| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug #705834 "stack overflow in psi/idict.c:160 dict_alloc (exploitable)"
This is caused by subsequent calls to .PDFInfo causing the Info
dictionary to end up with circular references as we replace indirect
references with PDF objects.
I'd been meaning for some time to revisit the PostScript code and avoid
calling .PDFInfo multiple times just for performance reasons (we have to
convert the PDF dictionary to a PostScript dictionary every time).
This commit uses the stored PostScript dictionary 'PDFInfo' instead of
calling .PDFInfo which avoids the circular reference and is slightly
more efficient.
|
|
|
|
|
|
|
|
| |
Turns out there are multiple paths to the error label, many of which
occur before the 'info' enumerator is created. Fix this by initialising
the pointer to NULL and then testing to see if it has been created
before calling end_image. If it hasn't then we didn't call begin_image
(or it failed) and so should not call end_image.
|
|
|
|
|
|
| |
The cleanup code was misplaced, because the enumerator finalze resets
the 'dev' member to NULL before we use it. Move the 'tif' cleanup
earlier so we can use the dev member before it is set to NULL.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OSS-fuzz 50779
The gdevp14 device was not calling end_image if an error occurred while
sending an image to the output device. The xpswrite device only cleans
up its TIFF image on receipt of an end_image call, which meant that the
'tiff' member allocated in the image enumerator was never freed.
So start by making the gdevp14 device call end_image if it gets an error
in case any other devices have similar requirements.
For a belt and braces approach, have the xpswrite device's finalize
routine for image enumerators free the tif member if it has been
initialised. To do this we first need to actually initialise it to NULL
on creation of the image enumerator, and set it back to NULL in the
end_image routine when we free it.
|
|
|
|
|
| |
Previously, I changed the wrong macro invocation, this puts that back, and
changes the correct instance to new macro.
|
| |
|
|
|
|
|
|
|
| |
Previously we just stored the offset for the post table, and checked the version
when required to read from it. That can cost considerable time if the post table
version is invalid. So check it up front, and set the offset to zero if the
version is bad.
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug #705828 "stack-overflow in /targets/ghostscript/foo/./pdf/pdf_colour.c:2236 pdfi_create_colorspace_by_array"
The code was reading all the entries in a Range array into a stack
array. But we hadn't validated the maximum number in the array so we
could overrun. Limit the copy to the maximum number required by the
'N' value (which is validated).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OSS-fuzz 50747
The corrupted file has an ObjStm where the value of 'N', the number of
objects in the stream, is corrupted and huge. We read the objects from
a SubFileDecode, so we don't overrun, but we were ignoring the error
return and attempting to read a full 'N' objects.
There's really no point, corrupted ObjStms are more or less irreperable
so if we get an error, just stop.
This doesn't prevent a crash or any other problem, it just means we stop
handling an irreparable file more quickly.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Arising from Bug #705784, if we hadn't built the PDF interpreter we
would get typecheck errors which were somewhat misleading as to the
source of the problem.
This commit tidies up the error handling in the area of .PDFInit so
that we not only detect the problem there but give a warning that it
occurred.
In addition, add a means to detect if the PDF interpreter is built in
before we stat trying to process a PDF file and, if it is not, give
a sensible error message.
Tested with BUILD_PDF 0 and with NEWPDF true and false.
|
|
|
|
|
|
|
|
|
|
| |
Since we've already checked the font and macro ID types are string, coverity
spots that the type checks in the ID accessor macros are redundant.
So, add accessors for when we already know the ID is a string ID.
Secondly, tidy up macro naming, so it's not so easily confused with a variable
or constant value.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Coverity ID #380524
A seg fault can be reproduced on Windows using this PostScript:
(d:\\temp) (w+) .tempfile
The problem occurs because on Windows gp_file_name_is_absolute permits
either '\' or '/' to be used as a separator, but gp_file_name_separator
can (obviously) only return one separator, in this case '/'.
This means the loop stripping the prefix fails to find any separator
and exits with plen = -1, which causes a seg fault in the memcpy below.
The first part of the fix is to check plen and if it's less than 0
exit with an error.
The remainder of the commit changes from using the separator string to
calling gp_file_name_check_separator instead. This has two benefits;
firstly it means that on Windows both separators can be detected,
secondly for OS's where the separator is more than a single byte we can
still detect it, which we could not before.
Ghostscript itself never uses .tempfile with a filename, so this can
only occur with PostScript input.
|
|
|
|
|
|
|
|
|
|
|
| |
We were not using the return value from pdfi_array_get_number(). Since
we're making changes anyway, duplicate the fix in commit
0cbcfd63c0865a8c3a8d9d4bd81ba27cb0432487 to avoid storing the
dereferenced object in the array, in case we end up with a CropBox
where the array contains an indirect reference to the Pages tree.
The earlier commit only updated the array we were using for the canvas
size.
|
|
|
|
|
|
|
|
|
|
|
| |
Bug #785703 "stack overflow in pdf/pdf_loop_detect.c:76 pdfi_loop_detector_check_object (exploitable) "
The file is corrupted in such a way that dereferencing object 6 results
in an indirect reference to object 6.
Add a specific check to the dereference code to compare any resulting
indirect reference with the requested object number, and if they are the
same throw a circular reference error.
|
| |
|
|
|
|
|
|
|
| |
This is exactly the same problem as was fixed in commit
21b9a273b4aa94d88eb0c9731d339af1decce2cc, but that fixed the problem
when called from Ghostscript, this commit does the same for the stand
alone PDF interpreter.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Using the file from OSS-fuzz #47753 and this command line:
-K1048576 -r200x200 -sBandListStorage=memory -dMaxBitmap=0 -dBufferSpace=450k -dMediaPosition=1 -dcupsColorSpace=1 -dSAFER -dNOPAUSE -dBATCH -dNOINTERPOLATE -dNOMEDIAATTRS -sDEVICE=nullpage
Leaked memory due to the array checking of the various Box parameters.
One of the MediaBox entries is an (invalid) indirect reference to the
Pages tree, when we fetched the reference from the array we dereferenced
it and stored the dereferenced value in the MediaBox array, thus
creating a circular reference:
Pages->Page->MediaBox
^ |
|------------
Which meant we never counted down any of the objects in the sequence to
0 and freed them.
Using the 'no_store_R' variant avoids storing the dereferenced object
back to the array. Since we don't need the object, other than to get
its numeric value, this doesn't cost any performance.
|
| |
|
|
|
|
|
|
|
|
|
| |
The pdfi code for reading and using mappings for CIDFonts in cidfmap validated
all the CIDSystemInfo (registry, ordering and supplement) and if any didn't
match, it would reject the mapping.
It turns out that the old code ignored the Supplement value, so the pdfi code
will now, too.
|
|
|
|
|
|
|
|
| |
Don't replace the array entry with the dereferenced object until we
have recursively dereferenced the object. We were storing the value
in the array before fully descending through its contents, which meant
that if we found a circular reference we were 'baking it in' to the
array.
|
| |
|
| |
|
|
|
|
| |
Bug #705777 " stack overflow in psi/idict.c:160 dict_alloc (exploitable)"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug #705776 "stack-overflow in /base/gsmchunk.c:1110:31 in chunk_free_object"
The PixelDifference filter has a memory buffer in the stream state to
hold 'Colors' values, that buffer is hard-coded at 60 values, despite
the fact that, according to the comment in spdiffx.h at line 27 the
value of Colors can be arbitrarily large.
Because the initialisation function doesn't check the value of Colors
we can end up running off the buffer and overwriting memory.
This commit checks the value of Colors and if it exceeds the maximum
value at compile-time returns a rangecheck error.
|
|
|
|
| |
in pdfi_cidtype2_get_glyph_index()
|
|
|
|
|
|
| |
Since mkromfs is only run as part of the build process, and the "leaked" memory
isn't really leaked, the only reason to fix this is so certain sanitizers can
be used without requiring CCFLAGSAUX/LDFLAGSAUX to differ from CFLAGS/LDFLAGS.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When shutting down the device, pdfwrite would flush and close the pipeline
of filters in place for the main output stream. But s_close_filters() would
stop the process if a filter in the pipeline threw an error. As pdfwrite
immediately then closes the ouput file, the ultimate target of the pipeline,
this would then later cause a crash then the garbager attempted to "sweep up"
the errant stream objects. Or, in the non-gc use case, it would cause a
memory leak.
So change s_close_filters() to continue to destroy the filters in the pipeline
even after an error (but strill return the relevant error), meaning the filter
pipelines are always cleaned up, even if one or more filters has an error.
|
|
|
|
|
|
|
| |
Seen with OSS-fuzz #42920, teh nullpage device and Ghostscript (not gpdf)
To gt the reference counting right we need to not count up 'currdict',
but we do need to NULL 'Parent' instead.
|
|
|
|
|
|
|
| |
situations.
Committed upstream:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/37b718d5899bc4a85425fcc548a7636871808f96
|
|
|
|
| |
Bug 705767 "Dereference of free object 41, next object number as offset failed"
|
|
|
|
|
|
|
| |
Bug #705769 "NULL pointer dereference in pdf/pdf_misc.c:110 in pdfi_name"
pdfi_dict_knownget_type returns a typecheck error if the object has the
wrong type. So we need to check for a return code > 0.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 7d6d69ff17c43664482fe0dc34676a46ba551d93 accidentally broke
PSPageOptions with multi-page input, because the array of strings was
freed on every page.
This commit fixes that problem; note you cannot change PSPageOptions
once it has been set, except by restoring back to the point before the
device was opened.
Also the documentation formatting was slightly broken, fix that at the
same time.
|
|
|
|
|
|
| |
for Type 1/2 charstring executaion state stack. The bounds checking macro was
incorrect, and wasn't being used in the minimal CharString interpreter used
by pdfwrite and co.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Exhibited by /tests_private/pdf/sumatra/1348_-_support_Additional_Actions.pdf
The problem can occur if we find either /T or /FT in the current
dictionary but don't find both. In that case we try to find the keys in
any /Parent dictionary. But if the Parent contains *both* keys then it
would replace the stored one found in the earlier dictionary, without
counting it down, leading to a memory leak.
We don't actually use the /T and /FT values which we retrieve, so the
simplest solution is to simply discard them as soon as they are found.
Once we do that, we don't need to count them down on exit any more
either.
|
|
|
|
|
|
|
| |
The file from OSS-fuzz 50321 has an Annotation with a /Parent which is
an integer, this was causing us to count down the reference too many
times and free the object while it was still in the cache, leading to
a seg fault.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Observed with OSS-fuzz 50113 and this command line:
-K1048576 -r200x200 -sBandListStorage=memory -dMaxBitmap=0 -dBufferSpace=450k -dMediaPosition=1 -dcupsColorSpace=1 -dSAFER -dNOPAUSE -dBATCH -dNOINTERPOLATE -dNOMEDIAATTRS -sDEVICE=pdfwrite -sOutputFile=out.pdf
We tried to allocate memory to hold a number of Unicode code points, but
we didn't check to see if the allocation succeeded. In this case it
fails, and we then tried to use the pointer.
Check the allocation and return an error if it fails.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Seen with the file from OSS-fuzz 42916 and :
-K1048576 -r200x200 -sBandListStorage=memory -dMaxBitmap=0 -dBufferSpace=450k -dMediaPosition=1 -dcupsColorSpace=1 -dSAFER -dNOPAUSE -dBATCH -dNOINTERPOLATE -dNOMEDIAATTRS -sDEVICE=pdfwrite -sOutputFile=out.pdf
If we failed to allocate 'map' we would properly free the (already
allocated) pcmap, but we left the pointer pointing at the freed memory.
Later we would free the font, and would then attempt to free the free
memory, and crash.
Fix by setting the returned pointer to NULL.
|
|
|
|
| |
for the git prelease code.
|
| |
|
| |
|
|
|
|
|
| |
Two booleans were initialised with the wrong value which meant some
code could never be executed.
|
|
|
|
|
|
|
|
| |
We can't get to the 'exit' label after we've added the Parent, so
there's no need for the code to remove it again currently.
Explicitly cast the cleartomark to void just to indicate it's
deliberate.
|
|
|
|
| |
Missing stack bounds check
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If left to its defaults, the build system on Unix will assume GNU make, and use
GNU make features to speed up the build process.
configure would check for GNU make for this reason, but wasn't checking if there
was a "make" program available first, leading to a potentiall confusing error
message.
This checks that a "make" program exists, before trying to check it's GNU make.
Secondly, in recognition that some systems (Solaris, for example) have their own
make, but often have GNU make available as "gmake", add a "--with-make=" option
allowing a user to set a custom name for the make executable to look for and
check the version.
|
|
|
|
|
|
| |
Added check to an offset while reading the index header in
xps_count_cff_index. If the offset was read as negative, the function
will return a pointer outside the range of the buffer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The first problem is that the code did not do what the comments said.
We exited the loop searching for T and FT keys as soon as we found
either, and then only checked if we had at least one of the keys.
The comments (and the old PostScript code) say we should not render the
annotation unless both keys are present.
Change the loop and exit conditions to implement this.
The second change is handling the /Parent. If we use a simple dictionary
accessor then the value of the key will be dereferenced and stored in
the dictionary. Fine if the Parent is valid but if the Parent value is
an indirect reference to (eg) the Pages tree, then we will end up
with a circular reference (Pages->Page->annot->Pages) which will leak
memory.
Use more complicated code to access the dictionary without storing the
dereferenced value of /Parent in the dictionary.
|