diff --git a/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch b/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch deleted file mode 100644 index 78b264dd11f67a82ad95d185d12a30ed8b16f1e8..0000000000000000000000000000000000000000 --- a/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch +++ /dev/null @@ -1,44 +0,0 @@ -From efd0b47fe66a99097e200d76be1a4846ae2ef692 Mon Sep 17 00:00:00 2001 -From: Shailesh Mistry -Date: Wed, 6 May 2020 18:01:07 +0100 -Subject: [PATCH] Bug 697545 : Prevent memory leak in gx_path_assign_free. - -Prevent memory leak by freeing path on all errors. - -Error created using :- -MEMENTO_FAILAT=16246 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5cfts/fts.2120 ---- - base/gxpath.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/base/gxpath.c b/base/gxpath.c -index 4593d67..ffdea76 100644 ---- a/base/gxpath.c -+++ b/base/gxpath.c -@@ -323,6 +323,7 @@ gx_path_assign_preserve(gx_path * ppto, gx_path * ppfrom) - int - gx_path_assign_free(gx_path * ppto, gx_path * ppfrom) - { -+ int code = 0; - /* - * Detect the special case where both paths have non-shared local - * segments, since we can avoid allocating new segments in this case. -@@ -349,13 +350,10 @@ gx_path_assign_free(gx_path * ppto, gx_path * ppfrom) - #undef tosegs - } else { - /* In all other cases, just do assign + free. */ -- int code = gx_path_assign_preserve(ppto, ppfrom); -- -- if (code < 0) -- return code; -+ code = gx_path_assign_preserve(ppto, ppfrom); - } - gx_path_free(ppfrom, "gx_path_assign_free"); -- return 0; -+ return code; - } - - /* --- -1.8.3.1 - diff --git a/Bug-697545-Prevent-numerous-memory-leaks.patch b/Bug-697545-Prevent-numerous-memory-leaks.patch deleted file mode 100644 index 314379c0ff122900d69e97a95d364e543afee49a..0000000000000000000000000000000000000000 --- a/Bug-697545-Prevent-numerous-memory-leaks.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 9e553991e4c99814eb342d83b4fb42b5af457390 Mon Sep 17 00:00:00 2001 -From: Shailesh Mistry -Date: Fri, 8 May 2020 21:50:30 +0100 -Subject: [PATCH] Bug 697545 : Prevent numerous memory leaks. - -Prevent memory leaks by propagating error codes and freeing loose objects. - -Also resolve some compiler warnings. - -Error created using :- -EMENTO_FAILAT=19484 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5efts/fts.0051 ---- - base/gscspace.c | 11 +++++++---- - base/gxclrast.c | 10 ++++++++-- - base/gxcpath.c | 4 +++- - 3 files changed, 18 insertions(+), 7 deletions(-) - -diff --git a/base/gscspace.c b/base/gscspace.c -index aa3e3cf..f00bdba 100644 ---- a/base/gscspace.c -+++ b/base/gscspace.c -@@ -329,8 +329,11 @@ gx_install_DeviceGray(gs_color_space * pcs, gs_gstate * pgs) - return 0; - - /* If we haven't initialised the iccmanager, do it now. */ -- if (pgs->icc_manager->default_gray == NULL) -- gsicc_init_iccmanager(pgs); -+ if (pgs->icc_manager->default_gray == NULL) { -+ int code = gsicc_init_iccmanager(pgs); -+ if (code < 0) -+ return code; -+ } - - /* pcs takes a reference to the default_gray profile data */ - pcs->cmm_icc_profile_data = pgs->icc_manager->default_gray; -@@ -677,7 +680,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs) - } - - if_debug1m(gs_debug_flag_overprint, pgs->memory, -- "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", drawn_comps); -+ "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", (uint)drawn_comps); - - if (drawn_comps == 0) - return gx_spot_colors_set_overprint(pcs, pgs); -@@ -760,7 +763,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs) - - if_debug2m(gs_debug_flag_overprint, pgs->memory, - "[overprint] gx_set_overprint_cmyk. retain_any_comps = %d, drawn_comps = 0x%x\n", -- params.retain_any_comps, params.drawn_comps); -+ params.retain_any_comps, (uint)(params.drawn_comps)); - - /* We are in CMYK, the profiles match and overprint is true. Set effective - overprint mode to overprint mode but only if effective has not already -diff --git a/base/gxclrast.c b/base/gxclrast.c -index 4e75d3e..65df9bd 100644 ---- a/base/gxclrast.c -+++ b/base/gxclrast.c -@@ -612,6 +612,8 @@ in: /* Initialize for a new page. */ - memset(&gs_gstate, 0, sizeof(gs_gstate)); - GS_STATE_INIT_VALUES_CLIST((&gs_gstate)); - code = gs_gstate_initialize(&gs_gstate, mem); -+ if (code < 0) -+ goto out; - gs_gstate.device = tdev; - gs_gstate.view_clip = NULL; /* Avoid issues in pdf14 fill stroke */ - gs_gstate.clip_path = &clip_path; -@@ -620,7 +622,9 @@ in: /* Initialize for a new page. */ - code = gs_note_error(gs_error_VMerror); - goto out; - } -- pcs->type->install_cspace(pcs, &gs_gstate); -+ code = pcs->type->install_cspace(pcs, &gs_gstate); -+ if (code < 0) -+ goto out; - gs_gstate.color[0].color_space = pcs; - rc_increment_cs(pcs); - gs_gstate.color[1].color_space = pcs; -@@ -2383,6 +2387,8 @@ idata: data_size = 0; - if (code < 0) { - if (pfs.dev != NULL) - term_patch_fill_state(&pfs); -+ gs_free_object(mem, pcs, "clist_playback_band(pcs)"); -+ gs_free_object(mem, cbuf_storage, "clist_playback_band(cbuf_storage)"); - gx_cpath_free(&clip_path, "clist_playback_band"); - if (pcpath != &clip_path) - gx_cpath_free(pcpath, "clist_playback_band"); -diff --git a/base/gxcpath.c b/base/gxcpath.c -index d9518b8..082c389 100644 ---- a/base/gxcpath.c -+++ b/base/gxcpath.c -@@ -403,8 +403,10 @@ gx_cpath_path_list_new(gs_memory_t *mem, gx_clip_path *pcpath, int rule, - rc_init_free(pcplist, mem, 1, rc_free_cpath_path_list); - if (pcpath!=NULL && !pcpath->path_valid) { - code = gx_path_init_contained_shared(&pcplist->path, NULL, mem, cname); -- if (code < 0) -+ if (code < 0) { -+ gs_free_object(mem, pcplist, "gx_cpath_path_list_new"); - return code; -+ } - code = gx_cpath_to_path(pcpath, &pcplist->path); - } else { - gx_path_init_local(&pcplist->path, mem); --- -1.8.3.1 - diff --git a/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch b/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch deleted file mode 100644 index 74ebfad738726c906e96773444c4c457034ccbb6..0000000000000000000000000000000000000000 --- a/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ea9b3a676a516a603fabb593085d14a67356db6f Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Thu, 17 Oct 2019 01:48:00 +0200 -Subject: [PATCH] Bug 701721: jbig2dec: Fix under/overflow handling in - arithmetic integer decoder. - -The previous detection logic caused GCC's -Wlogical-op to trip. -Not only that, but the detection logic never took into account -that underflow is not possible (the worst case is V == INT32_MIN, -but offset is always > 0, so underflow cannot happen), nor take -varying offset values into account (hardcoded limits meant that -the offset was ignored even if it could not cause an overflow), -but instead could cause non-clamped values to be emitted. - -This corrected logic adheres to the Annex A. Table A.1 in the specification. ---- - jbig2dec/jbig2_arith_int.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c -index 7ad47ad..20b62df 100644 ---- a/jbig2dec/jbig2_arith_int.c -+++ b/jbig2dec/jbig2_arith_int.c -@@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a - V = (V << 1) | bit; - } - -- /* make sure not to underflow/overflow 32 bit value */ -- if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436) -+ /* offset is always >=0, so underflow can't happen. */ -+ /* avoid overflow by clamping 32 bit value. */ -+ if (V > INT32_MAX - offset) -+ V = INT32_MAX; -+ else - V += offset; - V = S ? -V : V; - *p_result = V; --- -1.8.3.1 - diff --git a/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch b/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch deleted file mode 100644 index 6d989343fc9944a04da7d5fb03cb291da703b9ad..0000000000000000000000000000000000000000 --- a/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch +++ /dev/null @@ -1,122 +0,0 @@ -From 9dc0eb31d79bf819c97420aaf2f6fc5cf3a52c10 Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Wed, 18 Mar 2020 15:11:01 +0000 -Subject: [PATCH] Bug 702196: Fix incorrect detection of "thin" lines while - stroking. - -When stroking lines, we spot whether a line is 'thin' (i.e. the -perpendicular width of the line is less than 1 pixel), and handle -those cases specially by using custom 'thin line' routines. This -gives more pleasing results than slavishly following the 'any part -of a pixel' rule. - -The current code makes this determination in 2 places. Firstly, -we calculate 'always_thin', by scaling the perpendicular vector -and seeing if all possible lines will be 'thin'. Secondly, in -the case when we aren't 'always_thin', we calculate it for each -line segment in turn by calling 'width_is_thin'. - -Unfortunately, the threshold used for the simple early rejection -test in 'width_is_thin' is wrong. Rather than checking against -0.5, we should be checking against sqrt(1/8). This causes lines -near 45 degrees to be improperly treated as thin. This is a -simple fix. - -This gives lots of progressions - so many that you wonder how we -never spotted this before. - -Unfortunately, buried in these progressions, there are a few files -which, while improved, are still imperfect. - -In some files, that use 'non-uniform' scales, (such as -(53 0 0 21 0 0 )) a stroke of constant width can 'pop' between -thick and thin as we move around the path; a near vertical -line segment may be thin, whereas a near horizontal line segment -might be thick due to the difference in scale. This is visually -jarring. - -To fix this, therefore, we'd need to modify the width_is_thin -testing in non-uniform cases, so that it gives us the same results -all the way around. Doing this would be complex, and ultimately -actually ends up equivalent to us just relying on "always_thin" -(with the exception of strictly vertical and horizontal line -segements). We therefore disable the non-orthogonal test in -'width_is_thin' entirely. ---- - base/gxstroke.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 47 insertions(+), 5 deletions(-) - -diff --git a/base/gxstroke.c b/base/gxstroke.c -index 52c1543..399c914 100644 ---- a/base/gxstroke.c -+++ b/base/gxstroke.c -@@ -1093,12 +1093,51 @@ width_is_thin(pl_ptr plp) - if ((dx = plp->vector.x) == 0) - return any_abs(wx) < fixed_half; - -- /* -- * If both horizontal and vertical widths are less than -- * 0.5, the line is thin. -+ /* For the longest time, we used to have a test here that -+ * attempted to trivially accept diagonal lines as being -+ * thin based on the components of the perpendicular -+ * width vector in device space as both being less than 0.5. -+ * Bug 702196 showed some examples where this was clearly -+ * wrong. -+ * -+ * The cause for this bug was that the 0.5 figure was wrong. -+ * For the point to be less than 1/2 a pixel perpendicular -+ * distant from the line, we'd need x^2 + y^2 < .5^2. -+ * For a 45 degree line, that'd be 2(x^2) < 1/4 = x^2 < 1/8 -+ * or x < sqr(1/8). 45 degree line is the "worst case", so -+ * if both horizontal and vertical widths are less than -+ * sqr(1/8), the line is thin. sqr(1/8) = 0.35355339059. -+ * So, we should be using sqr(1/8) rather than 0.5. -+ * -+ * Fixing this did indeed produce many many progressions, -+ * but left just the odd file still showing problems. -+ * -+ * Further investigations show that those cases were due to -+ * the use of "non-uniform" scaling matrices, for example -+ * (83 0 0 51 0 0). With such matrices, it's possible for -+ * nearly horizontal lines to be thin, but nearly vertical -+ * ones to be thick (or vice versa). Having the style of -+ * line "pop" between thick and thin in a single stroke -+ * looks very noticeable. -+ * -+ * We could change the trivial optimisation below to only -+ * apply in the 'uniform' case, but that would never actually -+ * trigger (as tested on the cluster), because all such -+ * cases are caught by the "always_thin" condition in the -+ * caller. -+ * -+ * Just removing the trivial test and leaving the 'complicated' -+ * test below us would leave us vulnerable to "popping", -+ * so we disable both. In practice this makes no difference -+ * to the number of tests showing diffs in the cluster. - */ -- if (any_abs(wx) < fixed_half && any_abs(wy) < fixed_half) -- return true; -+#if 0 /* DISABLED TEST, see above */ -+ { -+ /* thin_threshold = fixed sqr(1/8) - see above. */ -+ const fixed thin_threshold = float2fixed(0.35355339059f); -+ if (any_abs(wx) < thin_threshold && any_abs(wy) < thin_threshold) -+ return true; -+ } - - /* - * We have to do this the hard way, by actually computing the -@@ -1116,6 +1155,9 @@ width_is_thin(pl_ptr plp) - /* so we don't need to do any de-scaling for the test. */ - return fabs(num) < denom * 0.5; - } -+#else -+ return false; -+#endif - } - - /* Adjust the endpoints and width of a stroke segment along a specified axis */ --- -1.8.3.1 - diff --git a/Bug-702320-Valgrind-complains-about-UMR.patch b/Bug-702320-Valgrind-complains-about-UMR.patch deleted file mode 100644 index 3fa2cdfa7187b3ff4d8c59872b658b0600d4a0ca..0000000000000000000000000000000000000000 --- a/Bug-702320-Valgrind-complains-about-UMR.patch +++ /dev/null @@ -1,54 +0,0 @@ -From b503c46c124cf5aaa82a71e28f624f2ef2b71e71 Mon Sep 17 00:00:00 2001 -From: ray -Date: Fri, 10 Apr 2020 15:35:02 -0700 -Subject: [PATCH] Bug 702320: Valgrind complains about UMR. - -The file for this bug does show that the stroke_color stack based struct -in not initialized. Init fill_color and stroke_color. This is probably a -bug tail from the fill_stroke commit. - -Also explicitly set 'zeros' to 0 to clarify the expected contents. ---- - base/gxclbits.c | 3 +-- - base/gxclrast.c | 4 ++-- - 2 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/base/gxclbits.c b/base/gxclbits.c -index 3c65af9..519cdac 100644 ---- a/base/gxclbits.c -+++ b/base/gxclbits.c -@@ -82,7 +82,7 @@ go_process(stream_state * st, stream_cursor_read *pr, stream_cursor_write *pw, b - return -1; - return 0; - } --static byte zeros[1< -Date: Thu, 9 Apr 2020 09:40:05 +0100 -Subject: [PATCH] Bug 702322: fix uninitalized data reads - -gs_scan_token() keeps a local copy of the scanner state, and copies from and to -the scanner state that is passed into it. There are several code paths that -can leave some important entries in the structure uninitalized when we copy the -local copy to the parameter. - -This just ensures those specific entries are always set to *something* sane. ---- - psi/iscan.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/psi/iscan.c b/psi/iscan.c -index 9b7151a..32d910f 100644 ---- a/psi/iscan.c -+++ b/psi/iscan.c -@@ -535,6 +535,16 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate) - return_error(gs_error_Fatal); - } - } -+ else { -+ /* We *may* use these in the event of returning to this function after -+ * a interruption, but not every code path below sets them. Set them -+ * to sane values here for safety. We can write the contents of sstate -+ * (back) to pstate before returning. -+ */ -+ sstate.s_da.base = sstate.s_da.next = &(sstate.s_da.buf[0]); -+ sstate.s_da.limit = sstate.s_da.next; -+ sstate.s_da.is_dynamic = false; -+ } - /* Fetch any state variables that are relevant even if */ - /* sstate.s_scan_type == scanning_none. */ - sstate.s_pstack = pstate->s_pstack; --- -1.8.3.1 - diff --git a/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch b/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch deleted file mode 100644 index c6b5522495d240d87244209a307ccb2f90d48545..0000000000000000000000000000000000000000 --- a/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 60a535f9f49fece2761a1c0c8069f87f7514182c Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Fri, 17 Apr 2020 16:22:06 +0800 -Subject: [PATCH] Bug 702335: jbig2dec: Refill input buffer upon failure to - parse segment header. - -Before commit 2b2dcf4ccf401ed210f03c858b304994749fd2b3 there was -a debug message when attempting to parse a a segment header and -the data supplied to jbig2dec was not enough. Commit 2b2dcf4 -incorrectly changed the debug message into a fatal error message, -due misinterpreting the message text as something that warranted -a fatal error. - -When data was supplied in chunks to jbig2_data_in() in repeated -calls such that a segment header's referred-to segment numbers -field straddled a chunk boundary then jbig2dec would indicate a -fatal error. The file in bug 702335 caused this to happen. - -Instead jbig2dec should be asking the caller for more data so -that the entire segment header can be parsed during a single call -to jbig2_data_in(). - -By convering the fatal error back to a a debug message the problem -is resolved. The message itself is also rewored to clearly -indicate that the situation is non-fatal and that the caller will -be asked to provide more data. ---- - jbig2dec/jbig2_segment.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c -index f901a03..d5c4075 100644 ---- a/jbig2dec/jbig2_segment.c -+++ b/jbig2dec/jbig2_segment.c -@@ -88,7 +88,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t - referred_to_segment_size = result->number <= 256 ? 1 : result->number <= 65536 ? 2 : 4; /* 7.2.5 */ - pa_size = result->flags & 0x40 ? 4 : 1; /* 7.2.6 */ - if (offset + referred_to_segment_count * referred_to_segment_size + pa_size + 4 > buf_size) { -- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, result->number, "insufficient data to parse segment header"); -+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, result->number, "attempted to parse segment header with insufficient data, asking for more data"); - jbig2_free(ctx->allocator, result); - return NULL; - } --- -1.8.3.1 - diff --git a/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch b/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch deleted file mode 100644 index d279fb827e4b1299195d47526f81cb9e630d6da8..0000000000000000000000000000000000000000 --- a/Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 5d499272b95a6b890a1397e11d20937de000d31b Mon Sep 17 00:00:00 2001 -From: Ray Johnston -Date: Wed, 22 Jul 2020 09:57:54 -0700 -Subject: [PATCH 410/532] Bug 702582, CVE 2020-15900 Memory Corruption in - Ghostscript 9.52 - -Fix the 'rsearch' calculation for the 'post' size to give the correct -size. Previous calculation would result in a size that was too large, -and could underflow to max uint32_t. Also fix 'rsearch' to return the -correct 'pre' string with empty string match. - -A future change may 'undefine' this undocumented, non-standard operator -during initialization as we do with the many other non-standard internal -PostScript operators and procedures. ---- - psi/zstring.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/psi/zstring.c b/psi/zstring.c -index 33662da..58e1af2 100644 ---- a/psi/zstring.c -+++ b/psi/zstring.c -@@ -142,13 +142,18 @@ search_impl(i_ctx_t *i_ctx_p, bool forward) - return 0; - found: - op->tas.type_attrs = op1->tas.type_attrs; -- op->value.bytes = ptr; -- r_set_size(op, size); -+ op->value.bytes = ptr; /* match */ -+ op->tas.rsize = size; /* match */ - push(2); -- op[-1] = *op1; -- r_set_size(op - 1, ptr - op[-1].value.bytes); -- op1->value.bytes = ptr + size; -- r_set_size(op1, count + (!forward ? (size - 1) : 0)); -+ op[-1] = *op1; /* pre */ -+ op[-3].value.bytes = ptr + size; /* post */ -+ if (forward) { -+ op[-1].tas.rsize = ptr - op[-1].value.bytes; /* pre */ -+ op[-3].tas.rsize = count; /* post */ -+ } else { -+ op[-1].tas.rsize = count; /* pre */ -+ op[-3].tas.rsize -= count + size; /* post */ -+ } - make_true(op); - return 0; - } --- -1.8.3.1 - diff --git a/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch b/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch deleted file mode 100644 index 27ecfd050863799c5f84694a7fdcea05aad94dee..0000000000000000000000000000000000000000 --- a/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b8bda01581b94e9159533460cfe79436f4d5ac21 Mon Sep 17 00:00:00 2001 -From: Michael Vrhel -Date: Mon, 30 Mar 2020 14:47:25 -0700 -Subject: [PATCH] Coverity 94826 Add missing offset to buffer size used for - clist cmd. - ---- - base/gxclpath.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/base/gxclpath.c b/base/gxclpath.c -index b2b946d..4a8902d 100644 ---- a/base/gxclpath.c -+++ b/base/gxclpath.c -@@ -486,7 +486,8 @@ cmd_write_unknown(gx_device_clist_writer * cldev, gx_clist_state * pcls, - sizeof(float) + /* line width */ - sizeof(float) + /* miter limit */ - 3 + /* bm_tk, op, and rend intent */ -- sizeof(float) * 2 + /* opacity/shape alpha */ -+ sizeof(cldev->gs_gstate.alphaisshape) + -+ sizeof(float) * 2 + /* ca CA */ - sizeof(cldev->gs_gstate.alpha) - ]; - byte *bp = buf; --- -1.8.3.1 - diff --git a/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch b/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch deleted file mode 100644 index c38282f6be6446e30f1f895d42de4485a8931ce3..0000000000000000000000000000000000000000 --- a/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 6a3c36f8c5e83448f5d1e5f24ee01c0e80a92877 Mon Sep 17 00:00:00 2001 -From: Ray Johnston -Date: Fri, 27 Mar 2020 13:54:02 -0700 -Subject: [PATCH] Fix Bug 702177: VMerrors with some BufferSpace and/or -K - limits. - -Interestingly, the two examples given in the bug succeed on Windows 64 -but don't on linux. The difference is due to an 8 byte difference in the -size of gx_clist_state (the per band writer state). In the case of the -Bug690546.pdf file, the space left in the BufferSpace area after the -logic increased it was only 2,200 bytes on linux, but was 12k bytes on -Windows (it made an extra pass through the automatic "increase space" -loop in gdev_prn_setup_as_command_list. Fix the calculation in -clist_init_states so that the amount of extra space corresponds to the -amount expected by clist command writing (data_bits_size + cmd_largest_size) -rather than the insufficient and arbitrary "100". - -Note that although the Bug692057.pdf returned VMerror from cmd_put_list_op, the -'fallback; method of gx_default_strip_tile_rectangle still produces the SAME -raster from psdcmyk16 and does not change the performance or clist file size -Robin's commit cbee0840 fixed this case. ---- - base/gxclist.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/base/gxclist.c b/base/gxclist.c -index 1819e58..667d9c0 100644 ---- a/base/gxclist.c -+++ b/base/gxclist.c -@@ -355,12 +355,13 @@ clist_init_states(gx_device * dev, byte * init_data, uint data_size) - /* Align to the natural boundary for ARM processors, bug 689600 */ - long alignment = (-(long)init_data) & (sizeof(init_data) - 1); - -- /* -- * The +100 in the next line is bogus, but we don't know what the -- * real check should be. We're effectively assuring that at least 100 -- * bytes will be available to buffer command operands. -+ /* Leave enough room after states for commands that write a reasonable -+ * amount of data. The cmd_largest_size and the data_bits_size should be -+ * enough to buffer command operands. The data_bits_size is the level -+ * at which commands should expect to split data across buffers. If this -+ * extra space is a little large, it doesn't really hurt. - */ -- if (state_size + sizeof(cmd_prefix) + cmd_largest_size + 100 + alignment > data_size) -+ if (state_size + sizeof(cmd_prefix) + cmd_largest_size + data_bits_size + alignment > data_size) - return_error(gs_error_rangecheck); - /* The end buffer position is not affected by alignment */ - cdev->cend = init_data + data_size; --- -1.8.3.1 - diff --git a/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch b/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch deleted file mode 100644 index c711f7f9d9a1faa6658d43545cd9c0079d127e07..0000000000000000000000000000000000000000 --- a/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch +++ /dev/null @@ -1,74 +0,0 @@ -From cca279886b3bbb4d3af5768880565c9f7b372c08 Mon Sep 17 00:00:00 2001 -From: ray -Date: Mon, 23 Mar 2020 15:27:37 -0700 -Subject: [PATCH] Fix Bug 702181: SEGV when BufferSpace is at or above -K alloc - limit - -The issue with this file is that one of the pages is done in page mode because -it was so small, but the 'resize' call when doing page 2 was not checking the -allocation request against the limit, so the malloc would succeed, but the very -next (and all subsequent) allocations would fail. The gdev_prn_allocate would -capture the ecode, but would still call the clist_enable_multi_thread_render -resulting in the SEGV. - -Add the check in the gs_heap_resize_object function, and make sure and leave -the 'monitor' after failure, then don't call clist_enable_multi_thread if the -resize failed. ---- - base/gdevprn.c | 14 ++++++++------ - base/gsmalloc.c | 11 ++++++++++- - 2 files changed, 18 insertions(+), 7 deletions(-) - -diff --git a/base/gdevprn.c b/base/gdevprn.c -index c365509..ed89cd7 100644 ---- a/base/gdevprn.c -+++ b/base/gdevprn.c -@@ -520,13 +520,15 @@ gdev_prn_allocate(gx_device *pdev, gdev_prn_space_params *new_space_params, - if (ecode == 0) - ecode = code; - -- if ( code >= 0 || (reallocate && pass > 1) ) -+ if (code >= 0 || (reallocate && pass > 1)) - ppdev->procs = gs_clist_device_procs; -- /* -- * Now the device is a clist device, we enable multi-threaded rendering. -- * It will remain enabled, but that doesn't really cause any problems. -- */ -- clist_enable_multi_thread_render(pdev); -+ if (code > 0) { -+ /* -+ * Now the device is a clist device, we enable multi-threaded rendering. -+ * It will remain enabled, but that doesn't really cause any problems. -+ */ -+ clist_enable_multi_thread_render(pdev); -+ } - } else { - /* Render entirely in memory. */ - gx_device *bdev = (gx_device *)pmemdev; -diff --git a/base/gsmalloc.c b/base/gsmalloc.c -index 14979e8..2fbccab 100644 ---- a/base/gsmalloc.c -+++ b/base/gsmalloc.c -@@ -279,9 +279,18 @@ gs_heap_resize_object(gs_memory_t * mem, void *obj, size_t new_num_elements, - return obj; - if (mmem->monitor) - gx_monitor_enter(mmem->monitor); /* Exclusive access */ -+ if (new_size > mmem->limit - sizeof(gs_malloc_block_t)) { -+ /* too large to allocate; also avoids overflow. */ -+ if (mmem->monitor) -+ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */ -+ return 0; -+ } - new_ptr = (gs_malloc_block_t *) gs_realloc(ptr, old_size, new_size); -- if (new_ptr == 0) -+ if (new_ptr == 0) { -+ if (mmem->monitor) -+ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */ - return 0; -+ } - if (new_ptr->prev) - new_ptr->prev->next = new_ptr; - else --- -1.8.3.1 - diff --git a/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch b/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch deleted file mode 100644 index 6ac4fa3d5e253c6392b55743c2405d0dbff137cf..0000000000000000000000000000000000000000 --- a/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch +++ /dev/null @@ -1,44 +0,0 @@ -From d49dbf133ac49d09d626bab08ee92835a50a646a Mon Sep 17 00:00:00 2001 -From: ray -Date: Tue, 24 Mar 2020 16:49:13 -0700 -Subject: [PATCH] Fix bug 702182: VMerror due to leaks in pattern cache due to - locking. - -If the tile being loaded by the clist reader was already in the cache and -was locked, the slot would be re-loaded (with the same tile) without freeing -up the previously loaded tile. It would be nicer to be able to skip reading -the tile in this case, but we need to consume the data from the clist sequence, -so just unlock it so it can be freed, then re-load it (presumably setting the -lock again). ---- - base/gsptype1.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/base/gsptype1.c b/base/gsptype1.c -index 7d4714f..c39f039 100644 ---- a/base/gsptype1.c -+++ b/base/gsptype1.c -@@ -2117,8 +2117,20 @@ gx_dc_pattern_read( - /* the following works for raster or clist patterns */ - cache_space_needed = buf.size_b + buf.size_c; - } -+ -+ /* Free up any unlocked patterns if needed */ - gx_pattern_cache_ensure_space((gs_gstate *)pgs, cache_space_needed); - -+ /* If the pattern tile is already in the cache, make sure it isn't locked */ -+ /* The lock will be reset below, but the read logic needs to finish loading the pattern. */ -+ ptile = &(pgs->pattern_cache->tiles[buf.id % pgs->pattern_cache->num_tiles]); -+ if (ptile->id != gs_no_id && ptile->is_locked) { -+ /* we shouldn't have miltiple tiles locked, but check if OK before unlocking */ -+ if (ptile->id != buf.id) -+ return_error(gs_error_unregistered); /* can't unlock some other tile in this slot */ -+ code = gx_pattern_cache_entry_set_lock(pgs, buf.id, false); /* make sure not locked */ -+ } -+ /* get_entry will free the tile in the cache slot if it isn't empty */ - code = gx_pattern_cache_get_entry((gs_gstate *)pgs, /* Break 'const'. */ - buf.id, &ptile); - if (code < 0) --- -1.8.3.1 - diff --git a/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch b/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch deleted file mode 100644 index 44aef09335502d54f09f53a9b139c4adc088f0a0..0000000000000000000000000000000000000000 --- a/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch +++ /dev/null @@ -1,74 +0,0 @@ -From b09cbe8e577fb14504932dc8d9096187ec4e0840 Mon Sep 17 00:00:00 2001 -From: Ray Johnston -Date: Sun, 29 Mar 2020 15:32:36 -0700 -Subject: [PATCH] Fix infinite loop in PDF interpreter 'pagespotcolors' - procedure - -The file tests_private/pdf/uploads/poc1_pdf_gs.pdf has the single page -Parent object as itself. This only showed up with "DeviceN" devices that -search the PDF for the number of spot colorants on the page. - -Note that this file is broken in other respects since it has a /Count -of 9 pages, but only a single page. This change also adds handling for -the //null object returned when a page isn't found since there isn't -actually a second page, and adds an error message when this is the case. ---- - Resource/Init/pdf_main.ps | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) - -diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps -index 2d896b2..7a3b91f 100644 ---- a/Resource/Init/pdf_main.ps -+++ b/Resource/Init/pdf_main.ps -@@ -513,7 +513,12 @@ currentdict /runpdfstring .undef - { - dup /Page# exch store - QUIET not { (Page ) print dup //== exec flush } if -- pdfgetpage pdfshowpage -+ pdfgetpage -+ dup //null ne { pdfshowpage } { -+ ( **** Error: Page #) pdfformaterror Page# 10 string cvs pdfformaterror -+ ( not found.\n) pdfformaterror -+ /dopdfpages cvx /syntaxerror signalerror -+ } ifelse - }{ - pop - }ifelse -@@ -2076,14 +2081,19 @@ currentdict /xref-char-dict undef - /pdffindpageref { % pdffindpage - dup pdffindpage? - % Stack: index countleft noderef -- 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if -- exch pop -- PageIndex 2 index 1 sub 65533 .min 2 index oforce put -- PageNumbers 1 index oforce 3 index dup 65534 le -- { put } -- { pop pop pop } % don't store more than 65534 pagenumbers -+ dup //null ne { -+ 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if -+ exch pop -+ PageIndex 2 index 1 sub 65533 .min 2 index oforce put -+ PageNumbers 1 index oforce 3 index dup 65534 le -+ { put } -+ { pop pop pop } % don't store more than 65534 pagenumbers -+ ifelse -+ } { -+ exch pop % return the //null -+ } - ifelse -- exch pop -+ exch pop % pop the page number, return the object or null - } bind executeonly def - /pdffindpage { % pdffindpage - pdffindpageref oforce -@@ -3311,6 +3321,7 @@ currentdict /PDF2PS_matrix_key undef - { - /Parent knownoget - { -+ dup /Pages known not { pop exit } if % not a valid Page Tree ancestor - dup 4 1 roll - resourcespotcolors - 3 -1 roll --- -1.8.3.1 - diff --git a/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch b/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch deleted file mode 100644 index 08dc87308637518e1dbada8a1dacd3f83a8f9a95..0000000000000000000000000000000000000000 --- a/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch +++ /dev/null @@ -1,47 +0,0 @@ -From a45d7217c8c1578475ee9204d1f4ad46520f44d1 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Sat, 21 Mar 2020 10:00:42 +0000 -Subject: [PATCH] PDF interpreter - swallow errors reading ICC profiles and - continue - -Bug #702240 "Invalid ICC profile aborts PDF ineterpretation" - -The file contains an ICCbased space which references an embedded ICC -profile, which is Flate compressed. The compressed stream has been -corrupted and cannot be decompressed. - -This causes the colour space code to throw an ioerror and terminate -interpretation, Acrobat (as usual) doesn't even give a warning. - -This commit checks for an error creating the ReusableStreamDecode and -if it fails sets the Data Source in the stream dictionary to null. We -will later use the /N value in the stream dictionary to set a reasonable -fallback space (in this case CMYK). ---- - Resource/Init/pdf_draw.ps | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps -index 1deb052..9d818de 100644 ---- a/Resource/Init/pdf_draw.ps -+++ b/Resource/Init/pdf_draw.ps -@@ -874,7 +874,15 @@ currentdict /csncompdict undef - dup dup 1 oget - mark exch { oforce } forall .dicttomark - dup dup //true resolvestream -- /ReusableStreamDecode filter /DataSource exch put -+ { -+ /ReusableStreamDecode filter -+ } stopped -+ { -+ pop null -+% ( **** Error: Failed to read ICC profile for an ICCBased colour space.\n) pdfformaterror -+% ( Falling back to a colour space determined by the /N value.\n) pdfformaterror -+ }if -+ /DataSource exch put - dup /.hash 0 put % placeholder for use by seticc icc_profile_cache key - % Check that the number of components (/N) defined in the ICCBased - % dictionry matches the actual profile. Bug #696120 --- -1.8.3.1 - diff --git a/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch b/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch deleted file mode 100644 index 02d1989630c10b84011fcef1e48601096321cbdd..0000000000000000000000000000000000000000 --- a/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch +++ /dev/null @@ -1,83 +0,0 @@ -From ebabebad34a3811230b7bfe351eface7f5efc8a9 Mon Sep 17 00:00:00 2001 -From: Ken Sharp -Date: Wed, 8 Apr 2020 16:06:44 +0100 -Subject: [PATCH] PostScript interpreter - don't leave A85Decode pdf_rules - uninitialised - -Bug #702319 "Read of uninitialized value according to valgrind..." - -There are a number of other bugs which relate to this particular problem: -690976, 692983 and 693485. The problem has come about as a cumulative -result of working on these bugs. - -Starting with commit : -http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e0ecca32ecd12dae3310fac4b65dc224031c85a2 -for bug 690976 a new flag 'pdf_rules' was added to the Ascii85Decode -state. This is initialised from the dictionary operand in PostScript -by zA85D() in zfdecode.c. When this flag is true the ASCII85Decode -filter will silently accept just '~' as a valid termination for a string -(should be '~>'). - -However this is not the only way to initialise an Ascii85Decode filter, -the PostScript token scanner can also use s_A85D_init_inline() which -does not initialise the flag. From this point we have the potential -for testing an unitialised variable in s_A85D_process(), if we get an -encoded string which terminates with a '~' and the filter was -instantiated from PostScript. - -When fixing bug 692983, this commit: -http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d561224d1495321d40012230abbcf835b298f557 - -Alex specifically added a comment that pdf_rules must not be initialised -in s_A85D_init_inline() but didn't say why! The reason is that the -regular stream initialisation code (s_A85D-init) also uses this inline -function, so if it altered pdf_rules it would overwrite the value -previously set by zA85D(). - -Since the initialisation is done in two places, the only way to fix this -is to initialise pdf_rules in gs_scan_token() which this commit duly -does. I've also added comments in s_A85D_init_inline to explain more -clearly *why* pdf_rules must not be initialised here. ---- - base/sa85d.h | 9 ++++++++- - psi/iscan.c | 4 ++++ - 2 files changed, 12 insertions(+), 1 deletion(-) - -diff --git a/base/sa85d.h b/base/sa85d.h -index 6e74622..8685af7 100644 ---- a/base/sa85d.h -+++ b/base/sa85d.h -@@ -41,7 +41,14 @@ typedef struct stream_A85D_state_s { - (ss)->min_left = 1; \ - (ss)->word = 0; \ - (ss)->odd = 0; \ -- /* pdf_rules should not be initialized here */ \ -+ /* pdf_rules should not be initialized here. This flag is initialised in\ -+ * zA85D to either true or false, and this inline function is called *after*\ -+ * that in s_A85D_init to do the remaining initialisation. However, this\ -+ * inline function is also called from gs_scan_token to handle inline\ -+ * ASCII85 strings. These are not to be interpreted using PDF rules\ -+ * and so we must not set the flag here, but in the relevant calling\ -+ * functions.\ -+ */ \ - (ss)->require_eod=false; \ - END - extern const stream_template s_A85D_template; -diff --git a/psi/iscan.c b/psi/iscan.c -index e5956e1..9b7151a 100644 ---- a/psi/iscan.c -+++ b/psi/iscan.c -@@ -581,6 +581,10 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate) - s_A85D_init_inline(&sstate.s_ss.a85d); - sstate.s_ss.st.templat = &s_A85D_template; - sstate.s_ss.a85d.require_eod = true; -+ /* If this is an inline ASCII string, interpret it normally, throw an error -+ * if it fails rather than ignoring it as PDF (Acrobat) does. -+ */ -+ sstate.s_ss.a85d.pdf_rules = false; - goto str; - } - sputback_inline(s, sptr, endptr); --- -1.8.3.1 - diff --git a/backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch b/backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch new file mode 100644 index 0000000000000000000000000000000000000000..ef8050f388f970bcd8880be28efb01738bc13bf3 --- /dev/null +++ b/backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch @@ -0,0 +1,25 @@ +From 830afae5454dea3bff903869d82022306890a96c Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Fri, 1 Oct 2021 12:44:44 +0100 +Subject: [PATCH] Bug 704405: Fix typo in no-forked lcms2 code. + +--- + base/gsicc_lcms2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gsicc_lcms2.c b/base/gsicc_lcms2.c +index ccf1d70..9badb6d 100644 +--- a/base/gsicc_lcms2.c ++++ b/base/gsicc_lcms2.c +@@ -462,7 +462,7 @@ int + gscms_transform_color(gx_device *dev, gsicc_link_t *icclink, void *inputcolor, + void *outputcolor, int num_bytes) + { +- return gscms_transformm_color_const(dev, icclink, inputcolor, outputcolor, num_bytes); ++ return gscms_transform_color_const(dev, icclink, inputcolor, outputcolor, num_bytes); + } + + int +-- +2.27.0 + diff --git a/ghostscript-9.52.tar.xz b/ghostscript-9.55.0.tar.xz similarity index 56% rename from ghostscript-9.52.tar.xz rename to ghostscript-9.55.0.tar.xz index 1914db7309e933958db9b3dd6a44c7fefc8884a7..384e7a7a8df348a91c8d62ef6bbcca81781e8c2d 100644 Binary files a/ghostscript-9.52.tar.xz and b/ghostscript-9.55.0.tar.xz differ diff --git a/ghostscript.spec b/ghostscript.spec index 4c91df5dbef3a777ebc402a1dcc6e84260fe88c4..247113a5f0a0af5083b78cf41473290b2f12abf1 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -8,42 +8,15 @@ %global google_droid_fontpath %%(dirname $(fc-list : file | grep "DroidSansFallback")) Name: ghostscript -Version: 9.52 -Release: 5 +Version: 9.55.0 +Release: 1 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch -Patch1: jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch -Patch2: jbig2dec-Add-overflow-detection-for-IAID-context-size.patch -Patch3: jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch -Patch4: Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch -Patch5: jbig2dec-Always-use-uint32_t-when-counting-pages.patch -Patch6: PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch -Patch7: jbig2dec-Fix-two-overlooked-warnings.patch -Patch8: jbig2dec-Use-correct-define-for-maxium-value-of-type.patch -Patch9: Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch -Patch10: Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch -Patch11: Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch -Patch12: Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch -Patch13: Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch -Patch14: Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch -Patch15: jbig2dec-Plug-leak-of-image-upon-error.patch -Patch16: jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch -Patch17: jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch -Patch18: PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch -Patch19: Bug-702322-fix-uninitalized-data-reads.patch -Patch20: Bug-702320-Valgrind-complains-about-UMR.patch -Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch -Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch -Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch -Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch -Patch25: Bug-702582-CVE-2020-15900-Memory-Corruption-in-Ghost.patch -Patch26: oss-fuzz-22182-validate-glyph-offset-length-values.patch -Patch27: oss-fuzz-23637-Fix-error-code-confusion.patch -Patch28: oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch +Patch1: backport-Bug-704405-Fix-typo-in-non-forked-lcms2-code.patch BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel @@ -204,6 +177,12 @@ install -m 0755 -d %{buildroot}%{_datadir}/%{name}/conf.d/ %{_bindir}/dvipdf %changelog +* Sat Dec 11 2021 yangzhuangzhuang - 9.55.0-1 +- Type:enhancement +- ID:NA +- SUG:NA +- DESC:update version to 9.55.0 + * Mon Apr 19 2021 panxiaohe - 9.52-5 - Type:enhancement - ID:NA diff --git a/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch b/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch deleted file mode 100644 index 22f34b22d5d70eec63c3ccf25565a479d1df4d7a..0000000000000000000000000000000000000000 --- a/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 30842ee99923fa10a7301494fd08b998e7acf57b Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Sun, 15 Sep 2019 18:12:31 +0200 -Subject: [PATCH] jbig2dec: Add overflow detection for IAID context size. - ---- - jbig2dec/jbig2_arith_iaid.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/jbig2dec/jbig2_arith_iaid.c b/jbig2dec/jbig2_arith_iaid.c -index 78dc830..bbc38a0 100644 ---- a/jbig2dec/jbig2_arith_iaid.c -+++ b/jbig2dec/jbig2_arith_iaid.c -@@ -44,9 +44,18 @@ struct _Jbig2ArithIaidCtx { - Jbig2ArithIaidCtx * - jbig2_arith_iaid_ctx_new(Jbig2Ctx *ctx, int SBSYMCODELEN) - { -- Jbig2ArithIaidCtx *result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); -- int ctx_size = 1 << SBSYMCODELEN; -+ Jbig2ArithIaidCtx *result; -+ size_t ctx_size; - -+ if (sizeof(ctx_size) * 8 <= SBSYMCODELEN) -+ { -+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "requested IAID arithmetic coding state size too large"); -+ return NULL; -+ } -+ -+ ctx_size = 1 << SBSYMCODELEN; -+ -+ result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); - if (result == NULL) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate IAID arithmetic coding state"); - return NULL; --- -1.8.3.1 - diff --git a/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch b/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch deleted file mode 100644 index b6fbe42e6cdca039d54bd05aa098b13d31aa3fa0..0000000000000000000000000000000000000000 --- a/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch +++ /dev/null @@ -1,94 +0,0 @@ -From dc6b8098b52db7e1a9b20c1ef6f1006555c04b1b Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Fri, 27 Mar 2020 05:41:07 +0800 -Subject: [PATCH] jbig2dec: Adjust number of bytes consumed by MMR decoder. - -The MMR decoder pre-buffers up to 32 bits of encoded input data in a word -buffer before they are consumed by the MMR decoder. Once bits are consumed, the -pre-buffer will be filled up with more input data. When filling up the buffer -the decoder would previously stay clear of reading data belonging to succeeding -segments, but still indicated that it consumed those bytes it never read. Once -finished the MMR decoder lied to the caller by propagating the incorrect number -of consumed bytes. The caller subtracted the consumed number of bytes from the -size and end up in underflow causing the next MMR decoding to first read input -data at the wrong location, later ending up attempting to read outside the MMR -encoded input buffer. - -Now, the MMR decoder keeps track of how many bits it has consumed and -accurately rounds this number up to a whole number of bytes to the caller. - -Fixes OSS-fuzz issue 17855. - -Thanks to OSS-fuzz for reporting. ---- - jbig2dec/jbig2_mmr.c | 27 ++++++++++++++++----------- - 1 file changed, 16 insertions(+), 11 deletions(-) - -diff --git a/jbig2dec/jbig2_mmr.c b/jbig2dec/jbig2_mmr.c -index 8029c81..94ff429 100644 ---- a/jbig2dec/jbig2_mmr.c -+++ b/jbig2dec/jbig2_mmr.c -@@ -45,6 +45,7 @@ typedef struct { - uint32_t height; - const byte *data; - size_t size; -+ size_t consumed_bits; - uint32_t data_index; - uint32_t bit_index; - uint32_t word; -@@ -58,30 +59,34 @@ typedef struct { - static void - jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size) - { -- size_t i; -- uint32_t word = 0; -- - mmr->width = width; - mmr->height = height; - mmr->data = data; - mmr->size = size; - mmr->data_index = 0; -- mmr->bit_index = 0; -+ mmr->bit_index = 32; -+ mmr->word = 0; -+ mmr->consumed_bits = 0; - -- for (i = 0; i < size && i < 4; i++) -- word |= (data[i] << ((3 - i) << 3)); -- mmr->word = word; -+ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) { -+ mmr->bit_index -= 8; -+ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index); -+ mmr->data_index++; -+ } - } - - static void - jbig2_decode_mmr_consume(Jbig2MmrCtx *mmr, int n_bits) - { -+ mmr->consumed_bits += n_bits; -+ if (mmr->consumed_bits > mmr->size * 8) -+ mmr->consumed_bits = mmr->size * 8; -+ - mmr->word <<= n_bits; - mmr->bit_index += n_bits; -- while (mmr->bit_index >= 8) { -+ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) { - mmr->bit_index -= 8; -- if (mmr->data_index + 4 < mmr->size) -- mmr->word |= (mmr->data[mmr->data_index + 4] << mmr->bit_index); -+ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index); - mmr->data_index++; - } - } -@@ -1259,6 +1264,6 @@ jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, - jbig2_decode_mmr_consume(&mmr, 24); - } - -- *consumed_bytes += mmr.data_index + (mmr.bit_index >> 3) + (mmr.bit_index > 0 ? 1 : 0); -+ *consumed_bytes += (mmr.consumed_bits + 7) / 8; - return code; - } --- -1.8.3.1 - diff --git a/jbig2dec-Always-use-uint32_t-when-counting-pages.patch b/jbig2dec-Always-use-uint32_t-when-counting-pages.patch deleted file mode 100644 index 44448be1e6fae09d9b6ee9440f14365e123c7483..0000000000000000000000000000000000000000 --- a/jbig2dec-Always-use-uint32_t-when-counting-pages.patch +++ /dev/null @@ -1,78 +0,0 @@ -From ff53af0d4ff9291aa5039522f5553a2850dd569d Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Thu, 12 Mar 2020 00:26:59 +0800 -Subject: [PATCH] jbig2dec: Always use uint32_t when counting pages. - ---- - jbig2dec/jbig2.c | 4 ++-- - jbig2dec/jbig2_page.c | 10 +++++++++- - jbig2dec/jbig2_priv.h | 4 ++-- - 3 files changed, 13 insertions(+), 5 deletions(-) - -diff --git a/jbig2dec/jbig2.c b/jbig2dec/jbig2.c -index 126e7a9..9fbb340 100644 ---- a/jbig2dec/jbig2.c -+++ b/jbig2dec/jbig2.c -@@ -154,7 +154,7 @@ jbig2_ctx_new_imp(Jbig2Allocator *allocator, Jbig2Options options, Jbig2GlobalCt - return NULL; - } - { -- int index; -+ uint32_t index; - - for (index = 0; index < result->max_page_index; index++) { - result->pages[index].state = JBIG2_PAGE_FREE; -@@ -412,7 +412,7 @@ Jbig2Allocator * - jbig2_ctx_free(Jbig2Ctx *ctx) - { - Jbig2Allocator *ca; -- int i; -+ uint32_t i; - - if (ctx == NULL) - return NULL; -diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c -index 21483e8..31b31f7 100644 ---- a/jbig2dec/jbig2_page.c -+++ b/jbig2dec/jbig2_page.c -@@ -72,13 +72,21 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat - - /* find a free page */ - { -- int index, j; -+ size_t index, j; - - index = ctx->current_page; - while (ctx->pages[index].state != JBIG2_PAGE_FREE) { - index++; - if (index >= ctx->max_page_index) { - /* grow the list */ -+ -+ if (ctx->max_page_index == SIZE_MAX) { -+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image"); -+ } -+ else if (ctx->max_page_index > (SIZE_MAX >> 2)) { -+ ctx->max_page_index = SIZE_MAX; -+ } -+ - pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2)); - if (pages == NULL) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to reallocate pages"); -diff --git a/jbig2dec/jbig2_priv.h b/jbig2dec/jbig2_priv.h -index e5a1eb5..d464208 100644 ---- a/jbig2dec/jbig2_priv.h -+++ b/jbig2dec/jbig2_priv.h -@@ -101,8 +101,8 @@ struct _Jbig2Ctx { - - /* list of decoded pages, including the one in progress, - currently stored as a contiguous, 0-indexed array. */ -- int current_page; -- int max_page_index; -+ uint32_t current_page; -+ uint32_t max_page_index; - Jbig2Page *pages; - }; - --- -1.8.3.1 - diff --git a/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch b/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch deleted file mode 100644 index 1e3410fdb400be258179b276278fd11d01e03b1e..0000000000000000000000000000000000000000 --- a/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 92faea67b31570e84b978a77b43c8f38bdad7bd4 Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Tue, 1 Oct 2019 18:08:34 +0200 -Subject: [PATCH] jbig2dec: Avoid warning by copying bytes instead of - characters. - ---- - jbig2dec/jbig2dec.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c -index 39f487e..d7d0aef 100644 ---- a/jbig2dec/jbig2dec.c -+++ b/jbig2dec/jbig2dec.c -@@ -458,6 +458,7 @@ make_output_filename(const char *input_filename, const char *extension) - { - char *output_filename; - const char *c, *e; -+ int extlen; - int len; - - if (extension == NULL) { -@@ -488,16 +489,18 @@ make_output_filename(const char *input_filename, const char *extension) - if (e != NULL) - len -= strlen(e); - -+ extlen = strlen(extension); -+ - /* allocate enough space for the base + ext */ -- output_filename = (char *)malloc(len + strlen(extension) + 1); -+ output_filename = (char *)malloc(len + extlen + 1); - if (output_filename == NULL) { - fprintf(stderr, "failed to allocate memory for output filename\n"); - exit(1); - } - -- strncpy(output_filename, c, len); -- strncpy(output_filename + len, extension, strlen(extension)); -- *(output_filename + len + strlen(extension)) = '\0'; -+ memcpy(output_filename, c, len); -+ memcpy(output_filename + len, extension, extlen); -+ *(output_filename + len + extlen) = '\0'; - - /* return the new string */ - return (output_filename); --- -1.8.3.1 - diff --git a/jbig2dec-Fix-two-overlooked-warnings.patch b/jbig2dec-Fix-two-overlooked-warnings.patch deleted file mode 100644 index fd8af9fce4b15a7ac47444c69a28205e029fa106..0000000000000000000000000000000000000000 --- a/jbig2dec-Fix-two-overlooked-warnings.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4f0c17451afb66e6fcf3bd453490b4b9d2b06b42 Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Sat, 21 Mar 2020 16:20:28 +0800 -Subject: [PATCH] jbig2dec: Fix two overlooked warnings. - -While working to fix all warnings seen when -Wsign-conversion is -enabled, these two warnings were accidentally introduced by commit -ff53af0d4ff9291aa5039522f5553a2850dd569d and not noticed in the -avalanche of warnings emitted due to -Wsign-conversion. This commit -changes the indicies to the type of the limit variable, fixing the -warnings. ---- - jbig2dec/jbig2_page.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c -index 31b31f7..bc89a43 100644 ---- a/jbig2dec/jbig2_page.c -+++ b/jbig2dec/jbig2_page.c -@@ -319,7 +319,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, uint32_ - Jbig2Image * - jbig2_page_out(Jbig2Ctx *ctx) - { -- int index; -+ uint32_t index; - - /* search for a completed page */ - for (index = 0; index < ctx->max_page_index; index++) { -@@ -348,7 +348,7 @@ jbig2_page_out(Jbig2Ctx *ctx) - void - jbig2_release_page(Jbig2Ctx *ctx, Jbig2Image *image) - { -- int index; -+ uint32_t index; - - if (image == NULL) - return; --- -1.8.3.1 - diff --git a/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch b/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch deleted file mode 100644 index 48d14b808935cff51d5d06f94b52d1d95abb7291..0000000000000000000000000000000000000000 --- a/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 716560bf5f2bc4b821ca6924ec648ca4949826bb Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Sun, 15 Sep 2019 17:31:48 +0200 -Subject: [PATCH] jbig2dec: Handle under-/overflow detection and messaging - better. - -Previously SYMWIDTH was capped too early in order to prevent underflow -Moreover TOTWIDTH was allowed to overflow. - -Now the value DW is checked compared to SYMWIDTH, preventing over -underflow and overflow at the correct limits, and an overflow -check has been added for TOTWIDTH. ---- - jbig2dec/jbig2_symbol_dict.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c -index e606529..bc6e98c 100644 ---- a/jbig2dec/jbig2_symbol_dict.c -+++ b/jbig2dec/jbig2_symbol_dict.c -@@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - break; - } - -+ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); -+ goto cleanup; -+ } -+ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); -+ goto cleanup; -+ } -+ - SYMWIDTH = SYMWIDTH + DW; -- TOTWIDTH = TOTWIDTH + SYMWIDTH; -- if ((int32_t) SYMWIDTH < 0) { -- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1); -+ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1); - goto cleanup; - } -+ -+ TOTWIDTH = TOTWIDTH + SYMWIDTH; - #ifdef JBIG2_DEBUG -- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH); -+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH); - #endif - /* 6.5.5 (4c.ii) */ - if (!params->SDHUFF || params->SDREFAGG) { --- -1.8.3.1 - diff --git a/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch b/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch deleted file mode 100644 index 6a96f56debe350c92d81d2db0cfa3cf1a29006c1..0000000000000000000000000000000000000000 --- a/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch +++ /dev/null @@ -1,41 +0,0 @@ -From d8ed6363166841dcb067d7adc6ad6b52a1b1f90c Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Sun, 5 Apr 2020 12:24:36 +0800 -Subject: [PATCH] jbig2dec: Initiate variable before avoids using uninited data - during cleanup. - -Fixes OSS-fuzz issue 21571. -Also fixes Coverity CID 355467. - -Thanks to OSS-fuzz for reporting. ---- - jbig2dec/jbig2_text.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c -index 61dc815..d49303a 100644 ---- a/jbig2dec/jbig2_text.c -+++ b/jbig2dec/jbig2_text.c -@@ -593,6 +593,9 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - uint32_t table_index = 0; - const Jbig2HuffmanParams *huffman_params = NULL; - -+ /* zero params to ease cleanup later */ -+ memset(¶ms, 0, sizeof(Jbig2TextRegionParams)); -+ - /* 7.4.1 */ - if (segment->data_length < 17) { - code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -@@ -614,9 +617,6 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - - jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "text region header flags 0x%04x", flags); - -- /* zero params to ease cleanup later */ -- memset(¶ms, 0, sizeof(Jbig2TextRegionParams)); -- - params.SBHUFF = flags & 0x0001; - params.SBREFINE = flags & 0x0002; - params.LOGSBSTRIPS = (flags & 0x000c) >> 2; --- -1.8.3.1 - diff --git a/jbig2dec-Plug-leak-of-image-upon-error.patch b/jbig2dec-Plug-leak-of-image-upon-error.patch deleted file mode 100644 index 47a3630a977ba90615cc4517d1ae2caa7de6916b..0000000000000000000000000000000000000000 --- a/jbig2dec-Plug-leak-of-image-upon-error.patch +++ /dev/null @@ -1,104 +0,0 @@ -From f14f35c6e3218554cd351b848447cfa83b3c4256 Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Thu, 26 Mar 2020 14:20:11 +0800 -Subject: [PATCH] jbig2dec: Plug leak of image upon error. - -Fixes OSS-Fuzz issue 17513. - -Thanks to OSS-fuzz for reporting. ---- - jbig2dec/jbig2_text.c | 39 ++++++++++++++++++++++++--------------- - 1 file changed, 24 insertions(+), 15 deletions(-) - -diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c -index 6d983b6..61dc815 100644 ---- a/jbig2dec/jbig2_text.c -+++ b/jbig2dec/jbig2_text.c -@@ -594,8 +594,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - const Jbig2HuffmanParams *huffman_params = NULL; - - /* 7.4.1 */ -- if (segment->data_length < 17) -- goto too_short; -+ if (segment->data_length < 17) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - jbig2_get_region_segment_info(®ion_info, segment_data); - offset += 17; - /* Check for T.88 amendment 3 */ -@@ -603,8 +605,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "region segment flags indicate use of colored bitmap (NYI)"); - - /* 7.4.3.1.1 */ -- if (segment->data_length - offset < 2) -- goto too_short; -+ if (segment->data_length - offset < 2) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - flags = jbig2_get_uint16(segment_data + offset); - offset += 2; - -@@ -633,8 +637,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - - if (params.SBHUFF) { /* Huffman coding */ - /* 7.4.3.1.2 */ -- if (segment->data_length - offset < 2) -- goto too_short; -+ if (segment->data_length - offset < 2) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - huffman_flags = jbig2_get_uint16(segment_data + offset); - offset += 2; - -@@ -643,8 +649,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - } else { /* arithmetic coding */ - - /* 7.4.3.1.3 */ -- if (segment->data_length - offset < 4) -- goto too_short; -+ if (segment->data_length - offset < 4) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - if ((params.SBREFINE) && !(params.SBRTEMPLATE)) { - params.sbrat[0] = segment_data[offset]; - params.sbrat[1] = segment_data[offset + 1]; -@@ -655,8 +663,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - } - - /* 7.4.3.1.4 */ -- if (segment->data_length - offset < 4) -- goto too_short; -+ if (segment->data_length - offset < 4) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset); - offset += 4; - -@@ -922,8 +932,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - goto cleanup2; - } - -- if (offset >= segment->data_length) -- goto too_short; -+ if (offset >= segment->data_length) { -+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); -+ goto cleanup2; -+ } - ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset); - if (ws == NULL) { - code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to allocate word stream when handling text region image"); -@@ -1028,7 +1040,4 @@ cleanup1: - jbig2_free(ctx->allocator, dicts); - - return code; -- --too_short: -- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); - } --- -1.8.3.1 diff --git a/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch b/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch deleted file mode 100644 index 39a194911b08137f2dffd7f2081001e21dc63bef..0000000000000000000000000000000000000000 --- a/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch +++ /dev/null @@ -1,32 +0,0 @@ -From a80f7f12e7a2fb0caa1ea9ac6fa8981cc539a1bc Mon Sep 17 00:00:00 2001 -From: Sebastian Rasmussen -Date: Sat, 21 Mar 2020 15:59:21 +0800 -Subject: [PATCH] jbig2dec: Use correct define for maxium value of type. - -Fixes Coverity CID 355177. ---- - jbig2dec/jbig2_page.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c -index bc89a43..92486dd 100644 ---- a/jbig2dec/jbig2_page.c -+++ b/jbig2dec/jbig2_page.c -@@ -80,11 +80,11 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat - if (index >= ctx->max_page_index) { - /* grow the list */ - -- if (ctx->max_page_index == SIZE_MAX) { -+ if (ctx->max_page_index == UINT32_MAX) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image"); - } -- else if (ctx->max_page_index > (SIZE_MAX >> 2)) { -- ctx->max_page_index = SIZE_MAX; -+ else if (ctx->max_page_index > (UINT32_MAX >> 2)) { -+ ctx->max_page_index = UINT32_MAX; - } - - pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2)); --- -1.8.3.1 - diff --git a/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch b/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch deleted file mode 100644 index e783ad0058b25b734db7fe66f22e773b4a9c439f..0000000000000000000000000000000000000000 --- a/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch +++ /dev/null @@ -1,27 +0,0 @@ -From d9b37029db10bdeaf5eaee00bac2eb0653644c77 Mon Sep 17 00:00:00 2001 -From: Robin Watts -Date: Sat, 9 May 2020 17:45:01 +0100 -Subject: [PATCH] lgtm.com tweak: Make it clear that something isn't a typo. - -Use "INTERPATCH_PADDING != 0" rather than "INTERPATCH_PADDING" to -avoid the appearance of a typo. ---- - base/gxshade6.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/base/gxshade6.c b/base/gxshade6.c -index 85b8d76..e48bcfb 100644 ---- a/base/gxshade6.c -+++ b/base/gxshade6.c -@@ -2389,7 +2389,7 @@ fill_wedges_aux(patch_fill_state_t *pfs, int k, int ka, - pfs->inside = save_inside; - return code; - } else { -- if (INTERPATCH_PADDING && (wedge_type & interpatch_padding)) { -+ if ((INTERPATCH_PADDING != 0) && (wedge_type & interpatch_padding)) { - code = mesh_padding(pfs, &pole[0], &pole[3], c0, c1); - if (code < 0) - return code; --- -1.8.3.1 - diff --git a/oss-fuzz-22182-validate-glyph-offset-length-values.patch b/oss-fuzz-22182-validate-glyph-offset-length-values.patch deleted file mode 100644 index 0b9d93539758733848d9527609247b0313ffb955..0000000000000000000000000000000000000000 --- a/oss-fuzz-22182-validate-glyph-offset-length-values.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 889df15d7c69e1fc90c6491f574352cacf9bc065 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Thu, 11 Jun 2020 11:54:32 +0100 -Subject: [PATCH] oss-fuzz 22182: validate glyph offset/length values - -Check if the glyph offset and offset + length are larger than the size of the -font stream before we can use it. ---- - psi/zfapi.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/psi/zfapi.c b/psi/zfapi.c -index eac2ce3e2..5193aff74 100644 ---- a/psi/zfapi.c -+++ b/psi/zfapi.c -@@ -1694,19 +1694,29 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, int char_code, byte *buf, - glyph_length = gs_fapi_glyph_invalid_index; - } - else { -- ulong noffs; -+ ulong noffs, endoffs; -+ int code; - /* If we haven't got a len_glyphs array, try using the offset of the next glyph offset - * to work out the length - */ - error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs); - if (error == 0) { - glyph_length = noffs - offset0; -+ code = sfnt_get_sfnt_length(pdr, &endoffs); -+ if (code < 0) { -+ glyph_length = gs_fapi_glyph_invalid_index; -+ } -+ else { -+ if (glyph_length + offset0 > endoffs) { -+ glyph_length = gs_fapi_glyph_invalid_index; -+ } -+ } - } - else { - /* And if we can't get the next glyph offset, use the end of the sfnt data - * to work out the length. - */ -- int code = sfnt_get_sfnt_length(pdr, &noffs); -+ code = sfnt_get_sfnt_length(pdr, &noffs); - if (code < 0) { - glyph_length = gs_fapi_glyph_invalid_index; - } --- -2.27.0 - diff --git a/oss-fuzz-23637-Fix-error-code-confusion.patch b/oss-fuzz-23637-Fix-error-code-confusion.patch deleted file mode 100644 index 74fd271b5af66384402c284379ed4151adbd7e9d..0000000000000000000000000000000000000000 --- a/oss-fuzz-23637-Fix-error-code-confusion.patch +++ /dev/null @@ -1,47 +0,0 @@ -From bbd106e8f9345296cb5b5a452487bda603d54173 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Mon, 21 Sep 2020 22:16:34 +0100 -Subject: [PATCH] oss-fuzz 23637: Fix error code confusion - -Confusion of error codes meant we were allocating space for glyph data, -but never copying the data into it. Thus the memory sanitizer error. ---- - psi/zfapi.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/psi/zfapi.c b/psi/zfapi.c -index aa988ed6e..d38f56498 100644 ---- a/psi/zfapi.c -+++ b/psi/zfapi.c -@@ -2118,15 +2118,14 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt - } - else { - ulong noffs, endoffs; -- int code; - /* If we haven't got a len_glyphs array, try using the offset of the next glyph offset - * to work out the length - */ - error = sfnt_get_glyph_offset(pdr, pfont42, char_code + 1, &noffs); - if (error == 0) { - glyph_length = noffs - offset0; -- code = sfnt_get_sfnt_length(pdr, &endoffs); -- if (code < 0) { -+ error = sfnt_get_sfnt_length(pdr, &endoffs); -+ if (error < 0) { - glyph_length = gs_fapi_glyph_invalid_index; - } - else { -@@ -2139,8 +2138,8 @@ FAPI_FF_get_glyph(gs_fapi_font *ff, gs_glyph char_code, byte *buf, int buf_lengt - /* And if we can't get the next glyph offset, use the end of the sfnt data - * to work out the length. - */ -- code = sfnt_get_sfnt_length(pdr, &noffs); -- if (code < 0) { -+ error = sfnt_get_sfnt_length(pdr, &noffs); -+ if (error < 0) { - glyph_length = gs_fapi_glyph_invalid_index; - } - else { --- -2.27.0 - diff --git a/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch b/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch deleted file mode 100644 index 618c415d567cf0c7a16fe22e051f380fc35f1051..0000000000000000000000000000000000000000 --- a/oss-fuzz-23946-Move-buffer-bounds-check-to-before-us.patch +++ /dev/null @@ -1,41 +0,0 @@ -From fd902c6702ef81008d7c91b09a0723661c0f9201 Mon Sep 17 00:00:00 2001 -From: Chris Liddell -Date: Thu, 1 Oct 2020 16:06:31 +0100 -Subject: [PATCH] oss-fuzz 23946: Move buffer bounds check to *before* using - it! - -ASCII85Decode filter: We correctly bounds check the buffer size, but dumbly -were doing so *after* we'd used the relevant indices into the buffer. Change -that order, and add another check. ---- - base/sa85d.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/base/sa85d.c b/base/sa85d.c -index f9fa57fed..0fbef465a 100644 ---- a/base/sa85d.c -+++ b/base/sa85d.c -@@ -135,9 +135,9 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr, - * So we allow CR/LF between them. */ - /* PDF further relaxes the requirements and accepts bare '~'. - */ -- while ((p[i] == 13 || p[i] == 10) && (p+i <= rlimit)) -+ while ((p + i <= rlimit) && (p[i] == 13 || p[i] == 10)) - i++; -- if (p[i] != '>') { -+ if (p + i <= rlimit && p[i] != '>') { - if (ss->pdf_rules) { - if (p[i] == 13 || p[i] == 10) { - if (!last) -@@ -146,7 +146,7 @@ s_A85D_process(stream_state * st, stream_cursor_read * pr, - p--; - } - } else { -- if (p+i == rlimit) { -+ if (p + i == rlimit) { - if (last) - status = ERRC; - else --- -2.27.0 -