You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pdfbox.apache.org by he...@apache.org on 2018/02/06 18:18:19 UTC
[1/3] pdfbox-jbig2 git commit: Fix PDFBOX-4014 by adding additional
terminating conditions
Repository: pdfbox-jbig2
Updated Branches:
refs/heads/master 4713f7f34 -> ec61cccc2
Fix PDFBOX-4014 by adding additional terminating conditions
Project: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/repo
Commit: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/commit/f5daacc4
Tree: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/tree/f5daacc4
Diff: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/diff/f5daacc4
Branch: refs/heads/master
Commit: f5daacc4417825f334032a495f10fa42e3d55e71
Parents: 6d652bf
Author: Jörg Henne <j....@levigo.de>
Authored: Thu Nov 16 13:32:38 2017 +0100
Committer: Jörg Henne <j....@levigo.de>
Committed: Thu Nov 16 13:32:38 2017 +0100
----------------------------------------------------------------------
.../pdfbox/jbig2/segments/SymbolDictionary.java | 36 ++++++++++++--------
.../pdfbox/jbig2/segments/TextRegion.java | 12 +++++--
2 files changed, 30 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/blob/f5daacc4/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java b/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
index a3a6394..4170ff1 100644
--- a/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
+++ b/src/main/java/org/apache/pdfbox/jbig2/segments/SymbolDictionary.java
@@ -73,7 +73,7 @@ public class SymbolDictionary implements Dictionary {
private int amountOfExportSymbolss;
/** Number of new symbols, 7.4.2.1.5 */
- private int amountOfNewSymbolss;
+ private int amountOfNewSymbols;
/** Further parameters */
private SegmentHeader segmentHeader;
@@ -114,7 +114,7 @@ public class SymbolDictionary implements Dictionary {
public SymbolDictionary() {
}
- public SymbolDictionary(SubInputStream subInputStream, SegmentHeader segmentHeader) throws IOException {
+ public SymbolDictionary(final SubInputStream subInputStream, final SegmentHeader segmentHeader) throws IOException {
this.subInputStream = subInputStream;
this.segmentHeader = segmentHeader;
}
@@ -231,7 +231,7 @@ public class SymbolDictionary implements Dictionary {
}
private void readAmountOfNewSymbols() throws IOException {
- amountOfNewSymbolss = (int) subInputStream.readBits(32); // & 0xffffffff;
+ amountOfNewSymbols = (int) subInputStream.readBits(32); // & 0xffffffff;
}
private void setInSyms() throws IOException, InvalidHeaderValueException, IntegerMaxValueException {
@@ -328,12 +328,12 @@ public class SymbolDictionary implements Dictionary {
}
/* 6.5.5 1) */
- newSymbols = new Bitmap[amountOfNewSymbolss];
+ newSymbols = new Bitmap[amountOfNewSymbols];
/* 6.5.5 2) */
int[] newSymbolsWidths = null;
if (isHuffmanEncoded && !useRefinementAggregation) {
- newSymbolsWidths = new int[amountOfNewSymbolss];
+ newSymbolsWidths = new int[amountOfNewSymbols];
}
setSymbolsArray();
@@ -343,7 +343,7 @@ public class SymbolDictionary implements Dictionary {
amountOfDecodedSymbols = 0;
/* 6.5.5 4 a) */
- while (amountOfDecodedSymbols != amountOfNewSymbolss) {
+ while (amountOfDecodedSymbols < amountOfNewSymbols) {
/* 6.5.5 4 b) */
heightClassHeight += decodeHeightClassDeltaHeight();
@@ -358,9 +358,15 @@ public class SymbolDictionary implements Dictionary {
/* 4 c) i) */
final long differenceWidth = decodeDifferenceWidth();
- // If result is OOB, then all the symbols in this height
- // class has been decoded; proceed to step 4 d)
- if (differenceWidth == Long.MAX_VALUE) {
+ /*
+ * If result is OOB, then all the symbols in this height
+ * class has been decoded; proceed to step 4 d). Also exit, if the expected number of
+ * symbols have been decoded.
+ *
+ * The latter exit condition guards against pathological cases where a symbol's
+ * DW never contains OOB and thus never terminates.
+ */
+ if (differenceWidth == Long.MAX_VALUE || amountOfDecodedSymbols >= amountOfNewSymbols) {
break;
}
@@ -711,10 +717,10 @@ public class SymbolDictionary implements Dictionary {
}
}
- private void setExportedSymbols(int[] toExportFlags) {
+ private void setExportedSymbols(final int[] toExportFlags) {
exportSymbols = new ArrayList<Bitmap>(amountOfExportSymbolss);
- for (int i = 0; i < amountOfImportedSymbolss + amountOfNewSymbolss; i++) {
+ for (int i = 0; i < amountOfImportedSymbolss + amountOfNewSymbols; i++) {
if (toExportFlags[i] == 1) {
if (i < amountOfImportedSymbolss) {
@@ -729,9 +735,9 @@ public class SymbolDictionary implements Dictionary {
private int[] getToExportFlags() throws IOException, InvalidHeaderValueException {
int currentExportFlag = 0;
long exRunLength = 0;
- final int[] exportFlags = new int[amountOfImportedSymbolss + amountOfNewSymbolss];
+ final int[] exportFlags = new int[amountOfImportedSymbolss + amountOfNewSymbols];
- for (int exportIndex = 0; exportIndex < amountOfImportedSymbolss + amountOfNewSymbolss; exportIndex += exRunLength) {
+ for (int exportIndex = 0; exportIndex < amountOfImportedSymbolss + amountOfNewSymbols; exportIndex += exRunLength) {
if (isHuffmanEncoded) {
exRunLength = StandardTables.getTable(1).decode(subInputStream);
@@ -776,9 +782,9 @@ public class SymbolDictionary implements Dictionary {
*/
private int getSbSymCodeLen() throws IOException {
if (isHuffmanEncoded) {
- return Math.max((int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbolss) / Math.log(2))), 1);
+ return Math.max((int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbols) / Math.log(2))), 1);
} else {
- return (int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbolss) / Math.log(2)));
+ return (int) (Math.ceil(Math.log(amountOfImportedSymbolss + amountOfNewSymbols) / Math.log(2)));
}
}
http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/blob/f5daacc4/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
index 797729c..0e11bc8 100644
--- a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
+++ b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
@@ -420,11 +420,17 @@ public class TextRegion implements Region {
} else {
/* 6.4.8 */
final long idS = decodeIdS();
- /*
+
+ /*
* If result is OOB, then all the symbol instances in this strip have been decoded;
- * proceed to step 3 d) respectively 3 b)
+ * proceed to step 3 d) respectively 3 b). Also exit, if the expected number of
+ * instances have been decoded.
+ *
+ * The latter exit condition guards against pathological cases where a strip's
+ * S never contains OOB and thus never terminates as illustrated in
+ * https://bugs.chromium.org/p/chromium/issues/detail?id=450971 case pdfium-loop2.pdf.
*/
- if (idS == Long.MAX_VALUE)
+ if (idS == Long.MAX_VALUE || instanceCounter >= amountOfSymbolInstances)
break;
currentS += (idS + sbdsOffset);
[2/3] pdfbox-jbig2 git commit: Add sanity check for TextRegion with
excessive number of symbols
Posted by he...@apache.org.
Add sanity check for TextRegion with excessive number of symbols
Project: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/repo
Commit: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/commit/7f01e34a
Tree: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/tree/7f01e34a
Diff: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/diff/7f01e34a
Branch: refs/heads/master
Commit: 7f01e34a262c7786bced310e58bf54e1d4d12aaf
Parents: f5daacc
Author: Jörg Henne <j....@levigo.de>
Authored: Wed Jan 3 00:06:00 2018 +0100
Committer: Jörg Henne <j....@levigo.de>
Committed: Wed Jan 3 00:06:00 2018 +0100
----------------------------------------------------------------------
.../pdfbox/jbig2/segments/TextRegion.java | 21 +++++++++++++-------
1 file changed, 14 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/blob/7f01e34a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
index 0e11bc8..200b036 100644
--- a/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
+++ b/src/main/java/org/apache/pdfbox/jbig2/segments/TextRegion.java
@@ -32,8 +32,8 @@ import org.apache.pdfbox.jbig2.decoder.arithmetic.CX;
import org.apache.pdfbox.jbig2.decoder.huffman.EncodedTable;
import org.apache.pdfbox.jbig2.decoder.huffman.FixedSizeTable;
import org.apache.pdfbox.jbig2.decoder.huffman.HuffmanTable;
-import org.apache.pdfbox.jbig2.decoder.huffman.StandardTables;
import org.apache.pdfbox.jbig2.decoder.huffman.HuffmanTable.Code;
+import org.apache.pdfbox.jbig2.decoder.huffman.StandardTables;
import org.apache.pdfbox.jbig2.err.IntegerMaxValueException;
import org.apache.pdfbox.jbig2.err.InvalidHeaderValueException;
import org.apache.pdfbox.jbig2.image.Bitmaps;
@@ -239,6 +239,14 @@ public class TextRegion implements Region {
private void readAmountOfSymbolInstances() throws IOException {
amountOfSymbolInstances = subInputStream.readBits(32) & 0xffffffff;
+
+ // sanity check: don't decode more than one symbol per pixel
+ long pixels = (long) regionInfo.getBitmapWidth() * (long) regionInfo.getBitmapHeight();
+ if (pixels < amountOfSymbolInstances) {
+ log.warn("Limiting number of decoded symbol instances to one per pixel (" + pixels + " instead of "
+ + amountOfSymbolInstances + ")");
+ amountOfSymbolInstances = pixels;
+ }
}
private void getSymbols() throws IOException, IntegerMaxValueException, InvalidHeaderValueException {
@@ -394,7 +402,7 @@ public class TextRegion implements Region {
/* Last two sentences of 6.4.5 2) */
long firstS = 0;
- int instanceCounter = 0;
+ long instanceCounter = 0;
/* 6.4.5 3 a) */
while (instanceCounter < amountOfSymbolInstances) {
@@ -422,12 +430,11 @@ public class TextRegion implements Region {
final long idS = decodeIdS();
/*
- * If result is OOB, then all the symbol instances in this strip have been decoded;
- * proceed to step 3 d) respectively 3 b). Also exit, if the expected number of
- * instances have been decoded.
+ * If result is OOB, then all the symbol instances in this strip have been decoded; proceed to step
+ * 3 d) respectively 3 b). Also exit, if the expected number of instances have been decoded.
*
- * The latter exit condition guards against pathological cases where a strip's
- * S never contains OOB and thus never terminates as illustrated in
+ * The latter exit condition guards against pathological cases where a strip's S never contains OOB
+ * and thus never terminates as illustrated in
* https://bugs.chromium.org/p/chromium/issues/detail?id=450971 case pdfium-loop2.pdf.
*/
if (idS == Long.MAX_VALUE || instanceCounter >= amountOfSymbolInstances)
[3/3] pdfbox-jbig2 git commit: Merge branch
'bugfix/PDFBOX-4014_Malformed_pathological_malicious_input_can_lead_to_infinite_looping'
Posted by he...@apache.org.
Merge branch 'bugfix/PDFBOX-4014_Malformed_pathological_malicious_input_can_lead_to_infinite_looping'
Project: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/repo
Commit: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/commit/ec61cccc
Tree: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/tree/ec61cccc
Diff: http://git-wip-us.apache.org/repos/asf/pdfbox-jbig2/diff/ec61cccc
Branch: refs/heads/master
Commit: ec61cccc23850853662cd674192fe58830ad4401
Parents: 4713f7f 7f01e34
Author: Jörg Henne <j....@levigo.de>
Authored: Tue Feb 6 19:14:49 2018 +0100
Committer: Jörg Henne <j....@levigo.de>
Committed: Tue Feb 6 19:14:49 2018 +0100
----------------------------------------------------------------------
.../pdfbox/jbig2/segments/SymbolDictionary.java | 36 ++++++++++++--------
.../pdfbox/jbig2/segments/TextRegion.java | 25 ++++++++++----
2 files changed, 40 insertions(+), 21 deletions(-)
----------------------------------------------------------------------