summaryrefslogtreecommitdiff
path: root/third_party
AgeCommit message (Collapse)Author
2017-01-25Prevent skew overflows in gtTileContigNicolas Pena
Using int64 to check whether uint32 operations have overflowed. BUG=681300 Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b Reviewed-on: https://pdfium-review.googlesource.com/2355 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-25Use opj_uint_ceildiv where it is better than its int versionNicolas Pena
Replaced (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b) with opj_uint_ceildiv(a, b), which makes much more sense. BUG=683156 Change-Id: Ie9d6736f4ec0f16d14f203850a14f0dabd73ee38 Reviewed-on: https://pdfium-review.googlesource.com/2352 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-24Check m_data!=null when adding mctNicolas Pena
m_decorrelation_array and m_offset_array can be assigned to l_mct_data, which can be set in opj_j2k_read_mct. In this method, there can be an early true return before allocating m_data but after freeing it. BUG=678342 Change-Id: Id9ea3cc57a9a278deb1540e5db8a94db86018fd6 Reviewed-on: https://pdfium-review.googlesource.com/2350 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-01-23Update safe numerics package to get bitwise opstsepez
Fix callers conventions to avoid ambiguity. Fix bad bounds check unmasked by change. Directly include headers no longer pulled in by numerics itself. Review-Url: https://codereview.chromium.org/2640143003
2017-01-19Fix leak in PixarLogSetupDecodeNicolas Pena
The call may come from TIFFReadRGBAImageOriented, and there no cleanup is done. So free the memory allocation on failure. BUG=681301 Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870 Reviewed-on: https://pdfium-review.googlesource.com/2252 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-19Return error in opj_j2k_read_header_procedure if l_marker_size < 2Nicolas Pena
If we do not do this check, it will overflow to a huge unsigned int, so we will allocate a lot of memory etc. BUG=682182 Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff Reviewed-on: https://pdfium-review.googlesource.com/2272 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12Fix leak in OJPEGReadHeaderInfoSecTablesAcTable when read fails.Nicolas Pena
If rb is allocated memory but p != q, then it will not be assigned to sp->actable[m], so it will leak. BUG=680520 Change-Id: Ib0b178b043b2a9821fb289d033ca0ab52e4cbe48 Reviewed-on: https://pdfium-review.googlesource.com/2176 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12Prevent undefined shift in putagreytileNicolas Pena
Patch has been accepted upstream, see: http://bugzilla.maptools.org/show_bug.cgi?id=2658 BUG=655008 Change-Id: I7ef69e6f71e66bd7e0a4d334c4f8e60ed02213d2 Reviewed-on: https://pdfium-review.googlesource.com/2174 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-11Really fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
My previous attempt did not follow precisely the way m_nb_mcc_records is increased in opj_j2k_read_mcc. Previous: https://pdfium-review.googlesource.com/c/2165/ BUG=678461, 680102 Change-Id: I3e14c440e3a49b714f8cd82d44992fe647200336 Reviewed-on: https://pdfium-review.googlesource.com/2171 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-10Fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
Now we update m_nb_mct_records only when there was a new mct record, and l_mct_data computations all went through. In previous version, the ++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that this is similar to the analoguous in opj_j2k_read_mcc. CL that changed the calculation: https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60 BUG=678461 Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662 Reviewed-on: https://pdfium-review.googlesource.com/2165 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-01-09[libtiff] Validate refblackwhite valuesDan Sinclair
The td_refblackwhite value is currently assigned without validation. This may pose an issue as the image can specify the value as nan. This will cause problems later when we use the nan in calcluations. This CL validates each of the float values are not nan and if they are sets them to the default provided by the TIFF spec v6. BUG=chromium:632883 Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c Reviewed-on: https://pdfium-review.googlesource.com/2151 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-05[libtiff] Fixup unitialized access issueDan Sinclair
This CL initializes the raw tif data to guard against unitialized memory access. BUG=chromium:677377 Change-Id: If272fafacd996c2e93a41fb6e477661dc0c5492c Reviewed-on: https://pdfium-review.googlesource.com/2150 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
2017-01-03Libtiff update with upstreamNicolas Pena
This CL makes the fix to the bug equal to that which has now been submitted upstream. Link: https://github.com/vadz/libtiff/commit/fa6b22a5135fdeabe860097c04f298ca0ae7f2e1 Our original CL for fixing the bug: https://codereview.chromium.org/2545723004/ BUG=657473 Change-Id: I52ae6a062ac07a0e20d0ba4ab823cbbf1d2b1ac1 Reviewed-on: https://pdfium-review.googlesource.com/2136 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2016-12-16lcms: Sanitize floating point readchromium/2956chromium/2955kcwu
This is partially backported from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3 BUG=chromium:665054 Review-Url: https://codereview.chromium.org/2577963007
2016-12-07lcms: avoid fixed number LUT optimization on inf valueskcwu
BUG=chromium:666705 Review-Url: https://codereview.chromium.org/2538703002
2016-12-05Fix a leak when TIFFRGBAImageBegin failschromium/2943npm
The method to create image can fail even after ycbcr has been set, so the current way to release is not enough. TIFFRGBAImageEnd is safe in that it checks for existence before deleting, and deletes whatever has been created. BUG=657473 Review-Url: https://codereview.chromium.org/2545723004
2016-12-02Encode lcms files as utf-8Scott Graham
The diff isn't well displayed in Rietveld, and I had to do some interpretation here, as it wasn't clear what code page these files were pretending to use. The left quotes were 0x92, the right quote + \n had been converted to ?, and the negative infinity was 0x96. (I assume maybe Mac something.) In any case, I tried to interpret the comments and make them something sensible. In the worst case, it's "only" comments that are broken, as no actual code was modified. R=tsepez@chromium.org, brucedawson@chroium.org BUG=637203,454858 Review URL: https://codereview.chromium.org/2545593002 .
2016-11-16Create a subset of skia support for paths onlycaryclark
This is a continuation of https://codereview.chromium.org/2346483006/ This removes the need for agg, without providing full Skia support. It doesn't work yet, but it does compile and run for simple PDFs. R=dsinclair@google.com Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58 Review-Url: https://codereview.chromium.org/2491693002
2016-11-15Revert of Create a subset of skia support for paths only (patchset #10 ↵dsinclair
id:180001 of https://codereview.chromium.org/2491693002/ ) Reason for revert: Breaking the chrome roll. https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/306015/steps/generate_build_files%20%28with%20patch%29/logs/stdio Original issue's description: > Create a subset of skia support for paths only > > This is a continuation of https://codereview.chromium.org/2346483006/ > > This removes the need for agg, without providing > full Skia support. > > It doesn't work yet, but it does compile and run > for simple PDFs. > > R=dsinclair@google.com > > Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58 TBR=dsinclair@google.com,caryclark@google.com # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review-Url: https://codereview.chromium.org/2503883003
2016-11-15Create a subset of skia support for paths onlycaryclark
This is a continuation of https://codereview.chromium.org/2346483006/ This removes the need for agg, without providing full Skia support. It doesn't work yet, but it does compile and run for simple PDFs. R=dsinclair@google.com Review-Url: https://codereview.chromium.org/2491693002
2016-11-07Force compiler to deduce src type for checked_cast<dst, src>.tsepez
Otherwise, we might be silently doing an unsafe cast before applying the check if the actual argument doesn't match the exact src type. Review-Url: https://codereview.chromium.org/2484953003
2016-11-07lcms: backport upstream commit c0a98d86kcwu
This fixed several issues. BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313 Review-Url: https://codereview.chromium.org/2482523003
2016-11-07lcms: Fix memory leak in ReadSegmentedCurvekcwu
BUG=chromium:658223 Review-Url: https://codereview.chromium.org/2480013002
2016-11-02Take more current safe_math_impl.h from upstream.chromium/2908tsepez
Corresponds to version dfd77a987650965071d0fddfbe0b806ce62ba337. Major change is to handle div by 0 without exceptions. Safe shift is not yet present. TBR=thestig@chromium.org TBR=jschuh@chromium.org Review-Url: https://codereview.chromium.org/2473513002
2016-10-26libtiff: Fix unsigned vs signed comparison warning.thestig
tif_pixarlog.c revision 1.45. commitid: IX5L3QQ5Qtzcofcz BUG=chromium:654172 Review-Url: https://codereview.chromium.org/2452293002
2016-10-26libtiff: Prevent a buffer overflow in function PixarLogDecode.stackexploit
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images. The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800). This CL applies the official patch to tif_pixarlog.c. BUG=chromium:654172 R=dsinclair@chromium.org, thestig@chromium.org Review-Url: https://codereview.chromium.org/2453253003
2016-10-21Fix some div by 0s in safe_math_impl.hchromium/2898tsepez
The majority of these are already upstream in base/, the remainder will need upstreaming. Also pull some upstream changes to reduce diffing. Upstream CL is https://codereview.chromium.org/2440143003/ BUG=657436 Review-Url: https://chromiumcodereview.appspot.com/2441753003
2016-10-17lcms: Revise previous cmsStageAllocMatrix fixkcwu
Also fixed wrong patch file name. This is fixup of 958e57cb and d2023170 TEST=apply this change in lcms' repo and make check BUG=chromium:651849,chromium:654198 Review-Url: https://codereview.chromium.org/2424803002
2016-10-17lcms: reject NaN when reading float numberskcwu
LerpFloat functions expect input values are normal float. They first clamp values to the range of [0.0, 1.0] and then calculate interpolation with the input values. If the input value is NaN, it will lead to heap buffer overflow because the index to LutTable is calculated based on the said value and fclamp(NaN) is not in expected [0.0, 1.0] range. This patch rejects all NaN values earlier when reading float numbers. So it also changed behavior for cases other than LerpFloat. I think it is okay because NaN doesn't make sense for usual calculations. BUG=654676 Review-Url: https://codereview.chromium.org/2422553002
2016-10-12Fix else-line corrupted by non-ascii character when importkcwu
BUG=pdfium:619 Review-Url: https://codereview.chromium.org/2411123003
2016-10-11Fix cmdStageAllocMatrix parameter swap againkcwu
This is fixup of 958e57cb. BUG=chromium:651849,chromium:654198 Review-Url: https://codereview.chromium.org/2407113002
2016-10-10libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.stackexploit
The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to heap buffer overflow. This CL strengthens integer overflow check in function _TIFFCheckRealloc. BUG=chromium:654169 R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2405693002
2016-10-04Fix cmdStageAllocMatrix parameter swapkcwu
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later. BUG=chromium:651849 Review-Url: https://codereview.chromium.org/2384063006
2016-10-03Add ptr_util.h from base until std::make_unique<> availabletsepez
Review-Url: https://codereview.chromium.org/2386273004
2016-10-03Fix potentially uninitialized value.chromium/2880dsinclair
Depending on what ReadOK does it's possible for |dircount16| to be used without being initialized. The read code calls back into PDFium specific code which then calls into the stream reading code. Initialize the value to be sure it is set. BUG=chromium:651632 Review-Url: https://codereview.chromium.org/2389993002
2016-09-29Move core/fxcrt/include to core/fxcrtdsinclair
BUG=pdfium:611 Review-Url: https://codereview.chromium.org/2382723003
2016-09-26Fix memory leak in lcms, MPEmatrix_Readkcwu
BUG=650277 Review-Url: https://codereview.chromium.org/2371723003
2016-09-22Fix memory leaks in lcmskcwu
found by libfuzzer Review-Url: https://codereview.chromium.org/2359243003
2016-09-22Fix use uninitialized value and stack buffer overflow readkcwu
Found by libfuzzer Review-Url: https://codereview.chromium.org/2362813002
2016-09-22Fix infinite loop when calling GrowNamedColorListkcwu
Handle the case that GrowNamedColorList return fail when list is too long. Otherwise the loop never ends. Found by libfuzzer Review-Url: https://codereview.chromium.org/2365663002
2016-09-15Use safe math when rendering line segments in AGG.dsinclair
It is possible for the calculations in outline_aa::render_line to overflow as the |p| variable is calculated. This Cl updates the routine to use checked math when calculating the value of |p|. BUG=chromium:647026 Review-Url: https://codereview.chromium.org/2347603002
2016-09-12Make CFX_Obeservable::Observer into a pointer-ish type;tsepez
This may be a better design because it avoids having a level of indirection that the Observer required. Review-Url: https://codereview.chromium.org/2326763002
2016-09-06Fix gn --check complaints about fxcrt. (try 2)thestig
Previous attempt: https://codereview.chromium.org/2289263005 It failed for the PDFium inside Chromium use case. This time the paths are relative. Review-Url: https://codereview.chromium.org/2308873002
2016-09-06Avoid leaking params if any entry bad.dsinclair
The call to png_set_pCAL can call into png_error for several reasons. This CL verifies that the params are valid before calling into png_set_pCAL. BUG=chromium:636214 Review-Url: https://codereview.chromium.org/2292313003
2016-08-31Revert of Fix gn gn --check complaints about fxcrt. (patchset #1 id:1 of ↵thestig
https://codereview.chromium.org/2289263005/ ) Reason for revert: Breaking non-standalone builds. Original issue's description: > Fix gn gn --check complaints about fxcrt. > > Committed: https://pdfium.googlesource.com/pdfium/+/6f9ae19b9b125af868077f4eee80a13e0c29c61e TBR=dpranke@chromium.org,dsinclair@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review-Url: https://codereview.chromium.org/2301783002
2016-08-31Fix gn gn --check complaints about fxcrt.thestig
Review-Url: https://codereview.chromium.org/2289263005
2016-08-29Fix for #618267. Adding a method to determine if multiplication hastracy_jiang
overflow. BUG=618267 Review-Url: https://codereview.chromium.org/2284063002
2016-08-29openjpeg: Prevent an integer overflow in opj_jp2_apply_pclr.stackexploit
This patch also prevent a null pointer access problem. BUG=chromium:638829 R=ochang@chromium.org Review-Url: https://codereview.chromium.org/2270343002
2016-08-26Remove most things GYP.thestig
BUG=pdfium:559 Review-Url: https://codereview.chromium.org/2286653002
2016-08-19Introduce pdfium::FakeUniquePtr for keys to sets of unique ptrs.tsepez
Review-Url: https://codereview.chromium.org/2262473002