summaryrefslogtreecommitdiff
path: root/third_party
AgeCommit message (Collapse)Author
2017-02-27LCMS upstream patch to fix integer overflowsNicolas Pena
Patch: https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3 BUG=696430 Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce Reviewed-on: https://pdfium-review.googlesource.com/2849 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-24Libtiff: fix leaking tables in tif_ojpeg.cNicolas Pena
Tables should be freed before they are reassigned. This CL fixes the three places where this is not happening. BUG=694599 Change-Id: I4e7cf1a6354b1129ecaf7ddcc74d8a36ba289df7 Reviewed-on: https://pdfium-review.googlesource.com/2830 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-22lcms upstream patches to fix security bugchromium/3021Nicolas Pena
Patch that fixes LUT consistency: https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c Patch that sanitizes MPE profiles: https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67 BUG=675617 Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4 Reviewed-on: https://pdfium-review.googlesource.com/2820 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-02-21Convert more TransformPoint calls to TransformDan Sinclair
This Cl converts several uses of TransformPoint to use Transform(CFX_PointF). Change-Id: I9bc3c484e0a4304b904584218bd9e59dec7db727 Reviewed-on: https://pdfium-review.googlesource.com/2791 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Reviewed-by: Nicolás Peña <npm@chromium.org>
2017-02-17Libopenjpeg upstream fix for undefined shiftchromium/3019chromium/3018chromium/3017chromium/3016Nicolas Pena
Patch: https://github.com/uclouvain/openjpeg/commit/20789fed4ec7746e938dd2934a1fb5aa352f4d12 BUG=657440 Change-Id: Ic2320cd4baabbd7bc09ec428c5f49b7ab3e7eb66 Reviewed-on: https://pdfium-review.googlesource.com/2795 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-09Remove Transform in favour of TransformPointDan Sinclair
This CL removes the two Transform() overrides from CFX_Matrix and calls the TransformPoint methods directly. In the case of the 4 param version the values were assigned to the out values before calling. Change-Id: Id633826caec75b848774dcda6cfdcef2dbf5a7db Reviewed-on: https://pdfium-review.googlesource.com/2573 Reviewed-by: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
2017-02-09Libtiff upstream fix for large td_bitspersampleNicolas Pena
Commit: https://github.com/vadz/libtiff/commit/b5065f39ebc8b125aaa790f9003988c0d675f814 BUG=681305 Change-Id: I4e6c166f892bdac83b45e5518302bfd9cbcbd332 Reviewed-on: https://pdfium-review.googlesource.com/2571 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-02-08Libtiff upstream fix for TIFFFetchNormalTagchromium/3007Nicolas Pena
Upstream commits: https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e BUG=690124 Change-Id: I8388ae37e94f4e62cd8f9688baf9cf5416348d0c Reviewed-on: https://pdfium-review.googlesource.com/2558 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-26Fix leak in PredictorSetupDecode by calling tif_cleanup on failureNicolas Pena
tif_data and tif_cleanup are both set on the TIFFInit methods, see for instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was filled on tif_data should be cleaned up. The previous leak fix from PixarLogSetupDecode is no longer necessary. BUG=683834 Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e Reviewed-on: https://pdfium-review.googlesource.com/2432 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-25Prevent skew overflows in gtTileContigNicolas Pena
Using int64 to check whether uint32 operations have overflowed. BUG=681300 Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b Reviewed-on: https://pdfium-review.googlesource.com/2355 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-25Use opj_uint_ceildiv where it is better than its int versionNicolas Pena
Replaced (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b) with opj_uint_ceildiv(a, b), which makes much more sense. BUG=683156 Change-Id: Ie9d6736f4ec0f16d14f203850a14f0dabd73ee38 Reviewed-on: https://pdfium-review.googlesource.com/2352 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-24Check m_data!=null when adding mctNicolas Pena
m_decorrelation_array and m_offset_array can be assigned to l_mct_data, which can be set in opj_j2k_read_mct. In this method, there can be an early true return before allocating m_data but after freeing it. BUG=678342 Change-Id: Id9ea3cc57a9a278deb1540e5db8a94db86018fd6 Reviewed-on: https://pdfium-review.googlesource.com/2350 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-01-23Update safe numerics package to get bitwise opstsepez
Fix callers conventions to avoid ambiguity. Fix bad bounds check unmasked by change. Directly include headers no longer pulled in by numerics itself. Review-Url: https://codereview.chromium.org/2640143003
2017-01-19Fix leak in PixarLogSetupDecodeNicolas Pena
The call may come from TIFFReadRGBAImageOriented, and there no cleanup is done. So free the memory allocation on failure. BUG=681301 Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870 Reviewed-on: https://pdfium-review.googlesource.com/2252 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-19Return error in opj_j2k_read_header_procedure if l_marker_size < 2Nicolas Pena
If we do not do this check, it will overflow to a huge unsigned int, so we will allocate a lot of memory etc. BUG=682182 Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff Reviewed-on: https://pdfium-review.googlesource.com/2272 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12Fix leak in OJPEGReadHeaderInfoSecTablesAcTable when read fails.Nicolas Pena
If rb is allocated memory but p != q, then it will not be assigned to sp->actable[m], so it will leak. BUG=680520 Change-Id: Ib0b178b043b2a9821fb289d033ca0ab52e4cbe48 Reviewed-on: https://pdfium-review.googlesource.com/2176 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-12Prevent undefined shift in putagreytileNicolas Pena
Patch has been accepted upstream, see: http://bugzilla.maptools.org/show_bug.cgi?id=2658 BUG=655008 Change-Id: I7ef69e6f71e66bd7e0a4d334c4f8e60ed02213d2 Reviewed-on: https://pdfium-review.googlesource.com/2174 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
2017-01-11Really fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
My previous attempt did not follow precisely the way m_nb_mcc_records is increased in opj_j2k_read_mcc. Previous: https://pdfium-review.googlesource.com/c/2165/ BUG=678461, 680102 Change-Id: I3e14c440e3a49b714f8cd82d44992fe647200336 Reviewed-on: https://pdfium-review.googlesource.com/2171 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-10Fix m_nb_mct_records calculation in opj_j2k_read_mctNicolas Pena
Now we update m_nb_mct_records only when there was a new mct record, and l_mct_data computations all went through. In previous version, the ++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that this is similar to the analoguous in opj_j2k_read_mcc. CL that changed the calculation: https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60 BUG=678461 Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662 Reviewed-on: https://pdfium-review.googlesource.com/2165 Commit-Queue: Nicolás Peña <npm@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2017-01-09[libtiff] Validate refblackwhite valuesDan Sinclair
The td_refblackwhite value is currently assigned without validation. This may pose an issue as the image can specify the value as nan. This will cause problems later when we use the nan in calcluations. This CL validates each of the float values are not nan and if they are sets them to the default provided by the TIFF spec v6. BUG=chromium:632883 Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c Reviewed-on: https://pdfium-review.googlesource.com/2151 Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org>
2017-01-05[libtiff] Fixup unitialized access issueDan Sinclair
This CL initializes the raw tif data to guard against unitialized memory access. BUG=chromium:677377 Change-Id: If272fafacd996c2e93a41fb6e477661dc0c5492c Reviewed-on: https://pdfium-review.googlesource.com/2150 Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org>
2017-01-03Libtiff update with upstreamNicolas Pena
This CL makes the fix to the bug equal to that which has now been submitted upstream. Link: https://github.com/vadz/libtiff/commit/fa6b22a5135fdeabe860097c04f298ca0ae7f2e1 Our original CL for fixing the bug: https://codereview.chromium.org/2545723004/ BUG=657473 Change-Id: I52ae6a062ac07a0e20d0ba4ab823cbbf1d2b1ac1 Reviewed-on: https://pdfium-review.googlesource.com/2136 Commit-Queue: Nicolás Peña <npm@chromium.org> Commit-Queue: dsinclair <dsinclair@chromium.org> Reviewed-by: dsinclair <dsinclair@chromium.org>
2016-12-16lcms: Sanitize floating point readchromium/2956chromium/2955kcwu
This is partially backported from upstream https://github.com/mm2/Little-CMS/commit/4011a6e3 BUG=chromium:665054 Review-Url: https://codereview.chromium.org/2577963007
2016-12-07lcms: avoid fixed number LUT optimization on inf valueskcwu
BUG=chromium:666705 Review-Url: https://codereview.chromium.org/2538703002
2016-12-05Fix a leak when TIFFRGBAImageBegin failschromium/2943npm
The method to create image can fail even after ycbcr has been set, so the current way to release is not enough. TIFFRGBAImageEnd is safe in that it checks for existence before deleting, and deletes whatever has been created. BUG=657473 Review-Url: https://codereview.chromium.org/2545723004
2016-12-02Encode lcms files as utf-8Scott Graham
The diff isn't well displayed in Rietveld, and I had to do some interpretation here, as it wasn't clear what code page these files were pretending to use. The left quotes were 0x92, the right quote + \n had been converted to ?, and the negative infinity was 0x96. (I assume maybe Mac something.) In any case, I tried to interpret the comments and make them something sensible. In the worst case, it's "only" comments that are broken, as no actual code was modified. R=tsepez@chromium.org, brucedawson@chroium.org BUG=637203,454858 Review URL: https://codereview.chromium.org/2545593002 .
2016-11-16Create a subset of skia support for paths onlycaryclark
This is a continuation of https://codereview.chromium.org/2346483006/ This removes the need for agg, without providing full Skia support. It doesn't work yet, but it does compile and run for simple PDFs. R=dsinclair@google.com Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58 Review-Url: https://codereview.chromium.org/2491693002
2016-11-15Revert of Create a subset of skia support for paths only (patchset #10 ↵dsinclair
id:180001 of https://codereview.chromium.org/2491693002/ ) Reason for revert: Breaking the chrome roll. https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/306015/steps/generate_build_files%20%28with%20patch%29/logs/stdio Original issue's description: > Create a subset of skia support for paths only > > This is a continuation of https://codereview.chromium.org/2346483006/ > > This removes the need for agg, without providing > full Skia support. > > It doesn't work yet, but it does compile and run > for simple PDFs. > > R=dsinclair@google.com > > Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58 TBR=dsinclair@google.com,caryclark@google.com # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true Review-Url: https://codereview.chromium.org/2503883003
2016-11-15Create a subset of skia support for paths onlycaryclark
This is a continuation of https://codereview.chromium.org/2346483006/ This removes the need for agg, without providing full Skia support. It doesn't work yet, but it does compile and run for simple PDFs. R=dsinclair@google.com Review-Url: https://codereview.chromium.org/2491693002
2016-11-07Force compiler to deduce src type for checked_cast<dst, src>.tsepez
Otherwise, we might be silently doing an unsafe cast before applying the check if the actual argument doesn't match the exact src type. Review-Url: https://codereview.chromium.org/2484953003
2016-11-07lcms: backport upstream commit c0a98d86kcwu
This fixed several issues. BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313 Review-Url: https://codereview.chromium.org/2482523003
2016-11-07lcms: Fix memory leak in ReadSegmentedCurvekcwu
BUG=chromium:658223 Review-Url: https://codereview.chromium.org/2480013002
2016-11-02Take more current safe_math_impl.h from upstream.chromium/2908tsepez
Corresponds to version dfd77a987650965071d0fddfbe0b806ce62ba337. Major change is to handle div by 0 without exceptions. Safe shift is not yet present. TBR=thestig@chromium.org TBR=jschuh@chromium.org Review-Url: https://codereview.chromium.org/2473513002
2016-10-26libtiff: Fix unsigned vs signed comparison warning.thestig
tif_pixarlog.c revision 1.45. commitid: IX5L3QQ5Qtzcofcz BUG=chromium:654172 Review-Url: https://codereview.chromium.org/2452293002
2016-10-26libtiff: Prevent a buffer overflow in function PixarLogDecode.stackexploit
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected images. The issue has been fixed in upstream (libtiff revision 1.44, author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800). This CL applies the official patch to tif_pixarlog.c. BUG=chromium:654172 R=dsinclair@chromium.org, thestig@chromium.org Review-Url: https://codereview.chromium.org/2453253003
2016-10-21Fix some div by 0s in safe_math_impl.hchromium/2898tsepez
The majority of these are already upstream in base/, the remainder will need upstreaming. Also pull some upstream changes to reduce diffing. Upstream CL is https://codereview.chromium.org/2440143003/ BUG=657436 Review-Url: https://chromiumcodereview.appspot.com/2441753003
2016-10-17lcms: Revise previous cmsStageAllocMatrix fixkcwu
Also fixed wrong patch file name. This is fixup of 958e57cb and d2023170 TEST=apply this change in lcms' repo and make check BUG=chromium:651849,chromium:654198 Review-Url: https://codereview.chromium.org/2424803002
2016-10-17lcms: reject NaN when reading float numberskcwu
LerpFloat functions expect input values are normal float. They first clamp values to the range of [0.0, 1.0] and then calculate interpolation with the input values. If the input value is NaN, it will lead to heap buffer overflow because the index to LutTable is calculated based on the said value and fclamp(NaN) is not in expected [0.0, 1.0] range. This patch rejects all NaN values earlier when reading float numbers. So it also changed behavior for cases other than LerpFloat. I think it is okay because NaN doesn't make sense for usual calculations. BUG=654676 Review-Url: https://codereview.chromium.org/2422553002
2016-10-12Fix else-line corrupted by non-ascii character when importkcwu
BUG=pdfium:619 Review-Url: https://codereview.chromium.org/2411123003
2016-10-11Fix cmdStageAllocMatrix parameter swap againkcwu
This is fixup of 958e57cb. BUG=chromium:651849,chromium:654198 Review-Url: https://codereview.chromium.org/2407113002
2016-10-10libtiff: Prevent a buffer overflow in function ChopUpSingleUncompressedStrip.stackexploit
The patch (https://codereview.chromium.org/2284063002) for Issue 618267 was insufficient. The integer overflow still could be triggered and could lead to heap buffer overflow. This CL strengthens integer overflow check in function _TIFFCheckRealloc. BUG=chromium:654169 R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org Review-Url: https://codereview.chromium.org/2405693002
2016-10-04Fix cmdStageAllocMatrix parameter swapkcwu
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is length of Offsets. The original code will allocate NewElem->Offset with length Cols=InputChans (cmslut.c:417). This results in heap buffer overflow later. BUG=chromium:651849 Review-Url: https://codereview.chromium.org/2384063006
2016-10-03Add ptr_util.h from base until std::make_unique<> availabletsepez
Review-Url: https://codereview.chromium.org/2386273004
2016-10-03Fix potentially uninitialized value.chromium/2880dsinclair
Depending on what ReadOK does it's possible for |dircount16| to be used without being initialized. The read code calls back into PDFium specific code which then calls into the stream reading code. Initialize the value to be sure it is set. BUG=chromium:651632 Review-Url: https://codereview.chromium.org/2389993002
2016-09-29Move core/fxcrt/include to core/fxcrtdsinclair
BUG=pdfium:611 Review-Url: https://codereview.chromium.org/2382723003
2016-09-26Fix memory leak in lcms, MPEmatrix_Readkcwu
BUG=650277 Review-Url: https://codereview.chromium.org/2371723003
2016-09-22Fix memory leaks in lcmskcwu
found by libfuzzer Review-Url: https://codereview.chromium.org/2359243003
2016-09-22Fix use uninitialized value and stack buffer overflow readkcwu
Found by libfuzzer Review-Url: https://codereview.chromium.org/2362813002
2016-09-22Fix infinite loop when calling GrowNamedColorListkcwu
Handle the case that GrowNamedColorList return fail when list is too long. Otherwise the loop never ends. Found by libfuzzer Review-Url: https://codereview.chromium.org/2365663002
2016-09-15Use safe math when rendering line segments in AGG.dsinclair
It is possible for the calculations in outline_aa::render_line to overflow as the |p| variable is calculated. This Cl updates the routine to use checked math when calculating the value of |p|. BUG=chromium:647026 Review-Url: https://codereview.chromium.org/2347603002