authorRobin Watts <robin.watts@artifex.com>2012-11-29 16:46:09 +0000
committerRobin Watts <robin.watts@artifex.com>2012-11-30 11:58:54 +0000
commita6b0a8273f2eb15fd5924501b6ad03e30f2c8d0a (patch)
tree9e9e7a38574202b8be01805806086cff0b6dab61 /pdf
parent6c0e38f0e19ef50a7951f082981fabd49f4bee9f (diff)
downloadmupdf-a6b0a8273f2eb15fd5924501b6ad03e30f2c8d0a.tar.xz
Bug 693290: Various fixes found from fuzzing.
Thanks to zeniko for finding various problems and submitting a patch that fixes them. This commit covers the simpler issues from his patch; other commits will follow shortly. * Out of range LZW codes. * Buffer overflows and error handling in image_jpeg.c * Buffer overflows in tiff handling * buffer overflows in cmap parsing. * Potential double free in font handling. * Buffer overflow in pdf_form.c * use of uninitialised value in error case in pdf_image.c * NULL pointer dereference in xps_outline.c
Diffstat (limited to 'pdf')
-rw-r--r--pdf/pdf_cmap_parse.c9
-rw-r--r--pdf/pdf_font.c1
-rw-r--r--pdf/pdf_form.c3
-rw-r--r--pdf/pdf_image.c3
-rw-r--r--pdf/pdf_stream.c1
5 files changed, 12 insertions, 5 deletions
diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c
index 7f2587ec..b482dcb5 100644
--- a/pdf/pdf_cmap_parse.c
+++ b/pdf/pdf_cmap_parse.c
@@ -198,7 +198,8 @@ pdf_parse_bf_range_array(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_l
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, lo, dst, buf->len / 2);
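Review bot: The call on the line after the loop still passes `buf->len / 2` to pdf_map_one_to_many while the loop now fills at most `len` entries of dst, so unless pdf_map_one_to_many clamps internally it can read past the end of dst in exactly the oversized case this commit guards against; passing the clamped count, `pdf_map_one_to_many(ctx, cmap, lo, dst, len);`, matches what the -300 hunk already does with `i`. The -248 hunk has the same shape: dststr is filled up to `len`, but whatever count the `while (lo <= hi)` loop below it uses is outside the hunk and is worth checking. In all three hunks an oversized range is now truncated silently; a `fz_warn(ctx, "truncating oversized bfrange destination")` when `buf->len / 2 > len` would make malformed cmaps visible in the log rather than quietly mis-mapped. pdf_parse_bf_range_array continues outside the hunk.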
@@ -248,7 +249,8 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dststr));
+ for (i = 0; i < len; i++)
dststr[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
while (lo <= hi)
@@ -300,7 +302,8 @@ pdf_parse_bf_char(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf *
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, src, dst, i);
}
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 6879d12b..34199e06 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -455,6 +455,7 @@ pdf_load_simple_font(pdf_document *xref, pdf_obj *dict)
{
fz_warn(ctx, "workaround for S22PDF lying about chinese font encodings");
pdf_drop_font(ctx, fontdesc);
+ fontdesc = NULL;
fontdesc = pdf_new_font_desc(ctx);
pdf_load_font_descriptor(fontdesc, xref, descriptor, "Adobe-GB1", cp936fonts[i+1]);
fontdesc->encoding = pdf_load_system_cmap(ctx, "GBK-EUC-H");
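Review bot: The added `fontdesc = NULL;` immediately before `fontdesc = pdf_new_font_desc(ctx);` reads as a dead store and a later cleanup could easily remove it, so it needs a comment stating its purpose. Presumably pdf_new_font_desc can throw and a catch block outside this hunk calls pdf_drop_font on fontdesc, so the NULL is what prevents the already-dropped descriptor from being dropped a second time; suggested: `/* Clear before reallocating: if pdf_new_font_desc throws, the catch block must not drop the old, already-dropped fontdesc again. */`. pdf_load_simple_font's fz_try/fz_catch structure is outside the hunk, so confirm that is the path being protected.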
diff --git a/pdf/pdf_form.c b/pdf/pdf_form.c
index d532fcd3..ec2190f6 100644
--- a/pdf/pdf_form.c
+++ b/pdf/pdf_form.c
@@ -2519,7 +2519,8 @@ void pdf_field_set_text_color(pdf_document *doc, pdf_obj *field, pdf_obj *col)
parse_da(ctx, da, &di);
di.col_size = pdf_array_len(col);
- for (i = 0; i < di.col_size; i++)
+ len = fz_mini(di.col_size, nelem(di.col));
+ for (i = 0; i < len; i++)
di.col[i] = pdf_to_real(pdf_array_get(col, i));
fzbuf = fz_new_buffer(ctx, 0);
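Review bot: `di.col_size` on the line above the clamp still holds the unclamped `pdf_array_len(col)` while only `len` entries of `di.col` are written, so any later consumer of `di` that iterates `di.col_size` entries (outside this hunk) would still read past `di.col` for an oversized colour array; clamping the field itself, `di.col_size = fz_mini(pdf_array_len(col), nelem(di.col));` and looping to `di.col_size`, removes the inconsistency and the extra local. The declaration of `len` is also outside the hunk, so its type should match what fz_mini returns. pdf_field_set_text_color continues outside the hunk.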
diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c
index ead7db49..d71d974a 100644
--- a/pdf/pdf_image.c
+++ b/pdf/pdf_image.c
@@ -108,10 +108,11 @@ decomp_image_from_stream(fz_context *ctx, fz_stream *stm, pdf_image *image, int
int f = 1<<native_l2factor;
int w = (image->base.w + f-1) >> native_l2factor;
int h = (image->base.h + f-1) >> native_l2factor;
- pdf_image_key *key;
+ pdf_image_key *key = NULL;
fz_var(tile);
fz_var(samples);
+ fz_var(key);
fz_try(ctx)
{
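Review bot: The new `fz_var(key);` and the `= NULL` initialiser are only needed because of how fz_try/fz_catch are built on setjmp/longjmp, which is not obvious at this line, so a short comment would stop someone from removing either as redundant. Presumably key is assigned inside the fz_try body and inspected on the catch/always path after a throw; suggested: `/* key is set inside fz_try and inspected after a throw: NULL plus fz_var keep its value defined across the longjmp. */`. The block that reads key is outside the hunk, so this is inferred from the commit message's "use of uninitialised value in error case in pdf_image.c" and should be confirmed against it.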
diff --git a/pdf/pdf_stream.c b/pdf/pdf_stream.c
index 41e438ac..1efe116c 100644
--- a/pdf/pdf_stream.c
+++ b/pdf/pdf_stream.c
@@ -486,6 +486,7 @@ pdf_load_compressed_stream(pdf_document *xref, int num, int gen)
fz_catch(ctx)
{
fz_free(ctx, bc);
+ fz_rethrow(ctx);
}
return bc;
}