Age | Commit message (Collapse) | Author |
|
Patch:
https://github.com/mm2/Little-CMS/commit/9f427d5ff544ab1be37f485ac13b2419a1610cc3
BUG=696430
Change-Id: I20b8b4aad565d6f6aaed8c66be7e9709eec2b5ce
Reviewed-on: https://pdfium-review.googlesource.com/2849
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Tables should be freed before they are reassigned. This CL fixes the three
places where this is not happening.
BUG=694599
Change-Id: I4e7cf1a6354b1129ecaf7ddcc74d8a36ba289df7
Reviewed-on: https://pdfium-review.googlesource.com/2830
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Patch that fixes LUT consistency:
https://github.com/mm2/Little-CMS/commit/9936ecf0745002cea8e46dc575079b4872e9af8c
Patch that sanitizes MPE profiles:
https://github.com/mm2/Little-CMS/commit/06662a755525586223efe1790da1497d5b2d9e67
BUG=675617
Change-Id: I9ccc4158432387360dcb358e2a015a9434df46e4
Reviewed-on: https://pdfium-review.googlesource.com/2820
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
This Cl converts several uses of TransformPoint to use Transform(CFX_PointF).
Change-Id: I9bc3c484e0a4304b904584218bd9e59dec7db727
Reviewed-on: https://pdfium-review.googlesource.com/2791
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Reviewed-by: Nicolás Peña <npm@chromium.org>
|
|
Patch:
https://github.com/uclouvain/openjpeg/commit/20789fed4ec7746e938dd2934a1fb5aa352f4d12
BUG=657440
Change-Id: Ic2320cd4baabbd7bc09ec428c5f49b7ab3e7eb66
Reviewed-on: https://pdfium-review.googlesource.com/2795
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
This CL removes the two Transform() overrides from CFX_Matrix and calls the
TransformPoint methods directly. In the case of the 4 param version the
values were assigned to the out values before calling.
Change-Id: Id633826caec75b848774dcda6cfdcef2dbf5a7db
Reviewed-on: https://pdfium-review.googlesource.com/2573
Reviewed-by: Nicolás Peña <npm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
Commit:
https://github.com/vadz/libtiff/commit/b5065f39ebc8b125aaa790f9003988c0d675f814
BUG=681305
Change-Id: I4e6c166f892bdac83b45e5518302bfd9cbcbd332
Reviewed-on: https://pdfium-review.googlesource.com/2571
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Upstream commits:
https://github.com/vadz/libtiff/commit/30c9234c7fd0dd5e8b1e83ad44370c875a0270ed
https://github.com/vadz/libtiff/commit/89406285f318ffad27af4b200204394b2ee6ba5e
BUG=690124
Change-Id: I8388ae37e94f4e62cd8f9688baf9cf5416348d0c
Reviewed-on: https://pdfium-review.googlesource.com/2558
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
tif_data and tif_cleanup are both set on the TIFFInit methods, see for
instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was
filled on tif_data should be cleaned up. The previous leak fix from
PixarLogSetupDecode is no longer necessary.
BUG=683834
Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e
Reviewed-on: https://pdfium-review.googlesource.com/2432
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Using int64 to check whether uint32 operations have overflowed.
BUG=681300
Change-Id: I4470d34f2e5e61c0bf96f1c8587cdb7805afe87b
Reviewed-on: https://pdfium-review.googlesource.com/2355
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Replaced (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b) with
opj_uint_ceildiv(a, b), which makes much more sense.
BUG=683156
Change-Id: Ie9d6736f4ec0f16d14f203850a14f0dabd73ee38
Reviewed-on: https://pdfium-review.googlesource.com/2352
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
m_decorrelation_array and m_offset_array can be assigned to l_mct_data,
which can be set in opj_j2k_read_mct. In this method, there can be an
early true return before allocating m_data but after freeing it.
BUG=678342
Change-Id: Id9ea3cc57a9a278deb1540e5db8a94db86018fd6
Reviewed-on: https://pdfium-review.googlesource.com/2350
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
Fix callers conventions to avoid ambiguity.
Fix bad bounds check unmasked by change.
Directly include headers no longer pulled in by numerics itself.
Review-Url: https://codereview.chromium.org/2640143003
|
|
The call may come from TIFFReadRGBAImageOriented, and there no cleanup
is done. So free the memory allocation on failure.
BUG=681301
Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870
Reviewed-on: https://pdfium-review.googlesource.com/2252
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
If we do not do this check, it will overflow to a huge unsigned int, so
we will allocate a lot of memory etc.
BUG=682182
Change-Id: I24b6654860c43e5d4deea753868b9d842f859cff
Reviewed-on: https://pdfium-review.googlesource.com/2272
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
If rb is allocated memory but p != q, then it will not be assigned to
sp->actable[m], so it will leak.
BUG=680520
Change-Id: Ib0b178b043b2a9821fb289d033ca0ab52e4cbe48
Reviewed-on: https://pdfium-review.googlesource.com/2176
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
Patch has been accepted upstream, see:
http://bugzilla.maptools.org/show_bug.cgi?id=2658
BUG=655008
Change-Id: I7ef69e6f71e66bd7e0a4d334c4f8e60ed02213d2
Reviewed-on: https://pdfium-review.googlesource.com/2174
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
|
|
My previous attempt did not follow precisely the way m_nb_mcc_records
is increased in opj_j2k_read_mcc.
Previous: https://pdfium-review.googlesource.com/c/2165/
BUG=678461, 680102
Change-Id: I3e14c440e3a49b714f8cd82d44992fe647200336
Reviewed-on: https://pdfium-review.googlesource.com/2171
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
|
|
Now we update m_nb_mct_records only when there was a new mct record, and
l_mct_data computations all went through. In previous version, the
++l_tcp->m_nb_mcc_records was in the end, without the if. Notice that
this is similar to the analoguous in opj_j2k_read_mcc.
CL that changed the calculation:
https://github.com/uclouvain/openjpeg/commit/7a8cdc4bb071494fccf4714413191a52eb924b60
BUG=678461
Change-Id: I9a9e7eb03d1da085f8eb15a221a6bc0a91736662
Reviewed-on: https://pdfium-review.googlesource.com/2165
Commit-Queue: Nicolás Peña <npm@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
The td_refblackwhite value is currently assigned without validation. This
may pose an issue as the image can specify the value as nan. This will cause
problems later when we use the nan in calcluations.
This CL validates each of the float values are not nan and if they are sets
them to the default provided by the TIFF spec v6.
BUG=chromium:632883
Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c
Reviewed-on: https://pdfium-review.googlesource.com/2151
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
|
|
This CL initializes the raw tif data to guard against unitialized memory access.
BUG=chromium:677377
Change-Id: If272fafacd996c2e93a41fb6e477661dc0c5492c
Reviewed-on: https://pdfium-review.googlesource.com/2150
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
|
|
This CL makes the fix to the bug equal to that which has now been
submitted upstream. Link:
https://github.com/vadz/libtiff/commit/fa6b22a5135fdeabe860097c04f298ca0ae7f2e1
Our original CL for fixing the bug:
https://codereview.chromium.org/2545723004/
BUG=657473
Change-Id: I52ae6a062ac07a0e20d0ba4ab823cbbf1d2b1ac1
Reviewed-on: https://pdfium-review.googlesource.com/2136
Commit-Queue: Nicolás Peña <npm@chromium.org>
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: dsinclair <dsinclair@chromium.org>
|
|
This is partially backported from upstream
https://github.com/mm2/Little-CMS/commit/4011a6e3
BUG=chromium:665054
Review-Url: https://codereview.chromium.org/2577963007
|
|
BUG=chromium:666705
Review-Url: https://codereview.chromium.org/2538703002
|
|
The method to create image can fail even after ycbcr has been set, so
the current way to release is not enough. TIFFRGBAImageEnd is safe in
that it checks for existence before deleting, and deletes whatever has
been created.
BUG=657473
Review-Url: https://codereview.chromium.org/2545723004
|
|
The diff isn't well displayed in Rietveld, and I had to do some interpretation
here, as it wasn't clear what code page these files were pretending to use.
The left quotes were 0x92, the right quote + \n had been converted to ?, and
the negative infinity was 0x96. (I assume maybe Mac something.)
In any case, I tried to interpret the comments and make them something sensible.
In the worst case, it's "only" comments that are broken, as no actual code was
modified.
R=tsepez@chromium.org, brucedawson@chroium.org
BUG=637203,454858
Review URL: https://codereview.chromium.org/2545593002 .
|
|
This is a continuation of https://codereview.chromium.org/2346483006/
This removes the need for agg, without providing
full Skia support.
It doesn't work yet, but it does compile and run
for simple PDFs.
R=dsinclair@google.com
Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58
Review-Url: https://codereview.chromium.org/2491693002
|
|
id:180001 of https://codereview.chromium.org/2491693002/ )
Reason for revert:
Breaking the chrome roll.
https://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_compile_dbg_ng/builds/306015/steps/generate_build_files%20%28with%20patch%29/logs/stdio
Original issue's description:
> Create a subset of skia support for paths only
>
> This is a continuation of https://codereview.chromium.org/2346483006/
>
> This removes the need for agg, without providing
> full Skia support.
>
> It doesn't work yet, but it does compile and run
> for simple PDFs.
>
> R=dsinclair@google.com
>
> Committed: https://pdfium.googlesource.com/pdfium/+/5d223298b26c9b2b6284cba9a51521d3873b6e58
TBR=dsinclair@google.com,caryclark@google.com
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
Review-Url: https://codereview.chromium.org/2503883003
|
|
This is a continuation of https://codereview.chromium.org/2346483006/
This removes the need for agg, without providing
full Skia support.
It doesn't work yet, but it does compile and run
for simple PDFs.
R=dsinclair@google.com
Review-Url: https://codereview.chromium.org/2491693002
|
|
Otherwise, we might be silently doing an unsafe cast before
applying the check if the actual argument doesn't match the
exact src type.
Review-Url: https://codereview.chromium.org/2484953003
|
|
This fixed several issues.
BUG=chromium:654265,chromium:657282,chromium:654676,chromium:654313
Review-Url: https://codereview.chromium.org/2482523003
|
|
BUG=chromium:658223
Review-Url: https://codereview.chromium.org/2480013002
|
|
Corresponds to version dfd77a987650965071d0fddfbe0b806ce62ba337.
Major change is to handle div by 0 without exceptions.
Safe shift is not yet present.
TBR=thestig@chromium.org
TBR=jschuh@chromium.org
Review-Url: https://codereview.chromium.org/2473513002
|
|
tif_pixarlog.c revision 1.45.
commitid: IX5L3QQ5Qtzcofcz
BUG=chromium:654172
Review-Url: https://codereview.chromium.org/2452293002
|
|
Fix potential buffer write overrun in PixarLogDecode() on corrupted/unexpected
images. The issue has been fixed in upstream (libtiff revision 1.44,
author: erouault, commitid: 2SqWSFG5a8Ewffcz, date: 2016-06-28 23:12:19 +0800).
This CL applies the official patch to tif_pixarlog.c.
BUG=chromium:654172
R=dsinclair@chromium.org, thestig@chromium.org
Review-Url: https://codereview.chromium.org/2453253003
|
|
The majority of these are already upstream in base/, the
remainder will need upstreaming. Also pull some upstream
changes to reduce diffing.
Upstream CL is https://codereview.chromium.org/2440143003/
BUG=657436
Review-Url: https://chromiumcodereview.appspot.com/2441753003
|
|
Also fixed wrong patch file name.
This is fixup of 958e57cb and d2023170
TEST=apply this change in lcms' repo and make check
BUG=chromium:651849,chromium:654198
Review-Url: https://codereview.chromium.org/2424803002
|
|
LerpFloat functions expect input values are normal float. They first
clamp values to the range of [0.0, 1.0] and then calculate interpolation
with the input values.
If the input value is NaN, it will lead to heap buffer overflow because
the index to LutTable is calculated based on the said value and
fclamp(NaN) is not in expected [0.0, 1.0] range.
This patch rejects all NaN values earlier when reading float numbers. So
it also changed behavior for cases other than LerpFloat. I think it is
okay because NaN doesn't make sense for usual calculations.
BUG=654676
Review-Url: https://codereview.chromium.org/2422553002
|
|
BUG=pdfium:619
Review-Url: https://codereview.chromium.org/2411123003
|
|
This is fixup of 958e57cb.
BUG=chromium:651849,chromium:654198
Review-Url: https://codereview.chromium.org/2407113002
|
|
The patch (https://codereview.chromium.org/2284063002) for Issue 618267
was insufficient. The integer overflow still could be triggered and could
lead to heap buffer overflow.
This CL strengthens integer overflow check in function _TIFFCheckRealloc.
BUG=chromium:654169
R=ochang@chromium.org, tsepez@chromium.org, dsinclair@chromium.org
Review-Url: https://codereview.chromium.org/2405693002
|
|
For cmdStageAllocMatrix, InputChans is length of Matrix, OutputChans is
length of Offsets. The original code will allocate NewElem->Offset with
length Cols=InputChans (cmslut.c:417). This results in heap buffer
overflow later.
BUG=chromium:651849
Review-Url: https://codereview.chromium.org/2384063006
|
|
Review-Url: https://codereview.chromium.org/2386273004
|
|
Depending on what ReadOK does it's possible for |dircount16| to be used without
being initialized. The read code calls back into PDFium specific code which then
calls into the stream reading code.
Initialize the value to be sure it is set.
BUG=chromium:651632
Review-Url: https://codereview.chromium.org/2389993002
|
|
BUG=pdfium:611
Review-Url: https://codereview.chromium.org/2382723003
|
|
BUG=650277
Review-Url: https://codereview.chromium.org/2371723003
|
|
found by libfuzzer
Review-Url: https://codereview.chromium.org/2359243003
|
|
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2362813002
|
|
Handle the case that GrowNamedColorList return fail when list is too
long. Otherwise the loop never ends.
Found by libfuzzer
Review-Url: https://codereview.chromium.org/2365663002
|
|
It is possible for the calculations in outline_aa::render_line to overflow
as the |p| variable is calculated. This Cl updates the routine to use
checked math when calculating the value of |p|.
BUG=chromium:647026
Review-Url: https://codereview.chromium.org/2347603002
|