Description: fix uninitialized memory read Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=931051fe0bb445545355027d999515bc3d4b32ef Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=50c0b294d08114920a5db711876e20d991f474a6 Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=31874f2e065b0d68f726ef404de98f42489c80c7 Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e8822c0f3a46195ec7c6e55c556dd0c5716be742 Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=2017dbebd9afd4f172242ff8462fce739d911e64 Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=b1026b5978c385328f2a15a2185c599a563edf91 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071 Index: poppler-0.16.7/poppler/Stream.cc =================================================================== --- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:27.904260440 -0400 +++ poppler-0.16.7/poppler/Stream.cc 2013-03-28 08:18:51.403504905 -0400 @@ -423,7 +423,7 @@ // force a call to gmallocn(-1,...), which will throw an exception imgLineSize = -1; } - imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); + imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar)); imgIdx = nVals; } @@ -1591,11 +1591,12 @@ // 2-D encoding if (nextLine2D) { - for (i = 0; codingLine[i] < columns; ++i) { + for (i = 0; i < columns && codingLine[i] < columns; ++i) { refLine[i] = codingLine[i]; } - refLine[i++] = columns; - refLine[i] = columns; + for (; i < columns + 2; ++i) { + refLine[i] = columns; + } codingLine[0] = 0; a0i = 0; b1i = 0; 
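Review bot: The context comment directly above the changed allocation still says the -1 size forces `gmallocn` to throw, which no longer describes the code once the call becomes `gmallocn_checkoverflow`. If that variant returns NULL on a bad size rather than aborting (its name suggests so, but its definition is not part of this patch), `imgLine` can now be NULL, and no hunk shown here adds a NULL test before it is used. I would reword the comment to something like `// force gmallocn_checkoverflow to fail; imgLine is NULL afterwards` and confirm that every reader of `imgLine` handles NULL. The enclosing function starts and ends outside the hunk.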
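Review bot: The new fill loop `for (; i < columns + 2; ++i)` writes up to index columns + 1, so it is only safe if `refLine` was allocated with at least columns + 2 entries, and that allocation is not visible in this hunk. A comment on the loop would record the invariant, for example `// refLine has columns + 2 entries; pad the tail with the end-of-row sentinel so b1i lookups never read uninitialized ints`. The `columns + 2` and `columns + 1` literals recur in the later hunks of this patch, so a single named bound would keep them in step.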
@@ -1607,13 +1608,15 @@ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible // exception at right edge: // refLine[b1i] = refLine[b1i+1] = columns is possible - while (codingLine[a0i] < columns) { + while (codingLine[a0i] < columns && !err) { code1 = getTwoDimCode(); switch (code1) { case twoDimPass: - addPixels(refLine[b1i + 1], blackPixels); - if (refLine[b1i + 1] < columns) { - b1i += 2; + if (likely(b1i + 1 < columns + 2)) { + addPixels(refLine[b1i + 1], blackPixels); + if (refLine[b1i + 1] < columns) { + b1i += 2; + } } break; case twoDimHoriz: 
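Review bot: In the `twoDimPass` case the out-of-range branch is silent: when `b1i + 1 < columns + 2` is false nothing is logged and `err` stays clear, so the loop just fetches the next code with `b1i` unchanged. The vertical-mode cases changed later in this patch report the same condition and stop decoding the row. This case would match them with an `else { error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); err = gTrue; }`. The `while` loop and the `switch` continue past the end of the hunk.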
@@ -1639,49 +1642,109 @@ } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } break; case twoDimVertR3: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 3, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertR2: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 2, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertR1: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 1, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVert0: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i], blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if 
(unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL3: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 3, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1692,10 +1755,22 @@ } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL2: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 2, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1706,10 +1781,22 @@ } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL1: + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 1, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1720,6 +1807,12 @@ } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (unlikely(b1i > columns + 1)) { + error(getPos(), + "Bad 2D code %04x in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -1870,6 +1963,12 @@ outputBits = 0; if (codingLine[a0i] < columns) { ++a0i; + if (unlikely(a0i > columns)) { + error(getPos(), + "Bad bits %04x in CCITTFax stream", bits); + err = gTrue; + break; + } outputBits = codingLine[a0i] - codingLine[a0i - 1]; } else if (bits > 0) { buf <<= bits; 
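Review bot: The six-line guard `if (unlikely(b1i > columns + 1)) { error(...); err = gTrue; break; }` is pasted at the top of every vertical-mode case and again inside every inner `while`, here and in the hunks at -1692, -1706 and -1720, so one copy can easily drift from the others. A small private helper that tests `b1i`, logs and sets `err`, called as `if (!checkRefIndex(code1)) break;` (the helper name is a placeholder), would keep the bound in one place. Separately, in the `twoDimVertR*` and `twoDimVert0` cases the entry guard admits `b1i == columns + 1`, and the following `++b1i` would then make the `while` condition read `refLine[columns + 2]` unless `addPixels` has already moved `codingLine[a0i]` to `columns`. That depends on code outside this patch, so a comment stating the assumption would help.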
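Review bot: In the hunk at -1870 the guard runs after `++a0i`, so on the error path `a0i` is left at columns + 1 until something resets it. Testing before the increment, `if (unlikely(a0i >= columns)) { ... break; }` followed by `++a0i;`, rejects exactly the same inputs while keeping the index in range for any later read of `codingLine[a0i]`. The message prints `bits` with `%04x` as if it were a code word, although at this point it appears to be a remaining-bit count. The loop that the `break` leaves begins outside the hunk.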
@@ -2418,6 +2517,9 @@ vSub = vert / 8; for (y2 = 0; y2 < mcuHeight; y2 += vert) { for (x2 = 0; x2 < mcuWidth; x2 += horiz) { + if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) { + return gFalse; + } if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]], &acHuffTables[scanInfo.acHuffTable[cc]], &compInfo[cc].prevDC,
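Review bot: The table-index check sits inside the innermost `x2` loop, although `scanInfo.dcHuffTable[cc]` and `scanInfo.acHuffTable[cc]` do not change per data unit in the lines shown, and it protects only this one `readDataUnit` call. Validating both indices once, where the scan header is parsed, would cover every user of `dcHuffTables[]` and `acHuffTables[]`; whether other call sites exist is not visible here. The literal `4` presumably mirrors the table array length, so tying it to that declaration (and also rejecting negative values if the fields are signed) would make the bound self-documenting. The failure path returns `gFalse` without an `error()` call, unlike the CCITTFax checks in the same patch.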