Age | Commit message (Collapse) | Author |
|
This CL updates the Huffman decoder in the JBig2 codex to check the low field
does not overflow.
BUG=chromium:675236
Change-Id: I7f5f6fe8329df4ece6f317fac521fe2373686479
Reviewed-on: https://pdfium-review.googlesource.com/2131
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
Review-Url: https://codereview.chromium.org/2578663002
|
|
Be suspicious of |new|. This removes some of the
easy cases.
Review-Url: https://codereview.chromium.org/2571913002
|
|
Review-Url: https://codereview.chromium.org/2572843002
|
|
While decoding among instances, variable "FIRSTS" should hold its
value, not be reset. This was accidently changed by earlier
refactoring.
BUG=chromium:625848,pdfium:636
Review-Url: https://codereview.chromium.org/2569023002
|
|
We can remove a lot of "bOwnsStream" logic in the process.
Always pass these by const reference, in case the called method
wants to hang on to the stream (one exception is where we stick
a raw pointer into a void* slot in a context from another layer).
Review-Url: https://codereview.chromium.org/2451493002
|
|
Because that's what clone does. Perform immediate release
in some spots to avoid disrupting too much at once.
Review-Url: https://codereview.chromium.org/2534953004
|
|
|code_size_cur| could be larger than |code_size|, so |code| could be
larger than |code_end|. If this happens, early return, since the Decode
has failed.
BUG=659417
Review-Url: https://codereview.chromium.org/2542673004
|
|
The width and compress flag are read, so returning with error is more
appropriate than having an ASSERT.
BUG=659497
Review-Url: https://codereview.chromium.org/2535863002
|
|
BUG=667074
Review-Url: https://codereview.chromium.org/2520253003
|
|
fx_codec_icc.cpp specify default number of color components as 3 for
unknown profiles. However, lcms may know such profile with different
number of components. The inconsistency may lead to array access
violation.
This CL uses cmsChannelsOf() from lcms to ensure consistency. And
rejects unexpected number according to PDF spec.
BUG=chromium:667694
Review-Url: https://codereview.chromium.org/2522933002
|
|
Review-Url: https://codereview.chromium.org/2514173002
|
|
The -build/include setting was masking out build/include_what_you_use. This CL
restores them, fixes any build errors, and adds NOLINT as needed. As well,
the runtime/explicit and runtime/printf flags are aslo enabled and NOLINT'd.
lint cleanups
Change-Id: Ib013b3eb29c8d0e48cad74c5df9028684130719f
Reviewed-on: https://pdfium-review.googlesource.com/2030
Reviewed-by: Tom Sepez <tsepez@chromium.org>
|
|
Previously the log just made sure the colorspace and the image have
exact matches for the number of colorspace components. Now, for some
colorspace types, check the type and make sure the number of
components meets or exceeds what is required by the spec.
Also do some refactoring.
BUG=chromium:650230
Review-Url: https://codereview.chromium.org/2486123002
|
|
None of the decodes in the method are currently being checked. This is
causing pdfium to take a long time rendering corrupted files. Thus, I
added a couple of early returns to help prevent this from happening.
BUG=450971
Review-Url: https://codereview.chromium.org/2493633002
|
|
https://codereview.chromium.org/2482663002/ )
Reason for revert:
Max cmsChannelsOf() is 15, which is larger than expectation of existing code and cause crashes (at least the fuzzer).
BUG=chromium:663240
Original issue's description:
> Clean up fx_codec_icc.cpp
>
> Committed: https://pdfium.googlesource.com/pdfium/+/a94fc11866adb1b9ca4a4e1afb4fb574ed472e07
TBR=dsinclair@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
Review-Url: https://codereview.chromium.org/2485363002
|
|
Review-Url: https://codereview.chromium.org/2482663002
|
|
Review-Url: https://codereview.chromium.org/2477443002
|
|
An optimization to speed up float-to-int rounding caused a different
result for one input value. This tweaks the conversion constant so
that the results are identical across the entire valid range, and
adds a test that checks the part of the range that is most sensitive
to errors.
BUG=pdfium:624
Review-Url: https://codereview.chromium.org/2466203002
|
|
Review-Url: https://codereview.chromium.org/2450393004
|
|
Review-Url: https://codereview.chromium.org/2454263002
|
|
Review-Url: https://codereview.chromium.org/2457943002
|
|
Review-Url: https://codereview.chromium.org/2461543002
|
|
Replace most of these with ints since the are used in integer
operations. If it walks like a duck, and quacks like a duck
... despite what the hungarian notation might say.
Review-Url: https://codereview.chromium.org/2455523005
|
|
Review-Url: https://codereview.chromium.org/2459673002
|
|
BUG=chromium:659519
Review-Url: https://codereview.chromium.org/2456553002
|
|
NEXTBIT() is particularly pernicious in that it isn't syntactically
an expression, but rather two expressions. Replace it with an inline
along the way.
Review-Url: https://codereview.chromium.org/2452123002
|
|
It's been troubling for some time that an IFX_FileStream might
actually be an in-memory buffer with no backing file.
Review-Url: https://codereview.chromium.org/2443723002
|
|
Currently the JBig2 decoder can leak subimages in the case where we mark
more items in EXFLAGS then we have SDNUMEXSYMS. This Cl checks for this
condition and fails the decode if it happens.
BUG=chromium:654365
Review-Url: https://codereview.chromium.org/2419553002
|
|
The position indexes of color elements must be monotonic increasing.
Bail out if the decoded index is less or equal to the previous index.
BUG=pdfium:615
Review-Url: https://codereview.chromium.org/2398033002
|
|
BUG=chromium:653044
Review-Url: https://codereview.chromium.org/2397783002
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2392603004
|
|
BUG=pdfium:603
Review-Url: https://codereview.chromium.org/2386423004
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2377393002
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2382723003
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2381063002
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2383543002
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2379033002
|
|
Review-Url: https://codereview.chromium.org/2357173005
|
|
BUG=648935,649436
Review-Url: https://codereview.chromium.org/2360283004
|
|
TEST=build pdfium and chromium
BUG=pdfium:599
Review-Url: https://codereview.chromium.org/2355523002
|
|
BUG=648127
Review-Url: https://codereview.chromium.org/2351623002
|
|
The fx_codec_jpx_opj code will attempt to do a 1 << (prec - 1). If the prec
value is >=32 then that shift will overflow the int value. This CL adds a check
that prec is < 32 before attempting the shift.
BUG=chromium:633208
Review-Url: https://codereview.chromium.org/2334823002
|
|
BUG=645186
Review-Url: https://codereview.chromium.org/2326103002
|
|
BUG=627399
Review-Url: https://codereview.chromium.org/2328003002
|
|
We allocate the GifPlainText object on line ~685 inside GIF_D_STATUS_EXT_PTE.
We cleanup the internal pointers in the gif_destroy_decompress() but we
failed to cleanup the pointer itself.
This CL frees the allocated pointer once the data is cleaned up.
BUG=chromium:638499
Review-Url: https://codereview.chromium.org/2291143003
|
|
The JPX decoder needs to verify there is data associated with an image channel
before access. This was already done in one side of the if() but seems to be
missing from the other.
This Cl updates the loop to check the existance of channel data and to continue
iteration if none found.
BUG=chromium:637232
Review-Url: https://codereview.chromium.org/2291813002
|
|
overflow.
BUG=618267
Review-Url: https://codereview.chromium.org/2284063002
|
|
to fix bug 617135
617135 described an exploit against pdfium using a malformed gif.
This fix introduced a couple edge case handling lines to address
the OOB issue.
BUG= 617135
Review-Url: https://codereview.chromium.org/2230683002
|
|
If the width of the CJBig2_Image is set to 0 then the stride_pixels will be
zero and when we divide we'll get a floating point exception.
If the width or height are zero then we can exit early without proceeding with
the rest of the constructor.
BUG=chromium:635008
Review-Url: https://codereview.chromium.org/2222843004
|