Age | Commit message | Author |
|
When reading a CMAP with values out of range, we can go into a
very long loop emitting the same pair of warnings.
Spot the error case earlier and this gives a nicer report.
Problem found in a test file, 3192.pdf.SIGSEGV.b0.2438 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
|
|
An unused dictionary reference could be left dangling. Simple fix
is to drop the reference after use.
Problem found in a test file, 2785.pdf.asan.6d.1985 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
|
|
When running a softmask, we remove the softmask from the gstate,
then run the group contents, then put the softmask back.
If the gstate stack is moved in the meantime (due to it being
realloced for extension), we can end up with it being moved.
We therefore must recalculate gstate before writing again.
Problem found in a test file, pdf_001/2599.pdf.asan.58.1778 supplied
by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google
Security Team using Address Sanitizer. Many thanks!
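The stale-pointer pattern this commit describes, as an added illustration rather than MuPDF's own code: a hypothetical graphics-state stack that is reallocated when a nested group pushes enough states, and the fixed softmask routine that keeps an index across the group and re-derives its gstate pointer afterwards. All names (csi, gstate, gsave, run_group) are simplified stand-ins.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified graphics-state stack; not MuPDF's csi/gstate. */
typedef struct { int softmask; } gstate;
typedef struct { gstate *stack; int top; int cap; } csi;
static void csi_init(csi *c) { c->cap = 2; c->top = 0; c->stack = calloc(c->cap, sizeof(gstate)); }
static void csi_free(csi *c) { free(c->stack); }
/* Grow by allocating first and freeing second, so the new block never sits at
   the old address: any gstate pointer taken earlier is now dangling. */
static void grow(csi *c) {
    gstate *n = malloc(2 * c->cap * sizeof(gstate));
    if (!n) abort();
    memcpy(n, c->stack, c->cap * sizeof(gstate));
    free(c->stack);
    c->stack = n; c->cap *= 2;
}
static void gsave(csi *c) {                   /* 'q': push a copy */
    if (c->top + 1 >= c->cap) grow(c);
    c->stack[c->top + 1] = c->stack[c->top];
    c->top++;
}
static void grestore(csi *c) { if (c->top > 0) c->top--; }   /* 'Q' */
/* Stand-in for the group contents: nested q/Q deep enough to force realloc. */
static void run_group(csi *c, int depth) {
    for (int i = 0; i < depth; i++) gsave(c);
    for (int i = 0; i < depth; i++) grestore(c);
}
/* The fixed pattern: keep the index, not a gstate pointer, across the group
   and re-derive the pointer afterwards. The bug was writing the softmask back
   through a pointer taken before run_group(), i.e. into freed memory. */
static int run_softmask(csi *c, int depth, int *stack_moved) {
    uintptr_t before = (uintptr_t)c->stack;
    int idx = c->top;
    int saved = c->stack[idx].softmask;
    c->stack[idx].softmask = 0;               /* remove softmask for the group */
    run_group(c, depth);                      /* may move c->stack */
    *stack_moved = ((uintptr_t)c->stack != before);
    gstate *gs = &c->stack[idx];              /* recalculate after the group */
    gs->softmask = saved;                     /* put the softmask back */
    return gs->softmask;
}
/* Test driver: one state holding 'mask', a group 'depth' levels deep. */
int softmask_roundtrip(int mask, int depth, int *moved) {
    csi c; csi_init(&c); c.stack[0].softmask = mask;
    int r = run_softmask(&c, depth, moved);
    csi_free(&c);
    return r;
}
```

Under AddressSanitizer the original pointer-caching version of run_softmask reports a heap-use-after-free on the write-back whenever stack_moved is set.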
|
|
While investigating samples_mupdf_001/2599.pdf.asan.58.1778, a leak
showed up while cleaning the file, due to not dropping an object in
an error case.
mutool clean -dif samples_mupdf_001/2599.pdf.asan.58.1778 leak.pdf
Simple fix. Also extend PDF writing so that it can cope with skipping
errors so we at least get something out at the end.
Problem found in a test file supplied by Mateusz "j00ru" Jurczyk and
Gynvael Coldwind of the Google Security Team using Address Sanitizer.
Many thanks!
|
|
If an OCG refers to itself, we end up recursing forever and
eventually stack overflow. Fix with the pdf_dict_mark stuff.
Problem found in 1551.pdf.SIGSEGV.7fd.615, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
|
|
The pdf function code only expects a maximum of FZ_MAX_COLORS
component functions in a sampling function; more functions than
this causes a buffer overflow. Add some checks to avoid this.
Problem found in 1219.pdf.SIGSEGV.fc0.246, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
|
|
If the key length is specified too long (0x120 for example), we can
overrun the key buffer (32 bytes). Fix this with some explicit
checks.
Problem found in 2513.pdf.asan.73.1684, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
|
|
It is perfectly allowable to have type3 glyphs that refer to
other type3 glyphs in the same font (and in theory it's probably
even possible to have type3 glyphs that refer back and forth
between 2 or more type3 fonts).
The old code used to cope with this just fine, but with the change
to 'early loading' of the glyphs to display lists at interpret time
a problem has crept in. When we load the type 3 font, we load
each glyph in turn. If glyph 1 tries to use glyph 2, then we look
up the font, only to find that the font has not been installed
yet, so we reload the entire font. This gets us into an infinite
loop.
As a fix for this, we split the loading of the type3 font into 2; we
load the font as normal, then allow the font to be inserted into
the list of current fonts. Then we run through the glyphs in the
font 'preparing' them (turning them into display lists).
This solves the infinite loop issue, but causes another problem;
recursive references (such as a font holding a display list that
contains a text node that contains a reference to the original font)
result in us never being able to free the structures.
To avoid this, we insist on never allowing type3 glyphs to be referenced
within a type3 display list. The display lists for all type3 glyphs
are therefore 'flat'. We achieve this by adding a 'nested' flag to
the pdf command stream interpreter structure, and setting this in the
case where we are running a glyph stream. We check for that flag in the
type3 glyph render function, and if present, we force the 'render_direct'
path to be used.
Finally, we ensure that fz_text groups are not needlessly created with
no contents.
Problem found in 2923.pdf.asan.22.2139, a test file supplied by
Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security
Team using Address Sanitizer. Many thanks!
|
|
We failed to detect a PDF sample function with a size of 0 as being
illegal. This led us to continue through the code, and then access
out of bounds.
Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the
Google Security Team using Address Sanitizer. Many thanks!
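An added example (not MuPDF's code) covering this commit and the FZ_MAX_COLORS commit above: a validator for a sampled-function header that rejects more component functions than the fixed array holds and rejects a size of 0, and additionally checks that the total sample count cannot wrap around. MAX_COLORS, the error codes and the function name are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative bound standing in for FZ_MAX_COLORS; the value is an assumption. */
#define MAX_COLORS 32

enum { SF_OK = 0, SF_BAD_OUTPUTS, SF_BAD_SIZE, SF_TOO_MANY_SAMPLES };

/* Validate a Type 0 (sampled) function header before sizing any buffer from
   it. n_out is the number of output components (one component function
   each), sizes[0..m-1] the sample count per input dimension. On success
   stores the total number of samples in *total. Hypothetical helper, not
   MuPDF's pdf_function code. */
int validate_sampled_function(int n_out, const int *sizes, int m, size_t *total)
{
    if (n_out < 1 || n_out > MAX_COLORS)
        return SF_BAD_OUTPUTS;          /* would overflow the fixed-size array */
    if (m < 1)
        return SF_BAD_SIZE;
    size_t count = 1;
    for (int i = 0; i < m; i++) {
        if (sizes[i] < 1)
            return SF_BAD_SIZE;         /* a size of 0 is illegal, not "empty" */
        if (count > SIZE_MAX / (size_t)sizes[i])
            return SF_TOO_MANY_SAMPLES; /* product would wrap around */
        count *= (size_t)sizes[i];
    }
    if (count > SIZE_MAX / (size_t)n_out)
        return SF_TOO_MANY_SAMPLES;
    *total = count * (size_t)n_out;
    return SF_OK;
}
```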
|
|
If an illegal keysize is passed into the AES crypt filter, we
currently exit without setting up the AES context. This causes
us to fail in all manner of ways later on.
We now return failure and callers throw an exception.
This appears to solve all the SEGVs and memory exceptions found in
crypt_aes by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the
Google Security Team using Address Sanitizer. Many thanks!
|
|
Move the TR2 handling code. Thanks to zeniko for this.
|
|
Thanks to zeniko for pointing this out. If we encounter a new definition
for a given object (presumably due to a repair operation), we used to
throw the old one away, and keep the new one. This could cause any
current holders of the object to be left with a stale pointer.
Now we throw the new one away and keep the old one - with a warning
if they are different.
|
|
Thanks to zeniko for these.
|
|
The way the forms to be reset is specified is used also in form
submission. This commit pulls out that selection method as a
separate function that returns the set of affected forms as a
pdf array object.
|
|
Following on from the blend.ai.pdf disappearing text fix that went in
the other day, zeniko has pointed out that we should be using the
device space on entry to pdf_show_pattern too. Fixed here.
Many thanks.
|
|
When creating a group around text, the text bbox was being used as the
group bbox without transforming it. This results in missing text in
blends.
Various text sections are now appearing in some test files too.
|
|
Various changes from zeniko to make the pdf interpreter cope better
with malformed files.
When running subobjects, catch the thrown errors to avoid upsetting
the clip stack.
When running a content stream, ensure that we don't underflow the
graphics states (in case of mismatched q/Q's). Here our patch
differs slightly from zeniko's original, as we pop any extra
ones off before returning.
|
|
Fix an issue spotted by zeniko. The patch is slightly modified
from his supplied one to avoid problems with repeated freeing
of the buffer, and to avoid abusing fz_buffer, but is largely
based on his work.
Many thanks.
|
|
Thanks to zeniko for finding various problems and submitting a
patch that fixes them. This commit covers the simpler issues from
his patch; other commits will follow shortly.
* Out of range LZW codes.
* Buffer overflows and error handling in image_jpeg.c
* Buffer overflows in tiff handling
* buffer overflows in cmap parsing.
* Potential double free in font handling.
* Buffer overflow in pdf_form.c
* use of uninitialised value in error case in pdf_image.c
* NULL pointer dereference in xps_outline.c
|
|
Thanks to zeniko for these.
Use otf as extension for opentype fonts.
fz_clampi should take ints, not floats!
Fix typo in prototype.
Squash unwanted warning.
Remove magic number in favour of #define.
Reset generation numbers when renumbering.
|
|
All these leaks were spotted by zeniko, so credit/thanks to him.
|
|
Moritz Lipp points out that the check for opts being NULL in
pdf_write_document is unnecessary. Removing it brings the
function into line with the docs.
|
|
We still need to have the callback for type 3 fonts that are uncacheable.
With this change the callback is only ever called directly from the
interpreter in fz_prepare_t3_glyph and fz_render_t3_glyph_direct.
|
|
09+20computer+20fx-fo-dx-adr-mx.pdf has a "PROJECT TITLE" field that appears
on every page, but needs setting only on one page. This commit makes that
field update correctly.
|
|
A slip up in the previous whitespace fix commit removed a {. Put
it back.
|
|
When drawing images, if they are much bigger than we need, quickly
subsample them. Makes images much more cachable, reduces time spent
in expensive smooth scaler.
|
|
When calculating the factor to use for image downscales, calculate it
as a shift rather than a divisor.
|
|
Also update pdf_dict_puts so that passing NULL to val deletes the terminal
key.
Update pdfapp.c to update the screen between passing a mouse event and
invoking a dialog box for value entry
Extend javascript wrapper to handle all color spaces
|
|
Regenerate dirty appearance streams and report changed annotations since
last call.
Also include a partial revert of changes in 96f335bc, that turn out not
to be necessary.
fz_update_page must now be called between each document-changing event and
the next render. pdfapp.c and the android app have been updated to do so,
but do not yet take advantage of the possibility to render only the updated
areas of the screen.
|
|
Only Fade, Wipe and Blinds supported so far.
Hit 'p' in the viewer to go into 'presentation' mode. Page swaps
then transition from page to page. Pages auto advance until key
or mouse is used.
|
|
Add pdf_update_annot, which is called before rendering an annotation, and
checks that the annotation structure has correct information. There are
three reasons the information can be out of date.
Attributes of a field may have been changed such that its appearance
stream needs updating. In this case the field will have "Dirty"
added to its dictionary.
The mouse may have changed state over the field, and a different
appearance stream needs selecting. The annotation structure now records
the mouse states for which the current appearance stream is acceptable.
The field may have changed state as recorded by its "AS" value, and a
different appearance stream needs selecting.
|
|
Also add a function to report whether the core has javascript support,
so that the additional features can be enabled only when the javascript
engine is present.
|
|
On the whole we avoid using const within MuPDF, but bug 693350
highlights cases where this can cause a problem with C++.
In C, if you do: foo("bar"); then "bar" has type char *.
In C++, if you do foo("bar"); then "bar" has type const char *.
This means that any calls to the MuPDF library from C++ that take
strings give warnings.
The fix is simple, so it seems to be worthwhile adding a few consts.
None of our internal data structures are affected in any way by
this change.
Thanks to Franz Fellner for pointing out this issue.
|
|
This reduces memory use by another 10% on the 2 test files mentioned
in the previous commit (see bug 693330).
|
|
Refactor 'short stopped' image stream loading into fz_compressed_buffer
loading. Nicer overall, and reflects the fact that this can be used
for non-image streams that we want to hold compressed in memory (for
instance for shading streams).
This is a preparatory step for pdfwrite, and enables further shading
memory use optimisations.
Remove unused jbig2 function pointer from the fz_compression_params
(previously fz_image_params) structure to avoid confusion.
|
|
Thanks to Sebras for pointing out our schizophrenia here.
|
|
The rest of the shading code and source code for other cases already handles
malformed entries in the same way.
|
|