Age | Commit message (Collapse) | Author |
|
The mupdf build included an implimentation of the pkcs7 functions that
are needed for signing documents and verifying signatures, the
implementation being either an openssl-based one, or a stub that returned
errors. This commit removes the pkcs7 functions from the main mupdf
library.
For the sake of verification, there wasn't really a need for the pkcs7
functions to be part of mupdf. It was only the checking function that used
them. The checking function is now provided as a helper, outside of the
main build. The openssl-based pkcs7 functions area also supplied as a
helper. Users wishing to verify signatures can either use the checking
function directly, or use the source on which to base their own.
Document signing requires more integration between mupdf and pkcs7
because part of the process is performed at time of signing and part when
saving the document. Mupdf already had a pdf_pkcs7_signer object that
kept information between the two phases. That object has now been extended
to include the pkcs7 functions involved in signing, and the signing
function now requires such an object, rather than a file path to a
certificate. The openssl-based pkcs7 helper provides a function that, given
the path to a certificate, will return a pdf_pkcs7_signer object.
The intention is that different implementations can be produced for
different platforms, based on cryptographic routines built into the
operationg system. In each case, for the sake of document signing, the
routines would be wrapped up as a pdf_pkcs7_signer object.
|
|
|
|
Rather than provide a stream and an explicitly defined set of byte ranges
within that stream, provide a stream that gives access to just the bytes in
the ranges.
|
|
This is needed to simplify the way the bytes for hashing are
passed to pkcs7 functions.
|
|
Previously, pdf-pkcs7.c contained mishmash of functions required
for creating and checking signatures, with no separation between
the parts relating to pdf and those relating to pkcs7. This
commit introduces pdf_signature.c which contains the pdf
specifics, leaving pdf-pkcs7.c to be purely pkcs7 functions.
This should more easily allow the use of pkcs7 solutions other
than openssl. The pkcs7 api is declared in pdf-pkcs7.h. It is
entirely free of mupdf specifics, other than using an fz_stream
to specify the bytes to be hashed.
|
|
Previously, errors were reported with a boolean function return
with a char buffer filled out with the reason in the failure
case. Now an enum is used to report the various failure cases.
The function pdf_check_signature has been left as is so that
existing apps will not need changing.
|
|
The openssl function we were using checked both trust and the
digest. Annoyingly, it checked trust first, so some trickery
had to be used to check the digest for self-signed certificates.
Now we make use of parts of the functions we were calling to
provide the two parts of the check as separate functions.
|
|
|
|
For TIFF it was not just the colorspace, but other data as well.
|
|
|
|
|
|
|
|
|
|
Previously repair might end up increasing xref_len, but the lists
were not correspodingly expanded, leading to ASAN complaints.
|
|
If there were indirect references in the object stream dictionary and
one of those indirect references referred to an object inside the object
stream itself, mupdf would previously enter recursion only bounded by the
exception stack. After this commit the object stream is checked if it is
marked immediately after being loaded. If it is marked then we terminate
the recursion at this point, if it is not marked then mark it and
attempt to load the desired object within. We also take care to unmark
the stream object when done or upon exception.
|
|
Under normal conditions where fz_keep_stream() is called inside
fz_try() we may call fz_drop_stream() in fz_catch() upon exceptions.
The issue comes when fz_keep_stream() has not yet been called but is
dropped in fz_catch(). This happens in the PDF from the bug when
fz_try() runs out of exception stack, and next the code in fz_catch()
runs, dropping the caller's reference to the filter chain stream!
The simplest way of fixing this it to always keep the filter chain
stream before fz_try() is called. That way fz_catch() may drop the
stream whether an exception has occurred or if the fz_try() ran out of
exception stack.
|
|
|
|
|
|
|
|
Also return PDF_TOK_ERROR instead of swallowing string opening quotes in
pdf_lex_no_string.
Also fix the repair code to not skip an extra byte whenever it scans an error
token.
|
|
|
|
|
|
And 'tofumax' to build without even the base14 PDF fonts.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A lot of EPUB pool allocated data is much smaller than the default size,
leading to a lot of wasted memory.
|
|
|
|
|
|
The bug reports a buffer overflow, but after that was fixed this leak
was reported by ASAN.
|
|
Opening in append mode was used before commit
c4d3a9142761a567fce9f66946a917e087c0de67
when the same file was reopened multiple times for formats that
support it. Nowadays the files is only opened once anyway so there
is no reason to use append mode.
|
|
|
|
This will allow us to read and write documents using I/O written
in Java, exposed by SeekableInputStream and SeekableOutputStream.
We supply an example FileStream which implements seekable streams
backed by a RandomAccessFile.
|
|
|
|
|
|
If fz_new_pixmap_with_bbox() threw conv would be NULL and temp would
be pointing to a pixmap that would be dropped 2 times.
If fz_clone_pixmap_area_with_different_seps() threw temp and conv
would be pointing to the same pixmap that would be dropped 3 times.
|
|
Without this change future calls to fz_fin_cached_color_converter()
will try to dereference the already freed pointer.
|
|
Without this change a resized cmap splay tree leads to using stale pointers.
|
|
|
|
Thanks to oss-fuzz for reporting this.
|
|
|
|
|
|
|
|
|
|
An earlier commit changed the mode used to open a file for saving so that
it could also be read from. The mode used was rb+ independently of whether
the saving mode was incremental or not. Doing so neglected that for
non-incemental saves the file may not already exist in which case opening
rb+ will fail. This commit arranges that wb+ is used in the non-incremental
case.
|
|
|
|
Don't output linewidth as mitrerlimit. This confuses Acrobat.
|