rebase to 'ghostscript-9.22'

David Kaspar [Dee'Kej] 2017-11-09 14:25:11 +01:00
parent 74e266f70a
commit 9f6fa20804
21 changed files with 13 additions and 3019 deletions

1
.gitignore vendored

@ -48,3 +48,4 @@ ghostscript-8.71.tar.xz
/ghostscript-9.15-cleaned-1.tar.bz2 /ghostscript-9.15-cleaned-1.tar.bz2
/ghostscript-9.16-cleaned-1.tar.bz2 /ghostscript-9.16-cleaned-1.tar.bz2
/ghostscript-9.20.tar.xz /ghostscript-9.20.tar.xz
/ghostscript-9.22.tar.xz

@ -1,33 +0,0 @@
From 90fd0c7ca3efc1ddff64a86f4104b13b3ac969eb Mon Sep 17 00:00:00 2001
From: Michael Vrhel <michael.vrhel@artifex.com>
Date: Thu, 29 Dec 2016 14:00:21 -0800
Subject: [PATCH] Bug 697456. Dont create new ctx when pdf14 device reenabled
This bug had yet another weird case where the user created a
file that pushed the pdf14 device twice. We were in that case,
creating a new ctx and blowing away the original one with out
proper clean up. To avoid, only create a new one when we need it.
---
base/gdevp14.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/base/gdevp14.c b/base/gdevp14.c
index fd56ec9..f19318e 100644
--- a/base/gdevp14.c
+++ b/base/gdevp14.c
@@ -1669,8 +1669,10 @@ pdf14_open(gx_device *dev)
rect.p.y = 0;
rect.q.x = dev->width;
rect.q.y = dev->height;
- pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
- pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
+ /* If we are reenabling the device dont create a new ctx. Bug 697456 */
+ if (pdev->ctx == NULL)
+ pdev->ctx = pdf14_ctx_new(&rect, dev->color_info.num_components,
+ pdev->color_info.polarity != GX_CINFO_POLARITY_SUBTRACTIVE, dev);
if (pdev->ctx == NULL)
return_error(gs_error_VMerror);
pdev->free_devicen = true;
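Review bot: In pdf14_open the new `if (pdev->ctx == NULL)` guard means a retained ctx is never compared against the `rect` and `dev->color_info.num_components` computed just above, so a device re-enabled with a different width, height or component count would keep a context built for the old values. Either verify that the existing ctx matches before reusing it, or say in the comment why the geometry cannot change between the two pushes. The comment would also be more useful if it stated what goes wrong (the original ctx is overwritten without cleanup) instead of only citing the bug number.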
--
2.9.3

@ -1,30 +0,0 @@
From c0502b3771e4eac89a199a3558182337d146d4ab Mon Sep 17 00:00:00 2001
From: Michael Vrhel <michael.vrhel@artifex.com>
Date: Thu, 29 Dec 2016 12:00:40 -0800
Subject: [PATCH] Bug 697444 Unmatched transparency group pop
This issue can only occur if there is an unmatched group pop.
If the interpreter is doing that, then the interpreter is
broken. With this bug the user is intentionally doing it.
We now throw and error when it occurs.
---
base/gdevp14.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/base/gdevp14.c b/base/gdevp14.c
index ad3478f..84f0f40 100644
--- a/base/gdevp14.c
+++ b/base/gdevp14.c
@@ -985,6 +985,9 @@ pdf14_pop_transparency_group(gs_gstate *pgs, pdf14_ctx *ctx,
bool blendspot = pdev->blendspot;
bool nonicc_conversion = true;
+ if (nos == NULL)
+ return_error(gs_error_unknownerror); /* Unmatched group pop */
+
#ifdef DEBUG
pdf14_debug_mask_stack_state(ctx);
#endif
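Review bot: The added `if (nos == NULL)` check in pdf14_pop_transparency_group returns `gs_error_unknownerror`, which gives the caller nothing to distinguish an unmatched group pop from any other failure. A more specific error code, or a debug message naming the unmatched pop next to the return, would make this much easier to triage when it fires on a crafted file.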
--
2.9.3

@ -1,44 +0,0 @@
From 4bef1a1d32e29b68855616020dbff574b9cda08f Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Thu, 29 Dec 2016 15:57:43 +0000
Subject: [PATCH] Bug 697453: Avoid divide by 0 in scan conversion code.
Arithmetic overflow due to extreme values in the scan conversion
code can cause a division by 0.
Avoid this with a simple extra check.
dx_old=cf814d81
endp->x_next=b0e859b9
alp->x_next=8069a73a
leads to dx_den = 0
---
base/gxfill.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/base/gxfill.c b/base/gxfill.c
index 99196c0..2f81bb0 100644
--- a/base/gxfill.c
+++ b/base/gxfill.c
@@ -1741,7 +1741,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
fixed dx_old = alp->x_current - endp->x_current;
fixed dx_den = dx_old + endp->x_next - alp->x_next;
- if (dx_den <= dx_old)
+ if (dx_den <= dx_old || dx_den == 0)
return false; /* Intersection isn't possible. */
dy = y1 - y;
if_debug3('F', "[F]cross: dy=%g, dx_old=%g, dx_new=%g\n",
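Review bot: The `dx_den == 0` test in intersect() catches the one wrapped result that would divide by zero, but `dx_den = dx_old + endp->x_next - alp->x_next` is still signed `fixed` arithmetic that overflows for the extreme inputs listed in the commit message, and other wrapped results can still pass the `dx_den <= dx_old` test and reach the division with a meaningless denominator. Consider computing the denominator in a wider type or rejecting operands whose sum is not representable, and add a comment beside the check saying that zero is only reachable through overflow.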
@@ -1750,7 +1750,7 @@ intersect(active_line *endp, active_line *alp, fixed y, fixed y1, fixed *p_y_new
/* Do the computation in single precision */
/* if the values are small enough. */
y_new =
- ((dy | dx_old) < 1L << (size_of(fixed) * 4 - 1) ?
+ (((ufixed)(dy | dx_old)) < (1L << (size_of(fixed) * 4 - 1)) ?
dy * dx_old / dx_den :
(INCR_EXPR(mq_cross), fixed_mult_quo(dy, dx_old, dx_den)))
+ y;
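Review bot: The `(ufixed)` cast on `(dy | dx_old)` changes which branch negative operands take: with the sign bit set the value no longer compares below the threshold, so they now always go through `fixed_mult_quo`, where before they took the `dy * dx_old / dx_den` path. That looks intended, but the comment above still says only "if the values are small enough". Please extend it to say that negative values are routed to the slow path, and confirm that `fixed_mult_quo` accepts negative `dy` and `dx_old`.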
--
2.9.3

@ -1,50 +0,0 @@
From daf85701dab05f17e924a48a81edc9195b4a04e8 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 21 Dec 2016 16:54:14 +0000
Subject: [PATCH] fix crash with bad data supplied to makeimagedevice
Bug #697450 "Null pointer dereference in gx_device_finalize()"
The problem here is that the code to finalise a device unconditionally
frees the icc_struct member of the device structure. However this
particular (weird) device is not setup as a normal device, probably
because its very, very ancient. Its possible for the initialisation
of the device to abort with an error before calling gs_make_mem_device()
which is where the icc_struct member gets allocated (or set to NULL).
If that happens, then the cleanup code tries to free the device, which
calls finalize() which tries to free a garbage pointer.
Setting the device memory to 0x00 after we allocate it means that the
icc_struct member will be NULL< and our memory manager allows for that
happily enough, which avoids the problem.
---
base/gsdevmem.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/base/gsdevmem.c b/base/gsdevmem.c
index 97b9cf4..fe75bcc 100644
--- a/base/gsdevmem.c
+++ b/base/gsdevmem.c
@@ -225,6 +225,18 @@ gs_makewordimagedevice(gx_device ** pnew_dev, const gs_matrix * pmat,
if (pnew == 0)
return_error(gs_error_VMerror);
+
+ /* Bug #697450 "Null pointer dereference in gx_device_finalize()"
+ * If we have incorrect data passed to gs_initialise_wordimagedevice() then the
+ * initialisation will fail, crucially it will fail *before* it calls
+ * gs_make_mem_device() which initialises the device. This means that the
+ * icc_struct member will be uninitialsed, but the device finalise method
+ * will unconditionally free that memory. Since its a garbage pointer, bad things happen.
+ * Apparently we do still need makeimagedevice to be available from
+ * PostScript, so in here just zero the device memory, which means that
+ * the finalise routine won't have a problem.
+ */
+ memset(pnew, 0x00, st_device_memory.ssize);
code = gs_initialize_wordimagedevice(pnew, pmat, width, height,
colors, num_colors, word_oriented,
page_device, mem);
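Review bot: The block comment refers to `gs_initialise_wordimagedevice()` while the call directly below it is `gs_initialize_wordimagedevice`, so a search for the function name will not find this explanation; please use the real spelling and fix "uninitialsed". On the change itself, `memset(pnew, 0x00, st_device_memory.ssize)` is only correct if `pnew` was allocated with that descriptor's size, and the allocation is outside the hunk, so it would be safer to zero at the allocation site or to take the size from the same expression used there. Zeroing also leaves the underlying problem in place: the finalise method frees `icc_struct` unconditionally on a device that was never fully initialised.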
--
2.9.3

@ -1,180 +0,0 @@
From fee19fa8d4f6f351e5a76f5801884880249d6a45 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:55:55 +0100
Subject: [PATCH] Bug 697178: Add a file permissions callback
For the rare occasions when the graphics library directly opens a file
(currently for reading), this allows us to apply any restrictions on
file access normally applied in the interpteter.
---
base/gsicc_manage.c | 10 ++++++----
base/gslibctx.c | 12 +++++++++++-
base/gslibctx.h | 7 +++++++
psi/imain.c | 2 ++
psi/int.mak | 2 +-
psi/zfile.c | 19 +++++++++++++++++++
psi/zfile.h | 7 +++++++
7 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/base/gsicc_manage.c b/base/gsicc_manage.c
index 931c2a6..e9c09c3 100644
--- a/base/gsicc_manage.c
+++ b/base/gsicc_manage.c
@@ -1124,10 +1124,12 @@ gsicc_open_search(const char* pname, int namelen, gs_memory_t *mem_gc,
}
/* First just try it like it is */
- str = sfopen(pname, "r", mem_gc);
- if (str != NULL) {
- *strp = str;
- return 0;
+ if (gs_check_file_permission(mem_gc, pname, namelen, "r") >= 0) {
+ str = sfopen(pname, "r", mem_gc);
+ if (str != NULL) {
+ *strp = str;
+ return 0;
+ }
}
/* If that fails, try %rom% */ /* FIXME: Not sure this is needed or correct */
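Review bot: In gsicc_open_search the permission check receives `pname` together with `namelen`, but `sfopen(pname, "r", mem_gc)` opens the NUL-terminated string, so if `namelen` is shorter than the string the name that was checked is not the name that gets opened. Build a length-bounded copy and pass it to both calls, or verify that `pname[namelen]` is the terminator before checking. A denied check also falls through silently to the `%rom%` attempt below with the error code discarded; a comment saying that is deliberate would help.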
diff --git a/base/gslibctx.c b/base/gslibctx.c
index fa4432a..f2c13e3 100644
--- a/base/gslibctx.c
+++ b/base/gslibctx.c
@@ -183,7 +183,7 @@ int gs_lib_ctx_init( gs_memory_t *mem )
mem->gs_lib_ctx = NULL;
return -1;
}
-
+ pio->client_check_file_permission = NULL;
gp_get_realtime(pio->real_time_0);
/* Set scanconverter to 1 (default) */
@@ -336,3 +336,13 @@ void errflush(const gs_memory_t *mem)
fflush(mem->gs_lib_ctx->fstderr);
/* else nothing to flush */
}
+
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ int code = 0;
+ if (mem->gs_lib_ctx->client_check_file_permission != NULL) {
+ code = mem->gs_lib_ctx->client_check_file_permission(mem, fname, len, permission);
+ }
+ return code;
+}
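Review bot: gs_check_file_permission() returns 0, which callers treat as allowed, whenever `client_check_file_permission` is NULL, and NULL is exactly what gs_lib_ctx_init() now sets, so a client of the graphics library that never registers a callback gets no restriction at all. If that fail-open default is intended for non-interpreter clients, say so in a comment on the function; otherwise return an access error when no callback is present. The function also dereferences `mem->gs_lib_ctx` without a NULL check.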
diff --git a/base/gslibctx.h b/base/gslibctx.h
index 84ec205..55eb4a6 100644
--- a/base/gslibctx.h
+++ b/base/gslibctx.h
@@ -32,6 +32,9 @@ typedef struct gs_fapi_server_s gs_fapi_server;
# define gs_font_dir_DEFINED
typedef struct gs_font_dir_s gs_font_dir;
#endif
+
+typedef int (*client_check_file_permission_t) (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
typedef struct gs_lib_ctx_s
{
gs_memory_t *memory; /* mem->gs_lib_ctx->memory == mem */
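Review bot: The `client_check_file_permission_t` typedef is added without any comment on its contract. The caller in gsicc_manage.c tests the result with `>= 0` and the interpreter implementation keys off the first character of `permission`, so the header should state the return convention (negative error code means denied) and which permission strings a callback must accept.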
@@ -61,6 +64,7 @@ typedef struct gs_lib_ctx_s
struct gx_io_device_s **io_device_table;
int io_device_table_count;
int io_device_table_size;
+ client_check_file_permission_t client_check_file_permission;
/* Define the default value of AccurateScreens that affects setscreen
and setcolorscreen. */
bool screen_accurate_screens;
@@ -132,6 +136,9 @@ int
gs_lib_ctx_get_default_device_list(const gs_memory_t *mem, char** dev_list_str,
int *list_str_len);
+int
+gs_check_file_permission (gs_memory_t *mem, const char *fname, const int len, const char *permission);
+
#define IS_LIBCTX_STDOUT(mem, f) (f == mem->gs_lib_ctx->fstdout)
#define IS_LIBCTX_STDERR(mem, f) (f == mem->gs_lib_ctx->fstderr)
diff --git a/psi/imain.c b/psi/imain.c
index 9a9bb5d..6874128 100644
--- a/psi/imain.c
+++ b/psi/imain.c
@@ -57,6 +57,7 @@
#include "ivmspace.h"
#include "idisp.h" /* for setting display device callback */
#include "iplugin.h"
+#include "zfile.h"
#ifdef PACIFY_VALGRIND
#include "valgrind.h"
@@ -212,6 +213,7 @@ gs_main_init1(gs_main_instance * minst)
"the_gs_name_table");
if (code < 0)
return code;
+ mem->gs_lib_ctx->client_check_file_permission = z_check_file_permissions;
}
code = obj_init(&minst->i_ctx_p, &idmem); /* requires name_init */
if (code < 0)
diff --git a/psi/int.mak b/psi/int.mak
index 4654afc..bb30d51 100644
--- a/psi/int.mak
+++ b/psi/int.mak
@@ -2024,7 +2024,7 @@ $(PSOBJ)imain.$(OBJ) : $(PSSRC)imain.c $(GH) $(memory__h) $(string__h)\
$(ialloc_h) $(iconf_h) $(idebug_h) $(idict_h) $(idisp_h) $(iinit_h)\
$(iname_h) $(interp_h) $(iplugin_h) $(isave_h) $(iscan_h) $(ivmspace_h)\
$(iinit_h) $(main_h) $(oper_h) $(ostack_h)\
- $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h)\
+ $(sfilter_h) $(store_h) $(stream_h) $(strimpl_h) $(zfile_h)\
$(INT_MAK) $(MAKEDIRS)
$(PSCC) $(PSO_)imain.$(OBJ) $(C_) $(PSSRC)imain.c
diff --git a/psi/zfile.c b/psi/zfile.c
index b6caea2..fd94f67 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -197,6 +197,25 @@ check_file_permissions(i_ctx_t *i_ctx_p, const char *fname, int len,
return check_file_permissions_reduced(i_ctx_p, fname_reduced, rlen, permitgroup);
}
+/* z_check_file_permissions: see zfile.h for explanation
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname, const int len, const char *permission)
+{
+ i_ctx_t *i_ctx_p = get_minst_from_memory(mem)->i_ctx_p;
+ gs_parsed_file_name_t pname;
+ const char *permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting";
+ int code = gs_parse_file_name(&pname, fname, len, imemory);
+ if (code < 0)
+ return code;
+
+ if (pname.iodev && i_ctx_p->LockFilePermissions && strcmp(pname.iodev->dname, "%pipe%") == 0)
+ return gs_error_invalidfileaccess;
+
+ code = check_file_permissions(i_ctx_p, fname, len, permitgroup);
+ return code;
+}
+
/* <name_string> <access_string> file <file> */
int /* exported for zsysvm.c */
zfile(i_ctx_t *i_ctx_p)
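Review bot: In z_check_file_permissions the line `permitgroup = permission[0] == 'r' ? "PermitFileReading" : "PermitFileWriting"` looks only at the first character, so a mode such as "r+" would be checked against the read list even though it permits writing. Either reject any mode other than the ones the graphics library actually passes, or map everything except plain "r" to the write group. In addition, `get_minst_from_memory(mem)->i_ctx_p` is used without checking either pointer, and the `%pipe%` rejection only applies when `LockFilePermissions` is set, which deserves a one-line comment.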
diff --git a/psi/zfile.h b/psi/zfile.h
index fdf1373..a9399c7 100644
--- a/psi/zfile.h
+++ b/psi/zfile.h
@@ -22,4 +22,11 @@
int zopen_file(i_ctx_t *i_ctx_p, const gs_parsed_file_name_t *pfn,
const char *file_access, stream **ps, gs_memory_t *mem);
+/* z_check_file_permissions: a callback (via mem->gs_lib_ctx->client_check_file_permission)
+ * to allow applying the above permissions checks when opening file(s) from
+ * the graphics library
+ */
+int
+z_check_file_permissions(gs_memory_t *mem, const char *fname,
+ const int len, const char *permission);
#endif
--
2.7.4

@ -1,28 +0,0 @@
From 8abd22010eb4db0fb1b10e430d5f5d83e015ef70 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Mon, 3 Oct 2016 01:46:28 +0100
Subject: [PATCH] Bug 697169: Be rigorous with SAFER permissions
Once we've opened our input file from the command line, enforce the SAFER
rules.
---
psi/zfile.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/psi/zfile.c b/psi/zfile.c
index b6caea2..2c6c958 100644
--- a/psi/zfile.c
+++ b/psi/zfile.c
@@ -1081,6 +1081,9 @@ lib_file_open(gs_file_path_ptr lib_path, const gs_memory_t *mem, i_ctx_t *i_ctx
gs_main_instance *minst = get_minst_from_memory(mem);
int code;
+ if (i_ctx_p && starting_arg_file)
+ i_ctx_p->starting_arg_file = false;
+
/* when starting arg files (@ files) iodev_default is not yet set */
if (iodev == 0)
iodev = (gx_io_device *)gx_io_device_table[0];
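Review bot: The added condition tests a bare `starting_arg_file` while the assignment writes `i_ctx_p->starting_arg_file`, and nothing in the hunk says how the two relate. Add a comment stating that the context flag is cleared so that later opens are subject to SAFER while this call keeps using the value it was passed, if that is the intent. The commit message says the rules are enforced once the input file has been opened, yet the flag is cleared at the top of lib_file_open before any open has been attempted, so a failed open clears it too; please confirm that is acceptable.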
--
2.7.4

@ -1,25 +0,0 @@
From 6f749c0c44e7b9e09737b9f29edf29925a34f0cf Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Wed, 5 Oct 2016 09:59:25 +0100
Subject: [PATCH] Bug 697179: Reference count device icc profile
when copying a device
---
base/gsdevice.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/base/gsdevice.c b/base/gsdevice.c
index 778106f..aea986a 100644
--- a/base/gsdevice.c
+++ b/base/gsdevice.c
@@ -614,6 +614,7 @@ gx_device_init(gx_device * dev, const gx_device * proto, gs_memory_t * mem,
dev->memory = mem;
dev->retained = !internal;
rc_init(dev, mem, (internal ? 0 : 1));
+ rc_increment(dev->icc_struct);
}
void
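Review bot: `rc_increment(dev->icc_struct)` is added to gx_device_init() with no comment, and the hunk does not show whether `icc_struct` can be NULL at this point or whether `rc_increment` tolerates that. Please add a line explaining why the device needs its own reference here (the subject says "when copying a device", so presumably the pointer came from `proto`) and confirm the NULL case. Since this is the general init path, the matching decrement on device free should be checked for every caller, not only the copy case.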
--
2.7.4

@ -1,43 +0,0 @@
From 875a0095f37626a721c7ff57d606a0f95af03913 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Wed, 5 Oct 2016 10:10:58 +0100
Subject: [PATCH] DSC parser - validate parameters
Bug #697190 ".initialize_dsc_parser doesn't validate the parameter is a dict type before using it."
Regardless of any security implications, its simply wrong for a PostScript
operator not to validate its parameter(s).
No differences expected.
---
psi/zdscpars.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/psi/zdscpars.c b/psi/zdscpars.c
index c05e154..9b4b605 100644
--- a/psi/zdscpars.c
+++ b/psi/zdscpars.c
@@ -150,11 +150,16 @@ zinitialize_dsc_parser(i_ctx_t *i_ctx_p)
ref local_ref;
int code;
os_ptr const op = osp;
- dict * const pdict = op->value.pdict;
- gs_memory_t * const mem = (gs_memory_t *)dict_memory(pdict);
- dsc_data_t * const data =
- gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
+ dict *pdict;
+ gs_memory_t *mem;
+ dsc_data_t *data;
+ check_read_type(*op, t_dictionary);
+
+ pdict = op->value.pdict;
+ mem = (gs_memory_t *)dict_memory(pdict);
+
+ data = gs_alloc_struct(mem, dsc_data_t, &st_dsc_data_t, "DSC parser init");
if (!data)
return_error(gs_error_VMerror);
data->document_level = 0;
--
2.7.4

@ -1,42 +0,0 @@
From f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Sat, 8 Oct 2016 16:10:27 +0100
Subject: [PATCH] Bug 697203: check for sufficient params in .sethalftone5
and param types
---
psi/zht2.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/psi/zht2.c b/psi/zht2.c
index fb4a264..dfa27a4 100644
--- a/psi/zht2.c
+++ b/psi/zht2.c
@@ -82,14 +82,22 @@ zsethalftone5(i_ctx_t *i_ctx_p)
gs_memory_t *mem;
uint edepth = ref_stack_count(&e_stack);
int npop = 2;
- int dict_enum = dict_first(op);
+ int dict_enum;
ref rvalue[2];
int cname, colorant_number;
byte * pname;
uint name_size;
int halftonetype, type = 0;
gs_gstate *pgs = igs;
- int space_index = r_space_index(op - 1);
+ int space_index;
+
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(gs_error_stackunderflow);
+ check_type(*op, t_dictionary);
+ check_type(*(op - 1), t_dictionary);
+
+ dict_enum = dict_first(op);
+ space_index = r_space_index(op - 1);
mem = (gs_memory_t *) idmemory->spaces_indexed[space_index];
--
2.7.4

@ -1,897 +0,0 @@
From cecf6b592945d247bf932f6a4f50065db4acfba8 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Mon, 12 Dec 2016 17:47:17 +0000
Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build.
Also rename "new" to "new_dict", because "new" is a bad
variable name.
---
jbig2dec/jbig2.c | 4 +--
jbig2dec/jbig2.h | 8 +++--
jbig2dec/jbig2_generic.c | 2 +-
jbig2dec/jbig2_halftone.c | 24 +++++++--------
jbig2dec/jbig2_huffman.c | 10 +++---
jbig2dec/jbig2_huffman.h | 2 +-
jbig2dec/jbig2_image.c | 32 +++++++++----------
jbig2dec/jbig2_mmr.c | 66 ++++++++++++++++++++-------------------
jbig2dec/jbig2_page.c | 6 ++--
jbig2dec/jbig2_priv.h | 4 +--
jbig2dec/jbig2_segment.c | 10 +++---
jbig2dec/jbig2_symbol_dict.c | 73 ++++++++++++++++++++++----------------------
jbig2dec/jbig2_symbol_dict.h | 6 ++--
jbig2dec/jbig2_text.c | 16 +++++-----
jbig2dec/jbig2_text.h | 2 +-
15 files changed, 134 insertions(+), 131 deletions(-)
diff --git a/jbig2dec/jbig2.c b/jbig2dec/jbig2.c
index f729e29..e51380f 100644
--- a/jbig2dec/jbig2.c
+++ b/jbig2dec/jbig2.c
@@ -379,7 +379,7 @@ typedef struct {
} Jbig2WordStreamBuf;
static int
-jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word)
+jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word)
{
Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self;
const byte *data = z->data;
@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t
else if (offset > z->size)
return -1;
else {
- int i;
+ size_t i;
result = 0;
for (i = 0; i < z->size - offset; i++)
diff --git a/jbig2dec/jbig2.h b/jbig2dec/jbig2.h
index d5aa52f..624e0ed 100644
--- a/jbig2dec/jbig2.h
+++ b/jbig2dec/jbig2.h
@@ -56,17 +56,19 @@ typedef struct _Jbig2SymbolDictionary Jbig2SymbolDictionary;
*/
struct _Jbig2Image {
- int width, height, stride;
+ uint32_t width;
+ uint32_t height;
+ uint32_t stride;
uint8_t *data;
int refcount;
};
-Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
+Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height);
Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value);
-Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height);
+Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height);
/* errors are returned from the library via a callback. If no callback
is provided (a NULL argument is passed ot jbig2_ctx_new) a default
diff --git a/jbig2dec/jbig2_generic.c b/jbig2dec/jbig2_generic.c
index 02fdbfb..9656198 100644
--- a/jbig2dec/jbig2_generic.c
+++ b/jbig2dec/jbig2_generic.c
@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte
byte seg_flags;
int8_t gbat[8];
int offset;
- int gbat_bytes = 0;
+ uint32_t gbat_bytes = 0;
Jbig2GenericRegionParams params;
int code = 0;
Jbig2Image *image = NULL;
diff --git a/jbig2dec/jbig2_halftone.c b/jbig2dec/jbig2_halftone.c
index aeab576..acfbc56 100644
--- a/jbig2dec/jbig2_halftone.c
+++ b/jbig2dec/jbig2_halftone.c
@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
{
uint8_t **GSVALS = NULL;
size_t consumed_bytes = 0;
- int i, j, code, stride;
- int x, y;
+ uint32_t i, j, stride, x, y;
+ int code;
Jbig2Image **GSPLANES;
Jbig2GenericRegionParams rparams;
Jbig2WordStream *ws = NULL;
@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSPLANES[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate %dx%d image for GSPLANES", GSW, GSH);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_image_release(ctx, GSPLANES[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_image_release(ctx, GSPLANES[--j]);
jbig2_free(ctx->allocator, GSPLANES);
return NULL;
}
@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
}
/* C.5 step 2. Set j = GSBPP-2 */
- j = GSBPP - 2;
+ j = GSBPP - 1;
/* C.5 step 3. decode loop */
- while (j >= 0) {
+ while (j > 0) {
+ j--;
/* C.5 step 3. (a) */
if (GSMMR) {
code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes);
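Review bot: The comment "C.5 step 2. Set j = GSBPP-2" no longer matches the code, which now sets `j = GSBPP - 1` and decrements at the top of the loop. Update the comment to explain the pre-decrement form (needed because `j` is now unsigned), otherwise the next reader comparing against the spec will take it for an off-by-one. Also, if `GSBPP` can ever be 0 here, `GSBPP - 1` wraps in the unsigned `j` and the loop body indexes `GSPLANES` far out of range, where the old signed loop simply did not run; a guard before this point needs confirming.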
@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i];
/* C.5 step 3. (c) */
- --j;
}
/* allocate GSVALS */
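Review bot: With `--j` removed, the comment "C.5 step 3. (c)" now labels nothing at the end of the loop body. Move it next to the `j--` at the top of the loop or delete it.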
@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSVALS[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_free(ctx->allocator, GSVALS[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_free(ctx->allocator, GSVALS[--j]);
jbig2_free(ctx->allocator, GSVALS);
GSVALS = NULL;
goto cleanup;
@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
uint8_t **GI;
Jbig2Image *HSKIP = NULL;
Jbig2PatternDict *HPATS;
- int i;
+ uint32_t i;
uint32_t mg, ng;
int32_t x, y;
uint8_t gray_val;
@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
/* calculate ceil(log2(HNUMPATS)) */
HBPP = 0;
- while (HNUMPATS > (1 << ++HBPP));
+ while (HNUMPATS > (1U << ++HBPP));
/* 6.6.5 point 4. decode gray-scale image as mentioned in annex C */
GI = jbig2_decode_gray_scale_image(ctx, segment, data, size,
diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
index 4521b48..f77981b 100644
--- a/jbig2dec/jbig2_huffman.c
+++ b/jbig2dec/jbig2_huffman.c
@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState {
is (offset + 4) * 8. */
uint32_t this_word;
uint32_t next_word;
- int offset_bits;
- int offset;
- int offset_limit;
+ uint32_t offset_bits;
+ uint32_t offset;
+ uint32_t offset_limit;
Jbig2WordStream *ws;
Jbig2Ctx *ctx;
};
static uint32_t
-huff_get_next_word(Jbig2HuffmanState *hs, int offset)
+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
{
uint32_t word = 0;
Jbig2WordStream *ws = hs->ws;
@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
/* return the offset of the huffman decode pointer (in bytes)
* from the beginning of the WordStream
*/
-int
+uint32_t
jbig2_huffman_offset(Jbig2HuffmanState *hs)
{
return hs->offset + (hs->offset_bits >> 3);
diff --git a/jbig2dec/jbig2_huffman.h b/jbig2dec/jbig2_huffman.h
index 5d1e6e0..cfda9e0 100644
--- a/jbig2dec/jbig2_huffman.h
+++ b/jbig2dec/jbig2_huffman.h
@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs);
void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
-int jbig2_huffman_offset(Jbig2HuffmanState *hs);
+uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob);
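Review bot: jbig2_huffman_offset() now returns `uint32_t`, but jbig2_huffman_advance() two lines above it in this header still takes `int offset`, so the same quantity is unsigned on the way out and signed on the way in. Either convert the parameter as well or add a comment explaining why advance keeps a signed argument.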
diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
index 1ae614e..94e5a4c 100644
--- a/jbig2dec/jbig2_image.c
+++ b/jbig2dec/jbig2_image.c
@@ -32,10 +32,10 @@
/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
-jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
+jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
{
Jbig2Image *image;
- int stride;
+ uint32_t stride;
int64_t check;
image = jbig2_new(ctx, Jbig2Image, 1);
@@ -99,7 +99,7 @@ jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image)
/* resize a Jbig2Image */
Jbig2Image *
-jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
+jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height)
{
if (width == image->width) {
/* check for integer multiplication overflow */
@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
static int
jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int sw = src->width;
- int sh = src->height;
- int sx = 0;
- int sy = 0;
+ uint32_t i, j;
+ uint32_t sw = src->width;
+ uint32_t sh = src->height;
+ uint32_t sx = 0;
+ uint32_t sy = 0;
/* clip to the dst image boundaries */
if (x < 0) {
@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x
int
jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int w, h;
- int leftbyte, rightbyte;
- int shift;
+ uint32_t i, j;
+ uint32_t w, h;
+ uint32_t leftbyte, rightbyte;
+ uint32_t shift;
uint8_t *s, *ss;
uint8_t *d, *dd;
uint8_t mask, rightmask;
@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
h += y;
y = 0;
}
- w = (x + w < dst->width) ? w : dst->width - x;
- h = (y + h < dst->height) ? h : dst->height - y;
+ w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0);
+ h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? dst->height - (uint32_t)y : 0);
#ifdef JBIG2_DEBUG
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y);
#endif
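Review bot: In the new clipping expressions `(uint32_t)x + w < dst->width` and its `y` counterpart, the sum is computed in 32-bit unsigned arithmetic and can wrap for large `w` or `h`, in which case the comparison succeeds and the unclipped size is kept. Compare without adding, for example establish `(uint32_t)x <= dst->width` first and then test `w < dst->width - (uint32_t)x`. The debug `jbig2_error` call below still formats `w` and `h` with `%d` although they are now `uint32_t`.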
@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
}
#endif
- leftbyte = x >> 3;
- rightbyte = (x + w - 1) >> 3;
+ leftbyte = (uint32_t)x >> 3;
+ rightbyte = ((uint32_t)x + w - 1) >> 3;
shift = x & 7;
/* general OR case */
diff --git a/jbig2dec/jbig2_mmr.c b/jbig2dec/jbig2_mmr.c
index d4cd3a2..390e27c 100644
--- a/jbig2dec/jbig2_mmr.c
+++ b/jbig2dec/jbig2_mmr.c
@@ -38,19 +38,21 @@
#include "jbig2_mmr.h"
typedef struct {
- int width;
- int height;
+ uint32_t width;
+ uint32_t height;
const byte *data;
size_t size;
- int data_index;
- int bit_index;
+ uint32_t data_index;
+ uint32_t bit_index;
uint32_t word;
} Jbig2MmrCtx;
+#define MINUS1 ((uint32_t)-1)
+
static void
jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
{
- int i;
+ size_t i;
uint32_t word = 0;
mmr->width = width;
@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
#define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
static int
-jbig2_find_changing_element(const byte *line, int x, int w)
+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
{
int a, b;
if (line == 0)
- return w;
+ return (int)w;
- if (x == -1) {
+ if (x == MINUS1) {
a = 0;
x = 0;
} else {
@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w)
}
static int
-jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color)
+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
{
if (line == 0)
return w;
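Review bot: jbig2_find_changing_element_of_color() still returns `int` and returns `w` directly, while the sibling function in the previous hunk was changed to `return (int)w;`. Make the two consistent, and consider returning `uint32_t` from both, since the callers shown in this patch store the result in `uint32_t` variables and compare it against `mmr->width`.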
@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
static void
-jbig2_set_bits(byte *line, int x0, int x1)
+jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1)
{
- int a0, a1, b0, b1, a;
+ uint32_t a0, a1, b0, b1, a;
a0 = x0 >> 3;
a1 = x1 >> 3;
@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_
static int
jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
{
- int a0 = -1;
- int a1, a2, b1, b2;
+ uint32_t a0 = MINUS1;
+ uint32_t a1, a2, b1, b2;
int c = 0; /* 0 is white, black is 1 */
while (1) {
@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("%08x\n", word); */
- if (a0 >= mmr->width)
+ if (a0 != MINUS1 && a0 >= mmr->width)
break;
if ((word >> (32 - 3)) == 1) {
@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 3);
- if (a0 == -1)
+ if (a0 == MINUS1)
a0 = 0;
if (c == 0) {
@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a2 < a1 || a1 < 0)
+ if (a1 == MINUS1 || a2 < a1)
return -1;
jbig2_set_bits(dst, a1, a2);
a0 = a2;
@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || a1 < a0)
return -1;
jbig2_set_bits(dst, a0, a1);
a0 = a2;
@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
b2 = jbig2_find_changing_element(ref, b1, mmr->width);
if (c) {
- if (b2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b2 < a0)
return -1;
jbig2_set_bits(dst, a0, b2);
}
@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 1);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
if (c) {
- if (b1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1);
}
@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 1 > mmr->width)
break;
if (c) {
- if (b1 + 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 1);
}
@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 2 > mmr->width)
break;
if (c) {
- if (b1 + 2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 2 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 2);
}
@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VR(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 + 3 > mmr->width)
+ if (b1 + 3 > (int)mmr->width)
break;
if (c) {
- if (b1 + 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 3);
}
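Review bot: The VR(3) bound is written `b1 + 3 > (int)mmr->width`, while the VR(1) and VR(2) branches compare `b1 + 1 > mmr->width` and `b1 + 2 > mmr->width` without a cast. Since `b1` is now `uint32_t`, the `(int)` operand is converted back to unsigned for the comparison, so the cast has no effect and only makes the three branches look different. Drop the cast, and note that `b1 + 3` can wrap when `b1` is near the top of the range, so testing `b1 > mmr->width - 3` after checking `mmr->width >= 3` would be safer.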
@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(1)\n"); */
jbig2_decode_mmr_consume(mmr, 3);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 1 < 0)
+ if (b1 < 1)
break;
if (c) {
- if (b1 - 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 1);
}
@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(2)\n"); */
jbig2_decode_mmr_consume(mmr, 6);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 2 < 0)
+ if (b1 < 2)
break;
if (c) {
if (b1 - 2 < a0 || a0 < 0)
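Review bot: This VL(2) hunk converts `b1 - 2 < 0` to `b1 < 2` but leaves the following line `if (b1 - 2 < a0 || a0 < 0)` unchanged, whereas every other mode in this patch was rewritten as `a0 == MINUS1 || ...`. With `a0` now `uint32_t`, `a0 < 0` is always false, and the sentinel case is rejected only incidentally through the first comparison. Change it to `if (a0 == MINUS1 || b1 - 2 < a0)` to match VL(1) and VL(3).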
@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 3 < 0)
+ if (b1 < 3)
break;
if (c) {
- if (b1 - 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 3);
}
@@ -1009,10 +1011,10 @@ int
jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size);
@@ -1047,10 +1049,10 @@ int
jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
const uint32_t EOFB = 0x001001;
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index 110ff7c..1ed1c8a 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -155,9 +155,9 @@ int
jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
{
Jbig2Page page = ctx->pages[ctx->current_page];
- int end_row;
+ uint32_t end_row;
- end_row = jbig2_get_int32(segment_data);
+ end_row = jbig2_get_uint32(segment_data);
if (end_row < page.end_row) {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
"end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row);
@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x,
/* grow the page to accomodate a new stripe if necessary */
if (page->striped) {
- int new_height = y + image->height + page->end_row;
+ uint32_t new_height = y + image->height + page->end_row;
if (page->image->height < new_height) {
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height);
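Review bot: `uint32_t new_height = y + image->height + page->end_row;` can wrap, and the sum has no range check before `page->image->height < new_height` decides whether to grow the page. A wrapped total compares as small, so the buffer would not be grown for a stripe that does not fit. Suggest checking each addition against UINT32_MAX (and rejecting a negative `y`, which the signature shows as `int`) before computing the sum. The format strings in this file also still print `end_row` and `new_height` with `%d`; they should use `%u` now that the values are unsigned.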
diff --git a/jbig2dec/jbig2_priv.h b/jbig2dec/jbig2_priv.h
index 42ba496..3d44b42 100644
--- a/jbig2dec/jbig2_priv.h
+++ b/jbig2dec/jbig2_priv.h
@@ -132,7 +132,7 @@ struct _Jbig2Page {
uint32_t x_resolution, y_resolution; /* in pixels per meter */
uint16_t stripe_size;
bool striped;
- int end_row;
+ uint32_t end_row;
uint8_t flags;
Jbig2Image *image;
};
@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm
typedef struct _Jbig2WordStream Jbig2WordStream;
struct _Jbig2WordStream {
- int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word);
+ int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word);
};
Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size);
diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c
index 2e0db67..5b63706 100644
--- a/jbig2dec/jbig2_segment.c
+++ b/jbig2dec/jbig2_segment.c
@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
uint8_t rtscarf;
uint32_t rtscarf_long;
uint32_t *referred_to_segments;
- int referred_to_segment_count;
- int referred_to_segment_size;
- int pa_size;
- int offset;
+ uint32_t referred_to_segment_count;
+ uint32_t referred_to_segment_size;
+ uint32_t pa_size;
+ uint32_t offset;
/* minimum possible size of a jbig2 segment header */
if (buf_size < 11)
@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
/* 7.2.5 */
if (referred_to_segment_count) {
- int i;
+ uint32_t i;
referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size);
if (referred_to_segments == NULL) {
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index 2c71a4c..11a2252 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* return a new empty symbol dict */
Jbig2SymbolDict *
-jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols)
+jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
{
- Jbig2SymbolDict *new = NULL;
+ Jbig2SymbolDict *new_dict = NULL;
if (n_symbols < 0) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
return NULL;
}
- new = jbig2_new(ctx, Jbig2SymbolDict, 1);
- if (new != NULL) {
- new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
- new->n_symbols = n_symbols;
+ new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+ if (new_dict != NULL) {
+ new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+ new_dict->n_symbols = n_symbols;
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict");
return NULL;
}
- if (new->glyphs != NULL) {
- memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
+ if (new_dict->glyphs != NULL) {
+ memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict");
- jbig2_free(ctx->allocator, new);
+ jbig2_free(ctx->allocator, new_dict);
return NULL;
}
- return new;
+ return new_dict;
}
/* release the memory associated with a symbol dict */
void
jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict)
{
- int i;
+ uint32_t i;
if (dict == NULL)
return;
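Review bot: In `jbig2_sd_new`, the retained check `if (n_symbols < 0)` is dead code once `n_symbols` is `uint32_t`, and its error message still formats the value with `%d`. A caller that passes a negative count now gets a very large allocation request instead of this error. Suggest removing the check and message, or replacing them with an upper bound on `n_symbols`, and guarding `n_symbols * sizeof(Jbig2Image *)` in the `memset` against overflow on 32-bit `size_t`.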
@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id)
}
/* count the number of dictionary segments referred to by the given segment */
-int
+uint32_t
jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
{
int index;
Jbig2Segment *rsegment;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
for (index = 0; index < segment->referred_to_segment_count; index++) {
rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]);
@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
int index;
Jbig2Segment *rsegment;
Jbig2SymbolDict **dicts;
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
- int dindex = 0;
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t dindex = 0;
dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts);
if (dicts == NULL) {
@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
Jbig2SymbolDict *
-jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
+jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts)
{
- int i, j, k, symbols;
- Jbig2SymbolDict *new = NULL;
+ uint32_t i, j, k, symbols;
+ Jbig2SymbolDict *new_dict = NULL;
/* count the imported symbols and allocate a new array */
symbols = 0;
@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
symbols += dicts[i]->n_symbols;
/* fill a new array with cloned glyph pointers */
- new = jbig2_sd_new(ctx, symbols);
- if (new != NULL) {
+ new_dict = jbig2_sd_new(ctx, symbols);
+ if (new_dict != NULL) {
k = 0;
for (i = 0; i < n_dicts; i++)
for (j = 0; j < dicts[i]->n_symbols; j++)
- new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
+ new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
} else {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary");
}
- return new;
+ return new_dict;
}
/* Decoding routines */
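Review bot: In `jbig2_sd_cat`, `symbols += dicts[i]->n_symbols` now accumulates in a `uint32_t` with no overflow check, and the wrapped total is what gets passed to `jbig2_sd_new(ctx, symbols)`. The copy loop still writes `new_dict->glyphs[k++]` once per source symbol, so a wrapped total means the loop writes past the allocated array. Suggest failing the concatenation when `symbols + dicts[i]->n_symbols < symbols`.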
@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (REFAGGNINST > 1) {
Jbig2Image *image;
- int i;
+ uint32_t i;
if (tparams == NULL) {
/* First time through, we need to initialise the */
@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
uint32_t ID;
int32_t RDX, RDY;
int BMSIZE = 0;
- int ninsyms = params->SDNUMINSYMS;
+ uint32_t ninsyms = params->SDNUMINSYMS;
int code1 = 0;
int code2 = 0;
int code3 = 0;
@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (params->SDHUFF && !params->SDREFAGG) {
/* 6.5.9 */
Jbig2Image *image;
- int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
- int j, x;
+ uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
+ uint32_t j;
+ int x;
if (code || (BMSIZE < 0)) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
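Review bot: With `BMSIZE` declared `uint32_t`, the `(BMSIZE < 0)` half of `if (code || (BMSIZE < 0))` can never be true, so a negative result from `jbig2_huffman_get` is now reported only if `code` is also set. Suggest reading the value into a signed temporary, checking it, and assigning to the unsigned `BMSIZE` afterwards, or dropping the dead comparison and adding an explicit upper bound.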
@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary");
goto cleanup4;
} else {
- int i = 0;
- int j = 0;
- int k;
+ uint32_t i = 0;
+ uint32_t j = 0;
+ uint32_t k;
int exflag = 0;
- int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
- int32_t exrunlength;
+ uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
+ uint32_t exrunlength;
int zerolength = 0;
while (i < limit) {
if (params->SDHUFF)
exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
- code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
/* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
else if (exrunlength <= 0)
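Review bot: `limit` is narrowed from `int64_t` to `uint32_t`, so `params->SDNUMINSYMS + params->SDNUMNEWSYMS` can now wrap before the `while (i < limit)` loop and the `exrunlength > limit - i` test use it; the 64-bit type existed to avoid exactly that. Suggest keeping a 64-bit `limit` or checking the addition. In the same condition `(exrunlength < 0)` is dead for an unsigned `exrunlength`, the `(int32_t *)&exrunlength` cast hides a negative decode as a large value, and `exrunlength + j > params->SDNUMEXSYMS` can itself wrap, unlike the subtraction form it replaces.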
@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
{
Jbig2SymbolDictParams params;
uint16_t flags;
- int sdat_bytes;
- int offset;
+ uint32_t sdat_bytes;
+ uint32_t offset;
Jbig2ArithCx *GB_stats = NULL;
Jbig2ArithCx *GR_stats = NULL;
int table_index = 0;
@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
/* 7.4.2.2 (2) */
{
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
Jbig2SymbolDict **dicts = NULL;
if (n_dicts > 0) {
diff --git a/jbig2dec/jbig2_symbol_dict.h b/jbig2dec/jbig2_symbol_dict.h
index d56d62d..30211d4 100644
--- a/jbig2dec/jbig2_symbol_dict.h
+++ b/jbig2dec/jbig2_symbol_dict.h
@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se
Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id);
/* return a new empty symbol dict */
-Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols);
+Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols);
/* release the memory associated with a symbol dict */
void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict);
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
-Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts);
+Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts);
/* count the number of dictionary segments referred
to by the given segment */
-int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
+uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
/* return an array of pointers to symbol dictionaries referred
to by a segment */
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c
index 5c99640..e77460f 100644
--- a/jbig2dec/jbig2_text.c
+++ b/jbig2dec/jbig2_text.c
@@ -55,7 +55,7 @@
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws)
{
/* relevent bits of 6.4.4 */
@@ -476,19 +476,19 @@ cleanup2:
int
jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data)
{
- int offset = 0;
+ uint32_t offset = 0;
Jbig2RegionSegmentInfo region_info;
Jbig2TextRegionParams params;
Jbig2Image *image = NULL;
Jbig2SymbolDict **dicts = NULL;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
uint16_t flags = 0;
uint16_t huffman_flags = 0;
Jbig2ArithCx *GR_stats = NULL;
int code = 0;
Jbig2WordStream *ws = NULL;
Jbig2ArithState *as = NULL;
- int table_index = 0;
+ uint32_t table_index = 0;
const Jbig2HuffmanParams *huffman_params = NULL;
/* 7.4.1 */
@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! previous parsing error?");
goto cleanup1;
} else {
- int index;
+ uint32_t index;
if (dicts[0] == NULL) {
code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!");
@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
if (!params.SBHUFF) {
- int SBSYMCODELEN, index;
- int SBNUMSYMS = 0;
+ uint32_t SBSYMCODELEN, index;
+ uint32_t SBNUMSYMS = 0;
for (index = 0; index < n_dicts; index++) {
SBNUMSYMS += dicts[index]->n_symbols;
@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
/* Table 31 */
- for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
+ for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
}
params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
params.IARI = jbig2_arith_int_ctx_new(ctx);
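Review bot: The loop `for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++)` has no upper bound on the shift count. Now that `SBNUMSYMS` is `uint32_t`, a total above 2^31 lets `SBSYMCODELEN` reach 32, and shifting a 32-bit `1U` by 32 is undefined. Suggest adding `SBSYMCODELEN < 32 &&` to the condition or doing the shift in a 64-bit type. The preceding hunk's `SBNUMSYMS += dicts[index]->n_symbols` would benefit from an overflow check for the same reason.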
diff --git a/jbig2dec/jbig2_text.h b/jbig2dec/jbig2_text.h
index aec2732..51d242e 100644
--- a/jbig2dec/jbig2_text.h
+++ b/jbig2dec/jbig2_text.h
@@ -70,5 +70,5 @@ typedef struct {
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws);
--
2.9.3

View File

@ -1,39 +0,0 @@
From bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 6 Apr 2017 16:44:54 +0100
Subject: [PATCH] Bug 697548: use the correct param list enumerator
When we encountered dictionary in a ref_param_list, we were using the enumerator
for the "parent" param_list, rather than the enumerator for the param_list
we just created for the dictionary. That parent was usually the stack
list enumerator, and caused a segfault.
Using the correct enumerator works better.
---
psi/iparam.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/psi/iparam.c b/psi/iparam.c
index 4e63b6d..b2fa85f 100644
--- a/psi/iparam.c
+++ b/psi/iparam.c
@@ -770,12 +770,13 @@ ref_param_read_typed(gs_param_list * plist, gs_param_name pkey,
gs_param_enumerator_t enumr;
gs_param_key_t key;
ref_type keytype;
+ dict_param_list *dlist = (dict_param_list *) pvalue->value.d.list;
param_init_enumerator(&enumr);
- if (!(*((iparam_list *) plist)->enumerate)
- ((iparam_list *) pvalue->value.d.list, &enumr, &key, &keytype)
+ if (!(*(dlist->enumerate))
+ ((iparam_list *) dlist, &enumr, &key, &keytype)
&& keytype == t_integer) {
- ((dict_param_list *) pvalue->value.d.list)->int_keys = 1;
+ dlist->int_keys = 1;
pvalue->type = gs_param_type_dict_int_keys;
}
}
--
2.9.3

View File

@ -1,33 +0,0 @@
From 309eca4e0a31ea70dcc844812691439312dad091 Mon Sep 17 00:00:00 2001
From: Ken Sharp <ken.sharp@artifex.com>
Date: Mon, 20 Mar 2017 09:34:11 +0000
Subject: [PATCH] Ensure a device has raster memory, before trying to read it.
Bug #697676 "Null pointer dereference in mem_get_bits_rectangle()"
This is only possible by abusing/mis-using Ghostscript-specific
language extensions, so cannot happen in a general PostScript program.
Nevertheless, Ghostscript should not crash. So this commit checks the
memory device to see if raster memory has been allocated, before trying
to read from it.
---
base/gdevmem.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/base/gdevmem.c b/base/gdevmem.c
index afd05bd..d52d684 100644
--- a/base/gdevmem.c
+++ b/base/gdevmem.c
@@ -606,6 +606,8 @@ mem_get_bits_rectangle(gx_device * dev, const gs_int_rect * prect,
GB_PACKING_CHUNKY | GB_COLORS_NATIVE | GB_ALPHA_NONE;
return_error(gs_error_rangecheck);
}
+ if (mdev->line_ptrs == 0x00)
+ return_error(gs_error_rangecheck);
if ((w <= 0) | (h <= 0)) {
if ((w | h) < 0)
return_error(gs_error_rangecheck);
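Review bot: Style point on the added `if (mdev->line_ptrs == 0x00)`: `line_ptrs` is used as a pointer, so compare against `NULL` rather than a hex literal. A one-line comment stating that the device has no raster memory allocated at this point, as the commit message explains, would also make the reason for the `gs_error_rangecheck` return clear to the next reader.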
--
2.9.3

View File

@ -1,31 +0,0 @@
From 5e57e483298dae8b8d4ec9aab37a526736ac2e97 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 26 Apr 2017 22:12:14 +0100
Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
While building a Huffman table, the start and end points were susceptible
to integer overflow.
Thank you to Jiaqi for finding this issue and suggesting a patch.
---
jbig2dec/jbig2_huffman.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
index 511e461..b4189a1 100644
--- a/jbig2dec/jbig2_huffman.c
+++ b/jbig2dec/jbig2_huffman.c
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
if (PREFLEN == CURLEN) {
int RANGELEN = lines[CURTEMP].RANGELEN;
- int start_j = CURCODE << shift;
- int end_j = (CURCODE + 1) << shift;
+ uint32_t start_j = CURCODE << shift;
+ uint32_t end_j = (CURCODE + 1) << shift;
byte eflags = 0;
if (end_j > max_j) {
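Review bot: Changing only the declared type in `uint32_t start_j = CURCODE << shift;` and `uint32_t end_j = (CURCODE + 1) << shift;` does not change the type in which the shift is evaluated. If `CURCODE` is a signed `int`, the overflow still happens in the expression before the result is converted. Suggest casting the operand, for example `(uint32_t)CURCODE << shift`, and confirming that `max_j` in `if (end_j > max_j)` is unsigned as well so the comparison is not mixed-sign.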
--
2.9.3

View File

@ -1,92 +0,0 @@
From 4f83478c88c2e05d6e8d79ca4557eb039354d2f3 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 27 Apr 2017 13:03:33 +0100
Subject: [PATCH 1/2] Bug 697799: have .eqproc check its parameters
The Ghostscript custom operator .eqproc was not checking the number or type of
the parameters it was given.
---
psi/zmisc3.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/psi/zmisc3.c b/psi/zmisc3.c
index 54b3042..37293ff 100644
--- a/psi/zmisc3.c
+++ b/psi/zmisc3.c
@@ -56,6 +56,12 @@ zeqproc(i_ctx_t *i_ctx_p)
ref2_t stack[MAX_DEPTH + 1];
ref2_t *top = stack;
+ if (ref_stack_count(&o_stack) < 2)
+ return_error(gs_error_stackunderflow);
+ if (!r_is_array(op - 1) || !r_is_array(op)) {
+ return_error(gs_error_typecheck);
+ }
+
make_array(&stack[0].proc1, 0, 1, op - 1);
make_array(&stack[0].proc2, 0, 1, op);
for (;;) {
--
2.9.3
From 04b37bbce174eed24edec7ad5b920eb93db4d47d Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 27 Apr 2017 13:21:31 +0100
Subject: [PATCH 2/2] Bug 697799: have .rsdparams check its parameters
The Ghostscript internal operator .rsdparams wasn't checking the number or
type of the operands it was being passed. Do so.
---
psi/zfrsd.c | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/psi/zfrsd.c b/psi/zfrsd.c
index 191107d..950588d 100644
--- a/psi/zfrsd.c
+++ b/psi/zfrsd.c
@@ -49,13 +49,20 @@ zrsdparams(i_ctx_t *i_ctx_p)
ref *pFilter;
ref *pDecodeParms;
int Intent = 0;
- bool AsyncRead;
+ bool AsyncRead = false;
ref empty_array, filter1_array, parms1_array;
uint i;
- int code;
+ int code = 0;
+
+ if (ref_stack_count(&o_stack) < 1)
+ return_error(gs_error_stackunderflow);
+ if (!r_has_type(op, t_dictionary) && !r_has_type(op, t_null)) {
+ return_error(gs_error_typecheck);
+ }
make_empty_array(&empty_array, a_readonly);
- if (dict_find_string(op, "Filter", &pFilter) > 0) {
+ if (r_has_type(op, t_dictionary)
+ && dict_find_string(op, "Filter", &pFilter) > 0) {
if (!r_is_array(pFilter)) {
if (!r_has_type(pFilter, t_name))
return_error(gs_error_typecheck);
@@ -94,12 +101,13 @@ zrsdparams(i_ctx_t *i_ctx_p)
return_error(gs_error_typecheck);
}
}
- code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
+ if (r_has_type(op, t_dictionary))
+ code = dict_int_param(op, "Intent", 0, 3, 0, &Intent);
if (code < 0 && code != gs_error_rangecheck) /* out-of-range int is ok, use 0 */
return code;
- if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0
- )
- return code;
+ if (r_has_type(op, t_dictionary))
+ if ((code = dict_bool_param(op, "AsyncRead", false, &AsyncRead)) < 0)
+ return code;
push(1);
op[-1] = *pFilter;
if (pDecodeParms)
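Review bot: The dictionary test `r_has_type(op, t_dictionary)` is now repeated separately before the `Intent` lookup and the `AsyncRead` lookup, with the `code < 0 && code != gs_error_rangecheck` check sitting between them and running on the initial `code = 0` in the null case. Suggest grouping both lookups and the error check under a single `if (r_has_type(op, t_dictionary)) { ... }` block. This also removes the unbraced nested `if` around `dict_bool_param`, which is easy to misread.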
--
2.9.3

View File

@ -1,56 +0,0 @@
From 99cf218dbd5f6fbdbda2ce6872eb9ab7f475c353 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Tue, 27 Sep 2016 11:22:18 +0100
Subject: [PATCH 1/2] Add pre-processor define for shared OpenJPEG
---
Makefile.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.in b/Makefile.in
index 25875ad..2ca2a80 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -290,7 +290,7 @@ JBIG2_CFLAGS=@JBIG2_AUTOCONF_CFLAGS@
JPX_LIB=@JPX_DECODER@
SHARE_JPX=@SHARE_JPX@
JPXSRCDIR=@JPXDIR@
-JPX_CFLAGS=@JPX_AUTOCONF_CFLAGS@ @JPX_SSE_CFLAGS@
+JPX_CFLAGS=-DSHARE_JPX=$(SHARE_JPX) @JPX_AUTOCONF_CFLAGS@ @JPX_SSE_CFLAGS@
# uncomment the following three lines and one of the last two to
# compile in the Luratech lwf_jp2 codec
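Review bot: `JPX_CFLAGS=-DSHARE_JPX=$(SHARE_JPX)` passes whatever `@SHARE_JPX@` expands to straight into the macro definition, and neither the patch nor a comment says which values are expected. If the substitution is ever empty, the flag becomes `-DSHARE_JPX=`, which defines the macro as empty and breaks any `#if SHARE_JPX` test. Suggest documenting the expected values next to this line, or giving the variable a default.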
--
2.7.4
From 4f19ab99cac2d8a7d21aea34d8aea0727fad52d3 Mon Sep 17 00:00:00 2001
From: Didier Raboud <odyx@debian.org>
Date: Thu, 6 Oct 2016 17:08:41 +0200
Subject: [PATCH 2/2] Don't pass -DOPJ_STATIC when compiling the OpenJPEG code.
It makes the symbols hidden when including
/usr/include/openjpeg-2.1/openjpeg.h.
Fixes a FTBFS against libopenjp2-7 (>= 2.1.1).
Debian bug: https://bugs.debian.org/832873
---
base/lib.mak | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/lib.mak b/base/lib.mak
index 173e2c6..cffdc9d 100644
--- a/base/lib.mak
+++ b/base/lib.mak
@@ -1849,7 +1849,7 @@ $(GLOBJ)sjpx_openjpeg.$(OBJ) : $(GLSRC)sjpx_openjpeg.c $(AK) \
$(memory__h) $(gserror_h) $(gserrors_h) \
$(gdebug_h) $(strimpl_h) $(sjpx_openjpeg_h) $(LIB_MAK) $(MAKEDIRS)
$(GLJPXOPJCC) $(GLO_)sjpx_openjpeg.$(OBJ) \
- $(C_) -DOPJ_STATIC $(GLSRC)sjpx_openjpeg.c
+ $(C_) $(GLSRC)sjpx_openjpeg.c
# ---------------- Pixel-difference filters ---------------- #
# The Predictor facility of the LZW and Flate filters uses these.
--
2.7.4

View File

@ -1,52 +0,0 @@
From 329e0a6d187cc5b5698689d76636ed3214d7efa7 Mon Sep 17 00:00:00 2001
From: Chris Liddell <chris.liddell@artifex.com>
Date: Thu, 3 Nov 2016 13:09:27 +0000
Subject: [PATCH] Bug 697286: handle GlyphDirectory as an array
For high level devices that need to copy CIDFonts, we need to establish the
highest CID in a given CIDFont. If the font has a GlyphDirectory dictionary
the only way to do so is to iterate through the keys to find the highest.
The code handling this ignored that the GlyphDirectory could be an array,
which confused the dictionary content iterator, and caused a segfault.
In the case of an array, set the high CID to the highest index available in the
array.
---
psi/zfcid.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/psi/zfcid.c b/psi/zfcid.c
index ce583af..3098a22 100644
--- a/psi/zfcid.c
+++ b/psi/zfcid.c
@@ -76,15 +76,19 @@ cid_font_data_param(os_ptr op, gs_font_cid_data *pdata, ref *pGlyphDirectory)
* the number of CIDs in the font. We need to know the maximum CID
* when copying fonts, so calculate and store it now.
*/
- index = dict_first(pgdir);
- while (index >= 0) {
- index = dict_next(pgdir, index, (ref *)&element);
- if (index >= 0) {
- if (element[0].value.intval > pdata->MaxCID)
- pdata->MaxCID = element[0].value.intval;
+ if (r_has_type(pgdir, t_dictionary)) {
+ index = dict_first(pgdir);
+ while (index >= 0) {
+ index = dict_next(pgdir, index, (ref *)&element);
+ if (index >= 0) {
+ if (element[0].value.intval > pdata->MaxCID)
+ pdata->MaxCID = element[0].value.intval;
+ }
}
}
-
+ else {
+ pdata->MaxCID = r_size(pgdir) - 1;
+ }
return code;
} else {
return_error(gs_error_typecheck);
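Review bot: The new `else` branch assumes that anything which is not a dictionary is an array and sets `pdata->MaxCID = r_size(pgdir) - 1;` without checking. Suggest testing `r_is_array(pgdir)` explicitly and returning `gs_error_typecheck` for any other type. The empty-array case also needs a decision, since `r_size(pgdir) - 1` then yields -1 or wraps, depending on the type of `MaxCID`.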
--
2.7.4

File diff suppressed because it is too large Load Diff

View File

@ -1,33 +0,0 @@
From a3b95bec1e3e07abdb4b29e3642777d2963fec80 Mon Sep 17 00:00:00 2001
From: "David Kaspar [Dee'Kej]" <dkaspar@redhat.com>
Date: Wed, 27 Sep 2017 12:59:18 +0200
Subject: [PATCH] Resource/Init/Fontmap.GS: Use latest (URW)++ fonts
Taken from ghostscript-9.22 RC1.
---
Resource/Init/Fontmap.GS | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Resource/Init/Fontmap.GS b/Resource/Init/Fontmap.GS
index a9fa335..7770c67 100644
--- a/Resource/Init/Fontmap.GS
+++ b/Resource/Init/Fontmap.GS
@@ -94,13 +94,13 @@
/Courier /NimbusMonoPS-Regular ;
/Courier-Oblique /NimbusMonoPS-Italic ;
/Helvetica-Bold /NimbusSans-Bold ;
-/Helvetica-BoldOblique /NimbusSans-BoldOblique ;
+/Helvetica-BoldOblique /NimbusSans-BoldItalic ;
/Helvetica-Narrow-Bold /NimbusSansNarrow-Bold ;
/Helvetica-Narrow-BoldOblique /NimbusSansNarrow-BdOblique ;
/Helvetica-Narrow /NimbusSansNarrow-Regular ;
/Helvetica-Narrow-Oblique /NimbusSansNarrow-Oblique ;
/Helvetica /NimbusSans-Regular ;
-/Helvetica-Oblique /NimbusSans-Oblique ;
+/Helvetica-Oblique /NimbusSans-Italic ;
/NewCenturySchlbk-Bold /C059-Bold ;
/NewCenturySchlbk-BoldItalic /C059-BdIta ;
/NewCenturySchlbk-Italic /C059-Italic ;
--
2.9.5

View File

@ -1,43 +1,23 @@
%define gs_ver 9.20 %define gs_ver 9.22
%define gs_dot_ver 9.20 %define gs_dot_ver 9.22
%{expand: %%define build_with_freetype %{?_with_freetype:1}%{!?_with_freetype:0}} %{expand: %%define build_with_freetype %{?_with_freetype:1}%{!?_with_freetype:0}}
Summary: A PostScript interpreter and renderer Summary: A PostScript interpreter and renderer
Name: ghostscript Name: ghostscript
Version: %{gs_ver} Version: %{gs_ver}
Release: 14%{?dist} Release: 1%{?dist}
# Included CMap data is Redistributable, no modification permitted, # Included CMap data is Redistributable, no modification permitted,
# see http://bugzilla.redhat.com/487510 # see http://bugzilla.redhat.com/487510
License: AGPLv3+ and Redistributable, no modification permitted License: AGPLv3+ and Redistributable, no modification permitted
URL: http://www.ghostscript.com/ URL: http://www.ghostscript.com/
Group: Applications/Publishing Group: Applications/Publishing
Source0: ghostscript-9.20.tar.xz Source0: ghostscript-9.22.tar.xz
Source1: CIDFnmap Source1: CIDFnmap
Source2: cidfmap Source2: cidfmap
Patch1: ghostscript-9.20-fix-openjpeg-system-build.patch Patch1: ghostscript-9.20-runlibfileifexists.patch
Patch2: ghostscript-9.20-runlibfileifexists.patch Patch2: ghostscript-9.20-run-dvipdf-securely.patch
Patch3: ghostscript-9.20-run-dvipdf-securely.patch
Patch4: ghostscript-9.20-urw-fonts-naming.patch
Patch10: ghostscript-9.20-handle-glyphdirectory-correctly.patch
Patch11: ghostscript-9.20-remove-and-reimplement-ConvertUTF.patch
# Security patches:
Patch5: ghostscript-9.20-cve-2016-7979.patch
Patch6: ghostscript-9.20-cve-2016-7976.patch
Patch7: ghostscript-9.20-cve-2016-7978.patch
Patch8: ghostscript-9.20-cve-2016-8602.patch
Patch9: ghostscript-9.20-cve-2016-7977.patch
Patch12: ghostscript-9.20-cve-2016-9601.patch
Patch13: ghostscript-9.20-cve-2017-7207.patch
Patch14: ghostscript-9.20-cve-2016-10217.patch
Patch15: ghostscript-9.20-cve-2016-10218.patch
Patch16: ghostscript-9.20-cve-2016-10219.patch
Patch17: ghostscript-9.20-cve-2016-10220.patch
Patch18: ghostscript-9.20-cve-2017-5951.patch
Patch19: ghostscript-9.20-cve-2017-8291.patch
Patch20: ghostscript-9.20-cve-2017-7975.patch
Requires: %{name}-core%{?_isa} = %{version}-%{release} Requires: %{name}-core%{?_isa} = %{version}-%{release}
Requires: %{name}-x11%{?_isa} = %{version}-%{release} Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -126,66 +106,12 @@ A GTK-enabled version of Ghostscript, called 'gsx'.
%setup -q -n %{name}-%{gs_ver} %setup -q -n %{name}-%{gs_ver}
rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib cups/libs rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib cups/libs
# Fix building with system's OpenJPEG shared library:
%patch1 -p1
# Fix error when using 'convert' from ImageMagick, and # Fix error when using 'convert' from ImageMagick, and
# make sure the configuration in /etc/ghostscript/Fonts.local is used: # make sure the configuration in /etc/ghostscript/Fonts.local is used:
%patch2 -p1 %patch1 -p1
# Fix some shell scripts # Fix some shell scripts
%patch3 -p1 %patch2 -p1
# Use latest names for new 'urw-base35-fonts' package.
%patch4 -p1
# DSC parser - validate parameters (bug #1382305):
%patch5 -p1
# Add a file permissions callaback (bug #1382294):
%patch6 -p1
# Reference count device icc profile (bug #1382300):
%patch7 -p1
# Check for sufficient params in .sethalftone5 (bug #1383940):
%patch8 -p1
# Honor -dSAFER in .libfile (bug #1380415):
%patch9 -p1
# handle GlyphDirectory as an array (http://bugs.ghostscript.com/show_bug.cgi?id=697286):
%patch10 -p1
# Remove (and re-implement) ConvertUTF.c because of licensing issues (bug #1404933):
%patch11 -p1
# Squash signed/unsigned warnings in MSVC jbig2 build (bug #1410021):
%patch12 -p1
# Check for null-pointer dereference in mem_get_bits_rectangle() (bug #1434497):
%patch13 -p1
# CVE-2016-10217 (bug #1441564):
%patch14 -p1
# CVE-2016-10218 (bug #1441568):
%patch15 -p1
# CVE-2016-10219 (bug #1441569):
%patch16 -p1
# CVE-2016-10220 (bug #1441571):
%patch17 -p1
# CVE-2017-5951 (bug #1441572):
%patch18 -p1
# CVE-2017-8291 (bug #1446063):
%patch19 -p1
# CVE-2017-7975 (bug #1443940):
%patch20 -p1
# Convert manual pages to UTF-8 # Convert manual pages to UTF-8
from8859_1() { from8859_1() {
@ -380,6 +306,9 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/libgs.so %{_libdir}/libgs.so
%changelog %changelog
* Wed Sep 27 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.22-1
- Rebase to latest upstream version (no API/ABI changes according to upstream)
* Wed Sep 27 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-14 * Wed Sep 27 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-14
- Rebuilt with updated 'search path' for fonts (bug #1500105) - Rebuilt with updated 'search path' for fonts (bug #1500105)

View File

@ -1 +1 @@
8f3d383d48da22345937b66b01ab2960 ghostscript-9.20.tar.xz SHA512 (ghostscript-9.22.tar.xz) = 67739ace64090ab1951cba4cb011a5a6829ee60b32ba4157d0f17e744e345ea268335304db6722677ae33565ea5b696c2ff7b889d42a463acf2933c8230523d4