Age | Commit message | Author |
|
fx_codec_icc.cpp specifies the default number of color components as 3 for
unknown profiles. However, lcms may know such a profile with a different
number of components. The inconsistency may lead to an array access
violation.
This CL uses cmsChannelsOf() from lcms to ensure consistency, and
rejects unexpected numbers according to the PDF spec.
BUG=chromium:667694
Original-Review-Url: https://codereview.chromium.org/2522933002
(cherry picked from commit 89a2d92549d25df6786d53de5671eb141e1fd3e2)
TBR=thestig@chromium.org,tsepez@chromium.org
Review URL: https://codereview.chromium.org/2535663005 .
|
|
It looks like sometimes there are rounding errors in the display
pipeline when displaying / hiding popup annotations. Compensate by
rounding up the damaged rect slightly.
BUG=chromium:662804
Review-Url: https://codereview.chromium.org/2492733002
(cherry picked from commit c75dcd253d75ea93608410d90a3ce1b605590af0)
Review URL: https://codereview.chromium.org/2523023002 .
|
|
This fixed several issues.
BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313
Review-Url: https://codereview.chromium.org/2482523003
(cherry picked from commit 413e3518ce390860cb5560720e5fba3ca7c8f764)
R=dsinclair@chromium.org
Review URL: https://codereview.chromium.org/2514563002 .
|
|
BUG=chromium:663294
Review-Url: https://codereview.chromium.org/2482143002
(cherry picked from commit 7b3252fa1f282c01707fc53d0ac347878dd0aebb)
Review URL: https://codereview.chromium.org/2488253004 .
|
|
LerpFloat functions expect input values to be normal floats. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.
If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.
This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.
BUG=654676
Review-Url: https://codereview.chromium.org/2422553002
(cherry picked from commit 85fcf94eeae589641213c4301bbb16b44b10a282)
Review URL: https://codereview.chromium.org/2462243002 .
|
|
Notice that this is just making it analogous to how it works when the
font is positive: the b and d components are reversed. Currently, when
the font is negative, only the a component is reversed. The c one needs
to be reversed as well.
BUG=chromium:653941
Review-Url: https://codereview.chromium.org/2411833002
(cherry picked from commit 4ea4281ad5775686317ef53f48eab39898d13d23)
R=dsinclair@chromium.org
TBR=dsinclair
Review URL: https://codereview.chromium.org/2469443002 .
|
|
When CGFontGetGlyphWithGlyphName returns 0, it means the glyph name
was not recognized. In this case, try using the glyph index to load the
glyph.
BUG=pdfium:625
Review-Url: https://codereview.chromium.org/2445933002
(cherry picked from commit 4ee6139e8cfecab9e181115894b26131ad6de09a)
R=thestig@chromium.org
Review URL: https://codereview.chromium.org/2460993002 .
|
|
The CPDF_Page::GetDisplayMatrix expects to set float values into the
|display_matrix| but all of the input values are currently int. It is possible
to overflow the int values, so this CL changes the variables to be int which
more closely reflects what they're being used for.
BUG=chromium:652038
Review-Url: https://codereview.chromium.org/2412983002
(cherry picked from commit 798e18f5e5cfb672c7f3186f6358b84c5ff7785b)
Review URL: https://codereview.chromium.org/2456943002 .
|
|
The CFFL_InteractiveFormFiller must be cleaned up before the environment because
the destruction of the formfiller will trigger the destruction of the formfiller
widgets. Some of those widgets may require stopping timers, which requires
accessing the environment.
BUG=chromium:654272, chromium:653459
TBR=tsepez@chromium.org
Review-Url: https://codereview.chromium.org/2408163003
(cherry picked from commit 709f5a9301e91365ab87610993c497e386504ead)
Review URL: https://codereview.chromium.org/2445873002 .
|
|
This CL implemented a better version of CWeightTable::GetPixelWeightSize(), which will calculate the size of array PixelWeight.m_Weights correctly to prevent potential heap buffer overflow conditions.
BUG=chromium:654183
TBR=tsepez@chromium.org
Review-Url: https://codereview.chromium.org/2404453003
(cherry picked from commit 05923132ae08d45fbe957219775a48c55ee57aef)
Review URL: https://codereview.chromium.org/2448613002 .
|
|
This reverts commit b69a98cf50537130f88ce3a799117f2ca8353ac5.
Reason for revert: crashes on mac.
BUG=654387
TBR=thestig@chromium.org
Review-Url: https://codereview.chromium.org/2410483002
(cherry picked from commit 5609f39c9d4534733f04a2be631da56948c2e96f)
Review URL: https://codereview.chromium.org/2415823002 .
|
|
The position indexes of color elements must be monotonically increasing.
Bail out if the decoded index is less than or equal to the previous index.
BUG=pdfium:615
Review-Url: https://codereview.chromium.org/2398033002
|
|
BUG=chromium:653044
Review-Url: https://codereview.chromium.org/2397783002
|
|
Instead of relying on ' ' to determine whether the CFX_Bytestring
is added on one place or another, use another vector. When trying
to match fonts from the fontmapper, compare with both vectors.
BUG=pdfium:510
Review-Url: https://codereview.chromium.org/2395883002
|
|
Skia's interface to transfer modes is
not described by an enum instead
of a class.
R=reed@google.com, dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2394683004
|
|
The embeddertests were closing the document before the formfill environment.
This caused a use-after-free as we try to use the document during formfill
destruction.
This CL fixes the destruction order in the embedder tests. As well, a few guards
are put in place to keep the system from crashing if the wrong destruction
order is called.
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/2398063002 .
|
|
Unused, remove.
Review-Url: https://codereview.chromium.org/2397513003
|
|
Rename CPDFSDK_Environment to make it explicit that this is part of the formfill
system.
Review-Url: https://codereview.chromium.org/2391313002
|
|
This CL updates CPDFXFA_Document so it never owns the CPDFSDK_Document. The
CPDFSDK_Document is now always owned by the CPDFXFA_Environment. This also
cleans up the strange need to reverse the order of document and form destruction
when using XFA.
Review-Url: https://codereview.chromium.org/2397473006
|
|
- Remove some unused stuff from pageint.h.
- Replace some FX_BOOL with bool in pageint.h, and related.
- Replace some "protected" with "private" in pageint.h.
- Move 2 methods into namespace in fpdf_page_parser_old.cpp.
Review-Url: https://codereview.chromium.org/2399573002
|
|
This reverts commit b73c99335bfbd158ad16dd59c9c52396ffd2b54b.
TBR=thestig@chromium.org
Review-Url: https://codereview.chromium.org/2393783004
|
|
This avoids a re-assignment that can otherwise cause a later fault.
BUG=pdfium:607
Review-Url: https://codereview.chromium.org/2393953002
|
|
This CL cleans up the code regarding CPDFSDK_Annots in CPDFSDK_PageView.
This includes:
* Makes DeleteAnnot XFA only and wraps at the call site.
* Removes unused methods
* Replaces use of CountAnnots and GetAnnot with vector iteration
* Removes {Set|Kill}FocusAnnot from CPDFSDK_PageView
* Renames m_fxAnnotArray to m_SDKAnnotArray
Review-Url: https://codereview.chromium.org/2384323005
|
|
FX_BOOL can be replaced by bool. Also replaced in a couple other places
so that Winbots pass.
Review-Url: https://codereview.chromium.org/2395803002
|
|
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.
BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
|
|
There's no way to take ownership back from the CPDF_Array
without deleting the object, so add a new primitive to make
elements become indirect rather than manipulating them
outside the class.
This should solve the ASSERT(objnum == 0) issue that
blocked the previous roll.
Review-Url: https://codereview.chromium.org/2391883003
|
|
Each of these files contains a single class, rename the file to match the
internal class name.
Review-Url: https://codereview.chromium.org/2385423004
|
|
Remove redundant DEPS files and DEPS file entries.
Review-Url: https://codereview.chromium.org/2390833003
|
|
Missed these again. Scripting fail.
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2393433003
|
|
- Added private method to avoid duplicated code.
- If the unicode calculation overflows, 0 is used instead of crashing.
Review-Url: https://codereview.chromium.org/2392103002
|
|
When fuzzing the image formats, it's possible to get a read request which
would go negative. Handle the request and return FALSE for the read.
BUG=chromium:621836
Review-Url: https://codereview.chromium.org/2386343002
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2393593002
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2392603004
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2386423004
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2392773003
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2386263003
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2391013002
|
|
m_Map maps to unsigned integer, but m_MultiCharBuf.GetLength() returns
an integer. There will be integer overflow if the length is big, and
UBSAN will complain. Thus, using FX_SAFE_UINT32. Replacing with uint32
would work as well: the point is to consider the length as uint instead
of int.
BUG=chromium:652232
Review-Url: https://codereview.chromium.org/2393573002
|
|
Review-Url: https://codereview.chromium.org/2387333002
|
|
Update clip to use intersect verb
from canvas.
R=dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2384283002
|
|
id:120001 of https://codereview.chromium.org/2375343004/ )
Reason for revert:
Broke PDFExtensionTest when rolling DEPS in Chromium.
Original issue's description:
> Assert that only 0-numbered objects are Released()
>
> This condition holds because numbered objects are brute-force
> deleted by the indirect object holder, rather than being
> released.
>
> Be careful about recursive deletion, check before advancing,
> since we no longer count on Release() doing this for us.
> Fix a few tests where the test was violating ownership rules.
>
> This should be the last step before completely removing Release()
> in favor of direct delete everywhere.
>
> Committed: https://pdfium.googlesource.com/pdfium/+/aba528a362248a54b27a7e9e046e2b65ab83f624
TBR=tsepez@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2387193003
|
|
The test file for fixing bug chromium:651304.
Review-Url: https://codereview.chromium.org/2392553004
|
|
This condition holds because numbered objects are brute-force
deleted by the indirect object holder, rather than being
released.
Be careful about recursive deletion, check before advancing,
since we no longer count on Release() doing this for us.
Fix a few tests where the test was violating ownership rules.
This should be the last step before completely removing Release()
in favor of direct delete everywhere.
Review-Url: https://codereview.chromium.org/2375343004
|
|
Review-Url: https://codereview.chromium.org/2386273004
|
|
Depending on what ReadOK does it's possible for |dircount16| to be used without
being initialized. The read code calls back into PDFium specific code which then
calls into the stream reading code.
Initialize the value to be sure it is set.
BUG=chromium:651632
Review-Url: https://codereview.chromium.org/2389993002
|
|
|Clear| is too easily mistaken for "clear this pointer only."
Review-Url: https://codereview.chromium.org/2385303002
|
|
This CL adds a |IsBeingDestroyed| flag into the CPDFSDK_PageView. We then
bail out of the pageview removal code early if the flag is set.
BUG=chromium:652103
Review-Url: https://codereview.chromium.org/2384243002
|
|
The original way of detecting loops was passing a level parameter
through various functions. This missed some cases which also lead
to load type3 font char, for example, FindFont() may call
CheckType3FontMetrics() which may eventually lead to LoadChar().
The new way is to store the char loading depth, and abort when the depth
exceeds the max.
BUG=chromium:651304
Review-Url: https://codereview.chromium.org/2384853002
|
|
Method is not called, removing.
Review-Url: https://codereview.chromium.org/2391663002
|
|
All the files are already excluded by the build system.
Review-Url: https://codereview.chromium.org/2387863002
|