path: root/pdf
Age  Commit message  (Author)
2013-01-22  Bug 693527: Avoid JP2K images with themselves as their SMask.  (Robin Watts)
Bug 693527 points out that we fail to spot Jpeg 2000 images that have themselves as their own SMask and enter an infinite loop. We extend the code by passing the forcemask parameter in exactly the same way as the non-JPEG 2K code does. Thanks to Jarkko Poyry for spotting this, reporting it, and suggesting the fix.
2013-01-15  Bug 693545: Fix typo in previous commit.  (Robin Watts)
When adding code to spot identical streams, I got the logic in a test reversed as a result of a last minute change. Corrected here. Thanks to zeniko for pointing this out.
2013-01-11  Bug 693545: Extend pdfwrite to remove identical streams.  (Robin Watts)
When writing pdf files, we currently have the option to remove duplicate copies of objects; all streams are treated as being different though. Here we add the option to spot duplicate streams too. Based on a patch submitted by Heng Liu. Many thanks!
2013-01-11  Bug 693503: Fix NULL dereference in atoi.  (Robin Watts)
If a PDF xref subsection is broken in the wrong place, we can get NULL back from fz_strsep, which causes a SEGV when fed to atoi. Add a new fz_atoi that copes with NULL to avoid this. Problem found in a test file, 3959.pdf.SIGSEGV.ad4.3289 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-04  Make token enum a type to ease debugging  (Sebastian Rasmussen)
2013-01-04  Bug 693503: Fix stack overflows due to infinite recursion.  (Robin Watts)
If a colorspace refers to itself as a base, we can get an infinite recursion and hence stack overflow. Thanks to zeniko for pointing out that this occurs in embedded CMAPs and stitching functions. Also solved here. To avoid having to keep a long list of the objects we've traversed through, extend the pdf_dict_mark functions to work on all pdf objects, and hence rename them as pdf_obj_mark etc. Thanks to zeniko again for feedback on this way of working. Problem found in a test file, 3882.pdf.SIGSEGV.99.3204 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-03  Bug 693503: Fix leak of pdf object.  (Robin Watts)
When parsing a (broken) PDF stream, we can forget an existing parsed object when we parse another one. Check for us having one and free it if we do. Problem found in a test file, 3289.pdf.asan.77.2545 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-03  Bug 693503: Fix SEGV during pdf function loading from broken file.  (Robin Watts)
If the Function entry does not point to either a dictionary or an array, we should give up, otherwise we dereference a NULL pointer. Problem found in a test file, 1013.pdf.SIGSEGV.8a7.18 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-03  Squash 2 warnings about fz_warn without a string literal.  (Robin Watts)
2013-01-03  Improve mutool clean behaviour on broken streams.  (Robin Watts)
When cleaning a file with a corrupt stream in it, historically mupdf would give up when it encountered such a stream. This is often not what is desired, as information can be lost. The changes herein allow us to use our best efforts when reading a stream, so that broken streams are reproduced in the output cleaned file. Problem found in a test file, pdf_001/2599.pdf.asan.58.1778 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-02  Bug 693503: Fix overlong (seemingly infinite) loop of warnings.  (Robin Watts)
When reading a CMAP with values out of range, we can go into a very long loop emitting the same pair of warnings. Spot the error case earlier and this gives a nicer report. Problem found in a test file, 3192.pdf.SIGSEGV.b0.2438 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-02  Bug 693503: Fix memory leak in forms handling  (Robin Watts)
An unused dictionary reference could be left dangling. Simple fix is to drop the reference after use. Problem found in a test file, 2785.pdf.asan.6d.1985 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2013-01-02  Bug 693503: Fix leak/illegal memory write caused by stale pointer  (Robin Watts)
When running a softmask, we remove the softmask from the gstate, then run the group contents, then put the softmask back. If the gstate stack is moved in the meantime (due to it being realloced for extension), we can end up with it being moved. We therefore must recalculate gstate before writing again. Problem found in a test file, pdf_001/2599.pdf.asan.58.1778 supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-24  Bug 693503: Fix leak while writing a broken file.  (Robin Watts)
While investigating samples_mupdf_001/2599.pdf.asan.58.1778, a leak showed up while cleaning the file, due to not dropping an object in an error case.

mutool clean -dif samples_mupdf_001/2599.pdf.asan.58.1778 leak.pdf

Simple fix. Also extend PDF writing so that it can cope with skipping errors so we at least get something out at the end. Problem found in a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-21  Bug 693503: Fix infinite recursion in OCGs.  (Robin Watts)
If an OCG refers to itself, we end up recursing forever and eventually stack overflow. Fix with the pdf_dict_mark stuff. Problem found in 1551.pdf.SIGSEGV.7fd.615, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-21  Bug 693503: Fix SEGV in pdf_function.  (Robin Watts)
The pdf function code only expects a maximum of FZ_MAX_COLORS component functions in a sampling function; more functions than this causes a buffer overflow. Add some checks to avoid this. Problem found in 1219.pdf.SIGSEGV.fc0.246, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-20  Bug 693503: Fix stack corruption in pdf_crypt due to overlong key  (Robin Watts)
If the key length is specified too long (0x120 for example), we can overrun the key buffer (32 bytes). Fix this with some explicit checks. Problem found in 2513.pdf.asan.73.1684, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-19  Bug 693503: 'Flatten' display list for all type3 glyphs.  (Robin Watts)
It is perfectly allowable to have type3 glyphs that refer to other type3 glyphs in the same font (and in theory it's probably even possible to have type3 glyphs that refer back and forth between 2 or more type3 fonts). The old code used to cope with this just fine, but with the change to 'early loading' of the glyphs to display lists at interpret time a problem has crept in.

When we load the type 3 font, we load each glyph in turn. If glyph 1 tries to use glyph 2, then we look up the font, only to find that the font has not been installed yet, so we reload the entire font. This gets us into an infinite loop.

As a fix for this, we split the loading of the type3 font into 2; we load the font as normal, then allow the font to be inserted into the list of current fonts. Then we run through the glyphs in the font 'preparing' them (turning them into display lists).

This solves the infinite loop issue, but causes another problem; recursive references (such as a font holding a display list that contains a text node that contains a reference to the original font) result in us never being able to free the structures.

To avoid this, we insist on never allowing type3 glyphs to be referenced within a type3 display list. The display lists for all type3 glyphs are therefore 'flat'. We achieve this by adding a 'nested' flag to the pdf command stream interpreter structure, and setting this in the case where we are running a glyph stream. We check for that flag in the type3 glyph render function, and if present, we force the 'render_direct' path to be used.

Finally, we ensure that fz_text groups are not needlessly created with no contents.

Problem found in 2923.pdf.asan.22.2139, a test file supplied by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-14  Bug 693503: Fix out of bounds memory access.  (Robin Watts)
We failed to detect a PDF sample function with a size of 0 as being illegal. This led us to continue through the code, and then access out of bounds. Issue found by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-14  Bug 693503: Fix SEGV/memory problems in AES.  (Robin Watts)
If an illegal keysize is passed into the AES crypt filter, we currently exit without setting up the AES context. This causes us to fail in all manner of ways later on. We now return failure and callers throw an exception. This appears to solve all the SEGVs and memory exceptions found in crypt_aes by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the Google Security Team using Address Sanitizer. Many thanks!
2012-12-13  Bug 693463: TR2 is defined for gstates, not for SMasks.  (Robin Watts)
Move the TR2 handling code. Thanks to zeniko for this.
2012-12-13  Bug 693290: Fix use after free in obj stream handling.  (Robin Watts)
Thanks to zeniko for pointing this out. If we encounter a new definition for a given object (presumably due to a repair operation), we used to throw the old one away, and keep the new one. This could cause any current holders of the object to be left with a stale pointer. Now we throw the new one away and keep the old one - with a warning if they are different.
2012-12-13  Bug 693290: PDF cmap range warnings  (Robin Watts)
Thanks to zeniko for these.
2012-12-13  Forms: refactor form reset  (Paul Gardiner)
The way the forms to be reset is specified is used also in form submission. This commit pulls out that selection method as a separate function that returns the set of affected forms as a pdf array object.
2012-12-12  Fix use of text_bbox with pattern filled text.  (Robin Watts)
Following on from the blend.ai.pdf disappearing text fix that went in the other day, zeniko has pointed out that we should be using the device space on entry to pdf_show_pattern too. Fixed here. Many thanks.
2012-12-08  Fix blend.ai.pdf - Missing "exclusion" text  (Robin Watts)
When creating a group around text, the text bbox was being used as the group bbox without transforming it. This results in missing text in blends. Various text sections are now appearing in some test files too.
2012-11-30  Bug 693290: Harden pdf interpreter.  (Robin Watts)
Various changes from zeniko to make the pdf interpreter cope better with malformed files. When running subobjects, catch the thrown errors to avoid upsetting the clip stack. When running a content stream, ensure that we don't underflow the graphics states (in case of mismatched q/Q's). Here our patch differs slightly from zeniko's original, as we pop any extra ones off before returning.
2012-11-30  Bug 693290: Fix for potential infinite recursion reading xrefs.  (Robin Watts)
Fix an issue spotted by zeniko. The patch is slightly modified from his supplied one to avoid problems with repeated freeing of the buffer, and to avoid abusing fz_buffer, but is largely based on his work. Many thanks.
2012-11-30  Bug 693290: Various fixes found from fuzzing.  (Robin Watts)
Thanks to zeniko for finding various problems and submitting a patch that fixes them. This commit covers the simpler issues from his patch; other commits will follow shortly.
* Out of range LZW codes.
* Buffer overflows and error handling in image_jpeg.c
* Buffer overflows in tiff handling
* Buffer overflows in cmap parsing.
* Potential double free in font handling.
* Buffer overflow in pdf_form.c
* Use of uninitialised value in error case in pdf_image.c
* NULL pointer dereference in xps_outline.c
2012-11-29  Fix a couple of leaks  (Paul Gardiner)
2012-11-29  Bug 693463: Various small fixes.  (Robin Watts)
Thanks to zeniko for these.
* Use otf as extension for opentype fonts.
* fz_clampi should take ints, not floats!
* Fix typo in prototype.
* Squash unwanted warning.
* Remove magic number in favour of #define.
* Reset generation numbers when renumbering.
2012-11-29  Bug 693463: Fix various memory leaks.  (Robin Watts)
All these leaks were spotted by zeniko, so credit/thanks to him.
2012-11-28  Bug 693443: Don't check for fz_opts being NULL in pdf_write_document  (Robin Watts)
Moritz Lipp points out that the check for opts being NULL in pdf_write_document is unnecessary. Removing it brings the function into line with the docs.
2012-11-26  Use display list for type 3 glyphs.  (Tor Andersson)
We still need to have the callback for type 3 fonts that are uncacheable. With this change the callback is only ever called directly from the interpreter in fz_prepare_t3_glyph and fz_render_t3_glyph_direct.
2012-11-21  Forms: ensure changed widgets are marked dirty rather than parent field  (Paul Gardiner)
09+20computer+20fx-fo-dx-adr-mx.pdf has a "PROJECT TITLE" field that appears on every page, but needs setting only on one page. This commit makes that field update correctly.
2012-11-20  Fix android javascript build compile error.  (Robin Watts)
A slip up in the previous whitespace fix commit removed a {. Put it back.
2012-11-20  Obsess about whitespace.  (Tor Andersson)
2012-11-19  Add image subsampling function.  (Robin Watts)
When drawing images, if they are much bigger than we need, quickly subsample them. Makes images much more cachable, reduces time spent in expensive smooth scaler.
2012-11-19  Tweak image decode downscale factor internals.  (Robin Watts)
When calculating the factor to use for image downscales, calculate it as a shift rather than a divisor.
2012-11-19  javascript fix typo in util function  (Paul Gardiner)
2012-11-08  Forms: correctly handle setting the value of a checkbox field  (Paul Gardiner)
2012-11-08  Forms: handle all color types in Field.setTextColor  (Paul Gardiner)
2012-11-07  Javascript: add alerts to keystroke-checking utility functions  (Paul Gardiner)
2012-11-07  Javascript: implement Field.name  (Paul Gardiner)
2012-11-06  javascript: implement util.printf  (Paul Gardiner)
2012-11-01  Forms: extend setFillColor implementation to include text widgets  (Paul Gardiner)
Also update pdf_dict_puts so that passing NULL to val deletes the terminal key.
Update pdfapp.c to update the screen between passing a mouse event and invoking a dialog box for value entry.
Extend javascript wrapper to handle all color spaces.
2012-10-31  Forms: add focus and blur actions  (Paul Gardiner)
2012-10-29  Add fz_update_page  (Paul Gardiner)
Regenerate dirty appearance streams and report changed annotations since last call. Also include a partial revert of changes in 96f335bc, that turn out not to be necessary. fz_update_page must now be called between each document-changing event and the next render. pdfapp.c and the android app have been updated to do so, but do not yet take advantage of the possibility to render only the updated areas of the screen.
2012-10-29  Forms: always use inherited version of default appearance  (Sebastian Rasmussen)
2012-10-25  Support separate rendering of the main page contents and the annotations  (Paul Gardiner)