diff options
| author | Robin Watts <robin.watts@artifex.com> | 2011-11-15 17:04:46 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2011-11-17 18:32:04 +0000 |
| commit | 37b1af3eeae78cfe312d81eb616d98158445cae6 (patch) | |
| tree | 16d295da6cc2ea8bd41f3c6e7a2402bbcecc6031 | |
| parent | 819aed16c190263a853fabe07870f9da98070f80 (diff) | |
| download | mupdf-37b1af3eeae78cfe312d81eb616d98158445cae6.tar.xz | |
Fix bug 692627: stack overflows in text handling.
The existing code uses recursion for text span handling. With sufficiently
many chained spans we get stack overflow.
Simple fixes to use a loop.
| -rw-r--r-- | fitz/dev_text.c | 89 |
1 files changed, 49 insertions, 40 deletions
diff --git a/fitz/dev_text.c b/fitz/dev_text.c index 139c3eed..fb75c944 100644 --- a/fitz/dev_text.c +++ b/fitz/dev_text.c @@ -35,12 +35,17 @@ fz_new_text_span(void) void fz_free_text_span(fz_text_span *span) { - if (span->font) - fz_drop_font(span->font); - if (span->next) - fz_free_text_span(span->next); - fz_free(span->text); - fz_free(span); + fz_text_span *next; + + while (span) + { + if (span->font) + fz_drop_font(span->font); + next = span->next; + fz_free(span->text); + fz_free(span); + span = next; + } } static void @@ -154,32 +159,34 @@ fz_debug_text_span_xml(fz_text_span *span) char buf[10]; int c, n, k, i; - printf("<span font=\"%s\" size=\"%g\" wmode=\"%d\" eol=\"%d\">\n", - span->font ? span->font->name : "NULL", span->size, span->wmode, span->eol); - - for (i = 0; i < span->len; i++) + while (span) { - printf("\t<char ucs=\""); - c = span->text[i].c; - if (c < 128) - putchar(c); - else + printf("<span font=\"%s\" size=\"%g\" wmode=\"%d\" eol=\"%d\">\n", + span->font ? span->font->name : "NULL", span->size, span->wmode, span->eol); + + for (i = 0; i < span->len; i++) { - n = runetochar(buf, &c); - for (k = 0; k < n; k++) - putchar(buf[k]); + printf("\t<char ucs=\""); + c = span->text[i].c; + if (c < 128) + putchar(c); + else + { + n = runetochar(buf, &c); + for (k = 0; k < n; k++) + putchar(buf[k]); + } + printf("\" bbox=\"%d %d %d %d\" />\n", + span->text[i].bbox.x0, + span->text[i].bbox.y0, + span->text[i].bbox.x1, + span->text[i].bbox.y1); } - printf("\" bbox=\"%d %d %d %d\" />\n", - span->text[i].bbox.x0, - span->text[i].bbox.y0, - span->text[i].bbox.x1, - span->text[i].bbox.y1); - } - printf("</span>\n"); + printf("</span>\n"); - if (span->next) - fz_debug_text_span_xml(span->next); + span = span->next; + } } void @@ -188,24 +195,26 @@ fz_debug_text_span(fz_text_span *span) char buf[10]; int c, n, k, i; - for (i = 0; i < span->len; i++) + while (span) { - c = span->text[i].c; - if (c < 128) - putchar(c); - else + for (i = 0; i < span->len; i++) { - n = runetochar(buf, &c); - for (k = 0; k < n; k++) - putchar(buf[k]); + c = span->text[i].c; + if (c < 128) + putchar(c); + else + { + n = runetochar(buf, &c); + for (k = 0; k < n; k++) + putchar(buf[k]); + } } - } - if (span->eol) - putchar('\n'); + if (span->eol) + putchar('\n'); - if (span->next) - fz_debug_text_span(span->next); + span = span->next; + } } static void |