Age | Commit message (Collapse) | Author |
|
Using int64 to check whether uint32 operations have overflowed.
BUG=681300
Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b
Reviewed-on: https://pdfium-review.googlesource.com/2355
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Replaced (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b) with
opj_uint_ceildiv(a, b), which makes much more sense.
BUG=683156
Change-Id: Ie9d6736f4ec0f16d14f203850a14f0dabd73ee38
Reviewed-on: https://pdfium-review.googlesource.com/2352
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
m_decorrelation_array and m_offset_array can be assigned to l_mct_data,
which can be set in opj_j2k_read_mct. In this method, there can be an
early true return before allocating m_data but after freeing it.
BUG=678342
Change-Id: Id9ea3cc57a9a278deb1540e5db8a94db86018fd6
Reviewed-on: https://pdfium-review.googlesource.com/2350
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
Fix callers conventions to avoid ambiguity.
Fix bad bounds check unmasked by change.
Directly include headers no longer pulled in by numerics itself.
Review-Url: https://codereview.chromium.org/2640143003
|
|
The call may come from TIFFReadRGBAImageOriented, and there no cleanup
is done. So free the memory allocation on failure.
BUG=681301
Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870
Reviewed-on: https://pdfium-review.googlesource.com/2252
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
If we do not do this check, it will overflow to a huge unsigned int, so
we will allocate a lot of memory etc.
BUG=682182
Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff
Reviewed-on: https://pdfium-review.googlesource.com/2272
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
If rb is allocated memory but p != q, then it will not be assigned to
sp->actable[m], so it will leak.
BUG=680520
Change-Id: Ib0b178b043b2a9821fb289d033ca0ab52e4cbe48
Reviewed-on: https://pdfium-review.googlesource.com/2176
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Patch has been accepted upstream, see:
http://bugzilla.maptools.org/show_bug.cgi?id=2658
BUG=655008
Change-Id: I7ef69e6f71e66bd7e0a4d334c4f8e60ed02213d2
Reviewed-on: https://pdfium-review.googlesource.com/2174
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
My previous attempt did not follow precisely the way m_nb_mcc_records
is increased in opj_j2k_read_mcc.
Previous: https://pdfium-review.googlesource.com/c/2165/
BUG=678461, 680102
Change-Id: I3e14c440e3a49b714f8cd82d44992fe647200336
Reviewed-on: https://pdfium-review.googlesource.com/2171
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
|
|
Now we update m_nb_mct_records only when there was a new mct record, and
l_mct_data computations all went through. In previous version, the
++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that
this is similar to the analoguous in opj_j2k_read_mcc.
CL that changed the calculation:
https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60
BUG=678461
Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662
Reviewed-on: https://pdfium-review.googlesource.com/2165
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
The td_refblackwhite value is currently assigned without validation. This
may pose an issue as the image can specify the value as nan. This will cause
problems later when we use the nan in calcluations.
This CL validates each of the float values are not nan and if they are sets
them to the default provided by the TIFF spec v6.
BUG=chromium:632883
Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c
Reviewed-on: https://pdfium-review.googlesource.com/2151
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
|
|
This CL initializes the raw tif data to guard against unitialized memory access.
BUG=chromium:677377
Change-Id: If272fafacd996c2e93a41fb6e477661dc0c5492c
Reviewed-on: https://pdfium-review.googlesource.com/2150
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
This CL makes the fix to the bug equal to that which has now been
submitted upstream. Link:
https://github.com/vadz/libtiff/commit/fa6b22a5135fdeabe860097c04f298ca0ae7f2e1
Our original CL for fixing the bug:
https://codereview.chromium.org/2545723004/
BUG=657473
Change-Id: I52ae6a062ac07a0e20d0ba4ab823cbbf1d2b1ac1
Reviewed-on: https://pdfium-review.googlesource.com/2136
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
This is partially backported from upstream
https://github.com/mm2/Little-CMS/commit/4011a6e3
BUG=chromium:665054
Review-Url: https://codereview.chromium.org/2577963007
|
|
BUG=chromium:666705
Review-Url: https://codereview.chromium.org/2538703002
|
|
The method to create image can fail even after ycbcr has been set, so
the current way to release is not enough. TIFFRGBAImageEnd is safe in
that it checks for existence before deleting, and deletes whatever has
been created.
BUG=657473
Review-Url: https://codereview.chromium.org/2545723004
|
|
The diff isn't well displayed in Rietveld, and I had to do some interpretation
here, as it wasn't clear what code page these files were pretending to use.
The left quotes were 0x92, the right quote + \n had been converted to ?, and
the negative infinity was 0x96. (I assume maybe Mac something.)
In any case, I tried to interpret the comments and make them something sensible.
In the worst case, it's "only" comments that are broken, as no actual code was
modified.
R=tsepez@chromium.org, brucedawson@chroium.org
BUG=637203,454858
Review URL: https://codereview.chromium.org/2545593002 .
|
|
This is a continuation of https://codereview.chromium.org/2346483006/
This removes the need for agg, without providing
full Skia support.
It doesn't work yet, but it does compile and run
for simple PDFs.
R=dsinclair@google.com
Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58
Review-Url: https://codereview.chromium.org/2491693002
|
|
id:180001 of https://codereview.chromium.org/2491693002/ )
Reason for revert:
Breaking the chrome roll.
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/306015/steps/generate_build_files%20%28with%20patch%29/logs/stdio
Original issue's description:
> Create a subset of skia support for paths only
>
> This is a continuation of https://codereview.chromium.org/2346483006/
>
> This removes the need for agg, without providing
> full Skia support.
>
> It doesn't work yet, but it does compile and run
> for simple PDFs.
>
> R=dsinclair@google.com
>
> Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58
TBR=dsinclair@google.com,caryclark@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2503883003
|
|
This is a continuation of https://codereview.chromium.org/2346483006/
This removes the need for agg, without providing
full Skia support.
It doesn't work yet, but it does compile and run
for simple PDFs.
R=dsinclair@google.com
Review-Url: https://codereview.chromium.org/2491693002
|
|
Otherwise, we might be silently doing an unsafe cast before
applying the check if the actual argument doesn't match the
exact src type.
Review-Url: https://codereview.chromium.org/2484953003
|
|
This fixed several issues.
BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313
Review-Url: https://codereview.chromium.org/2482523003
|
|
BUG=chromium:658223
Review-Url: https://codereview.chromium.org/2480013002
|
|
Corresponds to version dfd77a987650965071d0fddfbe0b806ce62ba337.
Major change is to handle div by 0 without exceptions.
Safe shift is not yet present.
TBR=thestig@chromium.org
TBR=jschuh@chromium.org
Review-Url: https://codereview.chromium.org/2473513002
|
|
tif_pixarlog.c revision 1.45.
commitid: IX5L3QQ5Qtzcofcz
BUG=chromium:654172
Review-Url: https://codereview.chromium.org/2452293002
|
|
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected
images. The issue has been fixed in upstream (libtiff revision 1.44,
author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800).
This CL applies the official patch to tif_pixarlog.c.
BUG=chromium:654172
R=dsinclair@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2453253003
|
|
The majority of these are already upstream in base/, the
remainder will need upstreaming. Also pull some upstream
changes to reduce diffing.
Upstream CL is https://codereview.chromium.org/2440143003/
BUG=657436
Review-Url: https://chromiumcodereview.appspot.com/2441753003
|
|
Also fixed wrong patch file name.
This is fixup of 958e57cb and d2023170
TEST=apply this change in lcms' repo and make check
BUG=chromium:651849,chromium:654198
Review-Url: https://codereview.chromium.org/2424803002
|
|
LerpFloat functions expect input values are normal float. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.
If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.
This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.
BUG=654676
Review-Url: https://codereview.chromium.org/2422553002
|
|
BUG=pdfium:619
Review-Url: https://codereview.chromium.org/2411123003
|
|
This is fixup of 958e57cb.
BUG=chromium:651849,chromium:654198
Review-Url: https://codereview.chromium.org/2407113002
|
|
The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.
This CL strengthens integer overflow check in function _TIFFCheckRealloc.
BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2405693002
|
|
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.
BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
|
|
Review-Url: https://codereview.chromium.org/2386273004
|
|
Depending on what ReadOK does it's possible for |dircount16| to be used without
being initialized. The read code calls back into PDFium specific code which then
calls into the stream reading code.
Initialize the value to be sure it is set.
BUG=chromium:651632
Review-Url: https://codereview.chromium.org/2389993002
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2382723003
|
|
BUG=650277
Review-Url: https://codereview.chromium.org/2371723003
|
|
found by libfuzzer
Review-Url: https://codereview.chromium.org/2359243003
|
|
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2362813002
|
|
Handle the case that GrowNamedColorList return fail when list is too
long. Otherwise the loop never ends.
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2365663002
|
|
It is possible for the calculations in outline_aa::render_line to overflow
as the |p| variable is calculated. This Cl updates the routine to use
checked math when calculating the value of |p|.
BUG=chromium:647026
Review-Url: https://codereview.chromium.org/2347603002
|
|
This may be a better design because it avoids having a level
of indirection that the Observer required.
Review-Url: https://codereview.chromium.org/2326763002
|
|
Previous attempt: https://codereview.chromium.org/2289263005
It failed for the PDFium inside Chromium use case.
This time the paths are relative.
Review-Url: https://codereview.chromium.org/2308873002
|
|
The call to png_set_pCAL can call into png_error for several reasons. This CL
verifies that the params are valid before calling into png_set_pCAL.
BUG=chromium:636214
Review-Url: https://codereview.chromium.org/2292313003
|
|
https://codereview.chromium.org/2289263005/ )
Reason for revert:
Breaking non-standalone builds.
Original issue's description:
> Fix gn gn --check complaints about fxcrt.
>
> Committed: https://pdfium.googlesource.com/pdfium/+/6f9ae19b9b125af868077f4eee80a13e0c29c61e
TBR=dpranke@chromium.org,dsinclair@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2301783002
|
|
Review-Url: https://codereview.chromium.org/2289263005
|
|
overflow.
BUG=618267
Review-Url: https://codereview.chromium.org/2284063002
|
|
This patch also prevent a null pointer access problem.
BUG=chromium:638829
R=ochang@chromium.org
Review-Url: https://codereview.chromium.org/2270343002
|
|
BUG=pdfium:559
Review-Url: https://codereview.chromium.org/2286653002
|
|
Review-Url: https://codereview.chromium.org/2262473002
|