packages/ghostscript
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync some patches from community

Browse Source
This commit is contained in:
wangchen2020 2020-09-03 15:54:45 +08:00
parent e0a9c656b6
commit 2562b03d38
25 changed files with 1435 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch Normal file
View File

@ -0,0 +1,44 @@
From efd0b47fe66a99097e200d76be1a4846ae2ef692 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 6 May 2020 18:01:07 +0100
Subject: [PATCH] Bug 697545 : Prevent memory leak in gx_path_assign_free.
Prevent memory leak by freeing path on all errors.
Error created using :-
MEMENTO_FAILAT=16246 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5cfts/fts.2120
---
base/gxpath.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/base/gxpath.c b/base/gxpath.c
index 4593d67..ffdea76 100644
--- a/base/gxpath.c
+++ b/base/gxpath.c
@@ -323,6 +323,7 @@ gx_path_assign_preserve(gx_path * ppto, gx_path * ppfrom)
int
gx_path_assign_free(gx_path * ppto, gx_path * ppfrom)
{
+ int code = 0;
/*
* Detect the special case where both paths have non-shared local
* segments, since we can avoid allocating new segments in this case.
@@ -349,13 +350,10 @@ gx_path_assign_free(gx_path * ppto, gx_path * ppfrom)
#undef tosegs
} else {
/* In all other cases, just do assign + free. */
- int code = gx_path_assign_preserve(ppto, ppfrom);
-
- if (code < 0)
- return code;
+ code = gx_path_assign_preserve(ppto, ppfrom);
}
gx_path_free(ppfrom, "gx_path_assign_free");
- return 0;
+ return code;
}
/*
--
1.8.3.1

105
Bug-697545-Prevent-numerous-memory-leaks.patch Normal file
View File

@ -0,0 +1,105 @@
From 9e553991e4c99814eb342d83b4fb42b5af457390 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Fri, 8 May 2020 21:50:30 +0100
Subject: [PATCH] Bug 697545 : Prevent numerous memory leaks.
Prevent memory leaks by propagating error codes and freeing loose objects.
Also resolve some compiler warnings.
Error created using :-
EMENTO_FAILAT=19484 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5efts/fts.0051
---
base/gscspace.c | 11 +++++++----
base/gxclrast.c | 10 ++++++++--
base/gxcpath.c | 4 +++-
3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/base/gscspace.c b/base/gscspace.c
index aa3e3cf..f00bdba 100644
--- a/base/gscspace.c
+++ b/base/gscspace.c
@@ -329,8 +329,11 @@ gx_install_DeviceGray(gs_color_space * pcs, gs_gstate * pgs)
return 0;
/* If we haven't initialised the iccmanager, do it now. */
- if (pgs->icc_manager->default_gray == NULL)
- gsicc_init_iccmanager(pgs);
+ if (pgs->icc_manager->default_gray == NULL) {
+ int code = gsicc_init_iccmanager(pgs);
+ if (code < 0)
+ return code;
+ }
/* pcs takes a reference to the default_gray profile data */
pcs->cmm_icc_profile_data = pgs->icc_manager->default_gray;
@@ -677,7 +680,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs)
}
if_debug1m(gs_debug_flag_overprint, pgs->memory,
- "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", drawn_comps);
+ "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", (uint)drawn_comps);
if (drawn_comps == 0)
return gx_spot_colors_set_overprint(pcs, pgs);
@@ -760,7 +763,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs)
if_debug2m(gs_debug_flag_overprint, pgs->memory,
"[overprint] gx_set_overprint_cmyk. retain_any_comps = %d, drawn_comps = 0x%x\n",
- params.retain_any_comps, params.drawn_comps);
+ params.retain_any_comps, (uint)(params.drawn_comps));
/* We are in CMYK, the profiles match and overprint is true. Set effective
overprint mode to overprint mode but only if effective has not already
diff --git a/base/gxclrast.c b/base/gxclrast.c
index 4e75d3e..65df9bd 100644
--- a/base/gxclrast.c
+++ b/base/gxclrast.c
@@ -612,6 +612,8 @@ in: /* Initialize for a new page. */
memset(&gs_gstate, 0, sizeof(gs_gstate));
GS_STATE_INIT_VALUES_CLIST((&gs_gstate));
code = gs_gstate_initialize(&gs_gstate, mem);
+ if (code < 0)
+ goto out;
gs_gstate.device = tdev;
gs_gstate.view_clip = NULL; /* Avoid issues in pdf14 fill stroke */
gs_gstate.clip_path = &clip_path;
@@ -620,7 +622,9 @@ in: /* Initialize for a new page. */
code = gs_note_error(gs_error_VMerror);
goto out;
}
- pcs->type->install_cspace(pcs, &gs_gstate);
+ code = pcs->type->install_cspace(pcs, &gs_gstate);
+ if (code < 0)
+ goto out;
gs_gstate.color[0].color_space = pcs;
rc_increment_cs(pcs);
gs_gstate.color[1].color_space = pcs;
@@ -2383,6 +2387,8 @@ idata: data_size = 0;
if (code < 0) {
if (pfs.dev != NULL)
term_patch_fill_state(&pfs);
+ gs_free_object(mem, pcs, "clist_playback_band(pcs)");
+ gs_free_object(mem, cbuf_storage, "clist_playback_band(cbuf_storage)");
gx_cpath_free(&clip_path, "clist_playback_band");
if (pcpath != &clip_path)
gx_cpath_free(pcpath, "clist_playback_band");
diff --git a/base/gxcpath.c b/base/gxcpath.c
index d9518b8..082c389 100644
--- a/base/gxcpath.c
+++ b/base/gxcpath.c
@@ -403,8 +403,10 @@ gx_cpath_path_list_new(gs_memory_t *mem, gx_clip_path *pcpath, int rule,
rc_init_free(pcplist, mem, 1, rc_free_cpath_path_list);
if (pcpath!=NULL && !pcpath->path_valid) {
code = gx_path_init_contained_shared(&pcplist->path, NULL, mem, cname);
- if (code < 0)
+ if (code < 0) {
+ gs_free_object(mem, pcplist, "gx_cpath_path_list_new");
return code;
+ }
code = gx_cpath_to_path(pcpath, &pcplist->path);
} else {
gx_path_init_local(&pcplist->path, mem);
--
1.8.3.1

40
Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch Normal file
View File

@ -0,0 +1,40 @@
From ea9b3a676a516a603fabb593085d14a67356db6f Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 17 Oct 2019 01:48:00 +0200
Subject: [PATCH] Bug 701721: jbig2dec: Fix under/overflow handling in
arithmetic integer decoder.
The previous detection logic caused GCC's -Wlogical-op to trip.
Not only that, but the detection logic never took into account
that underflow is not possible (the worst case is V == INT32_MIN,
but offset is always > 0, so underflow cannot happen), nor take
varying offset values into account (hardcoded limits meant that
the offset was ignored even if it could not cause an overflow),
but instead could cause non-clamped values to be emitted.
This corrected logic adheres to the Annex A. Table A.1 in the specification.
---
jbig2dec/jbig2_arith_int.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c
index 7ad47ad..20b62df 100644
--- a/jbig2dec/jbig2_arith_int.c
+++ b/jbig2dec/jbig2_arith_int.c
@@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a
V = (V << 1) | bit;
}
- /* make sure not to underflow/overflow 32 bit value */
- if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436)
+ /* offset is always >=0, so underflow can't happen. */
+ /* avoid overflow by clamping 32 bit value. */
+ if (V > INT32_MAX - offset)
+ V = INT32_MAX;
+ else
V += offset;
V = S ? -V : V;
*p_result = V;
--
1.8.3.1

122
Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch Normal file
View File

@ -0,0 +1,122 @@
From 9dc0eb31d79bf819c97420aaf2f6fc5cf3a52c10 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Wed, 18 Mar 2020 15:11:01 +0000
Subject: [PATCH] Bug 702196: Fix incorrect detection of "thin" lines while
stroking.
When stroking lines, we spot whether a line is 'thin' (i.e. the
perpendicular width of the line is less than 1 pixel), and handle
those cases specially by using custom 'thin line' routines. This
gives more pleasing results than slavishly following the 'any part
of a pixel' rule.
The current code makes this determination in 2 places. Firstly,
we calculate 'always_thin', by scaling the perpendicular vector
and seeing if all possible lines will be 'thin'. Secondly, in
the case when we aren't 'always_thin', we calculate it for each
line segment in turn by calling 'width_is_thin'.
Unfortunately, the threshold used for the simple early rejection
test in 'width_is_thin' is wrong. Rather than checking against
0.5, we should be checking against sqrt(1/8). This causes lines
near 45 degrees to be improperly treated as thin. This is a
simple fix.
This gives lots of progressions - so many that you wonder how we
never spotted this before.
Unfortunately, buried in these progressions, there are a few files
which, while improved, are still imperfect.
In some files, that use 'non-uniform' scales, (such as
(53 0 0 21 0 0 )) a stroke of constant width can 'pop' between
thick and thin as we move around the path; a near vertical
line segment may be thin, whereas a near horizontal line segment
might be thick due to the difference in scale. This is visually
jarring.
To fix this, therefore, we'd need to modify the width_is_thin
testing in non-uniform cases, so that it gives us the same results
all the way around. Doing this would be complex, and ultimately
actually ends up equivalent to us just relying on "always_thin"
(with the exception of strictly vertical and horizontal line
segements). We therefore disable the non-orthogonal test in
'width_is_thin' entirely.
---
base/gxstroke.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 47 insertions(+), 5 deletions(-)
diff --git a/base/gxstroke.c b/base/gxstroke.c
index 52c1543..399c914 100644
--- a/base/gxstroke.c
+++ b/base/gxstroke.c
@@ -1093,12 +1093,51 @@ width_is_thin(pl_ptr plp)
if ((dx = plp->vector.x) == 0)
return any_abs(wx) < fixed_half;
- /*
- * If both horizontal and vertical widths are less than
- * 0.5, the line is thin.
+ /* For the longest time, we used to have a test here that
+ * attempted to trivially accept diagonal lines as being
+ * thin based on the components of the perpendicular
+ * width vector in device space as both being less than 0.5.
+ * Bug 702196 showed some examples where this was clearly
+ * wrong.
+ *
+ * The cause for this bug was that the 0.5 figure was wrong.
+ * For the point to be less than 1/2 a pixel perpendicular
+ * distant from the line, we'd need x^2 + y^2 < .5^2.
+ * For a 45 degree line, that'd be 2(x^2) < 1/4 = x^2 < 1/8
+ * or x < sqr(1/8). 45 degree line is the "worst case", so
+ * if both horizontal and vertical widths are less than
+ * sqr(1/8), the line is thin. sqr(1/8) = 0.35355339059.
+ * So, we should be using sqr(1/8) rather than 0.5.
+ *
+ * Fixing this did indeed produce many many progressions,
+ * but left just the odd file still showing problems.
+ *
+ * Further investigations show that those cases were due to
+ * the use of "non-uniform" scaling matrices, for example
+ * (83 0 0 51 0 0). With such matrices, it's possible for
+ * nearly horizontal lines to be thin, but nearly vertical
+ * ones to be thick (or vice versa). Having the style of
+ * line "pop" between thick and thin in a single stroke
+ * looks very noticeable.
+ *
+ * We could change the trivial optimisation below to only
+ * apply in the 'uniform' case, but that would never actually
+ * trigger (as tested on the cluster), because all such
+ * cases are caught by the "always_thin" condition in the
+ * caller.
+ *
+ * Just removing the trivial test and leaving the 'complicated'
+ * test below us would leave us vulnerable to "popping",
+ * so we disable both. In practice this makes no difference
+ * to the number of tests showing diffs in the cluster.
*/
- if (any_abs(wx) < fixed_half && any_abs(wy) < fixed_half)
- return true;
+#if 0 /* DISABLED TEST, see above */
+ {
+ /* thin_threshold = fixed sqr(1/8) - see above. */
+ const fixed thin_threshold = float2fixed(0.35355339059f);
+ if (any_abs(wx) < thin_threshold && any_abs(wy) < thin_threshold)
+ return true;
+ }
/*
* We have to do this the hard way, by actually computing the
@@ -1116,6 +1155,9 @@ width_is_thin(pl_ptr plp)
/* so we don't need to do any de-scaling for the test. */
return fabs(num) < denom * 0.5;
}
+#else
+ return false;
+#endif
}
/* Adjust the endpoints and width of a stroke segment along a specified axis */
--
1.8.3.1

54
Bug-702320-Valgrind-complains-about-UMR.patch Normal file
View File

@ -0,0 +1,54 @@
From b503c46c124cf5aaa82a71e28f624f2ef2b71e71 Mon Sep 17 00:00:00 2001
From: ray <Ray.Johnston@artifex.com>
Date: Fri, 10 Apr 2020 15:35:02 -0700
Subject: [PATCH] Bug 702320: Valgrind complains about UMR.
The file for this bug does show that the stroke_color stack based struct
in not initialized. Init fill_color and stroke_color. This is probably a
bug tail from the fill_stroke commit.
Also explicitly set 'zeros' to 0 to clarify the expected contents.
---
base/gxclbits.c | 3 +--
base/gxclrast.c | 4 ++--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/base/gxclbits.c b/base/gxclbits.c
index 3c65af9..519cdac 100644
--- a/base/gxclbits.c
+++ b/base/gxclbits.c
@@ -82,7 +82,7 @@ go_process(stream_state * st, stream_cursor_read *pr, stream_cursor_write *pw, b
return -1;
return 0;
}
-static byte zeros[1<<align_bitmap_mod];
+static byte zeros[1<<align_bitmap_mod] = { 0, };
static int
cmd_compress_bitmap(stream_state * st, const byte * data, uint width_bits,
uint raster, uint height, stream_cursor_write * pw)
@@ -110,7 +110,6 @@ cmd_compress_bitmap(stream_state * st, const byte * data, uint width_bits,
byte b = r.ptr[1] & mask;
r2.limit = &b;
r2.ptr = r2.limit-1;
-
status = go_process(st, &r2, pw, false);
if (status)
break;
diff --git a/base/gxclrast.c b/base/gxclrast.c
index 4d91fa4..4e75d3e 100644
--- a/base/gxclrast.c
+++ b/base/gxclrast.c
@@ -510,8 +510,8 @@ clist_playback_band(clist_playback_action playback_action,
} clip_save;
bool in_clip = false;
gs_gstate gs_gstate;
- gx_device_color fill_color;
- gx_device_color stroke_color;
+ gx_device_color fill_color = { 0 };
+ gx_device_color stroke_color = { 0 };
float dash_pattern[cmd_max_dash];
gx_fill_params fill_params;
gx_stroke_params stroke_params;
--
1.8.3.1

39
Bug-702322-fix-uninitalized-data-reads.patch Normal file
View File

@ -0,0 +1,39 @@
From 87688cd48fb52c305e159b785bd184232426a766 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 9 Apr 2020 09:40:05 +0100
Subject: [PATCH] Bug 702322: fix uninitalized data reads
gs_scan_token() keeps a local copy of the scanner state, and copies from and to
the scanner state that is passed into it. There are several code paths that
can leave some important entries in the structure uninitalized when we copy the
local copy to the parameter.
This just ensures those specific entries are always set to *something* sane.
---
psi/iscan.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/psi/iscan.c b/psi/iscan.c
index 9b7151a..32d910f 100644
--- a/psi/iscan.c
+++ b/psi/iscan.c
@@ -535,6 +535,16 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate)
return_error(gs_error_Fatal);
}
}
+ else {
+ /* We *may* use these in the event of returning to this function after
+ * a interruption, but not every code path below sets them. Set them
+ * to sane values here for safety. We can write the contents of sstate
+ * (back) to pstate before returning.
+ */
+ sstate.s_da.base = sstate.s_da.next = &(sstate.s_da.buf[0]);
+ sstate.s_da.limit = sstate.s_da.next;
+ sstate.s_da.is_dynamic = false;
+ }
/* Fetch any state variables that are relevant even if */
/* sstate.s_scan_type == scanning_none. */
sstate.s_pstack = pstate->s_pstack;
--
1.8.3.1

46
Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch Normal file
View File

@ -0,0 +1,46 @@
From 60a535f9f49fece2761a1c0c8069f87f7514182c Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Fri, 17 Apr 2020 16:22:06 +0800
Subject: [PATCH] Bug 702335: jbig2dec: Refill input buffer upon failure to
parse segment header.
Before commit 2b2dcf4ccf401ed210f03c858b304994749fd2b3 there was
a debug message when attempting to parse a a segment header and
the data supplied to jbig2dec was not enough. Commit 2b2dcf4
incorrectly changed the debug message into a fatal error message,
due misinterpreting the message text as something that warranted
a fatal error.
When data was supplied in chunks to jbig2_data_in() in repeated
calls such that a segment header's referred-to segment numbers
field straddled a chunk boundary then jbig2dec would indicate a
fatal error. The file in bug 702335 caused this to happen.
Instead jbig2dec should be asking the caller for more data so
that the entire segment header can be parsed during a single call
to jbig2_data_in().
By convering the fatal error back to a a debug message the problem
is resolved. The message itself is also rewored to clearly
indicate that the situation is non-fatal and that the caller will
be asked to provide more data.
---
jbig2dec/jbig2_segment.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c
index f901a03..d5c4075 100644
--- a/jbig2dec/jbig2_segment.c
+++ b/jbig2dec/jbig2_segment.c
@@ -88,7 +88,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
referred_to_segment_size = result->number <= 256 ? 1 : result->number <= 65536 ? 2 : 4; /* 7.2.5 */
pa_size = result->flags & 0x40 ? 4 : 1; /* 7.2.6 */
if (offset + referred_to_segment_count * referred_to_segment_size + pa_size + 4 > buf_size) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, result->number, "insufficient data to parse segment header");
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, result->number, "attempted to parse segment header with insufficient data, asking for more data");
jbig2_free(ctx->allocator, result);
return NULL;
}
--
1.8.3.1

27
Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch Normal file
View File

@ -0,0 +1,27 @@
From b8bda01581b94e9159533460cfe79436f4d5ac21 Mon Sep 17 00:00:00 2001
From: Michael Vrhel <michael.vrhel@artifex.com>
Date: Mon, 30 Mar 2020 14:47:25 -0700
Subject: [PATCH] Coverity 94826 Add missing offset to buffer size used for
clist cmd.
---
base/gxclpath.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/gxclpath.c b/base/gxclpath.c
index b2b946d..4a8902d 100644
--- a/base/gxclpath.c
+++ b/base/gxclpath.c
@@ -486,7 +486,8 @@ cmd_write_unknown(gx_device_clist_writer * cldev, gx_clist_state * pcls,
sizeof(float) + /* line width */
sizeof(float) + /* miter limit */
3 + /* bm_tk, op, and rend intent */
- sizeof(float) * 2 + /* opacity/shape alpha */
+ sizeof(cldev->gs_gstate.alphaisshape) +
+ sizeof(float) * 2 + /* ca CA */
sizeof(cldev->gs_gstate.alpha)
];
byte *bp = buf;
--
1.8.3.1

51
Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch Normal file
View File

@ -0,0 +1,51 @@
From 6a3c36f8c5e83448f5d1e5f24ee01c0e80a92877 Mon Sep 17 00:00:00 2001
From: Ray Johnston <ray.johnston@artifex.com>
Date: Fri, 27 Mar 2020 13:54:02 -0700
Subject: [PATCH] Fix Bug 702177: VMerrors with some BufferSpace and/or -K
limits.
Interestingly, the two examples given in the bug succeed on Windows 64
but don't on linux. The difference is due to an 8 byte difference in the
size of gx_clist_state (the per band writer state). In the case of the
Bug690546.pdf file, the space left in the BufferSpace area after the
logic increased it was only 2,200 bytes on linux, but was 12k bytes on
Windows (it made an extra pass through the automatic "increase space"
loop in gdev_prn_setup_as_command_list. Fix the calculation in
clist_init_states so that the amount of extra space corresponds to the
amount expected by clist command writing (data_bits_size + cmd_largest_size)
rather than the insufficient and arbitrary "100".
Note that although the Bug692057.pdf returned VMerror from cmd_put_list_op, the
'fallback; method of gx_default_strip_tile_rectangle still produces the SAME
raster from psdcmyk16 and does not change the performance or clist file size
Robin's commit cbee0840 fixed this case.
---
base/gxclist.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/base/gxclist.c b/base/gxclist.c
index 1819e58..667d9c0 100644
--- a/base/gxclist.c
+++ b/base/gxclist.c
@@ -355,12 +355,13 @@ clist_init_states(gx_device * dev, byte * init_data, uint data_size)
/* Align to the natural boundary for ARM processors, bug 689600 */
long alignment = (-(long)init_data) & (sizeof(init_data) - 1);
- /*
- * The +100 in the next line is bogus, but we don't know what the
- * real check should be. We're effectively assuring that at least 100
- * bytes will be available to buffer command operands.
+ /* Leave enough room after states for commands that write a reasonable
+ * amount of data. The cmd_largest_size and the data_bits_size should be
+ * enough to buffer command operands. The data_bits_size is the level
+ * at which commands should expect to split data across buffers. If this
+ * extra space is a little large, it doesn't really hurt.
*/
- if (state_size + sizeof(cmd_prefix) + cmd_largest_size + 100 + alignment > data_size)
+ if (state_size + sizeof(cmd_prefix) + cmd_largest_size + data_bits_size + alignment > data_size)
return_error(gs_error_rangecheck);
/* The end buffer position is not affected by alignment */
cdev->cend = init_data + data_size;
--
1.8.3.1

74
Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch Normal file
View File

@ -0,0 +1,74 @@
From cca279886b3bbb4d3af5768880565c9f7b372c08 Mon Sep 17 00:00:00 2001
From: ray <Ray.Johnston@artifex.com>
Date: Mon, 23 Mar 2020 15:27:37 -0700
Subject: [PATCH] Fix Bug 702181: SEGV when BufferSpace is at or above -K alloc
limit
The issue with this file is that one of the pages is done in page mode because
it was so small, but the 'resize' call when doing page 2 was not checking the
allocation request against the limit, so the malloc would succeed, but the very
next (and all subsequent) allocations would fail. The gdev_prn_allocate would
capture the ecode, but would still call the clist_enable_multi_thread_render
resulting in the SEGV.
Add the check in the gs_heap_resize_object function, and make sure and leave
the 'monitor' after failure, then don't call clist_enable_multi_thread if the
resize failed.
---
base/gdevprn.c | 14 ++++++++------
base/gsmalloc.c | 11 ++++++++++-
2 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/base/gdevprn.c b/base/gdevprn.c
index c365509..ed89cd7 100644
--- a/base/gdevprn.c
+++ b/base/gdevprn.c
@@ -520,13 +520,15 @@ gdev_prn_allocate(gx_device *pdev, gdev_prn_space_params *new_space_params,
if (ecode == 0)
ecode = code;
- if ( code >= 0 || (reallocate && pass > 1) )
+ if (code >= 0 || (reallocate && pass > 1))
ppdev->procs = gs_clist_device_procs;
- /*
- * Now the device is a clist device, we enable multi-threaded rendering.
- * It will remain enabled, but that doesn't really cause any problems.
- */
- clist_enable_multi_thread_render(pdev);
+ if (code > 0) {
+ /*
+ * Now the device is a clist device, we enable multi-threaded rendering.
+ * It will remain enabled, but that doesn't really cause any problems.
+ */
+ clist_enable_multi_thread_render(pdev);
+ }
} else {
/* Render entirely in memory. */
gx_device *bdev = (gx_device *)pmemdev;
diff --git a/base/gsmalloc.c b/base/gsmalloc.c
index 14979e8..2fbccab 100644
--- a/base/gsmalloc.c
+++ b/base/gsmalloc.c
@@ -279,9 +279,18 @@ gs_heap_resize_object(gs_memory_t * mem, void *obj, size_t new_num_elements,
return obj;
if (mmem->monitor)
gx_monitor_enter(mmem->monitor); /* Exclusive access */
+ if (new_size > mmem->limit - sizeof(gs_malloc_block_t)) {
+ /* too large to allocate; also avoids overflow. */
+ if (mmem->monitor)
+ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */
+ return 0;
+ }
new_ptr = (gs_malloc_block_t *) gs_realloc(ptr, old_size, new_size);
- if (new_ptr == 0)
+ if (new_ptr == 0) {
+ if (mmem->monitor)
+ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */
return 0;
+ }
if (new_ptr->prev)
new_ptr->prev->next = new_ptr;
else
--
1.8.3.1

44
Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch Normal file
View File

@ -0,0 +1,44 @@
From d49dbf133ac49d09d626bab08ee92835a50a646a Mon Sep 17 00:00:00 2001
From: ray <Ray.Johnston@artifex.com>
Date: Tue, 24 Mar 2020 16:49:13 -0700
Subject: [PATCH] Fix bug 702182: VMerror due to leaks in pattern cache due to
locking.
If the tile being loaded by the clist reader was already in the cache and
was locked, the slot would be re-loaded (with the same tile) without freeing
up the previously loaded tile. It would be nicer to be able to skip reading
the tile in this case, but we need to consume the data from the clist sequence,
so just unlock it so it can be freed, then re-load it (presumably setting the
lock again).
---
base/gsptype1.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/base/gsptype1.c b/base/gsptype1.c
index 7d4714f..c39f039 100644
--- a/base/gsptype1.c
+++ b/base/gsptype1.c
@@ -2117,8 +2117,20 @@ gx_dc_pattern_read(
/* the following works for raster or clist patterns */
cache_space_needed = buf.size_b + buf.size_c;
}
+
+ /* Free up any unlocked patterns if needed */
gx_pattern_cache_ensure_space((gs_gstate *)pgs, cache_space_needed);
+ /* If the pattern tile is already in the cache, make sure it isn't locked */
+ /* The lock will be reset below, but the read logic needs to finish loading the pattern. */
+ ptile = &(pgs->pattern_cache->tiles[buf.id % pgs->pattern_cache->num_tiles]);
+ if (ptile->id != gs_no_id && ptile->is_locked) {
+ /* we shouldn't have miltiple tiles locked, but check if OK before unlocking */
+ if (ptile->id != buf.id)
+ return_error(gs_error_unregistered); /* can't unlock some other tile in this slot */
+ code = gx_pattern_cache_entry_set_lock(pgs, buf.id, false); /* make sure not locked */
+ }
+ /* get_entry will free the tile in the cache slot if it isn't empty */
code = gx_pattern_cache_get_entry((gs_gstate *)pgs, /* Break 'const'. */
buf.id, &ptile);
if (code < 0)
--
1.8.3.1

74
Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch Normal file
View File

@ -0,0 +1,74 @@
From b09cbe8e577fb14504932dc8d9096187ec4e0840 Mon Sep 17 00:00:00 2001
From: Ray Johnston <ray.johnston@artifex.com>
Date: Sun, 29 Mar 2020 15:32:36 -0700
Subject: [PATCH] Fix infinite loop in PDF interpreter 'pagespotcolors'
procedure
The file tests_private/pdf/uploads/poc1_pdf_gs.pdf has the single page
Parent object as itself. This only showed up with "DeviceN" devices that
search the PDF for the number of spot colorants on the page.
Note that this file is broken in other respects since it has a /Count
of 9 pages, but only a single page. This change also adds handling for
the //null object returned when a page isn't found since there isn't
actually a second page, and adds an error message when this is the case.
---
Resource/Init/pdf_main.ps | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps
index 2d896b2..7a3b91f 100644
--- a/Resource/Init/pdf_main.ps
+++ b/Resource/Init/pdf_main.ps
@@ -513,7 +513,12 @@ currentdict /runpdfstring .undef
{
dup /Page# exch store
QUIET not { (Page ) print dup //== exec flush } if
- pdfgetpage pdfshowpage
+ pdfgetpage
+ dup //null ne { pdfshowpage } {
+ ( **** Error: Page #) pdfformaterror Page# 10 string cvs pdfformaterror
+ ( not found.\n) pdfformaterror
+ /dopdfpages cvx /syntaxerror signalerror
+ } ifelse
}{
pop
}ifelse
@@ -2076,14 +2081,19 @@ currentdict /xref-char-dict undef
/pdffindpageref { % <int> pdffindpage <objref>
dup pdffindpage?
% Stack: index countleft noderef
- 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if
- exch pop
- PageIndex 2 index 1 sub 65533 .min 2 index oforce put
- PageNumbers 1 index oforce 3 index dup 65534 le
- { put }
- { pop pop pop } % don't store more than 65534 pagenumbers
+ dup //null ne {
+ 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if
+ exch pop
+ PageIndex 2 index 1 sub 65533 .min 2 index oforce put
+ PageNumbers 1 index oforce 3 index dup 65534 le
+ { put }
+ { pop pop pop } % don't store more than 65534 pagenumbers
+ ifelse
+ } {
+ exch pop % return the //null
+ }
ifelse
- exch pop
+ exch pop % pop the page number, return the object or null
} bind executeonly def
/pdffindpage { % <int> pdffindpage <pagedict>
pdffindpageref oforce
@@ -3311,6 +3321,7 @@ currentdict /PDF2PS_matrix_key undef
{
/Parent knownoget
{
+ dup /Pages known not { pop exit } if % not a valid Page Tree ancestor
dup 4 1 roll
resourcespotcolors
3 -1 roll
--
1.8.3.1

47
PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch Normal file
View File

@ -0,0 +1,47 @@
From a45d7217c8c1578475ee9204d1f4ad46520f44d1 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Sat, 21 Mar 2020 10:00:42 +0000
Subject: [PATCH] PDF interpreter - swallow errors reading ICC profiles and
continue
Bug #702240 "Invalid ICC profile aborts PDF ineterpretation"
The file contains an ICCbased space which references an embedded ICC
profile, which is Flate compressed. The compressed stream has been
corrupted and cannot be decompressed.
This causes the colour space code to throw an ioerror and terminate
interpretation, Acrobat (as usual) doesn't even give a warning.
This commit checks for an error creating the ReusableStreamDecode and
if it fails sets the Data Source in the stream dictionary to null. We
will later use the /N value in the stream dictionary to set a reasonable
fallback space (in this case CMYK).
---
Resource/Init/pdf_draw.ps | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps
index 1deb052..9d818de 100644
--- a/Resource/Init/pdf_draw.ps
+++ b/Resource/Init/pdf_draw.ps
@@ -874,7 +874,15 @@ currentdict /csncompdict undef
dup dup 1 oget
mark exch { oforce } forall .dicttomark
dup dup //true resolvestream
- /ReusableStreamDecode filter /DataSource exch put
+ {
+ /ReusableStreamDecode filter
+ } stopped
+ {
+ pop null
+% ( **** Error: Failed to read ICC profile for an ICCBased colour space.\n) pdfformaterror
+% ( Falling back to a colour space determined by the /N value.\n) pdfformaterror
+ }if
+ /DataSource exch put
dup /.hash 0 put % placeholder for use by seticc icc_profile_cache key
% Check that the number of components (/N) defined in the ICCBased
% dictionry matches the actual profile. Bug #696120
--
1.8.3.1

83
PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch Normal file
View File

@ -0,0 +1,83 @@
From ebabebad34a3811230b7bfe351eface7f5efc8a9 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 8 Apr 2020 16:06:44 +0100
Subject: [PATCH] PostScript interpreter - don't leave A85Decode pdf_rules
uninitialised
Bug #702319 "Read of uninitialized value according to valgrind..."
There are a number of other bugs which relate to this particular problem:
690976, 692983 and 693485. The problem has come about as a cumulative
result of working on these bugs.
Starting with commit :
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e0ecca32ecd12dae3310fac4b65dc224031c85a2
for bug 690976 a new flag 'pdf_rules' was added to the Ascii85Decode
state. This is initialised from the dictionary operand in PostScript
by zA85D() in zfdecode.c. When this flag is true the ASCII85Decode
filter will silently accept just '~' as a valid termination for a string
(should be '~>').
However this is not the only way to initialise an Ascii85Decode filter,
the PostScript token scanner can also use s_A85D_init_inline() which
does not initialise the flag. From this point we have the potential
for testing an unitialised variable in s_A85D_process(), if we get an
encoded string which terminates with a '~' and the filter was
instantiated from PostScript.
When fixing bug 692983, this commit:
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d561224d1495321d40012230abbcf835b298f557
Alex specifically added a comment that pdf_rules must not be initialised
in s_A85D_init_inline() but didn't say why! The reason is that the
regular stream initialisation code (s_A85D-init) also uses this inline
function, so if it altered pdf_rules it would overwrite the value
previously set by zA85D().
Since the initialisation is done in two places, the only way to fix this
is to initialise pdf_rules in gs_scan_token() which this commit duly
does. I've also added comments in s_A85D_init_inline to explain more
clearly *why* pdf_rules must not be initialised here.
---
base/sa85d.h | 9 ++++++++-
psi/iscan.c | 4 ++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/base/sa85d.h b/base/sa85d.h
index 6e74622..8685af7 100644
--- a/base/sa85d.h
+++ b/base/sa85d.h
@@ -41,7 +41,14 @@ typedef struct stream_A85D_state_s {
(ss)->min_left = 1; \
(ss)->word = 0; \
(ss)->odd = 0; \
- /* pdf_rules should not be initialized here */ \
+ /* pdf_rules should not be initialized here. This flag is initialised in\
+ * zA85D to either true or false, and this inline function is called *after*\
+ * that in s_A85D_init to do the remaining initialisation. However, this\
+ * inline function is also called from gs_scan_token to handle inline\
+ * ASCII85 strings. These are not to be interpreted using PDF rules\
+ * and so we must not set the flag here, but in the relevant calling\
+ * functions.\
+ */ \
(ss)->require_eod=false; \
END
extern const stream_template s_A85D_template;
diff --git a/psi/iscan.c b/psi/iscan.c
index e5956e1..9b7151a 100644
--- a/psi/iscan.c
+++ b/psi/iscan.c
@@ -581,6 +581,10 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate)
s_A85D_init_inline(&sstate.s_ss.a85d);
sstate.s_ss.st.templat = &s_A85D_template;
sstate.s_ss.a85d.require_eod = true;
+ /* If this is an inline ASCII string, interpret it normally, throw an error
+ * if it fails rather than ignoring it as PDF (Acrobat) does.
+ */
+ sstate.s_ss.a85d.pdf_rules = false;
goto str;
}
sputback_inline(s, sptr, endptr);
--
1.8.3.1

34
ghostscript.spec
View File

@ -9,14 +9,38 @@
Name: ghostscript
Version: 9.52
Release: 1
Release: 2
Summary: An interpreter for PostScript and PDF files
License: AGPLv3+
URL: https://ghostscript.com/
Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz
Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch
Patch1: jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch
Patch2: jbig2dec-Add-overflow-detection-for-IAID-context-size.patch
Patch3: jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch
Patch4: Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch
Patch5: jbig2dec-Always-use-uint32_t-when-counting-pages.patch
Patch6: PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch
Patch7: jbig2dec-Fix-two-overlooked-warnings.patch
Patch8: jbig2dec-Use-correct-define-for-maxium-value-of-type.patch
Patch9: Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch
Patch10: Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch
Patch11: Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch
Patch12: Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch
Patch13: Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch
Patch14: Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch
Patch15: jbig2dec-Plug-leak-of-image-upon-error.patch
Patch16: jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch
Patch17: jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch
Patch18: PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch
Patch19: Bug-702322-fix-uninitalized-data-reads.patch
Patch20: Bug-702320-Valgrind-complains-about-UMR.patch
Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch
Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch
Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch
Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch
Patch0000: ghostscript-9.23-100-run-dvipdf-securely.patch
BuildRequires: automake gcc
BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel
BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel
@ -176,6 +200,12 @@ make check
%{_bindir}/dvipdf
%changelog
* Thu Sep 3 2020 wangchen <wangchen137@huawei.com> - 9.52-2
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:Sync some patches from community
* Sun Jun 28 2020 wangchen <wangchen137@huawei.com> - 9.52-1
- Type:requirement
- ID:NA

37
jbig2dec-Add-overflow-detection-for-IAID-context-size.patch Normal file
View File

@ -0,0 +1,37 @@
From 30842ee99923fa10a7301494fd08b998e7acf57b Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sun, 15 Sep 2019 18:12:31 +0200
Subject: [PATCH] jbig2dec: Add overflow detection for IAID context size.
---
jbig2dec/jbig2_arith_iaid.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/jbig2dec/jbig2_arith_iaid.c b/jbig2dec/jbig2_arith_iaid.c
index 78dc830..bbc38a0 100644
--- a/jbig2dec/jbig2_arith_iaid.c
+++ b/jbig2dec/jbig2_arith_iaid.c
@@ -44,9 +44,18 @@ struct _Jbig2ArithIaidCtx {
Jbig2ArithIaidCtx *
jbig2_arith_iaid_ctx_new(Jbig2Ctx *ctx, int SBSYMCODELEN)
{
- Jbig2ArithIaidCtx *result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1);
- int ctx_size = 1 << SBSYMCODELEN;
+ Jbig2ArithIaidCtx *result;
+ size_t ctx_size;
+ if (sizeof(ctx_size) * 8 <= SBSYMCODELEN)
+ {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "requested IAID arithmetic coding state size too large");
+ return NULL;
+ }
+
+ ctx_size = 1 << SBSYMCODELEN;
+
+ result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1);
if (result == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate IAID arithmetic coding state");
return NULL;
--
1.8.3.1

94
jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch Normal file
View File

@ -0,0 +1,94 @@
From dc6b8098b52db7e1a9b20c1ef6f1006555c04b1b Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Fri, 27 Mar 2020 05:41:07 +0800
Subject: [PATCH] jbig2dec: Adjust number of bytes consumed by MMR decoder.
The MMR decoder pre-buffers up to 32 bits of encoded input data in a word
buffer before they are consumed by the MMR decoder. Once bits are consumed, the
pre-buffer will be filled up with more input data. When filling up the buffer
the decoder would previously stay clear of reading data belonging to succeeding
segments, but still indicated that it consumed those bytes it never read. Once
finished the MMR decoder lied to the caller by propagating the incorrect number
of consumed bytes. The caller subtracted the consumed number of bytes from the
size and end up in underflow causing the next MMR decoding to first read input
data at the wrong location, later ending up attempting to read outside the MMR
encoded input buffer.
Now, the MMR decoder keeps track of how many bits it has consumed and
accurately rounds this number up to a whole number of bytes to the caller.
Fixes OSS-fuzz issue 17855.
Thanks to OSS-fuzz for reporting.
---
jbig2dec/jbig2_mmr.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/jbig2dec/jbig2_mmr.c b/jbig2dec/jbig2_mmr.c
index 8029c81..94ff429 100644
--- a/jbig2dec/jbig2_mmr.c
+++ b/jbig2dec/jbig2_mmr.c
@@ -45,6 +45,7 @@ typedef struct {
uint32_t height;
const byte *data;
size_t size;
+ size_t consumed_bits;
uint32_t data_index;
uint32_t bit_index;
uint32_t word;
@@ -58,30 +59,34 @@ typedef struct {
static void
jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
{
- size_t i;
- uint32_t word = 0;
-
mmr->width = width;
mmr->height = height;
mmr->data = data;
mmr->size = size;
mmr->data_index = 0;
- mmr->bit_index = 0;
+ mmr->bit_index = 32;
+ mmr->word = 0;
+ mmr->consumed_bits = 0;
- for (i = 0; i < size && i < 4; i++)
- word |= (data[i] << ((3 - i) << 3));
- mmr->word = word;
+ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) {
+ mmr->bit_index -= 8;
+ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index);
+ mmr->data_index++;
+ }
}
static void
jbig2_decode_mmr_consume(Jbig2MmrCtx *mmr, int n_bits)
{
+ mmr->consumed_bits += n_bits;
+ if (mmr->consumed_bits > mmr->size * 8)
+ mmr->consumed_bits = mmr->size * 8;
+
mmr->word <<= n_bits;
mmr->bit_index += n_bits;
- while (mmr->bit_index >= 8) {
+ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) {
mmr->bit_index -= 8;
- if (mmr->data_index + 4 < mmr->size)
- mmr->word |= (mmr->data[mmr->data_index + 4] << mmr->bit_index);
+ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index);
mmr->data_index++;
}
}
@@ -1259,6 +1264,6 @@ jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params,
jbig2_decode_mmr_consume(&mmr, 24);
}
- *consumed_bytes += mmr.data_index + (mmr.bit_index >> 3) + (mmr.bit_index > 0 ? 1 : 0);
+ *consumed_bytes += (mmr.consumed_bits + 7) / 8;
return code;
}
--
1.8.3.1

78
jbig2dec-Always-use-uint32_t-when-counting-pages.patch Normal file
View File

@ -0,0 +1,78 @@
From ff53af0d4ff9291aa5039522f5553a2850dd569d Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 12 Mar 2020 00:26:59 +0800
Subject: [PATCH] jbig2dec: Always use uint32_t when counting pages.
---
jbig2dec/jbig2.c | 4 ++--
jbig2dec/jbig2_page.c | 10 +++++++++-
jbig2dec/jbig2_priv.h | 4 ++--
3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/jbig2dec/jbig2.c b/jbig2dec/jbig2.c
index 126e7a9..9fbb340 100644
--- a/jbig2dec/jbig2.c
+++ b/jbig2dec/jbig2.c
@@ -154,7 +154,7 @@ jbig2_ctx_new_imp(Jbig2Allocator *allocator, Jbig2Options options, Jbig2GlobalCt
return NULL;
}
{
- int index;
+ uint32_t index;
for (index = 0; index < result->max_page_index; index++) {
result->pages[index].state = JBIG2_PAGE_FREE;
@@ -412,7 +412,7 @@ Jbig2Allocator *
jbig2_ctx_free(Jbig2Ctx *ctx)
{
Jbig2Allocator *ca;
- int i;
+ uint32_t i;
if (ctx == NULL)
return NULL;
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index 21483e8..31b31f7 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -72,13 +72,21 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat
/* find a free page */
{
- int index, j;
+ size_t index, j;
index = ctx->current_page;
while (ctx->pages[index].state != JBIG2_PAGE_FREE) {
index++;
if (index >= ctx->max_page_index) {
/* grow the list */
+
+ if (ctx->max_page_index == SIZE_MAX) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image");
+ }
+ else if (ctx->max_page_index > (SIZE_MAX >> 2)) {
+ ctx->max_page_index = SIZE_MAX;
+ }
+
pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2));
if (pages == NULL) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to reallocate pages");
diff --git a/jbig2dec/jbig2_priv.h b/jbig2dec/jbig2_priv.h
index e5a1eb5..d464208 100644
--- a/jbig2dec/jbig2_priv.h
+++ b/jbig2dec/jbig2_priv.h
@@ -101,8 +101,8 @@ struct _Jbig2Ctx {
/* list of decoded pages, including the one in progress,
currently stored as a contiguous, 0-indexed array. */
- int current_page;
- int max_page_index;
+ uint32_t current_page;
+ uint32_t max_page_index;
Jbig2Page *pages;
};
--
1.8.3.1

48
jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch Normal file
View File

@ -0,0 +1,48 @@
From 92faea67b31570e84b978a77b43c8f38bdad7bd4 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Tue, 1 Oct 2019 18:08:34 +0200
Subject: [PATCH] jbig2dec: Avoid warning by copying bytes instead of
characters.
---
jbig2dec/jbig2dec.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c
index 39f487e..d7d0aef 100644
--- a/jbig2dec/jbig2dec.c
+++ b/jbig2dec/jbig2dec.c
@@ -458,6 +458,7 @@ make_output_filename(const char *input_filename, const char *extension)
{
char *output_filename;
const char *c, *e;
+ int extlen;
int len;
if (extension == NULL) {
@@ -488,16 +489,18 @@ make_output_filename(const char *input_filename, const char *extension)
if (e != NULL)
len -= strlen(e);
+ extlen = strlen(extension);
+
/* allocate enough space for the base + ext */
- output_filename = (char *)malloc(len + strlen(extension) + 1);
+ output_filename = (char *)malloc(len + extlen + 1);
if (output_filename == NULL) {
fprintf(stderr, "failed to allocate memory for output filename\n");
exit(1);
}
- strncpy(output_filename, c, len);
- strncpy(output_filename + len, extension, strlen(extension));
- *(output_filename + len + strlen(extension)) = '\0';
+ memcpy(output_filename, c, len);
+ memcpy(output_filename + len, extension, extlen);
+ *(output_filename + len + extlen) = '\0';
/* return the new string */
return (output_filename);
--
1.8.3.1

40
jbig2dec-Fix-two-overlooked-warnings.patch Normal file
View File

@ -0,0 +1,40 @@
From 4f0c17451afb66e6fcf3bd453490b4b9d2b06b42 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sat, 21 Mar 2020 16:20:28 +0800
Subject: [PATCH] jbig2dec: Fix two overlooked warnings.
While working to fix all warnings seen when -Wsign-conversion is
enabled, these two warnings were accidentally introduced by commit
ff53af0d4ff9291aa5039522f5553a2850dd569d and not noticed in the
avalanche of warnings emitted due to -Wsign-conversion. This commit
changes the indicies to the type of the limit variable, fixing the
warnings.
---
jbig2dec/jbig2_page.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index 31b31f7..bc89a43 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -319,7 +319,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, uint32_
Jbig2Image *
jbig2_page_out(Jbig2Ctx *ctx)
{
- int index;
+ uint32_t index;
/* search for a completed page */
for (index = 0; index < ctx->max_page_index; index++) {
@@ -348,7 +348,7 @@ jbig2_page_out(Jbig2Ctx *ctx)
void
jbig2_release_page(Jbig2Ctx *ctx, Jbig2Image *image)
{
- int index;
+ uint32_t index;
if (image == NULL)
return;
--
1.8.3.1

52
jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch Normal file
View File

@ -0,0 +1,52 @@
From 716560bf5f2bc4b821ca6924ec648ca4949826bb Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sun, 15 Sep 2019 17:31:48 +0200
Subject: [PATCH] jbig2dec: Handle under-/overflow detection and messaging
better.
Previously SYMWIDTH was capped too early in order to prevent underflow
Moreover TOTWIDTH was allowed to overflow.
Now the value DW is checked compared to SYMWIDTH, preventing over
underflow and overflow at the correct limits, and an overflow
check has been added for TOTWIDTH.
---
jbig2dec/jbig2_symbol_dict.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index e606529..bc6e98c 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
break;
}
+ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
+ goto cleanup;
+ }
+ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
+ goto cleanup;
+ }
+
SYMWIDTH = SYMWIDTH + DW;
- TOTWIDTH = TOTWIDTH + SYMWIDTH;
- if ((int32_t) SYMWIDTH < 0) {
- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1);
+ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1);
goto cleanup;
}
+
+ TOTWIDTH = TOTWIDTH + SYMWIDTH;
#ifdef JBIG2_DEBUG
- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH);
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH);
#endif
/* 6.5.5 (4c.ii) */
if (!params->SDHUFF || params->SDREFAGG) {
--
1.8.3.1

41
jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch Normal file
View File

@ -0,0 +1,41 @@
From d8ed6363166841dcb067d7adc6ad6b52a1b1f90c Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sun, 5 Apr 2020 12:24:36 +0800
Subject: [PATCH] jbig2dec: Initiate variable before avoids using uninited data
during cleanup.
Fixes OSS-fuzz issue 21571.
Also fixes Coverity CID 355467.
Thanks to OSS-fuzz for reporting.
---
jbig2dec/jbig2_text.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c
index 61dc815..d49303a 100644
--- a/jbig2dec/jbig2_text.c
+++ b/jbig2dec/jbig2_text.c
@@ -593,6 +593,9 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
uint32_t table_index = 0;
const Jbig2HuffmanParams *huffman_params = NULL;
+ /* zero params to ease cleanup later */
+ memset(&params, 0, sizeof(Jbig2TextRegionParams));
+
/* 7.4.1 */
if (segment->data_length < 17) {
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
@@ -614,9 +617,6 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "text region header flags 0x%04x", flags);
- /* zero params to ease cleanup later */
- memset(&params, 0, sizeof(Jbig2TextRegionParams));
-
params.SBHUFF = flags & 0x0001;
params.SBREFINE = flags & 0x0002;
params.LOGSBSTRIPS = (flags & 0x000c) >> 2;
--
1.8.3.1

104
jbig2dec-Plug-leak-of-image-upon-error.patch Normal file
View File

@ -0,0 +1,104 @@
From f14f35c6e3218554cd351b848447cfa83b3c4256 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 26 Mar 2020 14:20:11 +0800
Subject: [PATCH] jbig2dec: Plug leak of image upon error.
Fixes OSS-Fuzz issue 17513.
Thanks to OSS-fuzz for reporting.
---
jbig2dec/jbig2_text.c | 39 ++++++++++++++++++++++++---------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c
index 6d983b6..61dc815 100644
--- a/jbig2dec/jbig2_text.c
+++ b/jbig2dec/jbig2_text.c
@@ -594,8 +594,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
const Jbig2HuffmanParams *huffman_params = NULL;
/* 7.4.1 */
- if (segment->data_length < 17)
- goto too_short;
+ if (segment->data_length < 17) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
jbig2_get_region_segment_info(&region_info, segment_data);
offset += 17;
/* Check for T.88 amendment 3 */
@@ -603,8 +605,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "region segment flags indicate use of colored bitmap (NYI)");
/* 7.4.3.1.1 */
- if (segment->data_length - offset < 2)
- goto too_short;
+ if (segment->data_length - offset < 2) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
flags = jbig2_get_uint16(segment_data + offset);
offset += 2;
@@ -633,8 +637,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
if (params.SBHUFF) { /* Huffman coding */
/* 7.4.3.1.2 */
- if (segment->data_length - offset < 2)
- goto too_short;
+ if (segment->data_length - offset < 2) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
huffman_flags = jbig2_get_uint16(segment_data + offset);
offset += 2;
@@ -643,8 +649,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
} else { /* arithmetic coding */
/* 7.4.3.1.3 */
- if (segment->data_length - offset < 4)
- goto too_short;
+ if (segment->data_length - offset < 4) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
if ((params.SBREFINE) && !(params.SBRTEMPLATE)) {
params.sbrat[0] = segment_data[offset];
params.sbrat[1] = segment_data[offset + 1];
@@ -655,8 +663,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
/* 7.4.3.1.4 */
- if (segment->data_length - offset < 4)
- goto too_short;
+ if (segment->data_length - offset < 4) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset);
offset += 4;
@@ -922,8 +932,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
goto cleanup2;
}
- if (offset >= segment->data_length)
- goto too_short;
+ if (offset >= segment->data_length) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
+ goto cleanup2;
+ }
ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
if (ws == NULL) {
code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to allocate word stream when handling text region image");
@@ -1028,7 +1040,4 @@ cleanup1:
jbig2_free(ctx->allocator, dicts);
return code;
-
-too_short:
- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");
}
--
1.8.3.1

32
jbig2dec-Use-correct-define-for-maxium-value-of-type.patch Normal file
View File

@ -0,0 +1,32 @@
From a80f7f12e7a2fb0caa1ea9ac6fa8981cc539a1bc Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sat, 21 Mar 2020 15:59:21 +0800
Subject: [PATCH] jbig2dec: Use correct define for maxium value of type.
Fixes Coverity CID 355177.
---
jbig2dec/jbig2_page.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index bc89a43..92486dd 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -80,11 +80,11 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat
if (index >= ctx->max_page_index) {
/* grow the list */
- if (ctx->max_page_index == SIZE_MAX) {
+ if (ctx->max_page_index == UINT32_MAX) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image");
}
- else if (ctx->max_page_index > (SIZE_MAX >> 2)) {
- ctx->max_page_index = SIZE_MAX;
+ else if (ctx->max_page_index > (UINT32_MAX >> 2)) {
+ ctx->max_page_index = UINT32_MAX;
}
pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2));
--
1.8.3.1

27
lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch Normal file
View File

@ -0,0 +1,27 @@
From d9b37029db10bdeaf5eaee00bac2eb0653644c77 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Sat, 9 May 2020 17:45:01 +0100
Subject: [PATCH] lgtm.com tweak: Make it clear that something isn't a typo.
Use "INTERPATCH_PADDING != 0" rather than "INTERPATCH_PADDING" to
avoid the appearance of a typo.
---
base/gxshade6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/gxshade6.c b/base/gxshade6.c
index 85b8d76..e48bcfb 100644
--- a/base/gxshade6.c
+++ b/base/gxshade6.c
@@ -2389,7 +2389,7 @@ fill_wedges_aux(patch_fill_state_t *pfs, int k, int ka,
pfs->inside = save_inside;
return code;
} else {
- if (INTERPATCH_PADDING && (wedge_type & interpatch_padding)) {
+ if ((INTERPATCH_PADDING != 0) && (wedge_type & interpatch_padding)) {
code = mesh_padding(pfs, &pole[0], &pole[3], c0, c1);
if (code < 0)
return code;
--
1.8.3.1