diff --git a/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch b/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch new file mode 100644 index 0000000000000000000000000000000000000000..78b264dd11f67a82ad95d185d12a30ed8b16f1e8 --- /dev/null +++ b/Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch @@ -0,0 +1,44 @@ +From efd0b47fe66a99097e200d76be1a4846ae2ef692 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry +Date: Wed, 6 May 2020 18:01:07 +0100 +Subject: [PATCH] Bug 697545 : Prevent memory leak in gx_path_assign_free. + +Prevent memory leak by freeing path on all errors. + +Error created using :- +MEMENTO_FAILAT=16246 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5cfts/fts.2120 +--- + base/gxpath.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/base/gxpath.c b/base/gxpath.c +index 4593d67..ffdea76 100644 +--- a/base/gxpath.c ++++ b/base/gxpath.c +@@ -323,6 +323,7 @@ gx_path_assign_preserve(gx_path * ppto, gx_path * ppfrom) + int + gx_path_assign_free(gx_path * ppto, gx_path * ppfrom) + { ++ int code = 0; + /* + * Detect the special case where both paths have non-shared local + * segments, since we can avoid allocating new segments in this case. +@@ -349,13 +350,10 @@ gx_path_assign_free(gx_path * ppto, gx_path * ppfrom) + #undef tosegs + } else { + /* In all other cases, just do assign + free. */ +- int code = gx_path_assign_preserve(ppto, ppfrom); +- +- if (code < 0) +- return code; ++ code = gx_path_assign_preserve(ppto, ppfrom); + } + gx_path_free(ppfrom, "gx_path_assign_free"); +- return 0; ++ return code; + } + + /* +-- +1.8.3.1 + diff --git a/Bug-697545-Prevent-numerous-memory-leaks.patch b/Bug-697545-Prevent-numerous-memory-leaks.patch new file mode 100644 index 0000000000000000000000000000000000000000..314379c0ff122900d69e97a95d364e543afee49a --- /dev/null +++ b/Bug-697545-Prevent-numerous-memory-leaks.patch @@ -0,0 +1,105 @@ +From 9e553991e4c99814eb342d83b4fb42b5af457390 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry +Date: Fri, 8 May 2020 21:50:30 +0100 +Subject: [PATCH] Bug 697545 : Prevent numerous memory leaks. + +Prevent memory leaks by propagating error codes and freeing loose objects. + +Also resolve some compiler warnings. + +Error created using :- +EMENTO_FAILAT=19484 ./membin/gpcl6 -sDEVICE=pbmraw -o /dev/null ./tests_private/pcl/pcl5efts/fts.0051 +--- + base/gscspace.c | 11 +++++++---- + base/gxclrast.c | 10 ++++++++-- + base/gxcpath.c | 4 +++- + 3 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/base/gscspace.c b/base/gscspace.c +index aa3e3cf..f00bdba 100644 +--- a/base/gscspace.c ++++ b/base/gscspace.c +@@ -329,8 +329,11 @@ gx_install_DeviceGray(gs_color_space * pcs, gs_gstate * pgs) + return 0; + + /* If we haven't initialised the iccmanager, do it now. */ +- if (pgs->icc_manager->default_gray == NULL) +- gsicc_init_iccmanager(pgs); ++ if (pgs->icc_manager->default_gray == NULL) { ++ int code = gsicc_init_iccmanager(pgs); ++ if (code < 0) ++ return code; ++ } + + /* pcs takes a reference to the default_gray profile data */ + pcs->cmm_icc_profile_data = pgs->icc_manager->default_gray; +@@ -677,7 +680,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs) + } + + if_debug1m(gs_debug_flag_overprint, pgs->memory, +- "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", drawn_comps); ++ "[overprint] gx_set_overprint_cmyk. drawn_comps = 0x%x\n", (uint)drawn_comps); + + if (drawn_comps == 0) + return gx_spot_colors_set_overprint(pcs, pgs); +@@ -760,7 +763,7 @@ int gx_set_overprint_cmyk(const gs_color_space * pcs, gs_gstate * pgs) + + if_debug2m(gs_debug_flag_overprint, pgs->memory, + "[overprint] gx_set_overprint_cmyk. retain_any_comps = %d, drawn_comps = 0x%x\n", +- params.retain_any_comps, params.drawn_comps); ++ params.retain_any_comps, (uint)(params.drawn_comps)); + + /* We are in CMYK, the profiles match and overprint is true. Set effective + overprint mode to overprint mode but only if effective has not already +diff --git a/base/gxclrast.c b/base/gxclrast.c +index 4e75d3e..65df9bd 100644 +--- a/base/gxclrast.c ++++ b/base/gxclrast.c +@@ -612,6 +612,8 @@ in: /* Initialize for a new page. */ + memset(&gs_gstate, 0, sizeof(gs_gstate)); + GS_STATE_INIT_VALUES_CLIST((&gs_gstate)); + code = gs_gstate_initialize(&gs_gstate, mem); ++ if (code < 0) ++ goto out; + gs_gstate.device = tdev; + gs_gstate.view_clip = NULL; /* Avoid issues in pdf14 fill stroke */ + gs_gstate.clip_path = &clip_path; +@@ -620,7 +622,9 @@ in: /* Initialize for a new page. */ + code = gs_note_error(gs_error_VMerror); + goto out; + } +- pcs->type->install_cspace(pcs, &gs_gstate); ++ code = pcs->type->install_cspace(pcs, &gs_gstate); ++ if (code < 0) ++ goto out; + gs_gstate.color[0].color_space = pcs; + rc_increment_cs(pcs); + gs_gstate.color[1].color_space = pcs; +@@ -2383,6 +2387,8 @@ idata: data_size = 0; + if (code < 0) { + if (pfs.dev != NULL) + term_patch_fill_state(&pfs); ++ gs_free_object(mem, pcs, "clist_playback_band(pcs)"); ++ gs_free_object(mem, cbuf_storage, "clist_playback_band(cbuf_storage)"); + gx_cpath_free(&clip_path, "clist_playback_band"); + if (pcpath != &clip_path) + gx_cpath_free(pcpath, "clist_playback_band"); +diff --git a/base/gxcpath.c b/base/gxcpath.c +index d9518b8..082c389 100644 +--- a/base/gxcpath.c ++++ b/base/gxcpath.c +@@ -403,8 +403,10 @@ gx_cpath_path_list_new(gs_memory_t *mem, gx_clip_path *pcpath, int rule, + rc_init_free(pcplist, mem, 1, rc_free_cpath_path_list); + if (pcpath!=NULL && !pcpath->path_valid) { + code = gx_path_init_contained_shared(&pcplist->path, NULL, mem, cname); +- if (code < 0) ++ if (code < 0) { ++ gs_free_object(mem, pcplist, "gx_cpath_path_list_new"); + return code; ++ } + code = gx_cpath_to_path(pcpath, &pcplist->path); + } else { + gx_path_init_local(&pcplist->path, mem); +-- +1.8.3.1 + diff --git a/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch b/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch new file mode 100644 index 0000000000000000000000000000000000000000..74ebfad738726c906e96773444c4c457034ccbb6 --- /dev/null +++ b/Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch @@ -0,0 +1,40 @@ +From ea9b3a676a516a603fabb593085d14a67356db6f Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Thu, 17 Oct 2019 01:48:00 +0200 +Subject: [PATCH] Bug 701721: jbig2dec: Fix under/overflow handling in + arithmetic integer decoder. + +The previous detection logic caused GCC's -Wlogical-op to trip. +Not only that, but the detection logic never took into account +that underflow is not possible (the worst case is V == INT32_MIN, +but offset is always > 0, so underflow cannot happen), nor take +varying offset values into account (hardcoded limits meant that +the offset was ignored even if it could not cause an overflow), +but instead could cause non-clamped values to be emitted. + +This corrected logic adheres to the Annex A. Table A.1 in the specification. +--- + jbig2dec/jbig2_arith_int.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c +index 7ad47ad..20b62df 100644 +--- a/jbig2dec/jbig2_arith_int.c ++++ b/jbig2dec/jbig2_arith_int.c +@@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a + V = (V << 1) | bit; + } + +- /* make sure not to underflow/overflow 32 bit value */ +- if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436) ++ /* offset is always >=0, so underflow can't happen. */ ++ /* avoid overflow by clamping 32 bit value. */ ++ if (V > INT32_MAX - offset) ++ V = INT32_MAX; ++ else + V += offset; + V = S ? -V : V; + *p_result = V; +-- +1.8.3.1 + diff --git a/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch b/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d989343fc9944a04da7d5fb03cb291da703b9ad --- /dev/null +++ b/Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch @@ -0,0 +1,122 @@ +From 9dc0eb31d79bf819c97420aaf2f6fc5cf3a52c10 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Wed, 18 Mar 2020 15:11:01 +0000 +Subject: [PATCH] Bug 702196: Fix incorrect detection of "thin" lines while + stroking. + +When stroking lines, we spot whether a line is 'thin' (i.e. the +perpendicular width of the line is less than 1 pixel), and handle +those cases specially by using custom 'thin line' routines. This +gives more pleasing results than slavishly following the 'any part +of a pixel' rule. + +The current code makes this determination in 2 places. Firstly, +we calculate 'always_thin', by scaling the perpendicular vector +and seeing if all possible lines will be 'thin'. Secondly, in +the case when we aren't 'always_thin', we calculate it for each +line segment in turn by calling 'width_is_thin'. + +Unfortunately, the threshold used for the simple early rejection +test in 'width_is_thin' is wrong. Rather than checking against +0.5, we should be checking against sqrt(1/8). This causes lines +near 45 degrees to be improperly treated as thin. This is a +simple fix. + +This gives lots of progressions - so many that you wonder how we +never spotted this before. + +Unfortunately, buried in these progressions, there are a few files +which, while improved, are still imperfect. + +In some files, that use 'non-uniform' scales, (such as +(53 0 0 21 0 0 )) a stroke of constant width can 'pop' between +thick and thin as we move around the path; a near vertical +line segment may be thin, whereas a near horizontal line segment +might be thick due to the difference in scale. This is visually +jarring. + +To fix this, therefore, we'd need to modify the width_is_thin +testing in non-uniform cases, so that it gives us the same results +all the way around. Doing this would be complex, and ultimately +actually ends up equivalent to us just relying on "always_thin" +(with the exception of strictly vertical and horizontal line +segements). We therefore disable the non-orthogonal test in +'width_is_thin' entirely. +--- + base/gxstroke.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 47 insertions(+), 5 deletions(-) + +diff --git a/base/gxstroke.c b/base/gxstroke.c +index 52c1543..399c914 100644 +--- a/base/gxstroke.c ++++ b/base/gxstroke.c +@@ -1093,12 +1093,51 @@ width_is_thin(pl_ptr plp) + if ((dx = plp->vector.x) == 0) + return any_abs(wx) < fixed_half; + +- /* +- * If both horizontal and vertical widths are less than +- * 0.5, the line is thin. ++ /* For the longest time, we used to have a test here that ++ * attempted to trivially accept diagonal lines as being ++ * thin based on the components of the perpendicular ++ * width vector in device space as both being less than 0.5. ++ * Bug 702196 showed some examples where this was clearly ++ * wrong. ++ * ++ * The cause for this bug was that the 0.5 figure was wrong. ++ * For the point to be less than 1/2 a pixel perpendicular ++ * distant from the line, we'd need x^2 + y^2 < .5^2. ++ * For a 45 degree line, that'd be 2(x^2) < 1/4 = x^2 < 1/8 ++ * or x < sqr(1/8). 45 degree line is the "worst case", so ++ * if both horizontal and vertical widths are less than ++ * sqr(1/8), the line is thin. sqr(1/8) = 0.35355339059. ++ * So, we should be using sqr(1/8) rather than 0.5. ++ * ++ * Fixing this did indeed produce many many progressions, ++ * but left just the odd file still showing problems. ++ * ++ * Further investigations show that those cases were due to ++ * the use of "non-uniform" scaling matrices, for example ++ * (83 0 0 51 0 0). With such matrices, it's possible for ++ * nearly horizontal lines to be thin, but nearly vertical ++ * ones to be thick (or vice versa). Having the style of ++ * line "pop" between thick and thin in a single stroke ++ * looks very noticeable. ++ * ++ * We could change the trivial optimisation below to only ++ * apply in the 'uniform' case, but that would never actually ++ * trigger (as tested on the cluster), because all such ++ * cases are caught by the "always_thin" condition in the ++ * caller. ++ * ++ * Just removing the trivial test and leaving the 'complicated' ++ * test below us would leave us vulnerable to "popping", ++ * so we disable both. In practice this makes no difference ++ * to the number of tests showing diffs in the cluster. + */ +- if (any_abs(wx) < fixed_half && any_abs(wy) < fixed_half) +- return true; ++#if 0 /* DISABLED TEST, see above */ ++ { ++ /* thin_threshold = fixed sqr(1/8) - see above. */ ++ const fixed thin_threshold = float2fixed(0.35355339059f); ++ if (any_abs(wx) < thin_threshold && any_abs(wy) < thin_threshold) ++ return true; ++ } + + /* + * We have to do this the hard way, by actually computing the +@@ -1116,6 +1155,9 @@ width_is_thin(pl_ptr plp) + /* so we don't need to do any de-scaling for the test. */ + return fabs(num) < denom * 0.5; + } ++#else ++ return false; ++#endif + } + + /* Adjust the endpoints and width of a stroke segment along a specified axis */ +-- +1.8.3.1 + diff --git a/Bug-702320-Valgrind-complains-about-UMR.patch b/Bug-702320-Valgrind-complains-about-UMR.patch new file mode 100644 index 0000000000000000000000000000000000000000..3fa2cdfa7187b3ff4d8c59872b658b0600d4a0ca --- /dev/null +++ b/Bug-702320-Valgrind-complains-about-UMR.patch @@ -0,0 +1,54 @@ +From b503c46c124cf5aaa82a71e28f624f2ef2b71e71 Mon Sep 17 00:00:00 2001 +From: ray +Date: Fri, 10 Apr 2020 15:35:02 -0700 +Subject: [PATCH] Bug 702320: Valgrind complains about UMR. + +The file for this bug does show that the stroke_color stack based struct +in not initialized. Init fill_color and stroke_color. This is probably a +bug tail from the fill_stroke commit. + +Also explicitly set 'zeros' to 0 to clarify the expected contents. +--- + base/gxclbits.c | 3 +-- + base/gxclrast.c | 4 ++-- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/base/gxclbits.c b/base/gxclbits.c +index 3c65af9..519cdac 100644 +--- a/base/gxclbits.c ++++ b/base/gxclbits.c +@@ -82,7 +82,7 @@ go_process(stream_state * st, stream_cursor_read *pr, stream_cursor_write *pw, b + return -1; + return 0; + } +-static byte zeros[1< +Date: Thu, 9 Apr 2020 09:40:05 +0100 +Subject: [PATCH] Bug 702322: fix uninitalized data reads + +gs_scan_token() keeps a local copy of the scanner state, and copies from and to +the scanner state that is passed into it. There are several code paths that +can leave some important entries in the structure uninitalized when we copy the +local copy to the parameter. + +This just ensures those specific entries are always set to *something* sane. +--- + psi/iscan.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/psi/iscan.c b/psi/iscan.c +index 9b7151a..32d910f 100644 +--- a/psi/iscan.c ++++ b/psi/iscan.c +@@ -535,6 +535,16 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate) + return_error(gs_error_Fatal); + } + } ++ else { ++ /* We *may* use these in the event of returning to this function after ++ * a interruption, but not every code path below sets them. Set them ++ * to sane values here for safety. We can write the contents of sstate ++ * (back) to pstate before returning. ++ */ ++ sstate.s_da.base = sstate.s_da.next = &(sstate.s_da.buf[0]); ++ sstate.s_da.limit = sstate.s_da.next; ++ sstate.s_da.is_dynamic = false; ++ } + /* Fetch any state variables that are relevant even if */ + /* sstate.s_scan_type == scanning_none. */ + sstate.s_pstack = pstate->s_pstack; +-- +1.8.3.1 + diff --git a/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch b/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch new file mode 100644 index 0000000000000000000000000000000000000000..c6b5522495d240d87244209a307ccb2f90d48545 --- /dev/null +++ b/Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch @@ -0,0 +1,46 @@ +From 60a535f9f49fece2761a1c0c8069f87f7514182c Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Fri, 17 Apr 2020 16:22:06 +0800 +Subject: [PATCH] Bug 702335: jbig2dec: Refill input buffer upon failure to + parse segment header. + +Before commit 2b2dcf4ccf401ed210f03c858b304994749fd2b3 there was +a debug message when attempting to parse a a segment header and +the data supplied to jbig2dec was not enough. Commit 2b2dcf4 +incorrectly changed the debug message into a fatal error message, +due misinterpreting the message text as something that warranted +a fatal error. + +When data was supplied in chunks to jbig2_data_in() in repeated +calls such that a segment header's referred-to segment numbers +field straddled a chunk boundary then jbig2dec would indicate a +fatal error. The file in bug 702335 caused this to happen. + +Instead jbig2dec should be asking the caller for more data so +that the entire segment header can be parsed during a single call +to jbig2_data_in(). + +By convering the fatal error back to a a debug message the problem +is resolved. The message itself is also rewored to clearly +indicate that the situation is non-fatal and that the caller will +be asked to provide more data. +--- + jbig2dec/jbig2_segment.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c +index f901a03..d5c4075 100644 +--- a/jbig2dec/jbig2_segment.c ++++ b/jbig2dec/jbig2_segment.c +@@ -88,7 +88,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t + referred_to_segment_size = result->number <= 256 ? 1 : result->number <= 65536 ? 2 : 4; /* 7.2.5 */ + pa_size = result->flags & 0x40 ? 4 : 1; /* 7.2.6 */ + if (offset + referred_to_segment_count * referred_to_segment_size + pa_size + 4 > buf_size) { +- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, result->number, "insufficient data to parse segment header"); ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, result->number, "attempted to parse segment header with insufficient data, asking for more data"); + jbig2_free(ctx->allocator, result); + return NULL; + } +-- +1.8.3.1 + diff --git a/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch b/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch new file mode 100644 index 0000000000000000000000000000000000000000..27ecfd050863799c5f84694a7fdcea05aad94dee --- /dev/null +++ b/Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch @@ -0,0 +1,27 @@ +From b8bda01581b94e9159533460cfe79436f4d5ac21 Mon Sep 17 00:00:00 2001 +From: Michael Vrhel +Date: Mon, 30 Mar 2020 14:47:25 -0700 +Subject: [PATCH] Coverity 94826 Add missing offset to buffer size used for + clist cmd. + +--- + base/gxclpath.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/base/gxclpath.c b/base/gxclpath.c +index b2b946d..4a8902d 100644 +--- a/base/gxclpath.c ++++ b/base/gxclpath.c +@@ -486,7 +486,8 @@ cmd_write_unknown(gx_device_clist_writer * cldev, gx_clist_state * pcls, + sizeof(float) + /* line width */ + sizeof(float) + /* miter limit */ + 3 + /* bm_tk, op, and rend intent */ +- sizeof(float) * 2 + /* opacity/shape alpha */ ++ sizeof(cldev->gs_gstate.alphaisshape) + ++ sizeof(float) * 2 + /* ca CA */ + sizeof(cldev->gs_gstate.alpha) + ]; + byte *bp = buf; +-- +1.8.3.1 + diff --git a/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch b/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch new file mode 100644 index 0000000000000000000000000000000000000000..c38282f6be6446e30f1f895d42de4485a8931ce3 --- /dev/null +++ b/Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch @@ -0,0 +1,51 @@ +From 6a3c36f8c5e83448f5d1e5f24ee01c0e80a92877 Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Fri, 27 Mar 2020 13:54:02 -0700 +Subject: [PATCH] Fix Bug 702177: VMerrors with some BufferSpace and/or -K + limits. + +Interestingly, the two examples given in the bug succeed on Windows 64 +but don't on linux. The difference is due to an 8 byte difference in the +size of gx_clist_state (the per band writer state). In the case of the +Bug690546.pdf file, the space left in the BufferSpace area after the +logic increased it was only 2,200 bytes on linux, but was 12k bytes on +Windows (it made an extra pass through the automatic "increase space" +loop in gdev_prn_setup_as_command_list. Fix the calculation in +clist_init_states so that the amount of extra space corresponds to the +amount expected by clist command writing (data_bits_size + cmd_largest_size) +rather than the insufficient and arbitrary "100". + +Note that although the Bug692057.pdf returned VMerror from cmd_put_list_op, the +'fallback; method of gx_default_strip_tile_rectangle still produces the SAME +raster from psdcmyk16 and does not change the performance or clist file size +Robin's commit cbee0840 fixed this case. +--- + base/gxclist.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/base/gxclist.c b/base/gxclist.c +index 1819e58..667d9c0 100644 +--- a/base/gxclist.c ++++ b/base/gxclist.c +@@ -355,12 +355,13 @@ clist_init_states(gx_device * dev, byte * init_data, uint data_size) + /* Align to the natural boundary for ARM processors, bug 689600 */ + long alignment = (-(long)init_data) & (sizeof(init_data) - 1); + +- /* +- * The +100 in the next line is bogus, but we don't know what the +- * real check should be. We're effectively assuring that at least 100 +- * bytes will be available to buffer command operands. ++ /* Leave enough room after states for commands that write a reasonable ++ * amount of data. The cmd_largest_size and the data_bits_size should be ++ * enough to buffer command operands. The data_bits_size is the level ++ * at which commands should expect to split data across buffers. If this ++ * extra space is a little large, it doesn't really hurt. + */ +- if (state_size + sizeof(cmd_prefix) + cmd_largest_size + 100 + alignment > data_size) ++ if (state_size + sizeof(cmd_prefix) + cmd_largest_size + data_bits_size + alignment > data_size) + return_error(gs_error_rangecheck); + /* The end buffer position is not affected by alignment */ + cdev->cend = init_data + data_size; +-- +1.8.3.1 + diff --git a/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch b/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch new file mode 100644 index 0000000000000000000000000000000000000000..c711f7f9d9a1faa6658d43545cd9c0079d127e07 --- /dev/null +++ b/Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch @@ -0,0 +1,74 @@ +From cca279886b3bbb4d3af5768880565c9f7b372c08 Mon Sep 17 00:00:00 2001 +From: ray +Date: Mon, 23 Mar 2020 15:27:37 -0700 +Subject: [PATCH] Fix Bug 702181: SEGV when BufferSpace is at or above -K alloc + limit + +The issue with this file is that one of the pages is done in page mode because +it was so small, but the 'resize' call when doing page 2 was not checking the +allocation request against the limit, so the malloc would succeed, but the very +next (and all subsequent) allocations would fail. The gdev_prn_allocate would +capture the ecode, but would still call the clist_enable_multi_thread_render +resulting in the SEGV. + +Add the check in the gs_heap_resize_object function, and make sure and leave +the 'monitor' after failure, then don't call clist_enable_multi_thread if the +resize failed. +--- + base/gdevprn.c | 14 ++++++++------ + base/gsmalloc.c | 11 ++++++++++- + 2 files changed, 18 insertions(+), 7 deletions(-) + +diff --git a/base/gdevprn.c b/base/gdevprn.c +index c365509..ed89cd7 100644 +--- a/base/gdevprn.c ++++ b/base/gdevprn.c +@@ -520,13 +520,15 @@ gdev_prn_allocate(gx_device *pdev, gdev_prn_space_params *new_space_params, + if (ecode == 0) + ecode = code; + +- if ( code >= 0 || (reallocate && pass > 1) ) ++ if (code >= 0 || (reallocate && pass > 1)) + ppdev->procs = gs_clist_device_procs; +- /* +- * Now the device is a clist device, we enable multi-threaded rendering. +- * It will remain enabled, but that doesn't really cause any problems. +- */ +- clist_enable_multi_thread_render(pdev); ++ if (code > 0) { ++ /* ++ * Now the device is a clist device, we enable multi-threaded rendering. ++ * It will remain enabled, but that doesn't really cause any problems. ++ */ ++ clist_enable_multi_thread_render(pdev); ++ } + } else { + /* Render entirely in memory. */ + gx_device *bdev = (gx_device *)pmemdev; +diff --git a/base/gsmalloc.c b/base/gsmalloc.c +index 14979e8..2fbccab 100644 +--- a/base/gsmalloc.c ++++ b/base/gsmalloc.c +@@ -279,9 +279,18 @@ gs_heap_resize_object(gs_memory_t * mem, void *obj, size_t new_num_elements, + return obj; + if (mmem->monitor) + gx_monitor_enter(mmem->monitor); /* Exclusive access */ ++ if (new_size > mmem->limit - sizeof(gs_malloc_block_t)) { ++ /* too large to allocate; also avoids overflow. */ ++ if (mmem->monitor) ++ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */ ++ return 0; ++ } + new_ptr = (gs_malloc_block_t *) gs_realloc(ptr, old_size, new_size); +- if (new_ptr == 0) ++ if (new_ptr == 0) { ++ if (mmem->monitor) ++ gx_monitor_leave(mmem->monitor); /* Done with exclusive access */ + return 0; ++ } + if (new_ptr->prev) + new_ptr->prev->next = new_ptr; + else +-- +1.8.3.1 + diff --git a/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch b/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ac4fa3d5e253c6392b55743c2405d0dbff137cf --- /dev/null +++ b/Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch @@ -0,0 +1,44 @@ +From d49dbf133ac49d09d626bab08ee92835a50a646a Mon Sep 17 00:00:00 2001 +From: ray +Date: Tue, 24 Mar 2020 16:49:13 -0700 +Subject: [PATCH] Fix bug 702182: VMerror due to leaks in pattern cache due to + locking. + +If the tile being loaded by the clist reader was already in the cache and +was locked, the slot would be re-loaded (with the same tile) without freeing +up the previously loaded tile. It would be nicer to be able to skip reading +the tile in this case, but we need to consume the data from the clist sequence, +so just unlock it so it can be freed, then re-load it (presumably setting the +lock again). +--- + base/gsptype1.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/base/gsptype1.c b/base/gsptype1.c +index 7d4714f..c39f039 100644 +--- a/base/gsptype1.c ++++ b/base/gsptype1.c +@@ -2117,8 +2117,20 @@ gx_dc_pattern_read( + /* the following works for raster or clist patterns */ + cache_space_needed = buf.size_b + buf.size_c; + } ++ ++ /* Free up any unlocked patterns if needed */ + gx_pattern_cache_ensure_space((gs_gstate *)pgs, cache_space_needed); + ++ /* If the pattern tile is already in the cache, make sure it isn't locked */ ++ /* The lock will be reset below, but the read logic needs to finish loading the pattern. */ ++ ptile = &(pgs->pattern_cache->tiles[buf.id % pgs->pattern_cache->num_tiles]); ++ if (ptile->id != gs_no_id && ptile->is_locked) { ++ /* we shouldn't have miltiple tiles locked, but check if OK before unlocking */ ++ if (ptile->id != buf.id) ++ return_error(gs_error_unregistered); /* can't unlock some other tile in this slot */ ++ code = gx_pattern_cache_entry_set_lock(pgs, buf.id, false); /* make sure not locked */ ++ } ++ /* get_entry will free the tile in the cache slot if it isn't empty */ + code = gx_pattern_cache_get_entry((gs_gstate *)pgs, /* Break 'const'. */ + buf.id, &ptile); + if (code < 0) +-- +1.8.3.1 + diff --git a/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch b/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch new file mode 100644 index 0000000000000000000000000000000000000000..44aef09335502d54f09f53a9b139c4adc088f0a0 --- /dev/null +++ b/Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch @@ -0,0 +1,74 @@ +From b09cbe8e577fb14504932dc8d9096187ec4e0840 Mon Sep 17 00:00:00 2001 +From: Ray Johnston +Date: Sun, 29 Mar 2020 15:32:36 -0700 +Subject: [PATCH] Fix infinite loop in PDF interpreter 'pagespotcolors' + procedure + +The file tests_private/pdf/uploads/poc1_pdf_gs.pdf has the single page +Parent object as itself. This only showed up with "DeviceN" devices that +search the PDF for the number of spot colorants on the page. + +Note that this file is broken in other respects since it has a /Count +of 9 pages, but only a single page. This change also adds handling for +the //null object returned when a page isn't found since there isn't +actually a second page, and adds an error message when this is the case. +--- + Resource/Init/pdf_main.ps | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/Resource/Init/pdf_main.ps b/Resource/Init/pdf_main.ps +index 2d896b2..7a3b91f 100644 +--- a/Resource/Init/pdf_main.ps ++++ b/Resource/Init/pdf_main.ps +@@ -513,7 +513,12 @@ currentdict /runpdfstring .undef + { + dup /Page# exch store + QUIET not { (Page ) print dup //== exec flush } if +- pdfgetpage pdfshowpage ++ pdfgetpage ++ dup //null ne { pdfshowpage } { ++ ( **** Error: Page #) pdfformaterror Page# 10 string cvs pdfformaterror ++ ( not found.\n) pdfformaterror ++ /dopdfpages cvx /syntaxerror signalerror ++ } ifelse + }{ + pop + }ifelse +@@ -2076,14 +2081,19 @@ currentdict /xref-char-dict undef + /pdffindpageref { % pdffindpage + dup pdffindpage? + % Stack: index countleft noderef +- 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if +- exch pop +- PageIndex 2 index 1 sub 65533 .min 2 index oforce put +- PageNumbers 1 index oforce 3 index dup 65534 le +- { put } +- { pop pop pop } % don't store more than 65534 pagenumbers ++ dup //null ne { ++ 1 index 1 ne { pop pop /pdffindpage cvx /rangecheck signalerror } if ++ exch pop ++ PageIndex 2 index 1 sub 65533 .min 2 index oforce put ++ PageNumbers 1 index oforce 3 index dup 65534 le ++ { put } ++ { pop pop pop } % don't store more than 65534 pagenumbers ++ ifelse ++ } { ++ exch pop % return the //null ++ } + ifelse +- exch pop ++ exch pop % pop the page number, return the object or null + } bind executeonly def + /pdffindpage { % pdffindpage + pdffindpageref oforce +@@ -3311,6 +3321,7 @@ currentdict /PDF2PS_matrix_key undef + { + /Parent knownoget + { ++ dup /Pages known not { pop exit } if % not a valid Page Tree ancestor + dup 4 1 roll + resourcespotcolors + 3 -1 roll +-- +1.8.3.1 + diff --git a/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch b/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch new file mode 100644 index 0000000000000000000000000000000000000000..08dc87308637518e1dbada8a1dacd3f83a8f9a95 --- /dev/null +++ b/PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch @@ -0,0 +1,47 @@ +From a45d7217c8c1578475ee9204d1f4ad46520f44d1 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Sat, 21 Mar 2020 10:00:42 +0000 +Subject: [PATCH] PDF interpreter - swallow errors reading ICC profiles and + continue + +Bug #702240 "Invalid ICC profile aborts PDF ineterpretation" + +The file contains an ICCbased space which references an embedded ICC +profile, which is Flate compressed. The compressed stream has been +corrupted and cannot be decompressed. + +This causes the colour space code to throw an ioerror and terminate +interpretation, Acrobat (as usual) doesn't even give a warning. + +This commit checks for an error creating the ReusableStreamDecode and +if it fails sets the Data Source in the stream dictionary to null. We +will later use the /N value in the stream dictionary to set a reasonable +fallback space (in this case CMYK). +--- + Resource/Init/pdf_draw.ps | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/Resource/Init/pdf_draw.ps b/Resource/Init/pdf_draw.ps +index 1deb052..9d818de 100644 +--- a/Resource/Init/pdf_draw.ps ++++ b/Resource/Init/pdf_draw.ps +@@ -874,7 +874,15 @@ currentdict /csncompdict undef + dup dup 1 oget + mark exch { oforce } forall .dicttomark + dup dup //true resolvestream +- /ReusableStreamDecode filter /DataSource exch put ++ { ++ /ReusableStreamDecode filter ++ } stopped ++ { ++ pop null ++% ( **** Error: Failed to read ICC profile for an ICCBased colour space.\n) pdfformaterror ++% ( Falling back to a colour space determined by the /N value.\n) pdfformaterror ++ }if ++ /DataSource exch put + dup /.hash 0 put % placeholder for use by seticc icc_profile_cache key + % Check that the number of components (/N) defined in the ICCBased + % dictionry matches the actual profile. Bug #696120 +-- +1.8.3.1 + diff --git a/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch b/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch new file mode 100644 index 0000000000000000000000000000000000000000..02d1989630c10b84011fcef1e48601096321cbdd --- /dev/null +++ b/PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch @@ -0,0 +1,83 @@ +From ebabebad34a3811230b7bfe351eface7f5efc8a9 Mon Sep 17 00:00:00 2001 +From: Ken Sharp +Date: Wed, 8 Apr 2020 16:06:44 +0100 +Subject: [PATCH] PostScript interpreter - don't leave A85Decode pdf_rules + uninitialised + +Bug #702319 "Read of uninitialized value according to valgrind..." + +There are a number of other bugs which relate to this particular problem: +690976, 692983 and 693485. The problem has come about as a cumulative +result of working on these bugs. + +Starting with commit : +http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e0ecca32ecd12dae3310fac4b65dc224031c85a2 +for bug 690976 a new flag 'pdf_rules' was added to the Ascii85Decode +state. This is initialised from the dictionary operand in PostScript +by zA85D() in zfdecode.c. When this flag is true the ASCII85Decode +filter will silently accept just '~' as a valid termination for a string +(should be '~>'). + +However this is not the only way to initialise an Ascii85Decode filter, +the PostScript token scanner can also use s_A85D_init_inline() which +does not initialise the flag. From this point we have the potential +for testing an unitialised variable in s_A85D_process(), if we get an +encoded string which terminates with a '~' and the filter was +instantiated from PostScript. + +When fixing bug 692983, this commit: +http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d561224d1495321d40012230abbcf835b298f557 + +Alex specifically added a comment that pdf_rules must not be initialised +in s_A85D_init_inline() but didn't say why! The reason is that the +regular stream initialisation code (s_A85D-init) also uses this inline +function, so if it altered pdf_rules it would overwrite the value +previously set by zA85D(). + +Since the initialisation is done in two places, the only way to fix this +is to initialise pdf_rules in gs_scan_token() which this commit duly +does. I've also added comments in s_A85D_init_inline to explain more +clearly *why* pdf_rules must not be initialised here. +--- + base/sa85d.h | 9 ++++++++- + psi/iscan.c | 4 ++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/base/sa85d.h b/base/sa85d.h +index 6e74622..8685af7 100644 +--- a/base/sa85d.h ++++ b/base/sa85d.h +@@ -41,7 +41,14 @@ typedef struct stream_A85D_state_s { + (ss)->min_left = 1; \ + (ss)->word = 0; \ + (ss)->odd = 0; \ +- /* pdf_rules should not be initialized here */ \ ++ /* pdf_rules should not be initialized here. This flag is initialised in\ ++ * zA85D to either true or false, and this inline function is called *after*\ ++ * that in s_A85D_init to do the remaining initialisation. However, this\ ++ * inline function is also called from gs_scan_token to handle inline\ ++ * ASCII85 strings. These are not to be interpreted using PDF rules\ ++ * and so we must not set the flag here, but in the relevant calling\ ++ * functions.\ ++ */ \ + (ss)->require_eod=false; \ + END + extern const stream_template s_A85D_template; +diff --git a/psi/iscan.c b/psi/iscan.c +index e5956e1..9b7151a 100644 +--- a/psi/iscan.c ++++ b/psi/iscan.c +@@ -581,6 +581,10 @@ gs_scan_token(i_ctx_t *i_ctx_p, ref * pref, scanner_state * pstate) + s_A85D_init_inline(&sstate.s_ss.a85d); + sstate.s_ss.st.templat = &s_A85D_template; + sstate.s_ss.a85d.require_eod = true; ++ /* If this is an inline ASCII string, interpret it normally, throw an error ++ * if it fails rather than ignoring it as PDF (Acrobat) does. ++ */ ++ sstate.s_ss.a85d.pdf_rules = false; + goto str; + } + sputback_inline(s, sptr, endptr); +-- +1.8.3.1 + diff --git a/ghostscript.spec b/ghostscript.spec index a60daa311cc05513bee0f0b2a6f3979f9e553777..5fb5eb48e17fadf6da3aab6eee1263e9d226d475 100644 --- a/ghostscript.spec +++ b/ghostscript.spec @@ -9,13 +9,38 @@ Name: ghostscript Version: 9.52 -Release: 1 +Release: 2 Summary: An interpreter for PostScript and PDF files License: AGPLv3+ URL: https://ghostscript.com/ Source0: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs%{version_short}/ghostscript-%{version}.tar.xz -Patch1: ghostscript-9.23-100-run-dvipdf-securely.patch +Patch0: ghostscript-9.23-100-run-dvipdf-securely.patch +Patch1: jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch +Patch2: jbig2dec-Add-overflow-detection-for-IAID-context-size.patch +Patch3: jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch +Patch4: Bug-701721-jbig2dec-Fix-under-overflow-handling-in-arithmetic-integer-decoder.patch +Patch5: jbig2dec-Always-use-uint32_t-when-counting-pages.patch +Patch6: PDF-interpreter-swallow-errors-reading-ICC-profiles-and-continue.patch +Patch7: jbig2dec-Fix-two-overlooked-warnings.patch +Patch8: jbig2dec-Use-correct-define-for-maxium-value-of-type.patch +Patch9: Fix-Bug-702181-SEGV-when-BufferSpace-is-at-or-above-K-alloc-limit.patch +Patch10: Fix-bug-702182-VMerror-due-to-leaks-in-pattern-cache-due-to-locking.patch +Patch11: Bug-702196-Fix-incorrect-detection-of-thin-lines-while-stroking.patch +Patch12: Fix-Bug-702177-VMerrors-with-some-BufferSpace-andor-K-limits.patch +Patch13: Fix-infinite-loop-in-PDF-interpreter-pagespotcolors-procedure.patch +Patch14: Coverity-94826-Add-missing-offset-to-buffer-size-used-for-clist-cmd.patch +Patch15: jbig2dec-Plug-leak-of-image-upon-error.patch +Patch16: jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch +Patch17: jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch +Patch18: PostScript-interpreter-don-t-leave-A85Decode-pdf_rules-uninitialised.patch +Patch19: Bug-702322-fix-uninitalized-data-reads.patch +Patch20: Bug-702320-Valgrind-complains-about-UMR.patch +Patch21: Bug-702335-jbig2dec-Refill-input-buffer-upon-failure-to-parse-segment-header.patch +Patch22: Bug-697545-Prevent-memory-leak-in-gx-path-assign-free.patch +Patch23: Bug-697545-Prevent-numerous-memory-leaks.patch +Patch24: lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch + BuildRequires: automake gcc BuildRequires: adobe-mappings-cmap-devel adobe-mappings-pdf-devel BuildRequires: google-droid-sans-fonts urw-base35-fonts-devel @@ -175,6 +200,12 @@ make check %{_bindir}/dvipdf %changelog +* Tue Jun 30 2020 wangchen - 9.52-2 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:Sync some patches from community + * Mon May 11 2020 openEuler Buildteam - 9.52-1 - Type:requirement - ID:NA diff --git a/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch b/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch new file mode 100644 index 0000000000000000000000000000000000000000..22f34b22d5d70eec63c3ccf25565a479d1df4d7a --- /dev/null +++ b/jbig2dec-Add-overflow-detection-for-IAID-context-size.patch @@ -0,0 +1,37 @@ +From 30842ee99923fa10a7301494fd08b998e7acf57b Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Sun, 15 Sep 2019 18:12:31 +0200 +Subject: [PATCH] jbig2dec: Add overflow detection for IAID context size. + +--- + jbig2dec/jbig2_arith_iaid.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/jbig2dec/jbig2_arith_iaid.c b/jbig2dec/jbig2_arith_iaid.c +index 78dc830..bbc38a0 100644 +--- a/jbig2dec/jbig2_arith_iaid.c ++++ b/jbig2dec/jbig2_arith_iaid.c +@@ -44,9 +44,18 @@ struct _Jbig2ArithIaidCtx { + Jbig2ArithIaidCtx * + jbig2_arith_iaid_ctx_new(Jbig2Ctx *ctx, int SBSYMCODELEN) + { +- Jbig2ArithIaidCtx *result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); +- int ctx_size = 1 << SBSYMCODELEN; ++ Jbig2ArithIaidCtx *result; ++ size_t ctx_size; + ++ if (sizeof(ctx_size) * 8 <= SBSYMCODELEN) ++ { ++ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "requested IAID arithmetic coding state size too large"); ++ return NULL; ++ } ++ ++ ctx_size = 1 << SBSYMCODELEN; ++ ++ result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); + if (result == NULL) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate IAID arithmetic coding state"); + return NULL; +-- +1.8.3.1 + diff --git a/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch b/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6fbe42e6cdca039d54bd05aa098b13d31aa3fa0 --- /dev/null +++ b/jbig2dec-Adjust-number-of-bytes-consumed-by-MMR-decoder.patch @@ -0,0 +1,94 @@ +From dc6b8098b52db7e1a9b20c1ef6f1006555c04b1b Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Fri, 27 Mar 2020 05:41:07 +0800 +Subject: [PATCH] jbig2dec: Adjust number of bytes consumed by MMR decoder. + +The MMR decoder pre-buffers up to 32 bits of encoded input data in a word +buffer before they are consumed by the MMR decoder. Once bits are consumed, the +pre-buffer will be filled up with more input data. When filling up the buffer +the decoder would previously stay clear of reading data belonging to succeeding +segments, but still indicated that it consumed those bytes it never read. Once +finished the MMR decoder lied to the caller by propagating the incorrect number +of consumed bytes. The caller subtracted the consumed number of bytes from the +size and end up in underflow causing the next MMR decoding to first read input +data at the wrong location, later ending up attempting to read outside the MMR +encoded input buffer. + +Now, the MMR decoder keeps track of how many bits it has consumed and +accurately rounds this number up to a whole number of bytes to the caller. + +Fixes OSS-fuzz issue 17855. + +Thanks to OSS-fuzz for reporting. +--- + jbig2dec/jbig2_mmr.c | 27 ++++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/jbig2dec/jbig2_mmr.c b/jbig2dec/jbig2_mmr.c +index 8029c81..94ff429 100644 +--- a/jbig2dec/jbig2_mmr.c ++++ b/jbig2dec/jbig2_mmr.c +@@ -45,6 +45,7 @@ typedef struct { + uint32_t height; + const byte *data; + size_t size; ++ size_t consumed_bits; + uint32_t data_index; + uint32_t bit_index; + uint32_t word; +@@ -58,30 +59,34 @@ typedef struct { + static void + jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size) + { +- size_t i; +- uint32_t word = 0; +- + mmr->width = width; + mmr->height = height; + mmr->data = data; + mmr->size = size; + mmr->data_index = 0; +- mmr->bit_index = 0; ++ mmr->bit_index = 32; ++ mmr->word = 0; ++ mmr->consumed_bits = 0; + +- for (i = 0; i < size && i < 4; i++) +- word |= (data[i] << ((3 - i) << 3)); +- mmr->word = word; ++ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) { ++ mmr->bit_index -= 8; ++ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index); ++ mmr->data_index++; ++ } + } + + static void + jbig2_decode_mmr_consume(Jbig2MmrCtx *mmr, int n_bits) + { ++ mmr->consumed_bits += n_bits; ++ if (mmr->consumed_bits > mmr->size * 8) ++ mmr->consumed_bits = mmr->size * 8; ++ + mmr->word <<= n_bits; + mmr->bit_index += n_bits; +- while (mmr->bit_index >= 8) { ++ while (mmr->bit_index >= 8 && mmr->data_index < mmr->size) { + mmr->bit_index -= 8; +- if (mmr->data_index + 4 < mmr->size) +- mmr->word |= (mmr->data[mmr->data_index + 4] << mmr->bit_index); ++ mmr->word |= (mmr->data[mmr->data_index] << mmr->bit_index); + mmr->data_index++; + } + } +@@ -1259,6 +1264,6 @@ jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, + jbig2_decode_mmr_consume(&mmr, 24); + } + +- *consumed_bytes += mmr.data_index + (mmr.bit_index >> 3) + (mmr.bit_index > 0 ? 1 : 0); ++ *consumed_bytes += (mmr.consumed_bits + 7) / 8; + return code; + } +-- +1.8.3.1 + diff --git a/jbig2dec-Always-use-uint32_t-when-counting-pages.patch b/jbig2dec-Always-use-uint32_t-when-counting-pages.patch new file mode 100644 index 0000000000000000000000000000000000000000..44448be1e6fae09d9b6ee9440f14365e123c7483 --- /dev/null +++ b/jbig2dec-Always-use-uint32_t-when-counting-pages.patch @@ -0,0 +1,78 @@ +From ff53af0d4ff9291aa5039522f5553a2850dd569d Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Thu, 12 Mar 2020 00:26:59 +0800 +Subject: [PATCH] jbig2dec: Always use uint32_t when counting pages. + +--- + jbig2dec/jbig2.c | 4 ++-- + jbig2dec/jbig2_page.c | 10 +++++++++- + jbig2dec/jbig2_priv.h | 4 ++-- + 3 files changed, 13 insertions(+), 5 deletions(-) + +diff --git a/jbig2dec/jbig2.c b/jbig2dec/jbig2.c +index 126e7a9..9fbb340 100644 +--- a/jbig2dec/jbig2.c ++++ b/jbig2dec/jbig2.c +@@ -154,7 +154,7 @@ jbig2_ctx_new_imp(Jbig2Allocator *allocator, Jbig2Options options, Jbig2GlobalCt + return NULL; + } + { +- int index; ++ uint32_t index; + + for (index = 0; index < result->max_page_index; index++) { + result->pages[index].state = JBIG2_PAGE_FREE; +@@ -412,7 +412,7 @@ Jbig2Allocator * + jbig2_ctx_free(Jbig2Ctx *ctx) + { + Jbig2Allocator *ca; +- int i; ++ uint32_t i; + + if (ctx == NULL) + return NULL; +diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c +index 21483e8..31b31f7 100644 +--- a/jbig2dec/jbig2_page.c ++++ b/jbig2dec/jbig2_page.c +@@ -72,13 +72,21 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat + + /* find a free page */ + { +- int index, j; ++ size_t index, j; + + index = ctx->current_page; + while (ctx->pages[index].state != JBIG2_PAGE_FREE) { + index++; + if (index >= ctx->max_page_index) { + /* grow the list */ ++ ++ if (ctx->max_page_index == SIZE_MAX) { ++ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image"); ++ } ++ else if (ctx->max_page_index > (SIZE_MAX >> 2)) { ++ ctx->max_page_index = SIZE_MAX; ++ } ++ + pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2)); + if (pages == NULL) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to reallocate pages"); +diff --git a/jbig2dec/jbig2_priv.h b/jbig2dec/jbig2_priv.h +index e5a1eb5..d464208 100644 +--- a/jbig2dec/jbig2_priv.h ++++ b/jbig2dec/jbig2_priv.h +@@ -101,8 +101,8 @@ struct _Jbig2Ctx { + + /* list of decoded pages, including the one in progress, + currently stored as a contiguous, 0-indexed array. */ +- int current_page; +- int max_page_index; ++ uint32_t current_page; ++ uint32_t max_page_index; + Jbig2Page *pages; + }; + +-- +1.8.3.1 + diff --git a/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch b/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch new file mode 100644 index 0000000000000000000000000000000000000000..1e3410fdb400be258179b276278fd11d01e03b1e --- /dev/null +++ b/jbig2dec-Avoid-warning-by-copying-bytes-instead-of-characters.patch @@ -0,0 +1,48 @@ +From 92faea67b31570e84b978a77b43c8f38bdad7bd4 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Tue, 1 Oct 2019 18:08:34 +0200 +Subject: [PATCH] jbig2dec: Avoid warning by copying bytes instead of + characters. + +--- + jbig2dec/jbig2dec.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/jbig2dec/jbig2dec.c b/jbig2dec/jbig2dec.c +index 39f487e..d7d0aef 100644 +--- a/jbig2dec/jbig2dec.c ++++ b/jbig2dec/jbig2dec.c +@@ -458,6 +458,7 @@ make_output_filename(const char *input_filename, const char *extension) + { + char *output_filename; + const char *c, *e; ++ int extlen; + int len; + + if (extension == NULL) { +@@ -488,16 +489,18 @@ make_output_filename(const char *input_filename, const char *extension) + if (e != NULL) + len -= strlen(e); + ++ extlen = strlen(extension); ++ + /* allocate enough space for the base + ext */ +- output_filename = (char *)malloc(len + strlen(extension) + 1); ++ output_filename = (char *)malloc(len + extlen + 1); + if (output_filename == NULL) { + fprintf(stderr, "failed to allocate memory for output filename\n"); + exit(1); + } + +- strncpy(output_filename, c, len); +- strncpy(output_filename + len, extension, strlen(extension)); +- *(output_filename + len + strlen(extension)) = '\0'; ++ memcpy(output_filename, c, len); ++ memcpy(output_filename + len, extension, extlen); ++ *(output_filename + len + extlen) = '\0'; + + /* return the new string */ + return (output_filename); +-- +1.8.3.1 + diff --git a/jbig2dec-Fix-two-overlooked-warnings.patch b/jbig2dec-Fix-two-overlooked-warnings.patch new file mode 100644 index 0000000000000000000000000000000000000000..fd8af9fce4b15a7ac47444c69a28205e029fa106 --- /dev/null +++ b/jbig2dec-Fix-two-overlooked-warnings.patch @@ -0,0 +1,40 @@ +From 4f0c17451afb66e6fcf3bd453490b4b9d2b06b42 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Sat, 21 Mar 2020 16:20:28 +0800 +Subject: [PATCH] jbig2dec: Fix two overlooked warnings. + +While working to fix all warnings seen when -Wsign-conversion is +enabled, these two warnings were accidentally introduced by commit +ff53af0d4ff9291aa5039522f5553a2850dd569d and not noticed in the +avalanche of warnings emitted due to -Wsign-conversion. This commit +changes the indicies to the type of the limit variable, fixing the +warnings. +--- + jbig2dec/jbig2_page.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c +index 31b31f7..bc89a43 100644 +--- a/jbig2dec/jbig2_page.c ++++ b/jbig2dec/jbig2_page.c +@@ -319,7 +319,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, uint32_ + Jbig2Image * + jbig2_page_out(Jbig2Ctx *ctx) + { +- int index; ++ uint32_t index; + + /* search for a completed page */ + for (index = 0; index < ctx->max_page_index; index++) { +@@ -348,7 +348,7 @@ jbig2_page_out(Jbig2Ctx *ctx) + void + jbig2_release_page(Jbig2Ctx *ctx, Jbig2Image *image) + { +- int index; ++ uint32_t index; + + if (image == NULL) + return; +-- +1.8.3.1 + diff --git a/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch b/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch new file mode 100644 index 0000000000000000000000000000000000000000..48d14b808935cff51d5d06f94b52d1d95abb7291 --- /dev/null +++ b/jbig2dec-Handle-under-overflow-detection-and-messaging-better.patch @@ -0,0 +1,52 @@ +From 716560bf5f2bc4b821ca6924ec648ca4949826bb Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Sun, 15 Sep 2019 17:31:48 +0200 +Subject: [PATCH] jbig2dec: Handle under-/overflow detection and messaging + better. + +Previously SYMWIDTH was capped too early in order to prevent underflow +Moreover TOTWIDTH was allowed to overflow. + +Now the value DW is checked compared to SYMWIDTH, preventing over +underflow and overflow at the correct limits, and an overflow +check has been added for TOTWIDTH. +--- + jbig2dec/jbig2_symbol_dict.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c +index e606529..bc6e98c 100644 +--- a/jbig2dec/jbig2_symbol_dict.c ++++ b/jbig2dec/jbig2_symbol_dict.c +@@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + break; + } + ++ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); ++ goto cleanup; ++ } ++ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); ++ goto cleanup; ++ } ++ + SYMWIDTH = SYMWIDTH + DW; +- TOTWIDTH = TOTWIDTH + SYMWIDTH; +- if ((int32_t) SYMWIDTH < 0) { +- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1); ++ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1); + goto cleanup; + } ++ ++ TOTWIDTH = TOTWIDTH + SYMWIDTH; + #ifdef JBIG2_DEBUG +- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH); ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH); + #endif + /* 6.5.5 (4c.ii) */ + if (!params->SDHUFF || params->SDREFAGG) { +-- +1.8.3.1 + diff --git a/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch b/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch new file mode 100644 index 0000000000000000000000000000000000000000..6a96f56debe350c92d81d2db0cfa3cf1a29006c1 --- /dev/null +++ b/jbig2dec-Initiate-variable-before-avoids-using-uninited-data-during-cleanup.patch @@ -0,0 +1,41 @@ +From d8ed6363166841dcb067d7adc6ad6b52a1b1f90c Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Sun, 5 Apr 2020 12:24:36 +0800 +Subject: [PATCH] jbig2dec: Initiate variable before avoids using uninited data + during cleanup. + +Fixes OSS-fuzz issue 21571. +Also fixes Coverity CID 355467. + +Thanks to OSS-fuzz for reporting. +--- + jbig2dec/jbig2_text.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c +index 61dc815..d49303a 100644 +--- a/jbig2dec/jbig2_text.c ++++ b/jbig2dec/jbig2_text.c +@@ -593,6 +593,9 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + uint32_t table_index = 0; + const Jbig2HuffmanParams *huffman_params = NULL; + ++ /* zero params to ease cleanup later */ ++ memset(¶ms, 0, sizeof(Jbig2TextRegionParams)); ++ + /* 7.4.1 */ + if (segment->data_length < 17) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); +@@ -614,9 +617,6 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + + jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "text region header flags 0x%04x", flags); + +- /* zero params to ease cleanup later */ +- memset(¶ms, 0, sizeof(Jbig2TextRegionParams)); +- + params.SBHUFF = flags & 0x0001; + params.SBREFINE = flags & 0x0002; + params.LOGSBSTRIPS = (flags & 0x000c) >> 2; +-- +1.8.3.1 + diff --git a/jbig2dec-Plug-leak-of-image-upon-error.patch b/jbig2dec-Plug-leak-of-image-upon-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..47a3630a977ba90615cc4517d1ae2caa7de6916b --- /dev/null +++ b/jbig2dec-Plug-leak-of-image-upon-error.patch @@ -0,0 +1,104 @@ +From f14f35c6e3218554cd351b848447cfa83b3c4256 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Thu, 26 Mar 2020 14:20:11 +0800 +Subject: [PATCH] jbig2dec: Plug leak of image upon error. + +Fixes OSS-Fuzz issue 17513. + +Thanks to OSS-fuzz for reporting. +--- + jbig2dec/jbig2_text.c | 39 ++++++++++++++++++++++++--------------- + 1 file changed, 24 insertions(+), 15 deletions(-) + +diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c +index 6d983b6..61dc815 100644 +--- a/jbig2dec/jbig2_text.c ++++ b/jbig2dec/jbig2_text.c +@@ -594,8 +594,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + const Jbig2HuffmanParams *huffman_params = NULL; + + /* 7.4.1 */ +- if (segment->data_length < 17) +- goto too_short; ++ if (segment->data_length < 17) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + jbig2_get_region_segment_info(®ion_info, segment_data); + offset += 17; + /* Check for T.88 amendment 3 */ +@@ -603,8 +605,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "region segment flags indicate use of colored bitmap (NYI)"); + + /* 7.4.3.1.1 */ +- if (segment->data_length - offset < 2) +- goto too_short; ++ if (segment->data_length - offset < 2) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + flags = jbig2_get_uint16(segment_data + offset); + offset += 2; + +@@ -633,8 +637,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + + if (params.SBHUFF) { /* Huffman coding */ + /* 7.4.3.1.2 */ +- if (segment->data_length - offset < 2) +- goto too_short; ++ if (segment->data_length - offset < 2) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + huffman_flags = jbig2_get_uint16(segment_data + offset); + offset += 2; + +@@ -643,8 +649,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + } else { /* arithmetic coding */ + + /* 7.4.3.1.3 */ +- if (segment->data_length - offset < 4) +- goto too_short; ++ if (segment->data_length - offset < 4) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + if ((params.SBREFINE) && !(params.SBRTEMPLATE)) { + params.sbrat[0] = segment_data[offset]; + params.sbrat[1] = segment_data[offset + 1]; +@@ -655,8 +663,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + } + + /* 7.4.3.1.4 */ +- if (segment->data_length - offset < 4) +- goto too_short; ++ if (segment->data_length - offset < 4) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset); + offset += 4; + +@@ -922,8 +932,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data + goto cleanup2; + } + +- if (offset >= segment->data_length) +- goto too_short; ++ if (offset >= segment->data_length) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); ++ goto cleanup2; ++ } + ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset); + if (ws == NULL) { + code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to allocate word stream when handling text region image"); +@@ -1028,7 +1040,4 @@ cleanup1: + jbig2_free(ctx->allocator, dicts); + + return code; +- +-too_short: +- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + } +-- +1.8.3.1 diff --git a/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch b/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch new file mode 100644 index 0000000000000000000000000000000000000000..39a194911b08137f2dffd7f2081001e21dc63bef --- /dev/null +++ b/jbig2dec-Use-correct-define-for-maxium-value-of-type.patch @@ -0,0 +1,32 @@ +From a80f7f12e7a2fb0caa1ea9ac6fa8981cc539a1bc Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Sat, 21 Mar 2020 15:59:21 +0800 +Subject: [PATCH] jbig2dec: Use correct define for maxium value of type. + +Fixes Coverity CID 355177. +--- + jbig2dec/jbig2_page.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c +index bc89a43..92486dd 100644 +--- a/jbig2dec/jbig2_page.c ++++ b/jbig2dec/jbig2_page.c +@@ -80,11 +80,11 @@ jbig2_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_dat + if (index >= ctx->max_page_index) { + /* grow the list */ + +- if (ctx->max_page_index == SIZE_MAX) { ++ if (ctx->max_page_index == UINT32_MAX) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many pages in jbig2 image"); + } +- else if (ctx->max_page_index > (SIZE_MAX >> 2)) { +- ctx->max_page_index = SIZE_MAX; ++ else if (ctx->max_page_index > (UINT32_MAX >> 2)) { ++ ctx->max_page_index = UINT32_MAX; + } + + pages = jbig2_renew(ctx, ctx->pages, Jbig2Page, (ctx->max_page_index <<= 2)); +-- +1.8.3.1 + diff --git a/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch b/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch new file mode 100644 index 0000000000000000000000000000000000000000..e783ad0058b25b734db7fe66f22e773b4a9c439f --- /dev/null +++ b/lgtmcom-tweak-Make-it-clear-that-something-isn-t-a-typo.patch @@ -0,0 +1,27 @@ +From d9b37029db10bdeaf5eaee00bac2eb0653644c77 Mon Sep 17 00:00:00 2001 +From: Robin Watts +Date: Sat, 9 May 2020 17:45:01 +0100 +Subject: [PATCH] lgtm.com tweak: Make it clear that something isn't a typo. + +Use "INTERPATCH_PADDING != 0" rather than "INTERPATCH_PADDING" to +avoid the appearance of a typo. +--- + base/gxshade6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/base/gxshade6.c b/base/gxshade6.c +index 85b8d76..e48bcfb 100644 +--- a/base/gxshade6.c ++++ b/base/gxshade6.c +@@ -2389,7 +2389,7 @@ fill_wedges_aux(patch_fill_state_t *pfs, int k, int ka, + pfs->inside = save_inside; + return code; + } else { +- if (INTERPATCH_PADDING && (wedge_type & interpatch_padding)) { ++ if ((INTERPATCH_PADDING != 0) && (wedge_type & interpatch_padding)) { + code = mesh_padding(pfs, &pole[0], &pole[3], c0, c1); + if (code < 0) + return code; +-- +1.8.3.1 +