diff --git a/poppler/Stream.cc b/poppler/Stream.cc index c034cff..f330b7c 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -1708,7 +1708,7 @@ int CCITTFaxStream::lookChar() { // 2-D encoding if (nextLine2D) { - for (i = 0; codingLine[i] < columns; ++i) { + for (i = 0; i < columns && codingLine[i] < columns; ++i) { refLine[i] = codingLine[i]; } refLine[i++] = columns; @@ -1724,7 +1724,7 @@ int CCITTFaxStream::lookChar() { // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible // exception at right edge: // refLine[b1i] = refLine[b1i+1] = columns is possible - while (codingLine[a0i] < columns) { + while (codingLine[a0i] < columns && !err) { code1 = getTwoDimCode(); switch (code1) { case twoDimPass: @@ -1758,49 +1758,109 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } break; case twoDimVertR3: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 3, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertR2: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 2, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertR1: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i] + 1, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVert0: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixels(refLine[b1i], blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { ++b1i; while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL3: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 3, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1811,10 +1871,22 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL2: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 2, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1825,10 +1897,22 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; case twoDimVertL1: + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } addPixelsNeg(refLine[b1i] - 1, blackPixels); blackPixels ^= 1; if (codingLine[a0i] < columns) { @@ -1839,6 +1923,12 @@ int CCITTFaxStream::lookChar() { } while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { b1i += 2; + if (b1i > columns + 1) { + error(errSyntaxError, getPos(), + "Bad 2D code {0:04x} in CCITTFax stream", code1); + err = gTrue; + break; + } } } break; @@ -2022,6 +2112,12 @@ int CCITTFaxStream::lookChar() { outputBits = 0; if (codingLine[a0i] < columns) { ++a0i; + if (a0i > columns) { + error(errSyntaxError, getPos(), + "Bad bits {0:04x} in CCITTFax stream", bits); + err = gTrue; + break; + } outputBits = codingLine[a0i] - codingLine[a0i - 1]; } else if (bits > 0) { buf <<= bits;