OSS-fuzz #58582

The fundamental problem here is that pdfwrite was assuming that the
font WMode could only ever be 0 or 1 (the only two valid values) and so
was using it as a bitfield, shifting and OR'ing it with other values.

The file in this case has a CMap which contains:

    /WMode 8883123282518010140455180910294889 def

which gets clamped to the maximum unsigned integer 0x7fffff.

This led to a non-zero value in the flags to the glyph info code, when
the value *should* have been 0, which caused the graphics library to
take a code path which wasn't valid. This led to us trying to use a
member of a structure whose pointer was NULL.

I can't be certain whether other places in the code use WMode in the
same way, so I've chosen to fix this at several levels.

Firstly, in the code path we shouldn't reach (gs_type42_glyph_info_by_gid)
check the value of pmat before calling gs_default_glyph_info. That code
will try to use the matrix to scale the outline, so if it is NULL then
the result is undefined. This prevents the seg fault.

Secondly, in gdevpdtc.c, scan_cmap_text(), set wmode to be either 0 or
1, to ensure that it does work as a bit, rather than using the integer
value from the font and assuming it will be 0 or 1.

Finally, in the three places in the PDF interpreter where we set the
WMode for the font, check to see if the value is either 0 or 1 and if it
is not, raise a warning and make it 0 or 1.
Previously we just stored the offset for the post table, and checked the version
when required to read from it. That can cost considerable time if the post table
version is invalid. So check it up front, and set the offset to zero if the
version is bad.
The problem here is an (I think) corrupted TrueType font. One of the
glyphs claims to be a component glyph, and the component GID is
larger than the number of glyphs in the font (and so is invalid).

When we copy the font (which we only do with pdfwrite and ps2write) we
try to copy this glyph which is not otherwise used in the document.
As part of trying to copy the glyph we try to get the glyph name for
both the glyph and the components of the glyph.

Normally we walk the font twice, putting the glyph names for each
glyph into the name table on the first pass, and then retrieving them
on the second. Because the component glyph is not valid, we (obviously)
don't find it on the first pass, and don't add it to the name table.
On the second pass we use the glyph ID to try and get the name, but
because we didn't store it on the first pass there is no such name with
that ID, so we get an empty slot back. Which we don't check! We then
try to use it which involves dereferencing a NULL pointer, and we
crash.

This commit checks the GID of the component glyphs and makes sure they
are in the valid range so that (hopefully) this can't happen.

This also checks the name returned from name_index_ref to ensure it is
not an unused name slot, to avoid a crash if we find another route
that fails to return a name. We use this a lot in many places and
it's not obvious which ones are guaranteed safe and which might not be,
so I haven't tried to change the other cases.
If the number of valid elements in the LOCA table is 0, then we exit
with an error, but we need to free the array we used to sort it to
avoid a memory leak.
The test case has a TTF in which the loca size has been set to an enormous value.
While the loca size is a 32 bit unsigned number (so the value in question is
"valid") it should follow a specific relationship with the number of glyphs
that the font contains, and that is an unsigned 16 bit value.

So, we can sanity check the size of the loca table based on that condition.
This may or may not solve the oss-fuzz timeout, but it does improve things
considerably.
Previously, gs_type42_find_post_name() would fall back to ".notdef" if there
was no post table, or the index did not have a matching glyph name in the post
table.
This changes it to return an undefined error instead.
In gs_type42_find_post_name() I'd mistakenly checked for a return code
> 0 for success, rather than >= 0.
Just memset to 0x00, so in the event of an error, we don't later use the memory
uninitialized.
Previously, the code did not differentiate between an empty loca table, a
missing loca table and a broken loca table.

We'll now do so and, in particular, with a broken loca table (in this case,
one with only 1 entry) we'll initialize the single entry to avoid later code
accessing uninitialized memory.
The Coverity report was misleading, and I missed a compiler warning with
commit a34130a136fa.

This resolves the compiler warning, and should keep Coverity happy.
Mistakenly passing a pointer into a macro, rather than the variable.
Make Mac Roman glyph ordering available to 'clients'
(in support of the pdfi branch)
Ensure the GS TTF interpreter is associated with a TTF font before attempting
to retrieve the glyph bounding box. We have to explicitly NULL the FAPI entry
before doing so because, for normal rendering, we'll use the FAPI/Freetype API
(in this case, we want to avoid rendering the glyph).

Fix supplied by Chris Liddell
Fix memory leaks for numerous allocation events.

Error created using:

    MEMENTO_FAILAT=1564 ./membin/gpcl6 -sDEVICE=ppmraw -o /dev/null ./pcl/examples/owl.pcl
gdevkrnlsclass.c Change a while...do into a do...while to see if it
pacifies a 'dereference of NULL pointer' in scanbuild
gsparamx.c Incorrect return code could lead to an earlier error not
being preserved. Fortunately this is currently only called by claptrap.
gsptype1.c remove unnecessary assignments
gssprintf.c " " "
gstype2.c " " "
gstype42.c " " "
gxfill.c " " "
gsptype2.c rejig the code to avoid setting a return code that isn't used.
Add a check on a return code that was missing.
gxchar.c add return code checking
gxcmap.c " " " "
Also update copyright dates.
Remove gs_cmdl.ps as we no longer use it, and remove its entry from
psfiles.htm.
Remove xfonts.htm as this feature (xfont support) is long, long gone.
Bug #697627 "IO in gs_notify_all function"

The bug title is a misnomer; the actual problem is that we have a badly
corrupted font which appears to have 2 GSUB tables. This causes us to
allocate two chunks of memory to hold the tables, losing the original
reference when we allocate the second, and also to register the font
to have the GSUB table released twice.

Trying to release the same memory twice leads to us trying to access
invalid memory, and therefore to a seg fault.

So if we find we have a GSUB, and we've already allocated memory for a
GSUB table, just throw an error.

Chris thinks it may be possible to legally have multiple GSUB tables; if
we ever find such a thing we'll have to rethink this.
We weren't applying vertical glyph substitution (from the gsub table).
This font contains a composite glyph that references itself, resulting in
infinite recursion when we try to retrieve the metrics for the glyph.
Add a check for this (trivial) case.
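Several of the commits above share one theme: a value parsed from untrusted font or CMap data (the WMode integer, the loca table length, a composite glyph's component GID, a composite glyph that references itself) is used to drive control flow before it has been checked against the range the format actually allows. The block below is an added example, not Ghostscript's code: it shows the four checks in a self-contained form over a constructed toy font structure (`font_t`, `check_font`, `normalize_wmode` and the sample fonts are all assumptions of this example, as are the choice of 0 as the fallback WMode, the 3-byte loca padding tolerance and the composite nesting bound).

```c
/* Added example, not Ghostscript's code: sanity checks on values parsed from
 * untrusted font and CMap data before they drive control flow. The font_t
 * layout and all sample fonts below are constructed for this illustration. */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_GLYPHS 8            /* toy limit so the visited array can live on the stack */
#define MAX_COMPOSITE_DEPTH 16  /* assumed nesting bound; real fonts nest a few levels */

typedef struct {
    uint16_t num_glyphs;        /* from the maxp table: a 16-bit value, so at most 65535 */
    uint32_t loca_len;          /* byte length of the loca table as read from the directory */
    bool     long_offsets;      /* head.indexToLocFormat: false = 2-byte entries, true = 4-byte */
    /* per-glyph component GID list terminated by -1; NULL means a simple glyph */
    const int32_t *components[MAX_GLYPHS];
} font_t;

enum { FONT_OK = 0, FONT_BAD_LOCA = 1, FONT_BAD_GLYPH_REF = 2, FONT_TOO_BIG = 3 };

/* WMode: only 0 and 1 are valid. */
bool wmode_is_valid(long long raw)
{
    return raw == 0 || raw == 1;
}

/* Anything else is reported and replaced by 0 (this example's choice), so
 * later code may use the result as a single bit instead of trusting the raw
 * integer that came out of the CMap. */
int normalize_wmode(long long raw, bool *warned)
{
    if (wmode_is_valid(raw)) {
        if (warned) *warned = false;
        return (int)raw;
    }
    fprintf(stderr, "warning: invalid WMode %lld, using 0\n", raw);
    if (warned) *warned = true;
    return 0;
}

/* loca must hold num_glyphs + 1 entries of 2 or 4 bytes each. A 32-bit table
 * length that does not fit that relationship is rejected before any sort or
 * scan of its entries happens; up to 3 bytes of alignment padding are
 * tolerated (an assumption of this example). */
bool loca_size_ok(const font_t *f)
{
    uint32_t entry = f->long_offsets ? 4u : 2u;
    uint32_t expected = ((uint32_t)f->num_glyphs + 1u) * entry;  /* <= 65536*4, fits in 32 bits */
    return f->loca_len >= expected && f->loca_len - expected < 4u;
}

/* Walk a glyph's components: every GID must be below num_glyphs, and a glyph
 * must not reference itself, directly or through other composites. `visiting`
 * marks glyphs on the current path, so shared components are fine but cycles
 * are rejected; the depth bound is an independent second guard. */
static bool composite_ok(const font_t *f, int32_t gid, uint8_t *visiting, int depth)
{
    if (gid < 0 || gid >= f->num_glyphs) return false;  /* component GID out of range */
    if (depth > MAX_COMPOSITE_DEPTH) return false;
    if (visiting[gid]) return false;                    /* cycle: glyph references itself */
    visiting[gid] = 1;
    bool ok = true;
    const int32_t *c = f->components[gid];
    for (; ok && c && *c >= 0; ++c)
        ok = composite_ok(f, *c, visiting, depth + 1);
    visiting[gid] = 0;
    return ok;
}

int check_font(const font_t *f)
{
    if (f->num_glyphs > MAX_GLYPHS) return FONT_TOO_BIG;  /* toy limit only */
    if (!loca_size_ok(f)) return FONT_BAD_LOCA;
    uint8_t visiting[MAX_GLYPHS] = {0};
    for (int32_t g = 0; g < f->num_glyphs; ++g)
        if (!composite_ok(f, g, visiting, 0)) return FONT_BAD_GLYPH_REF;
    return FONT_OK;
}

/* Constructed sample fonts: 4 glyphs, short loca offsets, so loca must be 10 bytes. */
static const int32_t comp_1_2[]  = {1, 2, -1};
static const int32_t comp_1_9[]  = {1, 9, -1};  /* 9 >= num_glyphs: invalid component */
static const int32_t comp_self[] = {2, -1};     /* glyph 2 referencing itself */

const font_t font_good      = {4, 10u, false, {NULL, NULL, NULL, comp_1_2}};
const font_t font_bad_comp  = {4, 10u, false, {NULL, NULL, NULL, comp_1_9}};
const font_t font_self_ref  = {4, 10u, false, {NULL, NULL, comp_self, NULL}};
const font_t font_huge_loca = {4, 0xFFFFFFF0u, false, {NULL, NULL, NULL, NULL}};

int main(void)
{
    bool warned;
    printf("WMode 0x7fffff -> %d\n", normalize_wmode(0x7fffffLL, &warned));
    printf("good font:      %d\n", check_font(&font_good));       /* 0 */
    printf("bad component:  %d\n", check_font(&font_bad_comp));   /* 2 */
    printf("self reference: %d\n", check_font(&font_self_ref));   /* 2 */
    printf("huge loca:      %d\n", check_font(&font_huge_loca));  /* 1 */
    return 0;
}
```

The point of checking at parse time is that every later consumer (the glyph name walk, the metrics lookup, the pdfwrite flag computation) can rely on the invariant instead of each one rediscovering the bad value, which is the same layered approach the WMode commit describes.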
The update to Freetype removed a bounds check in the Freetype code when the
incremental API is in use (leaving it up to the caller to validate the glyph
index). This adds that bounds check to our glyph data callback.

As part of that, return the trueNumGlyphs and numGlyphs variables in the
Ghostscript type 42 font structure to their (apparent) original intent:
trueNumGlyphs is the value read from the maxp table, whilst numGlyphs is a value
derived from the size of the loca table (see the bug for a fuller explanation).
Change how gstate initialisation is done:

Previously we relied on the imager state being a subset of the gstate (thus
assigning an imager state to a graphics state overwrote the entries
common to both, and didn't overwrite any already set graphics state specific
entries).
Making the imager and graphics states the same means that approach doesn't work,
so this changes it to initialise the entries individually.

Renames gsistate.c->gsgstate.c and gxistate.h->gxgstate.h

Cleanup and fix the gs_state gc stuff.

Uses different check for pre/post clist pdf14 device

Previously, the code used "is_gstate" in the imager/graphics state object
to determine if the code was being called pre or post clist (post clist would
only ever have had an imager_state so is_gstate = false).
With no imager state any more, that test would no longer work (and I am dubious
about whether it was really safe, anyway). Other places check for the presence
of a clist reader device in the pdf14 device structure, so use that here
too.

Adds initial (NULL) value for show_gstate pointer in gs_state.

Removes the now pointless macro for the contents of the graphics state

Changes function names that had "imager" to use "gstate"

Removes the redundant 'is_state' flag

Cleans up gs_(g)state_putdeviceparams():

Previously we had two similar routines: one took a graphics state, and used the
device from the graphics state, the other took an imager state and the device
as an explicit parameter.
With the removal of the imager state, "merge" those two functions

Replaces gs_state with gs_gstate

It makes for less confusion as it really is a g(raphics)state
Always include windows_.h first, wherever we include it.
This gets the windows definition of 'bool' in, and we can then
override it with our own.
Support in Ghostscript is implemented by augmenting the TrueType handling in
the Postscript world. Loading WOFF fonts "stripped" is not supported, except
for the purpose of finding the font name from the name table.

There is also a C implementation in the graphics library which takes a memory
buffer or a stream, and unpacks the WOFF into a TTF in a memory buffer. It
is currently not called.
Bug #696174 "Error: /invalidfont in --show--"

The problem occurs because the embedded type 42 fonts don't include a
Copyright entry in the names table. When copying fonts, we try to copy the
copyright information, and it fails which results in an invalid font error.

Clearly we want to copy the information if it's present, but its absence
shouldn't be regarded as an error, so this commit simply ignores the return
value when we try to copy the copyright information.
Squashed into one commit (see branch for details of the evolution of the
branch).

This brings gpcl6 and gxps into the Ghostscript build system, and a shared
set of graphics library object files for all the interpreters.

Also, brings the same configuration options to the pcl and xps products as we
have for Ghostscript.