-rw-r--r--fitz/filt_lzwd.c4
-rw-r--r--fitz/image_jpeg.c137
-rw-r--r--fitz/image_tiff.c16
-rw-r--r--pdf/pdf_cmap_parse.c9
-rw-r--r--pdf/pdf_font.c1
-rw-r--r--pdf/pdf_form.c3
-rw-r--r--pdf/pdf_image.c3
-rw-r--r--pdf/pdf_stream.c1
-rw-r--r--xps/xps_outline.c2
9 files changed, 104 insertions, 72 deletions
diff --git a/fitz/filt_lzwd.c b/fitz/filt_lzwd.c
index b1aa4421..7b65fa28 100644
--- a/fitz/filt_lzwd.c
+++ b/fitz/filt_lzwd.c
@@ -99,6 +99,10 @@ read_lzwd(fz_stream *stm, unsigned char *buf, int len)
{
old_code = code;
}
+ else if (code > next_code || next_code >= NUM_CODES)
+ {
+ fz_warn(stm->ctx, "out of range code encountered in lzw decode");
+ }
else
{
/* add new entry to the code table */
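Review bot: The new branch at L24–L27 only warns; it does not update `old_code` and does not stop the rest of the iteration from using `code`, so if the output step that follows this hunk still indexes `table[code]`, a code above `next_code` reads a stale or never-initialised entry and a full table keeps emitting data from garbage entries. Treat it as the same condition as a real end-of-data code (whatever `read_lzwd` already does there) or at least add a comment stating why continuing is safe. Note also that the second test fires on every code once `next_code` reaches `NUM_CODES`, so a malformed stream produces one warning per code; warn once or abort. read_lzwd's body continues outside the hunk.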
diff --git a/fitz/image_jpeg.c b/fitz/image_jpeg.c
index 2840adbf..aedd48c8 100644
--- a/fitz/image_jpeg.c
+++ b/fitz/image_jpeg.c
@@ -41,8 +41,11 @@ static void skip_input_data(j_decompress_ptr cinfo, long num_bytes)
struct jpeg_source_mgr *src = cinfo->src;
if (num_bytes > 0)
{
- src->next_input_byte += num_bytes;
- src->bytes_in_buffer -= num_bytes;
+ size_t skip = (size_t)num_bytes; /* size_t may be 64bit */
+ if (skip > src->bytes_in_buffer)
+ skip = (size_t)src->bytes_in_buffer;
+ src->next_input_byte += skip;
+ src->bytes_in_buffer -= skip;
}
}
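Review bot: The clamp at L42–L43 silently discards the part of the skip that runs past the buffer; a comment such as `/* skip beyond the data: leave 0 bytes so fill_input_buffer can supply its fake EOI */` would record that this is intentional and that it relies on the fill callback, which is outside this hunk, presumably inserting an EOI marker. The cast `(size_t)src->bytes_in_buffer` is redundant because `bytes_in_buffer` is already `size_t` in libjpeg's `jpeg_source_mgr`; `skip = src->bytes_in_buffer;` reads cleaner and loses nothing.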
@@ -56,87 +59,91 @@ fz_load_jpeg(fz_context *ctx, unsigned char *rbuf, int rlen)
fz_colorspace *colorspace;
unsigned int x;
int k;
-
fz_pixmap *image = NULL;
- if (setjmp(err.env))
+ fz_var(image);
+ fz_var(row);
+
+ row[0] = NULL;
+
+ fz_try(ctx)
{
- if (image)
- fz_drop_pixmap(ctx, image);
- fz_throw(ctx, "jpeg error: %s", err.msg);
- }
+ if (setjmp(err.env))
+ {
+ fz_throw(ctx, "jpeg error: %s", err.msg);
+ }
- cinfo.err = jpeg_std_error(&err.super);
- err.super.error_exit = error_exit;
+ cinfo.err = jpeg_std_error(&err.super);
+ err.super.error_exit = error_exit;
- jpeg_create_decompress(&cinfo);
+ jpeg_create_decompress(&cinfo);
- cinfo.src = &src;
- src.init_source = init_source;
- src.fill_input_buffer = fill_input_buffer;
- src.skip_input_data = skip_input_data;
- src.resync_to_restart = jpeg_resync_to_restart;
- src.term_source = term_source;
- src.next_input_byte = rbuf;
- src.bytes_in_buffer = rlen;
+ cinfo.src = &src;
+ src.init_source = init_source;
+ src.fill_input_buffer = fill_input_buffer;
+ src.skip_input_data = skip_input_data;
+ src.resync_to_restart = jpeg_resync_to_restart;
+ src.term_source = term_source;
+ src.next_input_byte = rbuf;
+ src.bytes_in_buffer = rlen;
- jpeg_read_header(&cinfo, 1);
+ jpeg_read_header(&cinfo, 1);
- jpeg_start_decompress(&cinfo);
+ jpeg_start_decompress(&cinfo);
- if (cinfo.output_components == 1)
- colorspace = fz_device_gray;
- else if (cinfo.output_components == 3)
- colorspace = fz_device_rgb;
- else if (cinfo.output_components == 4)
- colorspace = fz_device_cmyk;
- else
- fz_throw(ctx, "bad number of components in jpeg: %d", cinfo.output_components);
+ if (cinfo.output_components == 1)
+ colorspace = fz_device_gray;
+ else if (cinfo.output_components == 3)
+ colorspace = fz_device_rgb;
+ else if (cinfo.output_components == 4)
+ colorspace = fz_device_cmyk;
+ else
+ fz_throw(ctx, "bad number of components in jpeg: %d", cinfo.output_components);
- fz_try(ctx)
- {
image = fz_new_pixmap(ctx, colorspace, cinfo.output_width, cinfo.output_height);
- }
- fz_catch(ctx)
- {
- jpeg_finish_decompress(&cinfo);
- jpeg_destroy_decompress(&cinfo);
- fz_throw(ctx, "out of memory");
- }
- if (cinfo.density_unit == 1)
- {
- image->xres = cinfo.X_density;
- image->yres = cinfo.Y_density;
- }
- else if (cinfo.density_unit == 2)
- {
- image->xres = cinfo.X_density * 254 / 100;
- image->yres = cinfo.Y_density * 254 / 100;
- }
+ if (cinfo.density_unit == 1)
+ {
+ image->xres = cinfo.X_density;
+ image->yres = cinfo.Y_density;
+ }
+ else if (cinfo.density_unit == 2)
+ {
+ image->xres = cinfo.X_density * 254 / 100;
+ image->yres = cinfo.Y_density * 254 / 100;
+ }
- if (image->xres <= 0) image->xres = 72;
- if (image->yres <= 0) image->yres = 72;
+ if (image->xres <= 0) image->xres = 72;
+ if (image->yres <= 0) image->yres = 72;
- fz_clear_pixmap(ctx, image);
+ fz_clear_pixmap(ctx, image);
- row[0] = fz_malloc(ctx, cinfo.output_components * cinfo.output_width);
- dp = image->samples;
- while (cinfo.output_scanline < cinfo.output_height)
- {
- jpeg_read_scanlines(&cinfo, row, 1);
- sp = row[0];
- for (x = 0; x < cinfo.output_width; x++)
+ row[0] = fz_malloc(ctx, cinfo.output_components * cinfo.output_width);
+ dp = image->samples;
+ while (cinfo.output_scanline < cinfo.output_height)
{
- for (k = 0; k < cinfo.output_components; k++)
- *dp++ = *sp++;
- *dp++ = 255;
+ jpeg_read_scanlines(&cinfo, row, 1);
+ sp = row[0];
+ for (x = 0; x < cinfo.output_width; x++)
+ {
+ for (k = 0; k < cinfo.output_components; k++)
+ *dp++ = *sp++;
+ *dp++ = 255;
+ }
}
}
- fz_free(ctx, row[0]);
-
- jpeg_finish_decompress(&cinfo);
- jpeg_destroy_decompress(&cinfo);
+ fz_always(ctx)
+ {
+ fz_free(ctx, row[0]);
+ row[0] = NULL;
+ jpeg_finish_decompress(&cinfo);
+ jpeg_destroy_decompress(&cinfo);
+ }
+ fz_catch(ctx)
+ {
+ fz_drop_pixmap(ctx, image);
+ fz_rethrow(ctx);
+ }
return image;
}
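Review bot: `jpeg_finish_decompress(&cinfo)` in the new `fz_always` block (L180) now runs on every error path, including a failure inside `jpeg_read_header` or `fz_new_pixmap`; libjpeg reports a finish in the wrong state (JERR_BAD_STATE, or JERR_TOO_LITTLE_DATA when scanlines remain) through `error_exit`, which longjmps to `err.env` — a setjmp taken inside a `fz_try` block that has already been left — and the `fz_throw` that follows is delivered to the caller's handler instead of this function's `fz_catch`, skipping `fz_drop_pixmap` and `jpeg_destroy_decompress`. Since `jpeg_destroy_decompress` alone releases libjpeg's state, move the finish to the success path: `jpeg_finish_decompress(&cinfo);` immediately after the scanline loop inside the try, and keep only `jpeg_destroy_decompress(&cinfo);` in `fz_always`. If finish must remain in the cleanup, wrap it in its own nested `fz_try`/`fz_catch` so the throw has a matching handler.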
diff --git a/fitz/image_tiff.c b/fitz/image_tiff.c
index 2176062c..5b154c3e 100644
--- a/fitz/image_tiff.c
+++ b/fitz/image_tiff.c
@@ -27,6 +27,10 @@ struct tiff
/* colormap */
unsigned *colormap;
+ unsigned stripoffsetslen;
+ unsigned stripbytecountslen;
+ unsigned colormaplen;
+
/* assorted tags */
unsigned subfiletype;
unsigned photometric;
@@ -280,6 +284,9 @@ fz_expand_tiff_colormap(struct tiff *tiff)
if (tiff->bitspersample != 4 && tiff->bitspersample != 8)
fz_throw(tiff->ctx, "invalid number of bits for RGBPal");
+ if (tiff->colormaplen < (unsigned)maxval * 3)
+ fz_throw(tiff->ctx, "insufficient colormap data");
+
stride = tiff->imagewidth * (tiff->samplesperpixel + 2);
samples = fz_malloc(tiff->ctx, stride * tiff->imagelength);
@@ -336,9 +343,13 @@ fz_decode_tiff_strips(struct tiff *tiff)
unsigned strip;
unsigned i;
- if (!tiff->rowsperstrip || !tiff->stripoffsets || !tiff->rowsperstrip)
+ if (!tiff->rowsperstrip || !tiff->stripoffsets || !tiff->stripbytecounts)
fz_throw(tiff->ctx, "no image data in tiff; maybe it is tiled");
+ if (tiff->stripoffsetslen < (tiff->imagelength - 1) / tiff->rowsperstrip + 1 ||
+ tiff->stripbytecountslen < (tiff->imagelength - 1) / tiff->rowsperstrip + 1)
+ fz_throw(tiff->ctx, "insufficient strip offset data");
+
if (tiff->planar != 1)
fz_throw(tiff->ctx, "image data is not in chunky format");
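Review bot: The new bound at L218–L219 computes `(tiff->imagelength - 1) / tiff->rowsperstrip + 1` twice, and because the fields are unsigned an `imagelength` of 0 wraps to a strip count near `UINT_MAX`, so a zero-height image is rejected with the misleading "insufficient strip offset data" unless `imagelength` is validated somewhere not visible here. Hoist the count into `unsigned nstrips = (tiff->imagelength - 1) / tiff->rowsperstrip + 1;` after an explicit `if (tiff->imagelength == 0) fz_throw(tiff->ctx, "image has zero height");`, and compare both lengths against `nstrips`. fz_decode_tiff_strips continues outside the hunk.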
@@ -657,16 +668,19 @@ fz_read_tiff_tag(struct tiff *tiff, unsigned offset)
case StripOffsets:
tiff->stripoffsets = fz_malloc_array(tiff->ctx, count, sizeof(unsigned));
fz_read_tiff_tag_value(tiff->stripoffsets, tiff, type, value, count);
+ tiff->stripoffsetslen = count;
break;
case StripByteCounts:
tiff->stripbytecounts = fz_malloc_array(tiff->ctx, count, sizeof(unsigned));
fz_read_tiff_tag_value(tiff->stripbytecounts, tiff, type, value, count);
+ tiff->stripbytecountslen = count;
break;
case ColorMap:
tiff->colormap = fz_malloc_array(tiff->ctx, count, sizeof(unsigned));
fz_read_tiff_tag_value(tiff->colormap, tiff, type, value, count);
+ tiff->colormaplen = count;
break;
case TileWidth:
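Review bot: Recording `count` after each `fz_malloc_array` (L228, L233, L238) is correct, but a TIFF that repeats StripOffsets, StripByteCounts or ColorMap overwrites the earlier pointer and length here and leaks the first array; since `count` comes straight from the file, that is an attacker-chosen allocation repeated once per duplicate tag. Free the previous buffer before reallocating, e.g. `fz_free(tiff->ctx, tiff->stripoffsets);` ahead of each `fz_malloc_array`, or reject the duplicate with `fz_throw`. fz_read_tiff_tag's switch continues outside the hunk.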
diff --git a/pdf/pdf_cmap_parse.c b/pdf/pdf_cmap_parse.c
index 7f2587ec..b482dcb5 100644
--- a/pdf/pdf_cmap_parse.c
+++ b/pdf/pdf_cmap_parse.c
@@ -198,7 +198,8 @@ pdf_parse_bf_range_array(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_l
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, lo, dst, buf->len / 2);
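Review bot: The loop at L249–L251 is now clamped to `nelem(dst)`, but the call at L252 still passes `buf->len / 2` as the element count, so `pdf_map_one_to_many` walks past the end of `dst` for exactly the inputs the clamp was added for; the third hunk in this file passes `i` instead. Change it to `pdf_map_one_to_many(ctx, cmap, lo, dst, len);`. A `fz_warn` when `buf->len / 2 > nelem(dst)` would also make silently truncated bfrange entries visible.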
@@ -248,7 +249,8 @@ pdf_parse_bf_range(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dststr));
+ for (i = 0; i < len; i++)
dststr[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
while (lo <= hi)
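Review bot: The clamp at L257–L258 bounds the fill of `dststr`, but the `while (lo <= hi)` loop beginning at L260 and continuing outside the hunk is what consumes it; if that loop still uses `buf->len / 2` as the count (as the first hunk's `pdf_map_one_to_many` call does), it reads past `dststr` for the oversized strings the clamp targets. Make it use `len`, and consider warning when the string was truncated. pdf_parse_bf_range's body continues outside the hunk.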
@@ -300,7 +302,8 @@ pdf_parse_bf_char(fz_context *ctx, pdf_cmap *cmap, fz_stream *file, pdf_lexbuf *
if (buf->len / 2)
{
- for (i = 0; i < buf->len / 2; i++)
+ int len = fz_mini(buf->len / 2, nelem(dst));
+ for (i = 0; i < len; i++)
dst[i] = pdf_code_from_string(&buf->scratch[i * 2], 2);
pdf_map_one_to_many(ctx, cmap, src, dst, i);
}
diff --git a/pdf/pdf_font.c b/pdf/pdf_font.c
index 6879d12b..34199e06 100644
--- a/pdf/pdf_font.c
+++ b/pdf/pdf_font.c
@@ -455,6 +455,7 @@ pdf_load_simple_font(pdf_document *xref, pdf_obj *dict)
{
fz_warn(ctx, "workaround for S22PDF lying about chinese font encodings");
pdf_drop_font(ctx, fontdesc);
+ fontdesc = NULL;
fontdesc = pdf_new_font_desc(ctx);
pdf_load_font_descriptor(fontdesc, xref, descriptor, "Adobe-GB1", cp936fonts[i+1]);
fontdesc->encoding = pdf_load_system_cmap(ctx, "GBK-EUC-H");
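Review bot: The added `fontdesc = NULL;` at L278 is overwritten on the very next line, so it only matters if `pdf_new_font_desc` throws and an enclosing handler outside this hunk drops `fontdesc`; without a comment the next reader will delete it as dead code. Suggest `/* clear before re-allocating: if pdf_new_font_desc throws, the catch must not drop the font we just released */`. pdf_load_simple_font begins and ends outside the hunk.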
diff --git a/pdf/pdf_form.c b/pdf/pdf_form.c
index d532fcd3..ec2190f6 100644
--- a/pdf/pdf_form.c
+++ b/pdf/pdf_form.c
@@ -2519,7 +2519,8 @@ void pdf_field_set_text_color(pdf_document *doc, pdf_obj *field, pdf_obj *col)
parse_da(ctx, da, &di);
di.col_size = pdf_array_len(col);
- for (i = 0; i < di.col_size; i++)
+ len = fz_mini(di.col_size, nelem(di.col));
+ for (i = 0; i < len; i++)
di.col[i] = pdf_to_real(pdf_array_get(col, i));
fzbuf = fz_new_buffer(ctx, 0);
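Review bot: The clamp at L290–L291 bounds the fill of `di.col`, but `di.col_size` (L288) keeps the unclamped array length, so anything downstream that iterates `di.col` for `col_size` entries — the buffer construction starting at L293 and continuing outside the hunk is the obvious candidate — still reads past the array. Either record the clamped value with `di.col_size = len;` or reject the field via `fz_throw` when `pdf_array_len(col) > nelem(di.col)`, since a colour array with more components than `di.col` holds is malformed anyway. `len` is not declared within the hunk; confirm it exists in the enclosing scope.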
diff --git a/pdf/pdf_image.c b/pdf/pdf_image.c
index ead7db49..d71d974a 100644
--- a/pdf/pdf_image.c
+++ b/pdf/pdf_image.c
@@ -108,10 +108,11 @@ decomp_image_from_stream(fz_context *ctx, fz_stream *stm, pdf_image *image, int
int f = 1<<native_l2factor;
int w = (image->base.w + f-1) >> native_l2factor;
int h = (image->base.h + f-1) >> native_l2factor;
- pdf_image_key *key;
+ pdf_image_key *key = NULL;
fz_var(tile);
fz_var(samples);
+ fz_var(key);
fz_try(ctx)
{
diff --git a/pdf/pdf_stream.c b/pdf/pdf_stream.c
index 41e438ac..1efe116c 100644
--- a/pdf/pdf_stream.c
+++ b/pdf/pdf_stream.c
@@ -486,6 +486,7 @@ pdf_load_compressed_stream(pdf_document *xref, int num, int gen)
fz_catch(ctx)
{
fz_free(ctx, bc);
+ fz_rethrow(ctx);
}
return bc;
}
diff --git a/xps/xps_outline.c b/xps/xps_outline.c
index 5c5bdbc6..bd50dd35 100644
--- a/xps/xps_outline.c
+++ b/xps/xps_outline.c
@@ -66,7 +66,7 @@ xps_parse_document_structure(xps_document *doc, fz_xml *root)
if (!strcmp(fz_xml_tag(root), "DocumentStructure"))
{
node = fz_xml_down(root);
- if (!strcmp(fz_xml_tag(node), "DocumentStructure.Outline"))
+ if (node && !strcmp(fz_xml_tag(node), "DocumentStructure.Outline"))
{
node = fz_xml_down(node);
if (!strcmp(fz_xml_tag(node), "DocumentOutline"))
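Review bot: The null check added at L330 is missing from the parallel line at L333: `node = fz_xml_down(node)` can return NULL for an empty `DocumentStructure.Outline` element, and `fz_xml_tag(node)` is then called on NULL just as before the fix, unless `fz_xml_tag` tolerates NULL (not visible here). Apply the same guard: `if (node && !strcmp(fz_xml_tag(node), "DocumentOutline"))`. xps_parse_document_structure continues outside the hunk.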