INT_MAX / nComps) {
1140 + // force a call to gmallocn(-1,...), which will throw an exception
1141 + imgLineSize = -1;
1142 + }
1143 imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
1144 imgIdx = nVals;
1145 }
1146 @@ -410,15 +414,13 @@
1147 ok = gFalse;
1149 nVals = width * nComps;
1150 - if (width <= 0 || nComps <= 0 || nBits <= 0 ||
1151 - nComps >= INT_MAX / nBits ||
1152 - width >= INT_MAX / nComps / nBits ||
1153 - nVals * nBits + 7 < 0) {
1154 - return;
1155 - }
1156 pixBytes = (nComps * nBits + 7) >> 3;
1157 rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
1158 - if (rowBytes <= 0) {
1159 + if (width <= 0 || nComps <= 0 || nBits <= 0 ||
1160 + nComps > gfxColorMaxComps ||
1161 + nBits > 16 ||
1162 + width >= INT_MAX / nComps || // check for overflow in nVals
1163 + nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
1164 return;
1165 }
1166 predLine = (Guchar *)gmalloc(rowBytes);
1167 @@ -1245,23 +1247,26 @@
1168 columns = columnsA;
1169 if (columns < 1) {
1170 columns = 1;
1171 - }
1172 - if (columns + 4 <= 0) {
1173 - columns = INT_MAX - 4;
1174 + } else if (columns > INT_MAX - 2) {
1175 + columns = INT_MAX - 2;
1176 }
1177 rows = rowsA;
1178 endOfBlock = endOfBlockA;
1179 black = blackA;
1180 - refLine = (short *)gmallocn(columns + 3, sizeof(short));
1181 - codingLine = (short *)gmallocn(columns + 2, sizeof(short));
1182 + // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
1183 + // ---> max codingLine size = columns + 1
1184 + // refLine has one extra guard entry at the end
1185 + // ---> max refLine size = columns + 2
1186 + codingLine = (int *)gmallocn(columns + 1, sizeof(int));
1187 + refLine = (int *)gmallocn(columns + 2, sizeof(int));
1189 eof = gFalse;
1190 row = 0;
1191 nextLine2D = encoding < 0;
1192 inputBits = 0;
1193 - codingLine[0] = 0;
1194 - codingLine[1] = refLine[2] = columns;
1195 - a0 = 1;
1196 + codingLine[0] = columns;
1197 + a0i = 0;
1198 + outputBits = 0;
1200 buf = EOF;
1201 }
1202 @@ -1280,9 +1285,9 @@
1203 row = 0;
1204 nextLine2D = encoding < 0;
1205 inputBits = 0;
1206 - codingLine[0] = 0;
1207 - codingLine[1] = columns;
1208 - a0 = 1;
1209 + codingLine[0] = columns;
1210 + a0i = 0;
1211 + outputBits = 0;
1212 buf = EOF;
1214 // skip any initial zero bits and end-of-line marker, and get the 2D
1215 @@ -1299,211 +1304,230 @@
1216 }
1217 }
1219 +inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
1220 + if (a1 > codingLine[a0i]) {
1221 + if (a1 > columns) {
1222 + error(getPos(), "CCITTFax row is wrong length (%d)", a1);
1223 + err = gTrue;
1224 + a1 = columns;
1225 + }
1226 + if ((a0i & 1) ^ blackPixels) {
1227 + ++a0i;
1228 + }
1229 + codingLine[a0i] = a1;
1230 + }
1231 +}
1232 +
1233 +inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
1234 + if (a1 > codingLine[a0i]) {
1235 + if (a1 > columns) {
1236 + error(getPos(), "CCITTFax row is wrong length (%d)", a1);
1237 + err = gTrue;
1238 + a1 = columns;
1239 + }
1240 + if ((a0i & 1) ^ blackPixels) {
1241 + ++a0i;
1242 + }
1243 + codingLine[a0i] = a1;
1244 + } else if (a1 < codingLine[a0i]) {
1245 + if (a1 < 0) {
1246 + error(getPos(), "Invalid CCITTFax code");
1247 + err = gTrue;
1248 + a1 = 0;
1249 + }
1250 + while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
1251 + --a0i;
1252 + }
1253 + codingLine[a0i] = a1;
1254 + }
1255 +}
1256 +
1257 int CCITTFaxStream::lookChar() {
1258 short code1, code2, code3;
1259 - int a0New;
1260 - GBool err, gotEOL;
1261 - int ret;
1262 - int bits, i;
1263 + int b1i, blackPixels, i, bits;
1264 + GBool gotEOL;
1266 - // if at eof just return EOF
1267 - if (eof && codingLine[a0] >= columns) {
1268 - return EOF;
1269 + if (buf != EOF) {
1270 + return buf;
1271 }
1273 // read the next row
1274 - err = gFalse;
1275 - if (codingLine[a0] >= columns) {
1276 + if (outputBits == 0) {
1277 +
1278 + // if at eof just return EOF
1279 + if (eof) {
1280 + return EOF;
1281 + }
1282 +
1283 + err = gFalse;
1285 // 2-D encoding
1286 if (nextLine2D) {
1287 - // state:
1288 - // a0New = current position in coding line (0 <= a0New <= columns)
1289 - // codingLine[a0] = last change in coding line
1290 - // (black-to-white if a0 is even,
1291 - // white-to-black if a0 is odd)
1292 - // refLine[b1] = next change in reference line of opposite color
1293 - // to a0
1294 - // invariants:
1295 - // 0 <= codingLine[a0] <= a0New
1296 - // <= refLine[b1] <= refLine[b1+1] <= columns
1297 - // 0 <= a0 <= columns+1
1298 - // refLine[0] = 0
1299 - // refLine[n] = refLine[n+1] = columns
1300 - // -- for some 1 <= n <= columns+1
1301 - // end condition:
1302 - // 0 = codingLine[0] <= codingLine[1] < codingLine[2] < ...
1303 - // < codingLine[n-1] < codingLine[n] = columns
1304 - // -- where 1 <= n <= columns+1
1305 for (i = 0; codingLine[i] < columns; ++i) {
1306 refLine[i] = codingLine[i];
1307 }
1308 - refLine[i] = refLine[i + 1] = columns;
1309 - b1 = 1;
1310 - a0New = codingLine[a0 = 0] = 0;
1311 - do {
1312 + refLine[i++] = columns;
1313 + refLine[i] = columns;
1314 + codingLine[0] = 0;
1315 + a0i = 0;
1316 + b1i = 0;
1317 + blackPixels = 0;
1318 + // invariant:
1319 + // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
1320 + // <= columns
1321 + // exception at left edge:
1322 + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
1323 + // exception at right edge:
1324 + // refLine[b1i] = refLine[b1i+1] = columns is possible
1325 + while (codingLine[a0i] < columns) {
1326 code1 = getTwoDimCode();
1327 switch (code1) {
1328 case twoDimPass:
1329 - if (refLine[b1] < columns) {
1330 - a0New = refLine[b1 + 1];
1331 - b1 += 2;
1332 + addPixels(refLine[b1i + 1], blackPixels);
1333 + if (refLine[b1i + 1] < columns) {
1334 + b1i += 2;
1335 }
1336 break;
1337 case twoDimHoriz:
1338 - if ((a0 & 1) == 0) {
1339 - code1 = code2 = 0;
1340 + code1 = code2 = 0;
1341 + if (blackPixels) {
1342 do {
1343 - code1 += code3 = getWhiteCode();
1344 + code1 += code3 = getBlackCode();
1345 } while (code3 >= 64);
1346 do {
1347 - code2 += code3 = getBlackCode();
1348 + code2 += code3 = getWhiteCode();
1349 } while (code3 >= 64);
1350 } else {
1351 - code1 = code2 = 0;
1352 do {
1353 - code1 += code3 = getBlackCode();
1354 + code1 += code3 = getWhiteCode();
1355 } while (code3 >= 64);
1356 do {
1357 - code2 += code3 = getWhiteCode();
1358 + code2 += code3 = getBlackCode();
1359 } while (code3 >= 64);
1360 }
1361 - if (code1 > 0 || code2 > 0) {
1362 - if (a0New + code1 <= columns) {
1363 - codingLine[a0 + 1] = a0New + code1;
1364 - } else {
1365 - codingLine[a0 + 1] = columns;
1366 - }
1367 - ++a0;
1368 - if (codingLine[a0] + code2 <= columns) {
1369 - codingLine[a0 + 1] = codingLine[a0] + code2;
1370 - } else {
1371 - codingLine[a0 + 1] = columns;
1372 - }
1373 - ++a0;
1374 - a0New = codingLine[a0];
1375 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1376 - b1 += 2;
1377 + addPixels(codingLine[a0i] + code1, blackPixels);
1378 + if (codingLine[a0i] < columns) {
1379 + addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
1380 + }
1381 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1382 + b1i += 2;
1383 + }
1384 + break;
1385 + case twoDimVertR3:
1386 + addPixels(refLine[b1i] + 3, blackPixels);
1387 + blackPixels ^= 1;
1388 + if (codingLine[a0i] < columns) {
1389 + ++b1i;
1390 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1391 + b1i += 2;
1392 }
1393 }
1394 break;
1395 - case twoDimVert0:
1396 - if (refLine[b1] < columns) {
1397 - a0New = codingLine[++a0] = refLine[b1];
1398 - ++b1;
1399 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1400 - b1 += 2;
1401 + case twoDimVertR2:
1402 + addPixels(refLine[b1i] + 2, blackPixels);
1403 + blackPixels ^= 1;
1404 + if (codingLine[a0i] < columns) {
1405 + ++b1i;
1406 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1407 + b1i += 2;
1408 }
1409 - } else {
1410 - a0New = codingLine[++a0] = columns;
1411 }
1412 break;
1413 case twoDimVertR1:
1414 - if (refLine[b1] + 1 < columns) {
1415 - a0New = codingLine[++a0] = refLine[b1] + 1;
1416 - ++b1;
1417 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1418 - b1 += 2;
1419 + addPixels(refLine[b1i] + 1, blackPixels);
1420 + blackPixels ^= 1;
1421 + if (codingLine[a0i] < columns) {
1422 + ++b1i;
1423 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1424 + b1i += 2;
1425 }
1426 - } else {
1427 - a0New = codingLine[++a0] = columns;
1428 }
1429 break;
1430 - case twoDimVertL1:
1431 - if (refLine[b1] - 1 > a0New || (a0 == 0 && refLine[b1] == 1)) {
1432 - a0New = codingLine[++a0] = refLine[b1] - 1;
1433 - --b1;
1434 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1435 - b1 += 2;
1436 + case twoDimVert0:
1437 + addPixels(refLine[b1i], blackPixels);
1438 + blackPixels ^= 1;
1439 + if (codingLine[a0i] < columns) {
1440 + ++b1i;
1441 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1442 + b1i += 2;
1443 }
1444 }
1445 break;
1446 - case twoDimVertR2:
1447 - if (refLine[b1] + 2 < columns) {
1448 - a0New = codingLine[++a0] = refLine[b1] + 2;
1449 - ++b1;
1450 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1451 - b1 += 2;
1452 + case twoDimVertL3:
1453 + addPixelsNeg(refLine[b1i] - 3, blackPixels);
1454 + blackPixels ^= 1;
1455 + if (codingLine[a0i] < columns) {
1456 + if (b1i > 0) {
1457 + --b1i;
1458 + } else {
1459 + ++b1i;
1460 + }
1461 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1462 + b1i += 2;
1463 }
1464 - } else {
1465 - a0New = codingLine[++a0] = columns;
1466 }
1467 break;
1468 case twoDimVertL2:
1469 - if (refLine[b1] - 2 > a0New || (a0 == 0 && refLine[b1] == 2)) {
1470 - a0New = codingLine[++a0] = refLine[b1] - 2;
1471 - --b1;
1472 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1473 - b1 += 2;
1474 + addPixelsNeg(refLine[b1i] - 2, blackPixels);
1475 + blackPixels ^= 1;
1476 + if (codingLine[a0i] < columns) {
1477 + if (b1i > 0) {
1478 + --b1i;
1479 + } else {
1480 + ++b1i;
1481 }
1482 - }
1483 - break;
1484 - case twoDimVertR3:
1485 - if (refLine[b1] + 3 < columns) {
1486 - a0New = codingLine[++a0] = refLine[b1] + 3;
1487 - ++b1;
1488 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1489 - b1 += 2;
1490 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1491 + b1i += 2;
1492 }
1493 - } else {
1494 - a0New = codingLine[++a0] = columns;
1495 }
1496 break;
1497 - case twoDimVertL3:
1498 - if (refLine[b1] - 3 > a0New || (a0 == 0 && refLine[b1] == 3)) {
1499 - a0New = codingLine[++a0] = refLine[b1] - 3;
1500 - --b1;
1501 - while (refLine[b1] <= a0New && refLine[b1] < columns) {
1502 - b1 += 2;
1503 + case twoDimVertL1:
1504 + addPixelsNeg(refLine[b1i] - 1, blackPixels);
1505 + blackPixels ^= 1;
1506 + if (codingLine[a0i] < columns) {
1507 + if (b1i > 0) {
1508 + --b1i;
1509 + } else {
1510 + ++b1i;
1511 + }
1512 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
1513 + b1i += 2;
1514 }
1515 }
1516 break;
1517 case EOF:
1518 + addPixels(columns, 0);
1519 eof = gTrue;
1520 - codingLine[a0 = 0] = columns;
1521 - return EOF;
1522 + break;
1523 default:
1524 error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
1525 + addPixels(columns, 0);
1526 err = gTrue;
1527 break;
1528 }
1529 - } while (codingLine[a0] < columns);
1530 + }
1532 // 1-D encoding
1533 } else {
1534 - codingLine[a0 = 0] = 0;
1535 - while (1) {
1536 + codingLine[0] = 0;
1537 + a0i = 0;
1538 + blackPixels = 0;
1539 + while (codingLine[a0i] < columns) {
1540 code1 = 0;
1541 - do {
1542 - code1 += code3 = getWhiteCode();
1543 - } while (code3 >= 64);
1544 - codingLine[a0+1] = codingLine[a0] + code1;
1545 - ++a0;
1546 - if (codingLine[a0] >= columns) {
1547 - break;
1548 - }
1549 - code2 = 0;
1550 - do {
1551 - code2 += code3 = getBlackCode();
1552 - } while (code3 >= 64);
1553 - codingLine[a0+1] = codingLine[a0] + code2;
1554 - ++a0;
1555 - if (codingLine[a0] >= columns) {
1556 - break;
1557 + if (blackPixels) {
1558 + do {
1559 + code1 += code3 = getBlackCode();
1560 + } while (code3 >= 64);
1561 + } else {
1562 + do {
1563 + code1 += code3 = getWhiteCode();
1564 + } while (code3 >= 64);
1565 }
1566 + addPixels(codingLine[a0i] + code1, blackPixels);
1567 + blackPixels ^= 1;
1568 }
1569 }
1571 - if (codingLine[a0] != columns) {
1572 - error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]);
1573 - // force the row to be the correct length
1574 - while (codingLine[a0] > columns) {
1575 - --a0;
1576 - }
1577 - codingLine[++a0] = columns;
1578 - err = gTrue;
1579 - }
1580 -
1581 // byte-align the row
1582 if (byteAlign) {
1583 inputBits &= ~7;
1584 @@ -1562,14 +1586,17 @@
1585 // this if we know the stream contains end-of-line markers because
1586 // the "just plow on" technique tends to work better otherwise
1587 } else if (err && endOfLine) {
1588 - do {
1589 + while (1) {
1590 + code1 = lookBits(13);
1591 if (code1 == EOF) {
1592 eof = gTrue;
1593 return EOF;
1594 }
1595 + if ((code1 >> 1) == 0x001) {
1596 + break;
1597 + }
1598 eatBits(1);
1599 - code1 = lookBits(13);
1600 - } while ((code1 >> 1) != 0x001);
1601 + }
1602 eatBits(12);
1603 if (encoding > 0) {
1604 eatBits(1);
1605 @@ -1577,11 +1604,11 @@
1606 }
1607 }
1609 - a0 = 0;
1610 - outputBits = codingLine[1] - codingLine[0];
1611 - if (outputBits == 0) {
1612 - a0 = 1;
1613 - outputBits = codingLine[2] - codingLine[1];
1614 + // set up for output
1615 + if (codingLine[0] > 0) {
1616 + outputBits = codingLine[a0i = 0];
1617 + } else {
1618 + outputBits = codingLine[a0i = 1];
1619 }
1621 ++row;
1622 @@ -1589,39 +1616,43 @@
1624 // get a byte
1625 if (outputBits >= 8) {
1626 - ret = ((a0 & 1) == 0) ? 0xff : 0x00;
1627 - if ((outputBits -= 8) == 0) {
1628 - ++a0;
1629 - if (codingLine[a0] < columns) {
1630 - outputBits = codingLine[a0 + 1] - codingLine[a0];
1631 - }
1632 + buf = (a0i & 1) ? 0x00 : 0xff;
1633 + outputBits -= 8;
1634 + if (outputBits == 0 && codingLine[a0i] < columns) {
1635 + ++a0i;
1636 + outputBits = codingLine[a0i] - codingLine[a0i - 1];
1637 }
1638 } else {
1639 bits = 8;
1640 - ret = 0;
1641 + buf = 0;
1642 do {
1643 if (outputBits > bits) {
1644 - i = bits;
1645 - bits = 0;
1646 - if ((a0 & 1) == 0) {
1647 - ret |= 0xff >> (8 - i);
1648 + buf <<= bits;
1649 + if (!(a0i & 1)) {
1650 + buf |= 0xff >> (8 - bits);
1651 }
1652 - outputBits -= i;
1653 + outputBits -= bits;
1654 + bits = 0;
1655 } else {
1656 - i = outputBits;
1657 - bits -= outputBits;
1658 - if ((a0 & 1) == 0) {
1659 - ret |= (0xff >> (8 - i)) << bits;
1660 + buf <<= outputBits;
1661 + if (!(a0i & 1)) {
1662 + buf |= 0xff >> (8 - outputBits);
1663 }
1664 + bits -= outputBits;
1665 outputBits = 0;
1666 - ++a0;
1667 - if (codingLine[a0] < columns) {
1668 - outputBits = codingLine[a0 + 1] - codingLine[a0];
1669 + if (codingLine[a0i] < columns) {
1670 + ++a0i;
1671 + outputBits = codingLine[a0i] - codingLine[a0i - 1];
1672 + } else if (bits > 0) {
1673 + buf <<= bits;
1674 + bits = 0;
1675 }
1676 }
1677 - } while (bits > 0 && codingLine[a0] < columns);
1678 + } while (bits);
1679 + }
1680 + if (black) {
1681 + buf ^= 0xff;
1682 }
1683 - buf = black ? (ret ^ 0xff) : ret;
1684 return buf;
1685 }
1687 @@ -1663,6 +1694,9 @@
1688 code = 0; // make gcc happy
1689 if (endOfBlock) {
1690 code = lookBits(12);
1691 + if (code == EOF) {
1692 + return 1;
1693 + }
1694 if ((code >> 5) == 0) {
1695 p = &whiteTab1[code];
1696 } else {
1697 @@ -1675,6 +1709,9 @@
1698 } else {
1699 for (n = 1; n <= 9; ++n) {
1700 code = lookBits(n);
1701 + if (code == EOF) {
1702 + return 1;
1703 + }
1704 if (n < 9) {
1705 code <<= 9 - n;
1706 }
1707 @@ -1686,6 +1723,9 @@
1708 }
1709 for (n = 11; n <= 12; ++n) {
1710 code = lookBits(n);
1711 + if (code == EOF) {
1712 + return 1;
1713 + }
1714 if (n < 12) {
1715 code <<= 12 - n;
1716 }
1717 @@ -1711,9 +1751,12 @@
1718 code = 0; // make gcc happy
1719 if (endOfBlock) {
1720 code = lookBits(13);
1721 + if (code == EOF) {
1722 + return 1;
1723 + }
1724 if ((code >> 7) == 0) {
1725 p = &blackTab1[code];
1726 - } else if ((code >> 9) == 0) {
1727 + } else if ((code >> 9) == 0 && (code >> 7) != 0) {
1728 p = &blackTab2[(code >> 1) - 64];
1729 } else {
1730 p = &blackTab3[code >> 7];
1731 @@ -1725,6 +1768,9 @@
1732 } else {
1733 for (n = 2; n <= 6; ++n) {
1734 code = lookBits(n);
1735 + if (code == EOF) {
1736 + return 1;
1737 + }
1738 if (n < 6) {
1739 code <<= 6 - n;
1740 }
1741 @@ -1736,6 +1782,9 @@
1742 }
1743 for (n = 7; n <= 12; ++n) {
1744 code = lookBits(n);
1745 + if (code == EOF) {
1746 + return 1;
1747 + }
1748 if (n < 12) {
1749 code <<= 12 - n;
1750 }
1751 @@ -1749,6 +1798,9 @@
1752 }
1753 for (n = 10; n <= 13; ++n) {
1754 code = lookBits(n);
1755 + if (code == EOF) {
1756 + return 1;
1757 + }
1758 if (n < 13) {
1759 code <<= 13 - n;
1760 }
1761 @@ -1963,6 +2015,12 @@
1762 // allocate a buffer for the whole image
1763 bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
1764 bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
1765 + if (bufWidth <= 0 || bufHeight <= 0 ||
1766 + bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
1767 + error(getPos(), "Invalid image size in DCT stream");
1768 + y = height;
1769 + return;
1770 + }
1771 for (i = 0; i < numComps; ++i) {
1772 frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
1773 memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));
1774 @@ -3038,6 +3096,11 @@
1775 }
1776 scanInfo.firstCoeff = str->getChar();
1777 scanInfo.lastCoeff = str->getChar();
1778 + if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
1779 + scanInfo.firstCoeff > scanInfo.lastCoeff) {
1780 + error(getPos(), "Bad DCT coefficient numbers in scan info block");
1781 + return gFalse;
1782 + }
1783 c = str->getChar();
1784 scanInfo.ah = (c >> 4) & 0x0f;
1785 scanInfo.al = c & 0x0f;
1786 --- misc/xpdf-3.02/xpdf/Stream.h 2007-02-27 23:05:52.000000000 +0100
1787 +++ misc/build/xpdf-3.02/xpdf/Stream.h 2009-11-10 11:43:10.426813566 +0100
1788 @@ -528,13 +528,15 @@
1789 int row; // current row
1790 int inputBuf; // input buffer
1791 int inputBits; // number of bits in input buffer
1792 - short *refLine; // reference line changing elements
1793 - int b1; // index into refLine
1794 - short *codingLine; // coding line changing elements
1795 - int a0; // index into codingLine
1796 + int *codingLine; // coding line changing elements
1797 + int *refLine; // reference line changing elements
1798 + int a0i; // index into codingLine
1799 + GBool err; // error on current line
1800 int outputBits; // remaining ouput bits
1801 int buf; // character buffer
1803 + void addPixels(int a1, int black);
1804 + void addPixelsNeg(int a1, int black);
1805 short getTwoDimCode();
1806 short getWhiteCode();
1807 short getBlackCode();
1808 --- misc/xpdf-3.02/xpdf/XRef.cc 2007-02-27 23:05:52.000000000 +0100
1809 +++ misc/build/xpdf-3.02/xpdf/XRef.cc 2009-11-10 11:43:54.923556696 +0100
1810 @@ -52,6 +52,8 @@
1811 // generation 0.
1812 ObjectStream(XRef *xref, int objStrNumA);
1814 + GBool isOk() { return ok; }
1815 +
1816 ~ObjectStream();
1818 // Return the object number of this object stream.
1819 @@ -67,6 +69,7 @@
1820 int nObjects; // number of objects in the stream
1821 Object *objs; // the objects (length = nObjects)
1822 int *objNums; // the object numbers (length = nObjects)
1823 + GBool ok;
1824 };
1826 ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
1827 @@ -80,6 +83,7 @@
1828 nObjects = 0;
1829 objs = NULL;
1830 objNums = NULL;
1831 + ok = gFalse;
1833 if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
1834 goto err1;
1835 @@ -105,6 +109,13 @@
1836 goto err1;
1837 }
1839 + // this is an arbitrary limit to avoid integer overflow problems
1840 + // in the 'new Object[nObjects]' call (Acrobat apparently limits
1841 + // object streams to 100-200 objects)
1842 + if (nObjects > 1000000) {
1843 + error(-1, "Too many objects in an object stream");
1844 + goto err1;
1845 + }
1846 objs = new Object[nObjects];
1847 objNums = (int *)gmallocn(nObjects, sizeof(int));
1848 offsets = (int *)gmallocn(nObjects, sizeof(int));
1849 @@ -161,10 +172,10 @@
1850 }
1852 gfree(offsets);
1853 + ok = gTrue;
1855 err1:
1856 objStr.free();
1857 - return;
1858 }
1860 ObjectStream::~ObjectStream() {
1861 @@ -837,6 +848,11 @@
1862 delete objStr;
1863 }
1864 objStr = new ObjectStream(this, e->offset);
1865 + if (!objStr->isOk()) {
1866 + delete objStr;
1867 + objStr = NULL;
1868 + goto err;
1869 + }
1870 }
1871 objStr->getObject(e->gen, num, obj);
1872 break;
1873 --- misc/xpdf-3.02/fofi/FoFiType1.cc 2007-02-27 23:05:51.000000000 +0100
1874 +++ misc/build/xpdf-3.02/fofi/FoFiType1.cc 2011-01-04 13:41:06.871136746 +0100
1875 @@ -224,7 +224,7 @@
1876 code = code * 8 + (*p2 - '0');
1877 }
1878 }
1879 - if (code < 256) {
1880 + if (code < 256 && code >= 0) {
1881 for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
1882 if (*p == '/') {
1883 ++p;
1884 --- misc/xpdf-3.02/xpdf/Gfx.cc 2007-02-27 23:05:52.000000000 +0100
1885 +++ misc/build/xpdf-3.02/xpdf/Gfx.cc 2011-01-04 13:41:19.847501431 +0100
1886 @@ -441,6 +441,7 @@
1887 void *abortCheckCbkDataA) {
1888 int i;
1890 + parser = NULL;
1891 xref = xrefA;
1892 subPage = gFalse;
1893 printCommands = globalParams->getPrintCommands();
1894 @@ -483,6 +484,7 @@
1895 void *abortCheckCbkDataA) {
1896 int i;
1898 + parser = NULL;
1899 xref = xrefA;
1900 subPage = gTrue;
1901 printCommands = globalParams->getPrintCommands();