head 1.9; access; symbols pkgsrc-2017Q3:1.8.0.72 pkgsrc-2017Q3-base:1.8 pkgsrc-2017Q2:1.8.0.68 pkgsrc-2017Q2-base:1.8 pkgsrc-2017Q1:1.8.0.66 pkgsrc-2017Q1-base:1.8 pkgsrc-2016Q4:1.8.0.64 pkgsrc-2016Q4-base:1.8 pkgsrc-2016Q3:1.8.0.62 pkgsrc-2016Q3-base:1.8 pkgsrc-2016Q2:1.8.0.60 pkgsrc-2016Q2-base:1.8 pkgsrc-2016Q1:1.8.0.58 pkgsrc-2016Q1-base:1.8 pkgsrc-2015Q4:1.8.0.56 pkgsrc-2015Q4-base:1.8 pkgsrc-2015Q3:1.8.0.54 pkgsrc-2015Q3-base:1.8 pkgsrc-2015Q2:1.8.0.52 pkgsrc-2015Q2-base:1.8 pkgsrc-2015Q1:1.8.0.50 pkgsrc-2015Q1-base:1.8 pkgsrc-2014Q4:1.8.0.48 pkgsrc-2014Q4-base:1.8 pkgsrc-2014Q3:1.8.0.46 pkgsrc-2014Q3-base:1.8 pkgsrc-2014Q2:1.8.0.44 pkgsrc-2014Q2-base:1.8 pkgsrc-2014Q1:1.8.0.42 pkgsrc-2014Q1-base:1.8 pkgsrc-2013Q4:1.8.0.40 pkgsrc-2013Q4-base:1.8 pkgsrc-2013Q3:1.8.0.38 pkgsrc-2013Q3-base:1.8 pkgsrc-2013Q2:1.8.0.36 pkgsrc-2013Q2-base:1.8 pkgsrc-2013Q1:1.8.0.34 pkgsrc-2013Q1-base:1.8 pkgsrc-2012Q4:1.8.0.32 pkgsrc-2012Q4-base:1.8 pkgsrc-2012Q3:1.8.0.30 pkgsrc-2012Q3-base:1.8 pkgsrc-2012Q2:1.8.0.28 pkgsrc-2012Q2-base:1.8 pkgsrc-2012Q1:1.8.0.26 pkgsrc-2012Q1-base:1.8 pkgsrc-2011Q4:1.8.0.24 pkgsrc-2011Q4-base:1.8 pkgsrc-2011Q3:1.8.0.22 pkgsrc-2011Q3-base:1.8 pkgsrc-2011Q2:1.8.0.20 pkgsrc-2011Q2-base:1.8 pkgsrc-2011Q1:1.8.0.18 pkgsrc-2011Q1-base:1.8 pkgsrc-2010Q4:1.8.0.16 pkgsrc-2010Q4-base:1.8 pkgsrc-2010Q3:1.8.0.14 pkgsrc-2010Q3-base:1.8 pkgsrc-2010Q2:1.8.0.12 pkgsrc-2010Q2-base:1.8 pkgsrc-2010Q1:1.8.0.10 pkgsrc-2010Q1-base:1.8 pkgsrc-2009Q4:1.8.0.8 pkgsrc-2009Q4-base:1.8 pkgsrc-2009Q3:1.8.0.6 pkgsrc-2009Q3-base:1.8 pkgsrc-2009Q2:1.8.0.4 pkgsrc-2009Q2-base:1.8 pkgsrc-2009Q1:1.8.0.2 pkgsrc-2008Q4:1.7.0.24 pkgsrc-2008Q4-base:1.7 pkgsrc-2008Q3:1.7.0.22 pkgsrc-2008Q3-base:1.7 cube-native-xorg:1.7.0.20 cube-native-xorg-base:1.7 pkgsrc-2008Q2:1.7.0.18 pkgsrc-2008Q2-base:1.7 pkgsrc-2008Q1:1.7.0.16 pkgsrc-2008Q1-base:1.7 pkgsrc-2007Q4:1.7.0.14 pkgsrc-2007Q4-base:1.7 pkgsrc-2007Q3:1.7.0.12 pkgsrc-2007Q3-base:1.7 pkgsrc-2007Q2:1.7.0.10 pkgsrc-2007Q2-base:1.7 
pkgsrc-2007Q1:1.7.0.8 pkgsrc-2007Q1-base:1.7 pkgsrc-2006Q4:1.7.0.6 pkgsrc-2006Q4-base:1.7 pkgsrc-2006Q3:1.7.0.4 pkgsrc-2006Q3-base:1.7 pkgsrc-2006Q2:1.7.0.2 pkgsrc-2006Q2-base:1.7 pkgsrc-2006Q1:1.5.0.8 pkgsrc-2006Q1-base:1.5 pkgsrc-2005Q4:1.5.0.6 pkgsrc-2005Q4-base:1.5 pkgsrc-2005Q3:1.5.0.4 pkgsrc-2005Q3-base:1.5 pkgsrc-2005Q2:1.5.0.2 pkgsrc-2005Q2-base:1.5 pkgsrc-2005Q1:1.4.0.2 pkgsrc-2005Q1-base:1.4 pkgsrc-2004Q4:1.3.0.8 pkgsrc-2004Q4-base:1.3 pkgsrc-2004Q3:1.3.0.6 pkgsrc-2004Q3-base:1.3 pkgsrc-2004Q2:1.3.0.4 pkgsrc-2004Q2-base:1.3 pkgsrc-2004Q1:1.3.0.2 pkgsrc-2004Q1-base:1.3 pkgsrc-2003Q4:1.2.0.2 pkgsrc-2003Q4-base:1.2 netbsd-1-6-1:1.1.1.1.0.4 netbsd-1-6-1-base:1.1 netbsd-1-6:1.1.1.1.0.6 netbsd-1-6-RELEASE-base:1.1 pkgviews:1.1.1.1.0.8 pkgviews-base:1.1 buildlink2-base:1.1.1.1 buildlink2:1.1.1.1.0.2 pkgsrc-base:1.1.1.1 TNF:1.1.1; locks; strict; comment @# @; 1.9 date 2017.09.26.10.27.03; author wiz; state dead; branches; next 1.8; commitid 9ARpkXTuh9Wg2H8A; 1.8 date 2009.06.03.12.29.43; author markd; state Exp; branches 1.8.2.1; next 1.7; 1.7 date 2006.06.01.14.19.08; author markd; state dead; branches; next 1.6; 1.6 date 2006.05.31.13.52.54; author tron; state Exp; branches; next 1.5; 1.5 date 2005.03.23.22.26.26; author markd; state dead; branches; next 1.4; 1.4 date 2005.01.20.12.39.56; author markd; state Exp; branches; next 1.3; 1.3 date 2004.02.05.01.32.47; author markd; state dead; branches 1.3.8.1; next 1.2; 1.2 date 2003.03.11.13.24.59; author markd; state Exp; branches; next 1.1; 1.1 date 2002.06.05.08.58.02; author skrll; state Exp; branches 1.1.1.1; next ; 1.8.2.1 date 2009.06.03.12.29.43; author tron; state dead; branches; next 1.8.2.2; 1.8.2.2 date 2009.06.04.16.49.30; author tron; state Exp; branches; next ; 1.3.8.1 date 2005.01.21.01.44.05; author snj; state Exp; branches; next ; 1.1.1.1 date 2002.06.05.08.58.02; author skrll; state Exp; branches 1.1.1.1.2.1; next ; 1.1.1.1.2.1 date 2002.06.05.08.58.02; author jlam; state dead; branches; next 
1.1.1.1.2.2; 1.1.1.1.2.2 date 2002.06.23.18.46.29; author jlam; state Exp; branches; next ; desc @@ 1.9 log @*: remove qt3 and the packages using it, including KDE3 Announced in https://mail-index.netbsd.org/pkgsrc-users/2017/09/10/msg025556.html @ text @$NetBSD: patch-ac,v 1.8 2009/06/03 12:29:43 markd Exp $ xpdf 3.02pl3 by way of poppler git 9f1312f3d7dfa7e536606a7c7296b7c876b11c00 also poppler git 305af8cdb6822858e152e1f930bba2ce3904bf1b --- kpdf/xpdf/xpdf/JBIG2Stream.cc.orig 2008-08-20 06:12:37.000000000 +1200 +++ kpdf/xpdf/xpdf/JBIG2Stream.cc @@@@ -422,12 +422,14 @@@@ void JBIG2HuffmanDecoder::buildTable(JBI table[i] = table[len]; // assign prefixes - i = 0; - prefix = 0; - table[i++].prefix = prefix++; - for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { - prefix <<= table[i].prefixLen - table[i-1].prefixLen; - table[i].prefix = prefix++; + if (table[0].rangeLen != jbig2HuffmanEOT) { + i = 0; + prefix = 0; + table[i++].prefix = prefix++; + for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { + prefix <<= table[i].prefixLen - table[i-1].prefixLen; + table[i].prefix = prefix++; + } } } @@@@ -491,7 +493,7 @@@@ int JBIG2MMRDecoder::get2DCode() { } if (p->bits < 0) { error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); - return 0; + return EOF; } bufLen -= p->bits; return p->n; @@@@ -668,6 +670,7 @@@@ public: void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp); Guchar *getDataPtr() { return data; } int getDataSize() { return h * line; } + GBool isOk() { return data != NULL; } private: @@@@ -684,8 +687,9 @@@@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, h = hA; line = (wA + 7) >> 3; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { - data = NULL; - return; + // force a call to gmalloc(-1), which will throw an exception + h = -1; + line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); @@@@ -699,8 +703,9 @@@@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, h = bitmap->h; line = 
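Review bot: In both JBIG2Bitmap constructors (the hunk at -684 and the copy-constructor hunk at -699 that follows it) the overflow branch now sets `h = -1; line = 2;` so that `gmalloc(h * line + 1)` is called with -1, which makes the outcome depend on how gmalloc treats a negative size, and gmalloc is not part of this patch. If this build's gmalloc ends the process instead of throwing, a malformed image size closes the viewer, and no handler for a thrown exception is visible in these hunks. The same patch adds `isOk()` plus `!bitmap->isOk()` checks in readTextRegion, readGenericBitmap, readGenericRefinementRegion and readPageInfoSeg, but with `data = NULL; return;` removed here those checks can no longer fire. I would pick one strategy and document it: either keep `data = NULL; return;` (provided every `new JBIG2Bitmap` site checks isOk()), or drop the isOk() checks and say in the comment that construction aborts. The `w = -3` path ahead of `gmallocn(w + 1, sizeof(int))` in readGenericBitmap relies on the same gmalloc behaviour.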
bitmap->line; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { - data = NULL; - return; + // force a call to gmalloc(-1), which will throw an exception + h = -1; + line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); @@@@ -755,6 +760,8 @@@@ void JBIG2Bitmap::clearToOne() { inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { if (y < 0 || y >= h || x >= w) { ptr->p = NULL; + ptr->shift = 0; // make gcc happy + ptr->x = 0; // make gcc happy } else if (x < 0) { ptr->p = &data[y * line]; ptr->shift = 7; @@@@ -799,6 +806,10 @@@@ void JBIG2Bitmap::combine(JBIG2Bitmap *b Guint src0, src1, src, dest, s1, s2, m1, m2, m3; GBool oneByte; + // check for the pathological case where y = -2^31 + if (y < -0x7fffffff) { + return; + } if (y < 0) { y0 = -y; } else { @@@@ -1012,8 +1023,13 @@@@ private: JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA): JBIG2Segment(segNumA) { + Guint i; + size = sizeA; bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *)); + for (i = 0; i < size; ++i) { + bitmaps[i] = NULL; + } genericRegionStats = NULL; refinementRegionStats = NULL; } @@@@ -1022,7 +1038,9 @@@@ JBIG2SymbolDict::~JBIG2SymbolDict() { Guint i; for (i = 0; i < size; ++i) { - delete bitmaps[i]; + if (bitmaps[i]) { + delete bitmaps[i]; + } } gfree(bitmaps); if (genericRegionStats) { @@@@ -1301,6 +1319,13 @@@@ void JBIG2Stream::readSegments() { // keep track of the start of the segment data segDataPos = getPos(); + // check for missing page information segment + if (!pageBitmap && ((segType >= 4 && segType <= 7) || + (segType >= 20 && segType <= 43))) { + error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); + goto syntaxError; + } + // read the segment data switch (segType) { case 0: @@@@ -1455,6 +1480,8 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui Guint i, j, k; Guchar *p; + symWidths = NULL; + // symbol dictionary flags if 
(!readUWord(&flags)) { goto eofError; @@@@ -1515,21 +1542,33 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui // part of it if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { - numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); + j = ((JBIG2SymbolDict *)seg)->getSize(); + if (numInputSyms > UINT_MAX - j) { + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); + delete codeTables; + goto eofError; + } + numInputSyms += j; } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { + delete codeTables; return gFalse; } } + if (numInputSyms > UINT_MAX - numNewSyms) { + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); + delete codeTables; + goto eofError; + } // compute symbol code length - symCodeLen = 0; - i = 1; - while (i < numInputSyms + numNewSyms) { + symCodeLen = 1; + i = (numInputSyms + numNewSyms) >> 1; + while (i) { ++symCodeLen; - i <<= 1; + i >>= 1; } // get the input symbol bitmaps @@@@ -1541,11 +1580,12 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui k = 0; inputSymbolDict = NULL; for (i = 0; i < nRefSegs; ++i) { - seg = findSegment(refSegs[i]); - if (seg->getType() == jbig2SegSymbolDict) { - inputSymbolDict = (JBIG2SymbolDict *)seg; - for (j = 0; j < inputSymbolDict->getSize(); ++j) { - bitmaps[k++] = inputSymbolDict->getBitmap(j); + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { + inputSymbolDict = (JBIG2SymbolDict *)seg; + for (j = 0; j < inputSymbolDict->getSize(); ++j) { + bitmaps[k++] = inputSymbolDict->getBitmap(j); + } } } } @@@@ -1560,6 +1600,9 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else if (huffDH == 1) { huffDHTable = huffTableE; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDW == 0) { @@@@ -1567,17 +1610,26 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else if (huffDW == 1) { huffDWTable 
= huffTableC; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffBMSize == 0) { huffBMSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffBMSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffAggInst == 0) { huffAggInstTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffAggInstTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } @@@@ -1610,7 +1662,6 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } // allocate symbol widths storage - symWidths = NULL; if (huff && !refAgg) { symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); } @@@@ -1652,6 +1703,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui goto syntaxError; } symWidth += dw; + if (i >= numNewSyms) { + error(getPos(), "Too many symbols in JBIG2 symbol dictionary"); + goto syntaxError; + } // using a collective bitmap, so don't read a bitmap here if (huff && !refAgg) { @@@@ -1688,6 +1743,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui arithDecoder->decodeInt(&refDX, iardxStats); arithDecoder->decodeInt(&refDY, iardyStats); } + if (symID >= numInputSyms + i) { + error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); + goto syntaxError; + } refBitmap = bitmaps[symID]; bitmaps[numInputSyms + i] = readGenericRefinementRegion(symWidth, symHeight, @@@@ -1754,6 +1813,12 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else { arithDecoder->decodeInt(&run, iaexStats); } + if (i + run > numInputSyms + numNewSyms || + (ex && j + run > numExSyms)) { + error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } if (ex) { for (cnt = 0; cnt < run; ++cnt) { symbolDict->setBitmap(j++, bitmaps[i++]->copy()); @@@@ -1763,6 +1828,11 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } ex = !ex; } + if (j != 
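Review bot: The new bound `i + run > numInputSyms + numNewSyms` in the export-flag loop (hunk at -1754) does not reject a negative `run`: `i` is declared `Guint`, and `run` is written through `decodeInt(&run, iaexStats)`, which elsewhere in this patch yields signed values, so the sum is presumably evaluated unsigned and a small negative run just moves the total backwards and passes. What follows depends on the type of `cnt` and on the non-export branch, both outside the hunk, so I would reject it up front with `if (run < 0 || i + run > numInputSyms + numNewSyms || (ex && j + run > numExSyms)) {`. A one-line comment noting that the run length comes straight from the stream would explain why all three conditions are needed.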
numExSyms) { + error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } for (i = 0; i < numNewSyms; ++i) { delete bitmaps[numInputSyms + i]; @@@@ -1785,6 +1855,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui return gTrue; + codeTableError: + error(getPos(), "Missing code table in JBIG2 symbol dictionary"); + delete codeTables; + syntaxError: for (i = 0; i < numNewSyms; ++i) { if (bitmaps[numInputSyms + i]) { @@@@ -1887,6 +1961,8 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } } else { error(getPos(), "Invalid segment reference in JBIG2 text region"); + delete codeTables; + return; } } symCodeLen = 0; @@@@ -1921,6 +1997,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffFS == 1) { huffFSTable = huffTableG; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDS == 0) { @@@@ -1930,6 +2009,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffDS == 2) { huffDSTable = huffTableJ; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDT == 0) { @@@@ -1939,6 +2021,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffDT == 2) { huffDTTable = huffTableM; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDW == 0) { @@@@ -1946,6 +2031,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDW == 1) { huffRDWTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDH == 0) { @@@@ -1953,6 +2041,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDH == 1) { huffRDHTable = huffTableO; } else { + if (i >= 
(Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDX == 0) { @@@@ -1960,6 +2051,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDX == 1) { huffRDXTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDY == 0) { @@@@ -1967,11 +2061,17 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDY == 1) { huffRDYTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRSize == 0) { huffRSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } @@@@ -2045,18 +2145,20 @@@@ void JBIG2Stream::readTextRegionSeg(Guin gfree(syms); - // combine the region bitmap into the page bitmap - if (imm) { - if (pageH == 0xffffffff && y + h > curPageH) { - pageBitmap->expand(y + h, pageDefPixel); - } - pageBitmap->combine(bitmap, x, y, extCombOp); - delete bitmap; + if (bitmap) { + // combine the region bitmap into the page bitmap + if (imm) { + if (pageH == 0xffffffff && y + h > curPageH) { + pageBitmap->expand(y + h, pageDefPixel); + } + pageBitmap->combine(bitmap, x, y, extCombOp); + delete bitmap; - // store the region bitmap - } else { - bitmap->setSegNum(segNum); - segments->append(bitmap); + // store the region bitmap + } else { + bitmap->setSegNum(segNum); + segments->append(bitmap); + } } // clean up the Huffman decoder @@@@ -2066,8 +2168,15 @@@@ void JBIG2Stream::readTextRegionSeg(Guin return; + codeTableError: + error(getPos(), "Missing code table in JBIG2 text region"); + gfree(codeTables); + delete syms; + return; + eofError: error(getPos(), "Unexpected EOF in JBIG2 stream"); + return; } 
JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, @@@@ -2102,6 +2211,10 @@@@ JBIG2Bitmap *JBIG2Stream::readTextRegion // allocate the bitmap bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) { + delete bitmap; + return NULL; + } if (defPixel) { bitmap->clearToOne(); } else { @@@@ -2178,73 +2291,84 @@@@ JBIG2Bitmap *JBIG2Stream::readTextRegion ri = 0; } if (ri) { + GBool decodeSuccess; if (huff) { - huffDecoder->decodeInt(&rdw, huffRDWTable); - huffDecoder->decodeInt(&rdh, huffRDHTable); - huffDecoder->decodeInt(&rdx, huffRDXTable); - huffDecoder->decodeInt(&rdy, huffRDYTable); - huffDecoder->decodeInt(&bmSize, huffRSizeTable); + decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable); huffDecoder->reset(); arithDecoder->start(); } else { - arithDecoder->decodeInt(&rdw, iardwStats); - arithDecoder->decodeInt(&rdh, iardhStats); - arithDecoder->decodeInt(&rdx, iardxStats); - arithDecoder->decodeInt(&rdy, iardyStats); + decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats); + } + + if (decodeSuccess && syms[symID]) + { + refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; + refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy; + + symbolBitmap = + readGenericRefinementRegion(rdw + syms[symID]->getWidth(), + rdh + syms[symID]->getHeight(), + templ, gFalse, syms[symID], + refDX, refDY, atx, aty); } - refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; - refDY = ((rdh >= 0) ? 
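Review bot: The new `codeTableError:` path in readTextRegionSeg (hunk at -2066) releases both objects with the wrong deallocator, `gfree(codeTables); delete syms;`. In the same function this patch uses `delete codeTables;` in the invalid-segment-reference branch, and the normal path frees the symbol array with `gfree(syms);`, so the label should read `delete codeTables;` followed by `gfree(syms);`. Whether `syms` is already allocated (or NULL) at every `goto codeTableError` cannot be seen from these hunks and should be confirmed before the first jump. The function body starts outside the hunk.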
rdh : rdh - 1) / 2 + rdy; - - symbolBitmap = - readGenericRefinementRegion(rdw + syms[symID]->getWidth(), - rdh + syms[symID]->getHeight(), - templ, gFalse, syms[symID], - refDX, refDY, atx, aty); //~ do we need to use the bmSize value here (in Huffman mode)? } else { symbolBitmap = syms[symID]; } - // combine the symbol bitmap into the region bitmap - //~ something is wrong here - refCorner shouldn't degenerate into - //~ two cases - bw = symbolBitmap->getWidth() - 1; - bh = symbolBitmap->getHeight() - 1; - if (transposed) { - switch (refCorner) { - case 0: // bottom left - bitmap->combine(symbolBitmap, tt, s, combOp); - break; - case 1: // top left - bitmap->combine(symbolBitmap, tt, s, combOp); - break; - case 2: // bottom right - bitmap->combine(symbolBitmap, tt - bw, s, combOp); - break; - case 3: // top right - bitmap->combine(symbolBitmap, tt - bw, s, combOp); - break; + if (symbolBitmap) { + // combine the symbol bitmap into the region bitmap + //~ something is wrong here - refCorner shouldn't degenerate into + //~ two cases + bw = symbolBitmap->getWidth() - 1; + bh = symbolBitmap->getHeight() - 1; + if (transposed) { + switch (refCorner) { + case 0: // bottom left + bitmap->combine(symbolBitmap, tt, s, combOp); + break; + case 1: // top left + bitmap->combine(symbolBitmap, tt, s, combOp); + break; + case 2: // bottom right + bitmap->combine(symbolBitmap, tt - bw, s, combOp); + break; + case 3: // top right + bitmap->combine(symbolBitmap, tt - bw, s, combOp); + break; + } + s += bh; + } else { + switch (refCorner) { + case 0: // bottom left + bitmap->combine(symbolBitmap, s, tt - bh, combOp); + break; + case 1: // top left + bitmap->combine(symbolBitmap, s, tt, combOp); + break; + case 2: // bottom right + bitmap->combine(symbolBitmap, s, tt - bh, combOp); + break; + case 3: // top right + bitmap->combine(symbolBitmap, s, tt, combOp); + break; + } + s += bw; } - s += bh; - } else { - switch (refCorner) { - case 0: // bottom left - 
bitmap->combine(symbolBitmap, s, tt - bh, combOp); - break; - case 1: // top left - bitmap->combine(symbolBitmap, s, tt, combOp); - break; - case 2: // bottom right - bitmap->combine(symbolBitmap, s, tt - bh, combOp); - break; - case 3: // top right - bitmap->combine(symbolBitmap, s, tt, combOp); - break; + if (ri) { + delete symbolBitmap; } - s += bw; - } - if (ri) { - delete symbolBitmap; + } else { + // NULL symbolBitmap only happens on error + delete bitmap; + return NULL; } } @@@@ -2374,8 +2498,8 @@@@ void JBIG2Stream::readHalftoneRegionSeg( error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } - seg = findSegment(refSegs[0]); - if (seg->getType() != jbig2SegPatternDict) { + if (!(seg = findSegment(refSegs[0])) || + seg->getType() != jbig2SegPatternDict) { error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } @@@@ -2533,7 +2657,9 @@@@ void JBIG2Stream::readGenericRegionSeg(G // read the bitmap bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, - NULL, atx, aty, mmr ? 0 : length - 18); + NULL, atx, aty, mmr ? 
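Review bot: When `ri` is set and either a decodeInt call fails or `syms[symID]` is NULL, the new code in readTextRegion (hunk at -2178) skips the assignment to `symbolBitmap` and then tests `if (symbolBitmap)`, so the result depends on the value it held before the `if (ri)` block, which is outside the hunk. If it is not reset to NULL for every symbol, a pointer left from the previous iteration would be combined and, because `ri` is set, deleted a second time; adding `else { symbolBitmap = NULL; }` to `if (decodeSuccess && syms[symID])` makes the error path explicit. The failure return `delete bitmap; return NULL;` also reports nothing, unlike the other error paths added by this patch, so an `error(getPos(), ...)` call there would help when diagnosing a rejected file.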
length - 18 : 0); + if (!bitmap) + return; // combine the region bitmap into the page bitmap if (imm) { @@@@ -2555,6 +2681,43 @@@@ void JBIG2Stream::readGenericRegionSeg(G error(getPos(), "Unexpected EOF in JBIG2 stream"); } +inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels, + int *codingLine, int *a0i, int w) { + if (a1 > codingLine[*a0i]) { + if (a1 > w) { + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); + a1 = w; + } + if ((*a0i & 1) ^ blackPixels) { + ++*a0i; + } + codingLine[*a0i] = a1; + } +} + +inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels, + int *codingLine, int *a0i, int w) { + if (a1 > codingLine[*a0i]) { + if (a1 > w) { + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); + a1 = w; + } + if ((*a0i & 1) ^ blackPixels) { + ++*a0i; + } + codingLine[*a0i] = a1; + } else if (a1 < codingLine[*a0i]) { + if (a1 < 0) { + error(getPos(), "Invalid JBIG2 MMR code"); + a1 = 0; + } + while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) { + --*a0i; + } + codingLine[*a0i] = a1; + } +} + JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, int templ, GBool tpgdOn, GBool useSkip, JBIG2Bitmap *skip, @@@@ -2567,9 +2730,13 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3; int *refLine, *codingLine; int code1, code2, code3; - int x, y, a0, pix, i, refI, codingI; + int x, y, a0i, b1i, blackPixels, pix, i; bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) { + delete bitmap; + return NULL; + } bitmap->clearToZero(); //----- MMR decode @@@@ -2577,9 +2744,18 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit if (mmr) { mmrDecoder->reset(); + if (w > INT_MAX - 2) { + error(getPos(), "Bad width in JBIG2 generic bitmap"); + // force a call to gmalloc(-1), which will throw an exception + w = -3; + } + // 0 <= codingLine[0] < codingLine[1] < ... 
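Review bot: Both new helpers in the hunk at -2555 report an over-long row with `error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1);`, and every other error() call on this page passes a plain literal, so the placeholder syntax cannot be checked from here. If error() in this tree is printf-style, `{0:d}` is printed literally and `a1` is ignored, and the message would need `(%d)` instead. mmrAddPixelsNeg also repeats the whole forward branch of mmrAddPixels, and neither helper carries a comment; a header such as `// store a1 as the next changing element of codingLine, advancing *a0i only when its parity differs from blackPixels` would make the `(*a0i & 1) ^ blackPixels` test readable.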
< codingLine[n] = w + // ---> max codingLine size = w + 1 + // refLine has one extra guard entry at the end + // ---> max refLine size = w + 2 + codingLine = (int *)gmallocn(w + 1, sizeof(int)); refLine = (int *)gmallocn(w + 2, sizeof(int)); - codingLine = (int *)gmallocn(w + 2, sizeof(int)); - codingLine[0] = codingLine[1] = w; + codingLine[0] = w; for (y = 0; y < h; ++y) { @@@@ -2587,128 +2763,157 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit for (i = 0; codingLine[i] < w; ++i) { refLine[i] = codingLine[i]; } - refLine[i] = refLine[i + 1] = w; + refLine[i++] = w; + refLine[i] = w; // decode a line - refI = 0; // b1 = refLine[refI] - codingI = 0; // a1 = codingLine[codingI] - a0 = 0; - do { + codingLine[0] = 0; + a0i = 0; + b1i = 0; + blackPixels = 0; + // invariant: + // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w + // exception at left edge: + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible + // exception at right edge: + // refLine[b1i] = refLine[b1i+1] = w is possible + while (codingLine[a0i] < w) { code1 = mmrDecoder->get2DCode(); switch (code1) { case twoDimPass: - if (refLine[refI] < w) { - a0 = refLine[refI + 1]; - refI += 2; - } - break; + mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w); + if (refLine[b1i + 1] < w) { + b1i += 2; + } + break; case twoDimHoriz: - if (codingI & 1) { - code1 = 0; - do { - code1 += code3 = mmrDecoder->getBlackCode(); - } while (code3 >= 64); - code2 = 0; - do { - code2 += code3 = mmrDecoder->getWhiteCode(); - } while (code3 >= 64); - } else { - code1 = 0; - do { - code1 += code3 = mmrDecoder->getWhiteCode(); - } while (code3 >= 64); - code2 = 0; - do { - code2 += code3 = mmrDecoder->getBlackCode(); - } while (code3 >= 64); - } - if (code1 > 0 || code2 > 0) { - a0 = codingLine[codingI++] = a0 + code1; - a0 = codingLine[codingI++] = a0 + code2; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case twoDimVert0: - a0 = codingLine[codingI++] = 
refLine[refI]; - if (refLine[refI] < w) { - ++refI; - } - break; - case twoDimVertR1: - a0 = codingLine[codingI++] = refLine[refI] + 1; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case twoDimVertR2: - a0 = codingLine[codingI++] = refLine[refI] + 2; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; + code1 = code2 = 0; + if (blackPixels) { + do { + code1 += code3 = mmrDecoder->getBlackCode(); + } while (code3 >= 64); + do { + code2 += code3 = mmrDecoder->getWhiteCode(); + } while (code3 >= 64); + } else { + do { + code1 += code3 = mmrDecoder->getWhiteCode(); + } while (code3 >= 64); + do { + code2 += code3 = mmrDecoder->getBlackCode(); + } while (code3 >= 64); + } + mmrAddPixels(codingLine[a0i] + code1, blackPixels, + codingLine, &a0i, w); + if (codingLine[a0i] < w) { + mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1, + codingLine, &a0i, w); + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + break; case twoDimVertR3: - a0 = codingLine[codingI++] = refLine[refI] + 3; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case twoDimVertL1: - a0 = codingLine[codingI++] = refLine[refI] - 1; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; - case twoDimVertL2: - a0 = codingLine[codingI++] = refLine[refI] - 2; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; + mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertR2: + mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, 
w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertR1: + mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVert0: + mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; case twoDimVertL3: - a0 = codingLine[codingI++] = refLine[refI] - 3; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; + mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertL2: + mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertL1: + mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case EOF: + mmrAddPixels(w, 0, codingLine, &a0i, w); + break; default: error(getPos(), "Illegal code in JBIG2 MMR bitmap data"); + mmrAddPixels(w, 0, codingLine, &a0i, w); break; } - } while (a0 < w); - codingLine[codingI++] = w; + } // convert the run lengths to a bitmap line i = 0; - while (codingLine[i] < w) { + while (1) { for (x 
= codingLine[i]; x < codingLine[i+1]; ++x) { bitmap->setPixel(x, y); } + if (codingLine[i+1] >= w || codingLine[i+2] >= w) { + break; + } i += 2; } } @@@@ -2756,7 +2961,9 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit ltp = !ltp; } if (ltp) { - bitmap->duplicateRow(y, y-1); + if (y > 0) { + bitmap->duplicateRow(y, y-1); + } continue; } } @@@@ -2959,8 +3166,8 @@@@ void JBIG2Stream::readGenericRefinementR return; } if (nRefSegs == 1) { - seg = findSegment(refSegs[0]); - if (seg->getType() != jbig2SegBitmap) { + if (!(seg = findSegment(refSegs[0])) || + seg->getType() != jbig2SegBitmap) { error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); return; } @@@@ -3014,6 +3221,11 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef int x, y, pix; bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) + { + delete bitmap; + return NULL; + } bitmap->clearToZero(); // set up the typical row context @@@@ -3054,6 +3266,10 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) { @@@@ -3125,6 +3341,10 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) { @@@@ -3189,6 +3409,11 @@@@ void JBIG2Stream::readPageInfoSeg(Guint curPageH = pageH; } pageBitmap = new JBIG2Bitmap(0, pageW, curPageH); + if (!pageBitmap->isOk()) 
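Review bot: The rewritten run-to-bitmap loop at the end of the MMR hunk (-2587) reads `codingLine[i+1]`, and then `codingLine[i+2]`, without first checking that `codingLine[i]` is below `w`. A row that ends with a single entry, for example the `EOF` or `default` case calling `mmrAddPixels(w, 0, codingLine, &a0i, w)` while `a0i` is 0, leaves `codingLine[0] == w` and never writes `codingLine[1]` for that row. The setup hunk at -2577 now initialises only `codingLine[0] = w`, so on the first row the inner loop bound is whatever gmallocn returned (assuming it does not zero the buffer) and `setPixel` could be called with x at or beyond `w`. I would open the loop body with `if (codingLine[i] >= w) { break; }` and reduce the trailing test to `if (codingLine[i+1] >= w) { break; }`.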
{ + delete pageBitmap; + pageBitmap = NULL; + return; + } // default pixel value if (pageDefPixel) { @ 1.8 log @Update kpdf to have the xpdf3.02pl patches for the vulnerabilities reported in CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182 and CVE-2009-1183. also some patches from poppler for postscript output generation problems seen here. @ text @d1 1 a1 1 $NetBSD$ @ 1.8.2.1 log @file patch-ac was added on branch pkgsrc-2009Q1 on 2009-06-04 16:49:30 +0000 @ text @d1 1015 @ 1.8.2.2 log @Pullup ticket #2784 - requested by markd kdegraphics3: security patch Revisions pulled up: - graphics/kdegraphics3/Makefile 1.81 via patch - graphics/kdegraphics3/distinfo 1.51 - graphics/kdegraphics3/patches/patch-aa 1.14 - graphics/kdegraphics3/patches/patch-ab 1.11 - graphics/kdegraphics3/patches/patch-ac 1.8 --- Module Name: pkgsrc Committed By: markd Date: Wed Jun 3 12:29:43 UTC 2009 Modified Files: pkgsrc/graphics/kdegraphics3: Makefile distinfo Added Files: pkgsrc/graphics/kdegraphics3/patches: patch-aa patch-ab patch-ac Log Message: Update kpdf to have the xpdf3.02pl patches for the vulnerabilities reported in CVE-2009-0146, CVE-2009-0147, CVE-2009-0166, CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180, CVE-2009-1181, CVE-2009-1182 and CVE-2009-1183. also some patches from poppler for postscript output generation problems seen here. 
@ text @a0 1015 $NetBSD$ xpdf 3.02pl3 by way of poppler git 9f1312f3d7dfa7e536606a7c7296b7c876b11c00 also poppler git 305af8cdb6822858e152e1f930bba2ce3904bf1b --- kpdf/xpdf/xpdf/JBIG2Stream.cc.orig 2008-08-20 06:12:37.000000000 +1200 +++ kpdf/xpdf/xpdf/JBIG2Stream.cc @@@@ -422,12 +422,14 @@@@ void JBIG2HuffmanDecoder::buildTable(JBI table[i] = table[len]; // assign prefixes - i = 0; - prefix = 0; - table[i++].prefix = prefix++; - for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { - prefix <<= table[i].prefixLen - table[i-1].prefixLen; - table[i].prefix = prefix++; + if (table[0].rangeLen != jbig2HuffmanEOT) { + i = 0; + prefix = 0; + table[i++].prefix = prefix++; + for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { + prefix <<= table[i].prefixLen - table[i-1].prefixLen; + table[i].prefix = prefix++; + } } } @@@@ -491,7 +493,7 @@@@ int JBIG2MMRDecoder::get2DCode() { } if (p->bits < 0) { error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); - return 0; + return EOF; } bufLen -= p->bits; return p->n; @@@@ -668,6 +670,7 @@@@ public: void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp); Guchar *getDataPtr() { return data; } int getDataSize() { return h * line; } + GBool isOk() { return data != NULL; } private: @@@@ -684,8 +687,9 @@@@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, h = hA; line = (wA + 7) >> 3; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { - data = NULL; - return; + // force a call to gmalloc(-1), which will throw an exception + h = -1; + line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); @@@@ -699,8 +703,9 @@@@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, h = bitmap->h; line = bitmap->line; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { - data = NULL; - return; + // force a call to gmalloc(-1), which will throw an exception + h = -1; + line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); 
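Review bot: The size check in both JBIG2Bitmap constructors (the hunk at -684 and the second constructor at -699) now depends on `gmalloc(-1)` failing loudly, and that behaviour is not visible in this diff. The `isOk()` accessor added in the preceding hunk, and the `!bitmap->isOk()` checks added further down, can only fire if gmalloc returns NULL instead. If gmalloc handles a negative size by exiting the process rather than raising something the caller catches, a malformed stream would take the whole viewer down, so the gmem behaviour should be confirmed and the contract stated next to the check, e.g. `// relies on gmalloc() rejecting size < 0; callers must still test isOk()`. The object is also left with `h = -1` and `line = 2`, so `getDataSize()` would return a negative value if construction ever completed on this path.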
@@@@ -755,6 +760,8 @@@@ void JBIG2Bitmap::clearToOne() { inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { if (y < 0 || y >= h || x >= w) { ptr->p = NULL; + ptr->shift = 0; // make gcc happy + ptr->x = 0; // make gcc happy } else if (x < 0) { ptr->p = &data[y * line]; ptr->shift = 7; @@@@ -799,6 +806,10 @@@@ void JBIG2Bitmap::combine(JBIG2Bitmap *b Guint src0, src1, src, dest, s1, s2, m1, m2, m3; GBool oneByte; + // check for the pathological case where y = -2^31 + if (y < -0x7fffffff) { + return; + } if (y < 0) { y0 = -y; } else { @@@@ -1012,8 +1023,13 @@@@ private: JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA): JBIG2Segment(segNumA) { + Guint i; + size = sizeA; bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *)); + for (i = 0; i < size; ++i) { + bitmaps[i] = NULL; + } genericRegionStats = NULL; refinementRegionStats = NULL; } @@@@ -1022,7 +1038,9 @@@@ JBIG2SymbolDict::~JBIG2SymbolDict() { Guint i; for (i = 0; i < size; ++i) { - delete bitmaps[i]; + if (bitmaps[i]) { + delete bitmaps[i]; + } } gfree(bitmaps); if (genericRegionStats) { @@@@ -1301,6 +1319,13 @@@@ void JBIG2Stream::readSegments() { // keep track of the start of the segment data segDataPos = getPos(); + // check for missing page information segment + if (!pageBitmap && ((segType >= 4 && segType <= 7) || + (segType >= 20 && segType <= 43))) { + error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); + goto syntaxError; + } + // read the segment data switch (segType) { case 0: @@@@ -1455,6 +1480,8 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui Guint i, j, k; Guchar *p; + symWidths = NULL; + // symbol dictionary flags if (!readUWord(&flags)) { goto eofError; @@@@ -1515,21 +1542,33 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui // part of it if ((seg = findSegment(refSegs[i]))) { if (seg->getType() == jbig2SegSymbolDict) { - numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); + j = ((JBIG2SymbolDict 
*)seg)->getSize(); + if (numInputSyms > UINT_MAX - j) { + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); + delete codeTables; + goto eofError; + } + numInputSyms += j; } else if (seg->getType() == jbig2SegCodeTable) { codeTables->append(seg); } } else { + delete codeTables; return gFalse; } } + if (numInputSyms > UINT_MAX - numNewSyms) { + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); + delete codeTables; + goto eofError; + } // compute symbol code length - symCodeLen = 0; - i = 1; - while (i < numInputSyms + numNewSyms) { + symCodeLen = 1; + i = (numInputSyms + numNewSyms) >> 1; + while (i) { ++symCodeLen; - i <<= 1; + i >>= 1; } // get the input symbol bitmaps @@@@ -1541,11 +1580,12 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui k = 0; inputSymbolDict = NULL; for (i = 0; i < nRefSegs; ++i) { - seg = findSegment(refSegs[i]); - if (seg->getType() == jbig2SegSymbolDict) { - inputSymbolDict = (JBIG2SymbolDict *)seg; - for (j = 0; j < inputSymbolDict->getSize(); ++j) { - bitmaps[k++] = inputSymbolDict->getBitmap(j); + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { + inputSymbolDict = (JBIG2SymbolDict *)seg; + for (j = 0; j < inputSymbolDict->getSize(); ++j) { + bitmaps[k++] = inputSymbolDict->getBitmap(j); + } } } } @@@@ -1560,6 +1600,9 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else if (huffDH == 1) { huffDHTable = huffTableE; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDW == 0) { @@@@ -1567,17 +1610,26 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else if (huffDW == 1) { huffDWTable = huffTableC; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffBMSize == 0) { huffBMSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto 
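Review bot: The rewritten symbol-code-length loop in readSymbolDictSeg (`symCodeLen = 1; i = (numInputSyms + numNewSyms) >> 1; while (i) ...`) does not produce the same value as the loop it replaces whenever the symbol total is a power of two or zero: a total of 2 gave 1 and now gives 2, and a total of 4 gave 2 and now gives 3. The text-region code in a later hunk still shows `symCodeLen = 0;` in its context and appears to keep the old form, so the two decoders may disagree on the symbol ID width and misparse streams that were read correctly before. The overflow checks added just above already guarantee the sum cannot wrap, so the old result can be kept without the left-shift overflow: `i = numInputSyms + numNewSyms; symCodeLen = 0; if (i > 1) { for (--i; i; i >>= 1) ++symCodeLen; }`. readSymbolDictSeg starts and ends outside this hunk.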
codeTableError; + } huffBMSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffAggInst == 0) { huffAggInstTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffAggInstTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } @@@@ -1610,7 +1662,6 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } // allocate symbol widths storage - symWidths = NULL; if (huff && !refAgg) { symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); } @@@@ -1652,6 +1703,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui goto syntaxError; } symWidth += dw; + if (i >= numNewSyms) { + error(getPos(), "Too many symbols in JBIG2 symbol dictionary"); + goto syntaxError; + } // using a collective bitmap, so don't read a bitmap here if (huff && !refAgg) { @@@@ -1688,6 +1743,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui arithDecoder->decodeInt(&refDX, iardxStats); arithDecoder->decodeInt(&refDY, iardyStats); } + if (symID >= numInputSyms + i) { + error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); + goto syntaxError; + } refBitmap = bitmaps[symID]; bitmaps[numInputSyms + i] = readGenericRefinementRegion(symWidth, symHeight, @@@@ -1754,6 +1813,12 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } else { arithDecoder->decodeInt(&run, iaexStats); } + if (i + run > numInputSyms + numNewSyms || + (ex && j + run > numExSyms)) { + error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } if (ex) { for (cnt = 0; cnt < run; ++cnt) { symbolDict->setBitmap(j++, bitmaps[i++]->copy()); @@@@ -1763,6 +1828,11 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui } ex = !ex; } + if (j != numExSyms) { + error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } for (i = 0; i < numNewSyms; ++i) { delete bitmaps[numInputSyms + i]; @@@@ -1785,6 +1855,10 @@@@ GBool JBIG2Stream::readSymbolDictSeg(Gui return gTrue; + 
codeTableError: + error(getPos(), "Missing code table in JBIG2 symbol dictionary"); + delete codeTables; + syntaxError: for (i = 0; i < numNewSyms; ++i) { if (bitmaps[numInputSyms + i]) { @@@@ -1887,6 +1961,8 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } } else { error(getPos(), "Invalid segment reference in JBIG2 text region"); + delete codeTables; + return; } } symCodeLen = 0; @@@@ -1921,6 +1997,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffFS == 1) { huffFSTable = huffTableG; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDS == 0) { @@@@ -1930,6 +2009,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffDS == 2) { huffDSTable = huffTableJ; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDT == 0) { @@@@ -1939,6 +2021,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffDT == 2) { huffDTTable = huffTableM; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDW == 0) { @@@@ -1946,6 +2031,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDW == 1) { huffRDWTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDH == 0) { @@@@ -1953,6 +2041,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDH == 1) { huffRDHTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDX == 0) { @@@@ -1960,6 +2051,9 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDX == 1) { huffRDXTable = huffTableO; } else { + if (i >= 
(Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDY == 0) { @@@@ -1967,11 +2061,17 @@@@ void JBIG2Stream::readTextRegionSeg(Guin } else if (huffRDY == 1) { huffRDYTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRSize == 0) { huffRSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } @@@@ -2045,18 +2145,20 @@@@ void JBIG2Stream::readTextRegionSeg(Guin gfree(syms); - // combine the region bitmap into the page bitmap - if (imm) { - if (pageH == 0xffffffff && y + h > curPageH) { - pageBitmap->expand(y + h, pageDefPixel); - } - pageBitmap->combine(bitmap, x, y, extCombOp); - delete bitmap; + if (bitmap) { + // combine the region bitmap into the page bitmap + if (imm) { + if (pageH == 0xffffffff && y + h > curPageH) { + pageBitmap->expand(y + h, pageDefPixel); + } + pageBitmap->combine(bitmap, x, y, extCombOp); + delete bitmap; - // store the region bitmap - } else { - bitmap->setSegNum(segNum); - segments->append(bitmap); + // store the region bitmap + } else { + bitmap->setSegNum(segNum); + segments->append(bitmap); + } } // clean up the Huffman decoder @@@@ -2066,8 +2168,15 @@@@ void JBIG2Stream::readTextRegionSeg(Guin return; + codeTableError: + error(getPos(), "Missing code table in JBIG2 text region"); + gfree(codeTables); + delete syms; + return; + eofError: error(getPos(), "Unexpected EOF in JBIG2 stream"); + return; } JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, @@@@ -2102,6 +2211,10 @@@@ JBIG2Bitmap *JBIG2Stream::readTextRegion // allocate the bitmap bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) { + delete bitmap; + return NULL; + } if (defPixel) { bitmap->clearToOne(); } 
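Review bot: The new `codeTableError:` path in readTextRegionSeg releases both objects with the wrong deallocator. It calls `gfree(codeTables)` although the earlier hunk in this function frees the same list with `delete codeTables`, and it calls `delete syms` although the normal path releases it with `gfree(syms)`. Mixing the two families skips the list's destructor and is undefined behaviour for the array, on a path that is only reached by malformed input. The two lines should read `delete codeTables;` and `gfree(syms);`. The function body begins outside this hunk, so the allocation sites should be checked when applying the fix.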
else { @@@@ -2178,73 +2291,84 @@@@ JBIG2Bitmap *JBIG2Stream::readTextRegion ri = 0; } if (ri) { + GBool decodeSuccess; if (huff) { - huffDecoder->decodeInt(&rdw, huffRDWTable); - huffDecoder->decodeInt(&rdh, huffRDHTable); - huffDecoder->decodeInt(&rdx, huffRDXTable); - huffDecoder->decodeInt(&rdy, huffRDYTable); - huffDecoder->decodeInt(&bmSize, huffRSizeTable); + decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable); + decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable); huffDecoder->reset(); arithDecoder->start(); } else { - arithDecoder->decodeInt(&rdw, iardwStats); - arithDecoder->decodeInt(&rdh, iardhStats); - arithDecoder->decodeInt(&rdx, iardxStats); - arithDecoder->decodeInt(&rdy, iardyStats); + decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats); + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats); + } + + if (decodeSuccess && syms[symID]) + { + refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; + refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy; + + symbolBitmap = + readGenericRefinementRegion(rdw + syms[symID]->getWidth(), + rdh + syms[symID]->getHeight(), + templ, gFalse, syms[symID], + refDX, refDY, atx, aty); } - refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; - refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy; - - symbolBitmap = - readGenericRefinementRegion(rdw + syms[symID]->getWidth(), - rdh + syms[symID]->getHeight(), - templ, gFalse, syms[symID], - refDX, refDY, atx, aty); //~ do we need to use the bmSize value here (in Huffman mode)? 
} else { symbolBitmap = syms[symID]; } - // combine the symbol bitmap into the region bitmap - //~ something is wrong here - refCorner shouldn't degenerate into - //~ two cases - bw = symbolBitmap->getWidth() - 1; - bh = symbolBitmap->getHeight() - 1; - if (transposed) { - switch (refCorner) { - case 0: // bottom left - bitmap->combine(symbolBitmap, tt, s, combOp); - break; - case 1: // top left - bitmap->combine(symbolBitmap, tt, s, combOp); - break; - case 2: // bottom right - bitmap->combine(symbolBitmap, tt - bw, s, combOp); - break; - case 3: // top right - bitmap->combine(symbolBitmap, tt - bw, s, combOp); - break; + if (symbolBitmap) { + // combine the symbol bitmap into the region bitmap + //~ something is wrong here - refCorner shouldn't degenerate into + //~ two cases + bw = symbolBitmap->getWidth() - 1; + bh = symbolBitmap->getHeight() - 1; + if (transposed) { + switch (refCorner) { + case 0: // bottom left + bitmap->combine(symbolBitmap, tt, s, combOp); + break; + case 1: // top left + bitmap->combine(symbolBitmap, tt, s, combOp); + break; + case 2: // bottom right + bitmap->combine(symbolBitmap, tt - bw, s, combOp); + break; + case 3: // top right + bitmap->combine(symbolBitmap, tt - bw, s, combOp); + break; + } + s += bh; + } else { + switch (refCorner) { + case 0: // bottom left + bitmap->combine(symbolBitmap, s, tt - bh, combOp); + break; + case 1: // top left + bitmap->combine(symbolBitmap, s, tt, combOp); + break; + case 2: // bottom right + bitmap->combine(symbolBitmap, s, tt - bh, combOp); + break; + case 3: // top right + bitmap->combine(symbolBitmap, s, tt, combOp); + break; + } + s += bw; } - s += bh; - } else { - switch (refCorner) { - case 0: // bottom left - bitmap->combine(symbolBitmap, s, tt - bh, combOp); - break; - case 1: // top left - bitmap->combine(symbolBitmap, s, tt, combOp); - break; - case 2: // bottom right - bitmap->combine(symbolBitmap, s, tt - bh, combOp); - break; - case 3: // top right - bitmap->combine(symbolBitmap, s, 
tt, combOp); - break; + if (ri) { + delete symbolBitmap; } - s += bw; - } - if (ri) { - delete symbolBitmap; + } else { + // NULL symbolBitmap only happens on error + delete bitmap; + return NULL; } } @@@@ -2374,8 +2498,8 @@@@ void JBIG2Stream::readHalftoneRegionSeg( error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } - seg = findSegment(refSegs[0]); - if (seg->getType() != jbig2SegPatternDict) { + if (!(seg = findSegment(refSegs[0])) || + seg->getType() != jbig2SegPatternDict) { error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } @@@@ -2533,7 +2657,9 @@@@ void JBIG2Stream::readGenericRegionSeg(G // read the bitmap bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, - NULL, atx, aty, mmr ? 0 : length - 18); + NULL, atx, aty, mmr ? length - 18 : 0); + if (!bitmap) + return; // combine the region bitmap into the page bitmap if (imm) { @@@@ -2555,6 +2681,43 @@@@ void JBIG2Stream::readGenericRegionSeg(G error(getPos(), "Unexpected EOF in JBIG2 stream"); } +inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels, + int *codingLine, int *a0i, int w) { + if (a1 > codingLine[*a0i]) { + if (a1 > w) { + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); + a1 = w; + } + if ((*a0i & 1) ^ blackPixels) { + ++*a0i; + } + codingLine[*a0i] = a1; + } +} + +inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels, + int *codingLine, int *a0i, int w) { + if (a1 > codingLine[*a0i]) { + if (a1 > w) { + error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); + a1 = w; + } + if ((*a0i & 1) ^ blackPixels) { + ++*a0i; + } + codingLine[*a0i] = a1; + } else if (a1 < codingLine[*a0i]) { + if (a1 < 0) { + error(getPos(), "Invalid JBIG2 MMR code"); + a1 = 0; + } + while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) { + --*a0i; + } + codingLine[*a0i] = a1; + } +} + JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, int templ, GBool tpgdOn, GBool useSkip, JBIG2Bitmap *skip, 
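Review bot: When `decodeSuccess` is false or `syms[symID]` is NULL, the refinement branch in readTextRegion leaves `symbolBitmap` unassigned, and the new `if (symbolBitmap)` test then acts on whatever value it held before. Unless the variable is cleared earlier in the loop, outside this hunk, that value is the bitmap from the previous iteration, which `if (ri) { delete symbolBitmap; }` may already have freed. The error path could then combine and delete a stale pointer instead of reaching `delete bitmap; return NULL;`. Adding `symbolBitmap = NULL;` immediately before `if (ri) {` makes the "NULL symbolBitmap only happens on error" comment true. The loop and the declaration of `symbolBitmap` are outside the hunk.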
@@@@ -2567,9 +2730,13 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3; int *refLine, *codingLine; int code1, code2, code3; - int x, y, a0, pix, i, refI, codingI; + int x, y, a0i, b1i, blackPixels, pix, i; bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) { + delete bitmap; + return NULL; + } bitmap->clearToZero(); //----- MMR decode @@@@ -2577,9 +2744,18 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit if (mmr) { mmrDecoder->reset(); + if (w > INT_MAX - 2) { + error(getPos(), "Bad width in JBIG2 generic bitmap"); + // force a call to gmalloc(-1), which will throw an exception + w = -3; + } + // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w + // ---> max codingLine size = w + 1 + // refLine has one extra guard entry at the end + // ---> max refLine size = w + 2 + codingLine = (int *)gmallocn(w + 1, sizeof(int)); refLine = (int *)gmallocn(w + 2, sizeof(int)); - codingLine = (int *)gmallocn(w + 2, sizeof(int)); - codingLine[0] = codingLine[1] = w; + codingLine[0] = w; for (y = 0; y < h; ++y) { @@@@ -2587,128 +2763,157 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit for (i = 0; codingLine[i] < w; ++i) { refLine[i] = codingLine[i]; } - refLine[i] = refLine[i + 1] = w; + refLine[i++] = w; + refLine[i] = w; // decode a line - refI = 0; // b1 = refLine[refI] - codingI = 0; // a1 = codingLine[codingI] - a0 = 0; - do { + codingLine[0] = 0; + a0i = 0; + b1i = 0; + blackPixels = 0; + // invariant: + // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w + // exception at left edge: + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible + // exception at right edge: + // refLine[b1i] = refLine[b1i+1] = w is possible + while (codingLine[a0i] < w) { code1 = mmrDecoder->get2DCode(); switch (code1) { case twoDimPass: - if (refLine[refI] < w) { - a0 = refLine[refI + 1]; - refI += 2; - } - break; + mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w); + if (refLine[b1i + 1] < w) { + b1i 
+= 2; + } + break; case twoDimHoriz: - if (codingI & 1) { - code1 = 0; - do { - code1 += code3 = mmrDecoder->getBlackCode(); - } while (code3 >= 64); - code2 = 0; - do { - code2 += code3 = mmrDecoder->getWhiteCode(); - } while (code3 >= 64); - } else { - code1 = 0; - do { - code1 += code3 = mmrDecoder->getWhiteCode(); - } while (code3 >= 64); - code2 = 0; - do { - code2 += code3 = mmrDecoder->getBlackCode(); - } while (code3 >= 64); - } - if (code1 > 0 || code2 > 0) { - a0 = codingLine[codingI++] = a0 + code1; - a0 = codingLine[codingI++] = a0 + code2; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case twoDimVert0: - a0 = codingLine[codingI++] = refLine[refI]; - if (refLine[refI] < w) { - ++refI; - } - break; - case twoDimVertR1: - a0 = codingLine[codingI++] = refLine[refI] + 1; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case twoDimVertR2: - a0 = codingLine[codingI++] = refLine[refI] + 2; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; + code1 = code2 = 0; + if (blackPixels) { + do { + code1 += code3 = mmrDecoder->getBlackCode(); + } while (code3 >= 64); + do { + code2 += code3 = mmrDecoder->getWhiteCode(); + } while (code3 >= 64); + } else { + do { + code1 += code3 = mmrDecoder->getWhiteCode(); + } while (code3 >= 64); + do { + code2 += code3 = mmrDecoder->getBlackCode(); + } while (code3 >= 64); + } + mmrAddPixels(codingLine[a0i] + code1, blackPixels, + codingLine, &a0i, w); + if (codingLine[a0i] < w) { + mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1, + codingLine, &a0i, w); + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + break; case twoDimVertR3: - a0 = codingLine[codingI++] = refLine[refI] + 3; - if (refLine[refI] < w) { - ++refI; - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - } - break; - case 
twoDimVertL1: - a0 = codingLine[codingI++] = refLine[refI] - 1; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; - case twoDimVertL2: - a0 = codingLine[codingI++] = refLine[refI] - 2; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; + mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertR2: + mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertR1: + mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVert0: + mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; case twoDimVertL3: - a0 = codingLine[codingI++] = refLine[refI] - 3; - if (refI > 0) { - --refI; - } else { - ++refI; - } - while (refLine[refI] <= a0 && refLine[refI] < w) { - refI += 2; - } - break; + mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertL2: + mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while 
(refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case twoDimVertL1: + mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w); + blackPixels ^= 1; + if (codingLine[a0i] < w) { + if (b1i > 0) { + --b1i; + } else { + ++b1i; + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { + b1i += 2; + } + } + break; + case EOF: + mmrAddPixels(w, 0, codingLine, &a0i, w); + break; default: error(getPos(), "Illegal code in JBIG2 MMR bitmap data"); + mmrAddPixels(w, 0, codingLine, &a0i, w); break; } - } while (a0 < w); - codingLine[codingI++] = w; + } // convert the run lengths to a bitmap line i = 0; - while (codingLine[i] < w) { + while (1) { for (x = codingLine[i]; x < codingLine[i+1]; ++x) { bitmap->setPixel(x, y); } + if (codingLine[i+1] >= w || codingLine[i+2] >= w) { + break; + } i += 2; } } @@@@ -2756,7 +2961,9 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericBit ltp = !ltp; } if (ltp) { - bitmap->duplicateRow(y, y-1); + if (y > 0) { + bitmap->duplicateRow(y, y-1); + } continue; } } @@@@ -2959,8 +3166,8 @@@@ void JBIG2Stream::readGenericRefinementR return; } if (nRefSegs == 1) { - seg = findSegment(refSegs[0]); - if (seg->getType() != jbig2SegBitmap) { + if (!(seg = findSegment(refSegs[0])) || + seg->getType() != jbig2SegBitmap) { error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); return; } @@@@ -3014,6 +3221,11 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef int x, y, pix; bitmap = new JBIG2Bitmap(0, w, h); + if (!bitmap->isOk()) + { + delete bitmap; + return NULL; + } bitmap->clearToZero(); // set up the typical row context @@@@ -3054,6 +3266,10 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift 
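Review bot: The run-to-bitmap loop at the end of this hunk reads `codingLine[i+1]` before any bound is tested, while the allocation hunk just above changed the initialisation from `codingLine[0] = codingLine[1] = w` to `codingLine[0] = w` only. A row can finish with `a0i` still 0: the `EOF` and `default` cases call `mmrAddPixels(w, 0, ...)`, which overwrites slot 0 when `a0i` is 0. On the first row slot 1 has then never been written and holds whatever gmallocn returned, so the `for` loop may call `setPixel` with x >= w. Testing the start of the run first closes this: put `if (codingLine[i] >= w) break;` ahead of the `for`, and reduce the tail check to `if (codingLine[i+1] >= w) break;`. readGenericBitmap begins and ends outside the hunk.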
= 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) { @@@@ -3125,6 +3341,10 @@@@ JBIG2Bitmap *JBIG2Stream::readGenericRef tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) { @@@@ -3189,6 +3409,11 @@@@ void JBIG2Stream::readPageInfoSeg(Guint curPageH = pageH; } pageBitmap = new JBIG2Bitmap(0, pageW, curPageH); + if (!pageBitmap->isOk()) { + delete pageBitmap; + pageBitmap = NULL; + return; + } // default pixel value if (pageDefPixel) { @ 1.7 log @Update to KDE 3.5.3 Changes: * KPDF o Fix bug parsing some TOCs o Fix display of some JBIG2 files o Enable print action when opening files using drag and drop * KGhostView o Fix KGhostView .desktop files * Kuickshow o Fix remote browsing of http-urls o Don't display non-existing files @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.6 2006/05/31 13:52:54 tron Exp $ d3 40 a42 3 --- ksvg/plugin/backends/libart/GlyphTracerLibart.cpp.orig 2005-10-11 03:56:46.000000000 +1300 +++ ksvg/plugin/backends/libart/GlyphTracerLibart.cpp @@@@ -29,9 +29,17 @@@@ d44 1 a44 1 #include d46 49 a94 1 +#include d96 38 a133 5 +#if 1 /* def HAVE_FREETYPE_2_2_x */ + #define FT_VECTOR_PARAMETER const FT_Vector +#else + #define FT_VECTOR_PARAMETER FT_Vector +#endif d135 99 a233 1 using namespace T2P; d235 195 a429 7 -int traceMoveto(FT_Vector *to, void *obj) +int traceMoveto(FT_VECTOR_PARAMETER *to, void *obj) { Glyph *glyph = reinterpret_cast(obj); Affine &affine = glyph->affine(); @@@@ -52,7 +60,7 @@@@ int traceMoveto(FT_Vector *to, void *obj return 0; d432 176 a607 7 -int traceLineto(FT_Vector *to, void *obj) +int traceLineto(FT_VECTOR_PARAMETER *to, void *obj) { Glyph *glyph = 
reinterpret_cast(obj); Affine &affine = glyph->affine(); @@@@ -73,7 +81,7 @@@@ int traceLineto(FT_Vector *to, void *obj return 0; d610 403 a1012 8 -int traceConicBezier(FT_Vector *control, FT_Vector *to, void *obj) +int traceConicBezier(FT_VECTOR_PARAMETER *control, FT_VECTOR_PARAMETER *to, void *obj) { Glyph *glyph = reinterpret_cast(obj); Affine &affine = glyph->affine(); @@@@ -102,7 +110,7 @@@@ int traceConicBezier(FT_Vector *control, return 0; } d1014 2 a1015 5 -int traceCubicBezier(FT_Vector *control1, FT_Vector *control2, FT_Vector *to, void *obj) +int traceCubicBezier(FT_VECTOR_PARAMETER *control1, FT_VECTOR_PARAMETER *control2, FT_VECTOR_PARAMETER *to, void *obj) { Glyph *glyph = reinterpret_cast(obj); Affine &affine = glyph->affine(); @ 1.6 log @Make this package build with version 2.2.1 or newer of the "freetype2" package. Patch provided by Mark Davies. Bump package revision. @ text @d1 1 a1 1 $NetBSD$ @ 1.5 log @Update to KDE 3.4 Highlights at a glance * Text-to-speech system with support built into Konqueror, Kate, KPDF and the standalone application KSayIt * Support for text to speech synthesis is integrated with the desktop * Completely redesigned, more flexible trash system * Kicker with improved look and feel * KPDF now enables you to select, copy & paste text and images from PDFs, along with many other improvements * Kontact supports now various groupware servers, including eGroupware, GroupWise, Kolab, OpenGroupware.org and SLOX * Kopete supports Novell Groupwise and Lotus Sametime and gets integrated into Kontact * DBUS/HAL support allows to keep dynamic device icons in media:/ and on the desktop in sync with the state of all devices * KHTML has improved standard support and now close to full support for CSS 2.1 and the CSS 3 Selectors module * Better synchronization between 2 PCs * A new high contrast style and a complete monochrome icon set * An icon effect to paint all icons in two chosen colors, converting third party application icons into 
high contrast monochrome icons * Akregator allows you to read news from your favourite RSS-enabled websites in one application * Juk has now an album cover management via Google Image Search * KMail now stores passwords securely with KWallet * SVG files can now be used as wallpapers * KHTML plug-ins are now configurable, so the user can selectively disable ones that are not used. This does not include Netscape-style plug-ins. Netscape plug-in in CPU usage can be manually lowered, and plug-ins are more stable. * more than 6,500 bugs have been fixed * more than 1,700 wishes have been fullfilled * more than 80,000 contributions with several million lines of code and documentation added or changed @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.4 2005/01/20 12:39:56 markd Exp $ d3 48 a50 14 *** kpdf/xpdf/XRef.cc.orig Wed Jan 12 17:10:53 2005 --- kpdf/xpdf/XRef.cc Wed Jan 12 17:11:22 2005 *************** *** 793,798 **** --- 793,801 ---- } else { keyLength = 5; } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) { @ 1.4 log @add patch that was supposed to be in last commit. @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update to KDE 3.2 Changes: Graphics KPDF * NEW IN KDE: PDF viewer based on XPDF Christophe Devriese KSVG * NEW IN KDE: Scalable Vector Graphics plugins for Konqueror Nikolas Zimmermann KFilePlugins * pcx: Displays width, height, bpp, dpi for PCX images Nadeem Hasan * dvi: show basic information Stefan Kebekus * pnm: Display format, dimension, bpp and comments of PBM, PGM and PPM images. Volker Krause KDVI * Function to embed external PostScript files into a DVI file Stefan Kebekus * support for colored fonts Stefan Kebekus * KDVI can now use Type1 and TrueType fonts in addition to PK fonts. 
This reduces waiting times for font generation to a minimum, and give easier access to fonts used in Asian languages Stefan Kebekus * massive performance improvement Stefan Kebekus * support for papersize specials Stefan Kebekus * usability enhancements (better statusbar display, reload button, 'read-up' feature, etc.) Stefan Kebekus kviewshell * FullScreen mode Stefan Kebekus * more intelligent handling of paper sizes/orientations Stefan Kebekus * usability enhancements Stefan Kebekus KView * autoscroll the image when creating a selection Matthias Kretz * drag and drop support Matthias Kretz * some basic image effects as a new plugin Matthias Kretz * open images from stdin Matthias Kretz KSnapshot * Window snapshots optionally don't include window decorations Lubos Lunak * Region snapshots. User interface makeover. Nadeem Hasan KGamma * NEW IN KDE: A KControl module for monitor gamma correction. Michael v.Ostheim KPovModeler * Basic plugin framework Andreas Zehender * The user is asked if pending changes should be saved before rendering Andreas Zehender * Control point selection in the properties view for bicubic patch, sor, lathe and prism Andreas Zehender * Export flag for graphical objects and the camera Andreas Zehender * Height field view structure Leon Pennington * Light object gained, parallel, circular and orient options Leon Pennington * Dispersion options are supported for interior Leon Pennington * Support for POV-Ray 3.5 noise generators Leon Pennington * New POV-Ray 3.5 warp types Leon Pennington * New POV-Ray 3.5 objects: isosurface, projected through, radiosity, global photons, photons, light groups, interior texture, mesh Leon Pennington, Andreas Zehender KGhostView * Thumbnail generation for all pages Albert Astals Cid, Luis Pedro Coelho @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.2 2003/03/11 13:24:59 markd Exp $ d3 14 a16 40 --- kview/Makefile.am.orig Sun Oct 27 11:15:54 2002 +++ kview/Makefile.am @@@@ -5,7 +5,7 @@@@ INCLUDES = -I$(top_srcdir)/kview 
$(all_i METASOURCES = AUTO bin_PROGRAMS = kview -lib_LTLIBRARIES = kview.la libkviewsupport.la +lib_LTLIBRARIES = libkview_main.la kview.la libkviewsupport.la noinst_HEADERS = kview.h kpreferencesdialog.h kpreferencesmodule.h kpluginselector.h kviewconfmodules.h @@@@ -13,13 +13,17 @@@@ libkviewsupport_la_SOURCES = kpreference libkviewsupport_la_LDFLAGS = $(all_libraries) -no-undefined -version-info 0:0 libkviewsupport_la_LIBADD = $(LIB_KDEUI) -kview_SOURCES = dummy.cpp +kview_SOURCES = kview_main.cpp kview_LDFLAGS = $(all_libraries) $(KDE_RPATH) -kview_LDADD = kview.la +kview_LDADD = libkview_main.la -kview_la_SOURCES = kviewconfmodules.cpp kview.cpp main.cpp +libkview_main_la_SOURCES = kviewconfmodules.cpp kview.cpp main.cpp +libkview_main_la_LDFLAGS = $(KDE_RPATH) $(all_libraries) +libkview_main_la_LIBADD = $(LIB_KPARTS) libkviewsupport.la + +kview_la_SOURCES = kview_main.cpp kview_la_LDFLAGS = $(KDE_RPATH) $(all_libraries) -module -avoid-version -kview_la_LIBADD = $(LIB_KPARTS) libkviewsupport.la +kview_la_LIBADD = libkview_main.la lnkdir = $(kde_appsdir)/Graphics lnk_DATA = kview.desktop @@@@ -32,6 +36,3 @@@@ rc_DATA = kviewui.rc messages: rc.cpp $(EXTRACTRC) kviewviewer/*.rc kviewviewer/*.ui >> rc.cpp $(XGETTEXT) kviewviewer/*.cpp kviewcanvas/*.cpp *.cpp *.h -o $(podir)/kview.pot - -dummy.cpp: - echo > dummy.cpp @ 1.3.8.1 log @Pullup ticket 234 - requested by Mark Davies security fix for kdegraphics3 Revisions pulled up: - pkgsrc/graphics/kdegraphics3/Makefile 1.45 - pkgsrc/graphics/kdegraphics3/distinfo 1.25 - pkgsrc/graphics/kdegraphics3/patches/patch-ac 1.4 Module Name: pkgsrc Committed By: markd Date: Thu Jan 20 12:36:58 UTC 2005 Modified Files: pkgsrc/graphics/kdegraphics3: Makefile distinfo Log Message: Latest xpdf vulnerability http://www.kde.org/info/security/advisory-20050119-1.txt Bump PKGREVISION. 
--- Module Name: pkgsrc Committed By: markd Date: Thu Jan 20 12:39:56 UTC 2005 Added Files: pkgsrc/graphics/kdegraphics3/patches: patch-ac Log Message: add patch that was supposed to be in last commit. @ text @d1 1 a1 1 $NetBSD: patch-ac,v 1.4 2005/01/20 12:39:56 markd Exp $ d3 40 a42 14 *** kpdf/xpdf/XRef.cc.orig Wed Jan 12 17:10:53 2005 --- kpdf/xpdf/XRef.cc Wed Jan 12 17:11:22 2005 *************** *** 793,798 **** --- 793,801 ---- } else { keyLength = 5; } + if (keyLength > 16) { + keyLength = 16; + } permFlags = permissions.getInt(); if (encVersion >= 1 && encVersion <= 2 && encRevision >= 2 && encRevision <= 3) { @ 1.2 log @Update KDE to 3.1. Many bugfixes and functionality enhancements including: kdegraphics KView: Added KImageViewer interface Added possibility for plugins Added Slideshow plugin Enhanced Mousewheel support Automatic resizing to fit images with varying size kviewshell: added statusbar kviewshell: usability improvements KuickShow: Digital camera jpeg images obey orientaion information KuickShow: General UI improvements, now features a menubar KuickShow: Ability to browse image collections on remote servers KuickShow: Digital camera jpeg images obey orientaion information KPovModeler: Implement support for the missing PovRAY 3.1 primitives, zehender at kde org. KFax: Rewrite all the UI code to be KDE standards compliant, cleanups. 
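Review bot: The clamp added after `keyLength = 5;` in kpdf/xpdf/XRef.cc bounds only the upper side, so a zero or negative `keyLength` would still pass through if the `if` branch above the hunk (not visible here) derives the value from the document. I would bound both sides by adding `if (keyLength < 1) { keyLength = 1; }` next to the new `if (keyLength > 16)` check, or treat an out-of-range length as an unsupported encryption dictionary instead of silently adjusting it. A one-line comment such as `// key length comes from the untrusted PDF; clamp to the key buffer size` would record why 16 is the limit; that 16 matches the key buffer is presumed, so confirm it against the declaration. The enclosing function starts and ends outside the hunk, so how `keyLength` is used afterwards cannot be checked from here.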
(Nadeem Hasan ) libkscan: support for halftoning scan mode where available kooka: thumbnail view of scanned images added kooka: ported to KDockWidgets to provide a customizable GUI kooka: inline image renaming and drag and drop NEW IN KDE:KPovModeler, a modeling and composition program for creating POV-Ray (tm) scenes @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Initial revision @ text @d3 1 a3 1 --- kview/Makefile.am.orig Tue May 15 20:54:32 2001 d5 2 a6 1 @@@@ -7,25 +7,29 @@@@ d8 3 a10 1 METASOURCES = AUTO d12 1 a12 2 -lib_LTLIBRARIES = libkviewpart.la kview.la +lib_LTLIBRARIES = libkviewpart.la libkview_main.la kview.la d14 3 a16 3 libkviewpart_la_SOURCES = canvas.cpp kview_view.cc kview_asyncio.cc libkviewpart_la_LDFLAGS = $(all_libraries) -avoid-version -module -no-undefined libkviewpart_la_LIBADD = $(LIB_KFILE) $(LIB_KPARTS) -lkdeprint d18 1 a18 1 -kview_SOURCES = dummy.C d24 4 a27 12 -kview_la_SOURCES = main.cpp viewer.cpp kview.cpp colour.cpp \ +libkview_main_la_SOURCES = main.cpp viewer.cpp kview.cpp colour.cpp \ filter.cpp filtlist.cpp \ kcproc.cpp kviewconfdialog_base.ui kviewconfdialog.cpp \ imagelistdialog_base.ui imagelistdialog.cpp \ knumdialog_base.ui knumdialog.cpp \ kfilteraction.cpp infowin_base.ui infowin.cpp -kview_la_LDFLAGS = $(all_libraries) -module -avoid-version -kview_la_LIBADD = libkviewpart.la +libkview_main_la_LDFLAGS = $(all_libraries) +libkview_main_la_LIBADD = libkviewpart.la d30 2 a31 1 +kview_la_LDFLAGS = $(all_libraries) -avoid-version -module d34 6 a39 6 test_SOURCES = libkview.la test.cpp test_LDFLAGS = $(all_libraries) -module -avoid-version @@@@ -52,9 +56,6 @@@@ srcdoc: kdoc -a -p -H -d $(HOME)/web/src/kview kview *.h -lqt -lkdecore -lkdeui -lkfile d41 2 a42 5 -dummy.C: - echo > dummy.C ###KMAKE-start (don't edit or delete this block) @ 1.1.1.1 log @Initial import of a kdegraphics3 pkg. 
@ text @@ 1.1.1.1.2.1 log @file patch-ac was added on branch buildlink2 on 2002-06-23 18:46:29 +0000 @ text @d1 50 @ 1.1.1.1.2.2 log @Merge from pkgsrc-current to buildlink2 branch. @ text @a0 50 $NetBSD: patch-ac,v 1.1.1.1.2.1 2002/06/23 18:46:29 jlam Exp $ --- kview/Makefile.am.orig Tue May 15 20:54:32 2001 +++ kview/Makefile.am @@@@ -7,25 +7,29 @@@@ METASOURCES = AUTO -lib_LTLIBRARIES = libkviewpart.la kview.la +lib_LTLIBRARIES = libkviewpart.la libkview_main.la kview.la libkviewpart_la_SOURCES = canvas.cpp kview_view.cc kview_asyncio.cc libkviewpart_la_LDFLAGS = $(all_libraries) -avoid-version -module -no-undefined libkviewpart_la_LIBADD = $(LIB_KFILE) $(LIB_KPARTS) -lkdeprint -kview_SOURCES = dummy.C +kview_SOURCES = kview_main.cpp kview_LDFLAGS = $(all_libraries) $(KDE_RPATH) -kview_LDADD = kview.la +kview_LDADD = libkview_main.la -kview_la_SOURCES = main.cpp viewer.cpp kview.cpp colour.cpp \ +libkview_main_la_SOURCES = main.cpp viewer.cpp kview.cpp colour.cpp \ filter.cpp filtlist.cpp \ kcproc.cpp kviewconfdialog_base.ui kviewconfdialog.cpp \ imagelistdialog_base.ui imagelistdialog.cpp \ knumdialog_base.ui knumdialog.cpp \ kfilteraction.cpp infowin_base.ui infowin.cpp -kview_la_LDFLAGS = $(all_libraries) -module -avoid-version -kview_la_LIBADD = libkviewpart.la +libkview_main_la_LDFLAGS = $(all_libraries) +libkview_main_la_LIBADD = libkviewpart.la + +kview_la_SOURCES = kview_main.cpp +kview_la_LDFLAGS = $(all_libraries) -avoid-version -module +kview_la_LIBADD = libkview_main.la test_SOURCES = libkview.la test.cpp test_LDFLAGS = $(all_libraries) -module -avoid-version @@@@ -52,9 +56,6 @@@@ srcdoc: kdoc -a -p -H -d $(HOME)/web/src/kview kview *.h -lqt -lkdecore -lkdeui -lkfile - -dummy.C: - echo > dummy.C ###KMAKE-start (don't edit or delete this block) @