| Age | Commit message (Collapse) | Author |
|---|
|
In the existing code, if build_filter fails, chain will be freed. If
pdf_array_get fails however, it will leak.
Rectify this. No specific bug or example file, just observation arising
from discussions about previous commit.
|
|
pdf_open_raw_renumbered_stream and pdf_open_image_stream both have the
same issue that 98a111c8e49916f8f5ac21d11f4627540f9ddd49 fixes.
|
|
When constructing a filter chain, we pass ownership of 'chain' inwards.
This means we need to be careful not to double close chain.
This fixes:
5df97f8539d31745f1c45cc9e1468825_asan_heap-oob_a59afe_1862_225.pdf
a736faf6f4a34b7ad8eff207ba52aa57_asan_heap-oob_a59dd9_5744_4860.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the fuzzing files.
|
|
Bad annotation appearance streams can cause font_recs to have invalid
values in. Avoid this partly by hardening the code against duff values,
and partly by setting sane defaults before the parsing.
This can be seen in:
33bfbe117bfef7fafc3f927acf50a2e7_signal_sigsegv_81dd96_6257_5205.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
|
|
pdf_load_obj_stm may resize the xref if it finds further objects in the
stream, that might however invalidate any pdf_xref_entry hold such as
the one in pdf_cache_object. This can be seen e.g. with
7ac3ad9ddad98d10b947a43cf640062f_asan_heap-uaf_930b78_1007_1675.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
|
|
(Second part of Simons patch - apologies for missing this the first time).
This correctly enables the sanitization of the key length needed for
90db34f64037e2a8a5c3b6a518ba4153_asan_heap-oob_9b117e_1197_1802.pdf
Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security
Team for providing the example files.
|
|
This correctly enables the sanitization of the key length needed for
90db34f64037e2a8a5c3b6a518ba4153_asan_heap-oob_9b117e_1197_1802.pdf
|
|
We define a document handler for each file type (2 in the case of PDF, one
to handle files with the ability to 'run' them, and one without).
We then register these handlers with the context at startup, and then
call fz_open_document... as usual. This enables people to select the
document types they want at will (and even to extend the library with more
document types should they wish).
|
|
Certain optimized documents use a rather large common symbol dictionary
for all JBIG2 images. Caching these JBIG2Globals speeds up loading and
rendering of such documents.
|
|
At https://code.google.com/p/sumatrapdf/issues/detail?id=2460 , there's
a file with missing /Type keys in the page tree nodes. In that case,
leaf nodes and intermediary nodes have to be distinguished in a
different way.
|
|
These warnings are caused by casting function pointers to void*
instead of proper function types.
|
|
Some warnings we'd like to enable for MuPDF and still be able to
compile it with warnings as errors using MSVC (2008 to 2013):
* C4115: 'timeval' : named type definition in parentheses
* C4204: nonstandard extension used : non-constant aggregate initializer
* C4295: 'hex' : array is too small to include a terminating null character
* C4389: '==' : signed/unsigned mismatch
* C4702: unreachable code
* C4706: assignment within conditional expression
Also, globally disable C4701 which is frequently caused by MSVC not
being able to correctly figure out fz_try/fz_catch code flow.
And don't define isnan for VS2013 and later where that's no longer needed.
|
|
The SVG device needs rebinding as it holds a file. The PDF device needs
to rebind the underlying pdf document.
All documents need to rebind their underlying streams.
|
|
When we meet a broken PDF file, we attempt to repair it. We do this by
reading tokens from the file and attempting to interpret them as a
normal PDF stream.
Unfortunately, if the file is corrupt enough so that we start to read
from the middle of a stream, and we happen to hit an '(' character,
we can go into string reading mode. We can then end up skipping over
vast swathes of file that we could otherwise repair.
We fix this here by using a new version of the pdf_lex function that
refuses to ever return a string. This means we may take more time
over skipping things than we did before, but are less likely to
skip stuff.
We also tweak other parts of the pdf repair logic here. If we hit a
badly formed piece of data, clear the num/gen we have stored so that
the next plausible piece we get does not get assigned to a random
object number.
|
|
Remove code that's not used any more as a result of the previous
fix, plus some code that was unused anyway.
|
|
The 0 null object is leaked if a document refers to 0 0 obj before
requiring a delayed reparation (seen e.g. with 3324.pdf.asan.3.2585).
|
|
Thanks to Simon for spotting the original problem. This is a slight
tweak on the patch he supplied.
|
|
Replace an explicit i = i by a comment in a for loop where i is
already at the correct starting value.
|
|
Use round caps and joins so as to better match the result of drawing, and also
so that single dots display. Thanks to Michael Cadilhac for the suggestion.
|
|
At https://code.google.com/p/sumatrapdf/issues/detail?id=2436 , there's
a document with an empty xref section which since recently causes a
repair to be triggered. Repairs then stop when pdf_repair_obj_stms fails
on an object which isn't even required for the document to render. Such
broken object streams should rather be ignored same as broken objects
are ignored in pdf_init_document.
|
|
Avoid recursion to avoid stack overflows.
|
|
Currently, if we spot a bad xref as we are reading a PDF in, we can
repair that PDF by doing a long exhaustive read of the file. This
reconstructs the information that was in the xref, and the file can
be opened (and later saved) as normal.
If we hit an object that is not in the expected place however, we
cannot trigger a repair at that point - so xrefs with duff offsets
in (within the bounds of the file) will never be repaired.
This commit solves that by triggering a repair (just once) whenever
we fail to parse an object in the expected place.
|
|
Empty Contents streams are not valid - they need a length at least.
The alternative approach would be to put /Length 0 and update it
later.
|
|
Thanks to Michael Cadilhac for spotting this.
|
|
Previously we were setting blendmode in the created form XObjects
transparency group definition. This didn't work as PDF readers don't
look for it there.
Now we set it in the calling stream's resources, and set it before
calling the group.
|
|
Thanks to Makoto Fujiwara for spotting this.
|
|
If we have a NULL page, don't attempt to pass events to it.
|
|
Unused field. Also tweak some comments for clarity.
|
|
|
|
|
|
A poorly formed string can cause us to overrun the end of the buffer.
Now we check the end of the string at each stage to avoid this.
|
|
We were miscalculating the offsets into a sampled functions table,
causing us to overrun the end. Fixed here.
|
|
fz_new_font_from_buffer keeps the buffer for the font, so callers which
no longer need the data have to drop the buffer themselves explicitly.
|
|
I believe the implementation for revision 3 is wrong.
From pdf_reference17.pdf, step 5 of Algorithm 3.5 says:
5. Do the following 19 times: Take the output from the
previous invocation of the RC4 function and pass it
as input to a new invocation of the function; use an
encryption key generated by taking each byte of the
original encryption key (obtained in step 1) and
performing an XOR (exclusive or) operation between
that byte and the single-byte value of the iteration
counter (from 1 to 19).
"the original encryption key (obtained in step 1)" is pwbuf
(32 bytes) not key. Even if it was key, it wouldn't be n
bytes long, but only 16.
|
|
In case of an unknown function type, we free 'func'. Then we later
read func->type out of the block, and drop the block.
Simple solution is not to free the block initially and to let the
drop of the block do it for us.
|
|
|
|
|
|
pdf_load_annots was leaving the tail pointer pointing at the
automatic variable head in the case of the page having no
annotations.
|
|
|
|
Use fz_buffer to wrap and reference count data used in font.
|
|
|
|
|
|
|
|
|
|
This fixes bug 694755. Thank you to Michael Cadihac for the patch
|
|
Zero and one-point case both lead to an empty rectangle, but the one-point case
needs expanding but wasn't because fz_expand_rect treats an empty rectangle
as a special case (as it should)
|
|
|
|
Thanks to Micha for spotting this.
|
|
When putting store objects into the store, ensure that they do cannot
collide across documents.
|
|
|
