Age | Commit message (Collapse) | Author |
|
root object
Before this fix, the root will be released when an indirect object has the
same object number with the root. However, the root object is loaded when
the trailer is parsed. It shall not be updated or replaced anymore.
BUG=425040
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/803103002
(cherry picked from commit dba5bfd174589ad08c4231b039297b59fa2ccc3b)
Review URL: https://codereview.chromium.org/792013005
|
|
BUG=414036, 425151
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/688633003
(cherry picked from commit 2b327f83ffcceca1911479c4afddafe51f0e37ba)
Review URL: https://codereview.chromium.org/788983004
|
|
BUG=438421
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/790363002
(cherry picked from commit 869517236c27b92b7060da7f44a0b01e252e8211)
Review URL: https://codereview.chromium.org/806133002
|
|
BUG=429139,430566,431288
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/758593002
(cherry picked from commit 4643533ca3dabe945fd174caf892a3ccb6cf2fd6)
Review URL: https://codereview.chromium.org/804173004
|
|
BUG=429134
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/791223002
(cherry picked from commit 381b911795bb42295e61976b0df3d7e46b780d02)
Review URL: https://codereview.chromium.org/807093002
|
|
Before this fix, PDF parser aborts the parsering process when detecting an error.
For this case, PDF parser just gives up parsering when it detects that the length of
image stream is incorrect. The solution to this case is to find the tag "endstream"
and "endobj" to calculate the length rather than aborting the parsering process.
BUG=433339
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/743263002
(cherry picked from commit ef619d0562b39f30943cfdc4985a0df233d00e42)
Review URL: https://codereview.chromium.org/776833002
|
|
BUG=418976, 425150, 414525
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/671943002
|
|
pTransfer function is released in pDocRender cleanup but is still being accessed in
~CPDF_GeneralStateData in pDocPage cleanup.
BUG=419320
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/662063003
|
|
BUG=414089, 414310, 414606
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/670813002
|
|
This patch is supplementary to issue 418881
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/645793007
|
|
This is a re-landing of the changes in https://pdfium.googlesource.com/pdfium/+/6387aff
which were lost during a libopenjpeg library roll.
TBR=thestig@chromium.org
Review URL: https://codereview.chromium.org/661463003
|
|
CPDF_Pattern objects are counted and maintained in m_PatternedMap.
When a CPDF_Pattern object "pattern" is deleted, it's address is marked as NULL in m_PatternMap.
This patch stores the address of CPDF_Pattern's adderss in all objects that references "pattern",
to ensure valid referencing after deletion.
BUG=416319, 419976, 418392
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/656753002
|
|
CPDF_StreamContentParser::Parse.
This is just a bit of defensive programming; I'm not sure the situation can
occur in the current code, but the following code is likely to set off a red
flag to anyone who reads it:
CPDF_StreamParser syntax(pData, dwSize);
m_pSyntax = &syntax;
since the extent of the local |syntax| is far less than the pointer member
|m_pSyntax|. NULL it out before syntax goes out of scope.
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/652063002
|
|
Glyph index shall be less than number of glyphs.
BUG=418585
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/652363002
|
|
BUG=421196
R=bo_xu@foxitsoftware.com
Review URL: https://codereview.chromium.org/656463006
|
|
BUG=418881
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/648823002
|
|
BUG=413375
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/624023003
|
|
BUG=407964, 414182, 413447
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/589243004
|
|
BUG=408532
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/524443002
|
|
Images are basic resource and are referred or used by other objects in some cases. Images should be released after the objects who uses these objects. In this case, an image object is accessed in the process of CPDF_TilingPattern's destroy. Unlikely, this image has been destroyed before.
BUG=414046
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/582993002
|
|
This was introduced at PDFium revision 12a9940. There was a subtle logic
change for null |parray|.
BUG=415438
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/579363002
|
|
pattern
BUG=414661
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/572853006
|
|
Before this fix, only |gindex < face->num_locations| is checked. However, the pointer, p, will be moved to next location in the first FT_NEXT_ULONG or FT_NEXT_USHORT. It may cause a crashier. So a boundary check is needed before the second FT_NEXT_ULONG or FT_NEXT_USHORT.
BUG=412457
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/571833002
|
|
BUG=414155
R=thakis@chromium.org
Review URL: https://codereview.chromium.org/574463002
|
|
There is an image object and text objects in this document, but the character in each text object is reversed.
When rendering, the image object is shown.
However, when highlighting, the text object is selected, resulting in text index issue.
Moreover, the character in the document is in reading order, which is different from normal document.
BUG=pdfium:43
R=jbreiden@google.com
Review URL: https://codereview.chromium.org/484503002
|
|
BUG=387970
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/551503003
|
|
m_pDocument in CPDF_Color
If not forced clear, the counter of CPDF_Pattern will take care the count of referenced instance.
When forced clear, clear color first to make sure pattern still exists when referencing it.
BUG=411154
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/554913003
|
|
BUG=411163
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/551513005
|
|
BUG=
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/534363002
|
|
When |m_nComponents| is changed from loading stream information,
previously allocated memory that depends on |m_nComponents| needes to be freed
and allocated again to enforce memory size consistency.
BUG=409695
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/528163002
|
|
BUG=409692
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/534763002
|
|
This will prevent using freed pattern object.
This is a better solution than https://pdfium.googlesource.com/pdfium/+/1b9c5c4dc41956b8c5ab17b9a882adf8a2513768
and in essence revert that patch
BUG=409373
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/522483003
|
|
This is code cleanup rather than bug fixing.
The motivation for this was to fix the casts at line 97 of the original file. These are wrong; you cannot correct via casting a function signature mismatch when passing a function as an argument. In theory, there's no reason to believe that the compiler will pass args in the same manner for a function of type (void*, size_t, void*) as for a function of type (void*, size_t, some_struct*). The cast will suppress the compile error, but you can't be assured the call will work as intended. In practice, it does, since the last architecture where a void* had a different representation than a struct* went extinct in the late 80s.
In the functions themselves, note that we currently bail out if srcData->offset >= srcData->src_size, so the expression
bufferLength = (OPJ_SIZE_T)(srcData->src_size - srcData->offset)
will always be > 0. Hence the check
if(bufferLength <= 0)
is pointless, esp. since bufferLength is a signed type and < 0 makes no sense.
The opj_seek_from_memory() has a bool return value, so returning -1 on error doesn't seem reasonable. Change this to TRUE/FALSE, and return false on seek past end.
If we're truly passing readonly data, then perhaps it makes sense to make the write() function always return -1. I didn't do this.
Lastly, I capitalize "DecodeData" so that it looks like a struct, and change its members to be size_t's to avoid casting back and forth.
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/507273003
|
|
m_bpc is assigned.
The problem of using GetValidBpc() in each function call is it could result in mismatch as seen in this case:
in ContinueToLoadMask(), m_bpc is re-assigned to 1 if m_bImageMask==1 regardless of the value from GetValidBpc().
This will result in mismatch if another function use the value from GetValidBpc().
The solution could be checking m_bImageMask in another function to make sure m_bpc is consistent, but that makes the code too cumbersome.
Also, we have to bring and are bringing in more and more GetValidBpc check, and this will continue with other buggy documents. So better to fix it now.
The original rational to use GetValidBpc() in where m_bpc is used is to respect the "raw" data from parsing.
However, if it will be ignored anyway and using value from GetValidBpc(), we'd better correct it at the very beginning.
BUG=408541
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/518443002
|
|
Edge closer to getting PDFium to build in chromium_code mode.
BUG=https://code.google.com/p/pdfium/issues/detail?id=29
R=bo_xu@foxitsoftware.com
Review URL: https://codereview.chromium.org/437343002
|
|
CPDF_DocPageData::~CPDF_DocPageData() will force to release all resources, so no need to do it here, which can result in heap-use-after-free trouble.
BUG=408164
R=jun_fang@foxitsoftware.com, tsepez@chromium.org
Review URL: https://codereview.chromium.org/513063003
|
|
There is not strict way to limit invalid value of |Colors| from dictionary. We can make sure |index| does not go out of boundary of row_size.
BUG=407614
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/509993003
|
|
BUG=408141, 408147
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/508253003
|
|
BUG=408154
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/509613005
|
|
BUG=407476
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/489703004
|
|
BUG=406868
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/504993002
|
|
BUG=406591
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/501823003
|
|
BUG=406806
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/503883002
|
|
BUG=406908
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/504673002
|
|
BUG=406600, 406895
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/497733005
|
|
(patchset #1 of https://codereview.chromium.org/493163003/)
Reason for revert:
Needs to address comments before landing
Original issue's description:
> Use number of components from ICC profile and alternate color space
>
> BUG=406806
>
> Committed: https://pdfium.googlesource.com/pdfium/+/be83103
TBR=tsepez@chromium.org,jun_fang@foxitsoftware.com
NOTREECHECKS=true
NOTRY=true
BUG=406806
Review URL: https://codereview.chromium.org/504883003
|
|
BUG=406806
Review URL: https://codereview.chromium.org/493163003
|
|
BUG=387983
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/454283002
|
|
Pdfium reads the page number from the field of '/Count' but it can't
load the number assigned by this field due to the damaged data. Add a
check to ensure that the required page should be one of loaded pages.
BUG=406090
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/477873003
|
|
Add a check to CFX_Font::LoadGlyphPath() similar to the one that exists
in CFX_FaceCache::RenderGlyph().
Also replace some scattered magic numbers in the file with constants,
and make arrays not used outside this file be statically scoped.
BUG=406144
R=jun_fang@foxitsoftware.com
Review URL: https://codereview.chromium.org/497863002
|