diff options
| -rw-r--r-- | draw/imagescale.c | 2 | ||||
| -rw-r--r-- | draw/imagesmooth.c | 2 | ||||
| -rw-r--r-- | fitz/base_memory.c | 11 | ||||
| -rw-r--r-- | fitz/dev_text.c | 2 | ||||
| -rw-r--r-- | fitz/filt_flate.c | 2 | ||||
| -rw-r--r-- | fitz/fitz.h | 2 | ||||
| -rw-r--r-- | fitz/obj_array.c | 16 | ||||
| -rw-r--r-- | mupdf/pdf_font.c | 2 | ||||
| -rw-r--r-- | mupdf/pdf_image.c | 2 | ||||
| -rw-r--r-- | mupdf/pdf_interpret.c | 24 | ||||
| -rw-r--r-- | mupdf/pdf_outline.c | 3 |
11 files changed, 56 insertions, 12 deletions
diff --git a/draw/imagescale.c b/draw/imagescale.c index 60edadb5..d40898b1 100644 --- a/draw/imagescale.c +++ b/draw/imagescale.c @@ -238,7 +238,7 @@ fz_scalepixmap(fz_pixmap *src, int xdenom, int ydenom) oh = (src->h + ydenom - 1) / ydenom; n = src->n; - buf = fz_malloc(ow * n * ydenom); + buf = fz_calloc(ydenom, ow * n); dst = fz_newpixmap(src->colorspace, 0, 0, ow, oh); diff --git a/draw/imagesmooth.c b/draw/imagesmooth.c index c1002f46..67b5f481 100644 --- a/draw/imagesmooth.c +++ b/draw/imagesmooth.c @@ -1108,6 +1108,8 @@ fz_smoothscalepixmap(fz_pixmap *src, float x, float y, float w, float h) temp_span = contrib_cols->count * src->n; temp_rows = contrib_rows->max_len; + if (temp_span <= 0 || temp_rows > INT_MAX / temp_span) + goto cleanup; temp = fz_calloc(temp_span*temp_rows, sizeof(int)); if (temp == NULL) goto cleanup; diff --git a/fitz/base_memory.c b/fitz/base_memory.c index b7ebb2c9..caeee451 100644 --- a/fitz/base_memory.c +++ b/fitz/base_memory.c @@ -1,7 +1,5 @@ #include "fitz.h" -#define INT_MAX 2147483647 - void * fz_malloc(int size) { @@ -22,7 +20,7 @@ fz_calloc(int count, int size) if (count == 0 || size == 0) return 0; - if (count > INT_MAX / size) + if (count < 0 || size < 0 || count > INT_MAX / size) { fprintf(stderr, "fatal error: out of memory (integer overflow)\n"); abort(); @@ -43,9 +41,12 @@ fz_realloc(void *p, int count, int size) void *np; if (count == 0 || size == 0) - return p; + { + fz_free(p); + return 0; + } - if (count > INT_MAX / size) + if (count < 0 || size < 0 || count > INT_MAX / size) { fprintf(stderr, "fatal error: out of memory (integer overflow)\n"); abort(); diff --git a/fitz/dev_text.c b/fitz/dev_text.c index 806fa40c..8f22cfd1 100644 --- a/fitz/dev_text.c +++ b/fitz/dev_text.c @@ -98,7 +98,7 @@ fz_addtextchar(fz_textspan **last, fz_font *font, float size, int wmode, int c, span->size = size; } - if (span->font != font || span->size != size || span->wmode != wmode) + if ((span->font != font || span->size != size || span->wmode != wmode) && c != 32) { span = fz_newtextspan(); span->font = fz_keepfont(font); diff --git a/fitz/filt_flate.c b/fitz/filt_flate.c index e021b8fe..acda8c49 100644 --- a/fitz/filt_flate.c +++ b/fitz/filt_flate.c @@ -12,7 +12,7 @@ struct fz_flate_s static void *zmalloc(void *opaque, unsigned int items, unsigned int size) { - return fz_malloc(items * size); + return fz_calloc(items, size); } static void zfree(void *opaque, void *ptr) diff --git a/fitz/fitz.h b/fitz/fitz.h index b7787acc..4032bddf 100644 --- a/fitz/fitz.h +++ b/fitz/fitz.h @@ -14,6 +14,7 @@ #include <assert.h> #include <errno.h> +#include <limits.h> /* INT_MAX & co */ #include <float.h> /* FLT_EPSILON */ #include <fcntl.h> /* O_RDONLY & co */ @@ -427,6 +428,7 @@ int fz_arraylen(fz_obj *array); fz_obj *fz_arrayget(fz_obj *array, int i); void fz_arrayput(fz_obj *array, int i, fz_obj *obj); void fz_arraypush(fz_obj *array, fz_obj *obj); +void fz_arraydrop(fz_obj *array); void fz_arrayinsert(fz_obj *array, fz_obj *obj); int fz_dictlen(fz_obj *dict); diff --git a/fitz/obj_array.c b/fitz/obj_array.c index 8e94119f..391c1dd8 100644 --- a/fitz/obj_array.c +++ b/fitz/obj_array.c @@ -101,6 +101,22 @@ fz_arraypush(fz_obj *obj, fz_obj *item) } void +fz_arraydrop(fz_obj *obj) +{ + obj = fz_resolveindirect(obj); + + if (!fz_isarray(obj)) + fz_warn("assert: not an array (%s)", fz_objkindstr(obj)); + else + { + if (obj->u.a.len > 0) + { + fz_dropobj(obj->u.a.items[--obj->u.a.len]); + } + } +} + +void fz_arrayinsert(fz_obj *obj, fz_obj *item) { obj = fz_resolveindirect(obj); diff --git a/mupdf/pdf_font.c b/mupdf/pdf_font.c index a95a5dcd..c7bae912 100644 --- a/mupdf/pdf_font.c +++ b/mupdf/pdf_font.c @@ -838,7 +838,7 @@ pdf_loadfontdescriptor(pdf_fontdesc *fontdesc, pdf_xref *xref, fz_obj *dict, cha pdf_logfont("load fontdescriptor {\n"); - if (!strchr(basefont, ',')) + if (!strchr(basefont, ',') || strchr(basefont, '+')) origname = fz_toname(fz_dictgets(dict, "FontName")); else origname = basefont; diff --git a/mupdf/pdf_image.c b/mupdf/pdf_image.c index b5c7ec68..4252a580 100644 --- a/mupdf/pdf_image.c +++ b/mupdf/pdf_image.c @@ -132,7 +132,7 @@ pdf_loadimageimp(fz_pixmap **imgp, pdf_xref *xref, fz_obj *rdb, fz_obj *dict, fz } stride = (w * n * bpc + 7) / 8; - samples = fz_malloc(h * stride); + samples = fz_calloc(h, stride); if (cstm) { diff --git a/mupdf/pdf_interpret.c b/mupdf/pdf_interpret.c index 92b60f6d..e5303042 100644 --- a/mupdf/pdf_interpret.c +++ b/mupdf/pdf_interpret.c @@ -126,6 +126,8 @@ pdf_freecsi(pdf_csi *csi) pdf_dropmaterial(&csi->gstate[0].stroke); if (csi->gstate[0].font) pdf_dropfont(csi->gstate[0].font); + if (csi->gstate[0].softmask) + pdf_dropxobject(csi->gstate[0].softmask); while (csi->gstate[0].clipdepth--) csi->dev->popclip(csi->dev->user); @@ -163,7 +165,7 @@ pdf_runxobject(pdf_csi *csi, fz_obj *resources, pdf_xobject *xobj) if (gstate->softmask) { pdf_xobject *softmask = gstate->softmask; - fz_rect bbox = fz_transformrect(gstate->ctm, softmask->bbox); + fz_rect bbox = fz_transformrect(gstate->ctm, xobj->bbox); gstate->softmask = nil; popmask = 1; @@ -377,6 +379,14 @@ pdf_runextgstate(pdf_csi *csi, pdf_gstate *gstate, fz_obj *rdb, fz_obj *extgstat else gstate->luminosity = 0; } + else if (fz_isname(val) && !strcmp(fz_toname(val), "None")) + { + if (gstate->softmask) + { + pdf_dropxobject(gstate->softmask); + gstate->softmask = nil; + } + } } else if (!strcmp(s, "TR")) @@ -1386,6 +1396,16 @@ pdf_runcsifile(pdf_csi *csi, fz_obj *rdb, fz_stream *file, char *buf, int buflen fz_arraypush(csi->array, obj); fz_dropobj(obj); } + else if (tok == PDF_TKEYWORD) + { + /* some producers try to put Tw and Tc commands in the TJ array */ + fz_warn("ignoring keyword '%s' inside array", buf); + if (!strcmp(buf, "Tw") || !strcmp(buf, "Tc")) + { + if (fz_arraylen(csi->array) > 0) + fz_arraydrop(csi->array); + } + } else if (tok == PDF_TEOF) { return fz_okay; @@ -1474,7 +1494,7 @@ pdf_runcsifile(pdf_csi *csi, fz_obj *rdb, fz_stream *file, char *buf, int buflen { error = pdf_runkeyword(csi, rdb, buf); if (error) - return fz_rethrow(error, "cannot run keyword '%s'", buf); + fz_catch(error, "cannot run keyword '%s'", buf); pdf_clearstack(csi); } break; diff --git a/mupdf/pdf_outline.c b/mupdf/pdf_outline.c index 865b0fbf..b211060f 100644 --- a/mupdf/pdf_outline.c +++ b/mupdf/pdf_outline.c @@ -7,6 +7,9 @@ pdf_loadoutlineimp(pdf_xref *xref, fz_obj *dict) pdf_outline *node; fz_obj *obj; + if (fz_isnull(dict)) + return nil; + node = fz_malloc(sizeof(pdf_outline)); node->title = nil; node->link = nil; |