head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.8 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.6 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.4 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.2 pkgsrc-2011Q2-base:1.4 pkgsrc-2010Q3:1.3.0.2 pkgsrc-2010Q3-base:1.3 pkgsrc-2010Q2:1.2.0.6 pkgsrc-2010Q2-base:1.2 pkgsrc-2010Q1:1.2.0.4 pkgsrc-2010Q1-base:1.2 pkgsrc-2009Q4:1.2.0.2 pkgsrc-2009Q4-base:1.2; locks; strict; comment @# @; 1.4 date 2010.11.02.15.45.12; author drochner; state dead; branches; next 1.3; 1.3 date 2010.10.01.21.32.34; author spz; state Exp; branches; next 1.2; 1.2 date 2009.11.20.15.59.59; author drochner; state Exp; branches; next 1.1; 1.1 date 2009.11.19.17.58.41; author drochner; state Exp; branches; next ; desc @@ 1.4 log @update to 0.14.4 changes: -bugfixes (in particular for security issues which were patched in pkgsrc) -fixed memory leaks @ text @$NetBSD: patch-ap,v 1.3 2010/10/01 21:32:34 spz Exp $ https://bugs.freedesktop.org/show_bug.cgi?id=25189 plus security fixes for http://secunia.com/advisories/41596/ taken from http://cgit.freedesktop.org/poppler/ - Make sure obj1 is a num before reading it - Fix crash in broken pdf (parser->getStream() is 0) - Properly initialize parser - Give a value to color.c[i] --- poppler/Gfx.cc.orig 2010-08-11 19:20:32.000000000 +0000 +++ poppler/Gfx.cc @@@@ -536,6 +536,7 @@@@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, i drawText = gFalse; maskHaveCSPattern = gFalse; mcStack = NULL; + parser = NULL; // start the resource stack res = new GfxResources(xref, resDict, NULL); @@@@ -590,6 +591,7 @@@@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, D drawText = gFalse; maskHaveCSPattern = gFalse; mcStack = NULL; + parser = NULL; // start the resource stack res = new GfxResources(xref, resDict, NULL); @@@@ -1531,6 +1533,8 @@@@ void Gfx::opSetFillColorN(Object args[], for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this 
is what Adobe does } } state->setFillColor(&color); @@@@ -1550,6 +1554,8 @@@@ void Gfx::opSetFillColorN(Object args[], for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setFillColor(&color); @@@@ -1574,6 +1580,8 @@@@ void Gfx::opSetStrokeColorN(Object args[ for (i = 0; i < numArgs - 1 && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setStrokeColor(&color); @@@@ -1593,6 +1601,8 @@@@ void Gfx::opSetStrokeColorN(Object args[ for (i = 0; i < numArgs && i < gfxColorMaxComps; ++i) { if (args[i].isNum()) { color.c[i] = dblToCol(args[i].getNum()); + } else { + color.c[i] = 0; // TODO Investigate if this is what Adobe does } } state->setStrokeColor(&color); @@@@ -2421,7 +2431,7 @@@@ static void bubbleSort(double array[]) void Gfx::doAxialShFill(GfxAxialShading *shading) { double xMin, yMin, xMax, yMax; double x0, y0, x1, y1; - double dx, dy, mul; + double dx, dy, len2; GBool dxZero, dyZero; double bboxIntersections[4]; double tMin, tMax, tx, ty; @@@@ -2443,16 +2453,18 @@@@ void Gfx::doAxialShFill(GfxAxialShading shading->getCoords(&x0, &y0, &x1, &y1); dx = x1 - x0; dy = y1 - y0; - dxZero = fabs(dx) < 0.01; - dyZero = fabs(dy) < 0.01; - if (dxZero && dyZero) { - tMin = tMax = 0; + dxZero = (dx == 0.0); + dyZero = (dy == 0.0); + len2 = dx * dx + dy * dy; + if (len2 == 0.0) { + /* invalid? 
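Review bot: In the four opSetFillColorN / opSetStrokeColorN hunks the new `else` branch only covers indices below numArgs, so any `color.c[i]` from numArgs up to gfxColorMaxComps is still never assigned by these loops. If the active colour space expects more components than the content stream supplied, setFillColor/setStrokeColor may still read indeterminate values driven by a file-controlled operand list. The declaration of `color` and any earlier initialisation are outside the hunks, so this needs confirming. Zeroing the whole array before each loop, e.g. `for (i = 0; i < gfxColorMaxComps; ++i) color.c[i] = 0;`, would close the gap and make the per-element `else` unnecessary.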
*/ + tMin = 0; + tMax = 1; } else { - mul = 1 / (dx * dx + dy * dy); - bboxIntersections[0] = ((xMin - x0) * dx + (yMin - y0) * dy) * mul; - bboxIntersections[1] = ((xMin - x0) * dx + (yMax - y0) * dy) * mul; - bboxIntersections[2] = ((xMax - x0) * dx + (yMin - y0) * dy) * mul; - bboxIntersections[3] = ((xMax - x0) * dx + (yMax - y0) * dy) * mul; + bboxIntersections[0] = ((xMin - x0) * dx + (yMin - y0) * dy) / len2; + bboxIntersections[1] = ((xMin - x0) * dx + (yMax - y0) * dy) / len2; + bboxIntersections[2] = ((xMax - x0) * dx + (yMin - y0) * dy) / len2; + bboxIntersections[3] = ((xMax - x0) * dx + (yMax - y0) * dy) / len2; bubbleSort(bboxIntersections); tMin = bboxIntersections[0]; tMax = bboxIntersections[3]; @@@@ -4225,8 +4237,14 @@@@ void Gfx::doForm(Object *str) { } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); @@@@ -4449,8 +4467,13 @@@@ Stream *Gfx::buildImageStream() { obj.free(); // make stream - str = new EmbedStream(parser->getStream(), &dict, gFalse, 0); - str = str->addFilters(&dict); + if (parser->getStream()) { + str = new EmbedStream(parser->getStream(), &dict, gFalse, 0); + str = str->addFilters(&dict); + } else { + str = NULL; + dict.free(); + } return str; } @@@@ -4651,8 +4674,14 @@@@ void Gfx::drawAnnot(Object *str, AnnotBo } for (i = 0; i < 4; ++i) { bboxObj.arrayGet(i, &obj1); - bbox[i] = obj1.getNum(); - obj1.free(); + if (likely(obj1.isNum())) { + bbox[i] = obj1.getNum(); + obj1.free(); + } else { + obj1.free(); + error(getPos(), "Bad form bounding box value"); + return; + } } bboxObj.free(); @ 1.3 log @security fixes from and for http://secunia.com/advisories/41596/ plus the necessary backporting to poppler-0.14.2 (and a pkgrev bump): poppler/Form.cc 
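Review bot: The `/* invalid? */` comment in Gfx::doAxialShFill does not say why tMin = 0 and tMax = 1 are chosen when len2 is zero. Going by the 1.1 and 1.2 log messages, the aim is to keep tMax different from tMin so the later division by (tMax - tMin) cannot yield NaN. That is worth stating, e.g. `/* degenerate axis (start == end): keep tMin != tMax so (t - tMin)/(tMax - tMin) stays finite */`. Note also that `len2 == 0.0` is false when a coordinate is NaN or infinite, so non-finite values from the shading dictionary would still reach the divisions; whether getCoords can return such values is not visible here. The function body starts before and continues after the hunk.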
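Review bot: The new early `return` in Gfx::doForm skips the `bboxObj.free();` that follows the loop, so a form whose BBox holds a non-numeric entry leaks the array each time this path is taken. The drawAnnot hunk at the end of the patch has the same pattern. Freeing it on the error path fixes both: `obj1.free(); bboxObj.free(); error(getPos(), "Bad form bounding box value"); return;`. Any other Objects fetched earlier in either function are outside the hunks and should be checked for the same early-exit leak.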
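Review bot: Gfx::buildImageStream can now return NULL when `parser->getStream()` is 0, which moves the crash risk to the callers unless each of them tests the result before use; the call sites are outside this hunk. The getter is also called twice, so reading it once into a local (`Stream *base = parser->getStream();`) and testing that would tie the check and the use to the same value. `parser` itself is dereferenced without a check, which is only safe if this function is never reached while it still holds the NULL that the constructors now assign.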
http://cgit.freedesktop.org/poppler/poppler/commit/?id=473de6f88a055bb03470b4af5fa584be8cb5fda4 Fix memory leak if obj2 is not a dict poppler/Dict.h poppler/Form.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=d2578bd66129466b2dd114b6407c147598e09d2b Avoid loops in Form::fieldLookup poppler/Stream.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=c6a091512745771894b54a71613fd6b5ca1adcb3 Fix memory leak fofi/FoFiType1.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473 Fix crash in broken pdf (code < 0) poppler/Decrypt.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=a2dab0238a69240dad08eca2083110b52ce488b7 Initialize properly charactersRead poppler/Gfx.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=2fe825deac055be82b220d0127169cb3d61387a8 Make sure obj1 is a num before reading it poppler/Gfx.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=3422638b2a39cbdd33a114a7d7debc0a5f688501 Fix crash in broken pdf (parser->getStream() is 0) poppler/Gfx.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf Properly initialize parser poppler/Gfx.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=dfdf3602bde47d1be7788a44722c258bfa0c6d6e Give a value to color.c[i] poppler/Function.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=bf2055088a3a2d3bb3d3c37d464954ec1a25771f Properly initialize stack poppler/Function.cc http://cgit.freedesktop.org/poppler/poppler/commit/?id=26a5817ffec9f05ac63db6c5cd5b1f0871d271c7 Fix crash when idx is out of range @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @do the fix for possible division by zero more elegant, and add a reference to the upstream bug report @ text @d4 2 d7 6 a12 1 --- poppler/Gfx.cc.orig 2009-10-23 21:44:04.000000000 +0200 d14 53 a66 1 @@@@ -2367,7 +2367,7 @@@@ static void bubbleSort(double array[]) d75 1 a75 1 @@@@ -2389,16 +2389,18 @@@@ void Gfx::doAxialShFill(GfxAxialShading d103 50 @ 
1.1 log @The code which calculates linear gradients divides by zero under some circumstances. This leads to NaNs passed to cairo which makes that literally "nan" is inserted into the output file when printing. The resulting file crashes ghostscript, and also poppler when it is fed to it again. I didn't read PDF specs yet to understand where the math is failing, just avoided the division by zero. @ text @d3 3 a5 1 --- poppler/Gfx.cc.orig 2009-09-09 23:25:11.000000000 +0200 d7 37 a43 28 @@@@ -2462,7 +2462,10 @@@@ void Gfx::doAxialShFill(GfxAxialShading if (out->useFillColorStop()) { // make sure we add stop color when t = tMin state->setFillColor(&color0); - out->updateFillColorStop(state, (tt - tMin)/(tMax - tMin)); + if (tMax == tMin) + out->updateFillColorStop(state, tMin); + else + out->updateFillColorStop(state, (tt - tMin)/(tMax - tMin)); } // compute the coordinates of the point on the t axis at t = tMin; @@@@ -2602,9 +2605,12 @@@@ void Gfx::doAxialShFill(GfxAxialShading // set the color state->setFillColor(&color0); - if (out->useFillColorStop()) - out->updateFillColorStop(state, (ta[j] - tMin)/(tMax - tMin)); - else + if (out->useFillColorStop()) { + if (tMax == tMin) + out->updateFillColorStop(state, tMin); + else + out->updateFillColorStop(state, (ta[j] - tMin)/(tMax - tMin)); + } else out->updateFillColor(state); if (needExtend) { @