diff --git a/test/bug-hunting/cve.py b/test/bug-hunting/cve.py index 1bf8d3b2c..18c524358 100644 --- a/test/bug-hunting/cve.py +++ b/test/bug-hunting/cve.py @@ -14,32 +14,45 @@ else: CPPCHECK_PATH = '../../cppcheck' TEST_SUITE = 'cve' -RUN_CLANG = ('--clang' in sys.argv) +def test(test_folder): + print(test_folder) + + cmd_file = os.path.join(test_folder, 'cmd.txt') + expected_file = os.path.join(test_folder, 'expected.txt') -def check(): cmd = [CPPCHECK_PATH, '-D__GNUC__', '--bug-hunting', '--inconclusive', '--platform=unix64', - '--inline-suppr', - '--enable=information', - TEST_SUITE] - if RUN_CLANG: - cmd.append('--clang') - print(' '.join(cmd)) + '--template={file}:{line}:{id}', + '-rp=' + test_folder, + test_folder] + + if os.path.isfile(cmd_file): + for line in open(cmd_file, 'rt'): + if len(line) > 1: + cmd.append(line.strip()) p = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) comm = p.communicate() stdout = comm[0].decode(encoding='utf-8', errors='ignore') stderr = comm[1].decode(encoding='utf-8', errors='ignore') - # Ensure there are no unmatched suppressions - if '[unmatchedSuppression]' in stderr: - print('FAILED: There are unmatched suppressions') - sys.exit(1) - else: - print('SUCCESS') + with open(expected_file, 'rt') as f: + for expected in f.readlines(): + if expected.strip() not in stderr.split('\n'): + print('FAILED. Expected result not found: ' + expected) + print('Command:') + print(' '.join(cmd)) + print('Output:') + print(stderr) + sys.exit(1) +if len(sys.argv) > 1: + test(sys.argv[1]) + sys.exit(0) + +for test_folder in sorted(glob.glob(TEST_SUITE + '/CVE*')): + test(test_folder) -check() diff --git a/test/bug-hunting/cve/CVE-2018-19872/expected.txt b/test/bug-hunting/cve/CVE-2018-19872/expected.txt new file mode 100644 index 000000000..07ba035ca --- /dev/null +++ b/test/bug-hunting/cve/CVE-2018-19872/expected.txt @@ -0,0 +1,2 @@ +qppmhandler.cpp:223:bughuntingDivByZero +qppmhandler.cpp:255:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2018-19872/qppmhandler.cpp b/test/bug-hunting/cve/CVE-2018-19872/qppmhandler.cpp index 1c4f07bc4..e9f5a905f 100644 --- a/test/bug-hunting/cve/CVE-2018-19872/qppmhandler.cpp +++ b/test/bug-hunting/cve/CVE-2018-19872/qppmhandler.cpp @@ -220,7 +220,7 @@ static bool read_pbm_body(QIODevice *device, char type, int w, int h, int mcc, Q return false; if (nbits == 8 && mcc < 255) { for (int i = 0; i < pbm_bpl; i++) - p[i] = (p[i] * 255) / mcc; // cppcheck-suppress bughuntingDivByZero + p[i] = (p[i] * 255) / mcc; } } } @@ -252,7 +252,7 @@ static bool read_pbm_body(QIODevice *device, char type, int w, int h, int mcc, Q } } else { while (n--) { - *p++ = read_pbm_int(device) * 255 / mcc; // cppcheck-suppress bughuntingDivByZero + *p++ = read_pbm_int(device) * 255 / mcc; } } } else { // 32 bits diff --git a/test/bug-hunting/cve/CVE-2019-10018/Function.cc b/test/bug-hunting/cve/CVE-2019-10018/Function.cc index bc6bb299b..72cadd9be 100644 --- a/test/bug-hunting/cve/CVE-2019-10018/Function.cc +++ b/test/bug-hunting/cve/CVE-2019-10018/Function.cc @@ -1371,7 +1371,7 @@ int PostScriptFunction::exec(double *stack, int sp0) { if (sp + 1 >= psStackSize) { goto underflow; } - stack[sp + 1] = (int)stack[sp + 1] / (int)stack[sp]; // cppcheck-suppress bughuntingDivByZero + stack[sp + 1] = (int)stack[sp + 1] / (int)stack[sp]; ++sp; break; case psOpIndex: diff --git a/test/bug-hunting/cve/CVE-2019-10018/expected.txt b/test/bug-hunting/cve/CVE-2019-10018/expected.txt new file mode 100644 index 000000000..851e52fdd --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10018/expected.txt @@ -0,0 +1,2 @@ +Function.cc:1374:bughuntingDivByZero + diff --git a/test/bug-hunting/cve/CVE-2019-10019/PSOutputDev.cc b/test/bug-hunting/cve/CVE-2019-10019/PSOutputDev.cc index f09f41d4d..15a2a2339 100644 --- a/test/bug-hunting/cve/CVE-2019-10019/PSOutputDev.cc +++ b/test/bug-hunting/cve/CVE-2019-10019/PSOutputDev.cc @@ -1,6 +1,3 @@ -// Cppcheck bug hunting define: -#define HAVE_SPLASH 1 - //======================================================================== // // PSOutputDev.cc @@ -4198,7 +4195,7 @@ GBool PSOutputDev::checkPageSlice(Page *page, double hDPI, double vDPI, } nStripes = (int)ceil(((double)sliceW * (double)sliceH) / (double)globalParams->getPSRasterSliceSize()); - stripeH = (sliceH + nStripes - 1) / nStripes; // cppcheck-suppress bughuntingDivByZero + stripeH = (sliceH + nStripes - 1) / nStripes; // render the stripes for (stripeY = sliceY; stripeY < sliceH; stripeY += stripeH) { @@ -4345,6 +4342,7 @@ GBool PSOutputDev::checkPageSlice(Page *page, double hDPI, double vDPI, endPage(); return gFalse; + #else // HAVE_SPLASH error(errSyntaxWarning, -1, diff --git a/test/bug-hunting/cve/CVE-2019-10019/cmd.txt b/test/bug-hunting/cve/CVE-2019-10019/cmd.txt new file mode 100644 index 000000000..01699d982 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10019/cmd.txt @@ -0,0 +1 @@ +-DHAVE_SPLASH=1 diff --git a/test/bug-hunting/cve/CVE-2019-10019/expected.txt b/test/bug-hunting/cve/CVE-2019-10019/expected.txt new file mode 100644 index 000000000..920e7ee2d --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10019/expected.txt @@ -0,0 +1 @@ +PSOutputDev.cc:4198:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-10020/Splash.cc b/test/bug-hunting/cve/CVE-2019-10020/Splash.cc index a9030190c..77718abbe 100644 --- a/test/bug-hunting/cve/CVE-2019-10020/Splash.cc +++ b/test/bug-hunting/cve/CVE-2019-10020/Splash.cc @@ -5556,8 +5556,8 @@ void Splash::scaleImageYuXu(SplashImageSource src, void *srcData, yq = scaledHeight % srcHeight; // Bresenham parameters for x scale - xp = scaledWidth / srcWidth; // cppcheck-suppress bughuntingDivByZero - xq = scaledWidth % srcWidth; // cppcheck-suppress bughuntingDivByZero + xp = scaledWidth / srcWidth; + xq = scaledWidth % srcWidth; // allocate buffers lineBuf = (Guchar *)gmallocn(srcWidth, nComps); diff --git a/test/bug-hunting/cve/CVE-2019-10020/expected.txt b/test/bug-hunting/cve/CVE-2019-10020/expected.txt new file mode 100644 index 000000000..619e1df84 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10020/expected.txt @@ -0,0 +1,2 @@ +Splash.cc:5559:bughuntingDivByZero +Splash.cc:5560:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-10021/Stream.cc b/test/bug-hunting/cve/CVE-2019-10021/Stream.cc index f360af10c..4e9a2dc2f 100644 --- a/test/bug-hunting/cve/CVE-2019-10021/Stream.cc +++ b/test/bug-hunting/cve/CVE-2019-10021/Stream.cc @@ -356,7 +356,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) { nVals = width * nComps; inputLineSize = (nVals * nBits + 7) >> 3; - if (width > INT_MAX / nComps || // cppcheck-suppress bughuntingDivByZero + if (width > INT_MAX / nComps || nVals > (INT_MAX - 7) / nBits) { // force a call to gmallocn(-1,...), which will throw an exception inputLineSize = -1; diff --git a/test/bug-hunting/cve/CVE-2019-10021/expected.txt b/test/bug-hunting/cve/CVE-2019-10021/expected.txt new file mode 100644 index 000000000..9b67b40ef --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10021/expected.txt @@ -0,0 +1 @@ +Stream.cc:359:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-10023/Function.cc b/test/bug-hunting/cve/CVE-2019-10023/Function.cc index 31f31f8ab..72cadd9be 100644 --- a/test/bug-hunting/cve/CVE-2019-10023/Function.cc +++ b/test/bug-hunting/cve/CVE-2019-10023/Function.cc @@ -1417,7 +1417,7 @@ int PostScriptFunction::exec(double *stack, int sp0) { if (sp + 1 >= psStackSize) { goto underflow; } - stack[sp + 1] = (int)stack[sp + 1] % (int)stack[sp]; // cppcheck-suppress bughuntingDivByZero + stack[sp + 1] = (int)stack[sp + 1] % (int)stack[sp]; ++sp; break; case psOpMul: diff --git a/test/bug-hunting/cve/CVE-2019-10023/expected.txt b/test/bug-hunting/cve/CVE-2019-10023/expected.txt new file mode 100644 index 000000000..5866a9db2 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10023/expected.txt @@ -0,0 +1 @@ +Function.cc:1420:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-10024/Splash.cc b/test/bug-hunting/cve/CVE-2019-10024/Splash.cc index bd1b35290..77718abbe 100644 --- a/test/bug-hunting/cve/CVE-2019-10024/Splash.cc +++ b/test/bug-hunting/cve/CVE-2019-10024/Splash.cc @@ -5552,12 +5552,12 @@ void Splash::scaleImageYuXu(SplashImageSource src, void *srcData, int i; // Bresenham parameters for y scale - yp = scaledHeight / srcHeight; // cppcheck-suppress bughuntingDivByZero - yq = scaledHeight % srcHeight; // cppcheck-suppress bughuntingDivByZero + yp = scaledHeight / srcHeight; + yq = scaledHeight % srcHeight; // Bresenham parameters for x scale - xp = scaledWidth / srcWidth; // cppcheck-suppress bughuntingDivByZero - xq = scaledWidth % srcWidth; // cppcheck-suppress bughuntingDivByZero + xp = scaledWidth / srcWidth; + xq = scaledWidth % srcWidth; // allocate buffers lineBuf = (Guchar *)gmallocn(srcWidth, nComps); diff --git a/test/bug-hunting/cve/CVE-2019-10024/expected.txt b/test/bug-hunting/cve/CVE-2019-10024/expected.txt new file mode 100644 index 000000000..187d24aec --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10024/expected.txt @@ -0,0 +1,3 @@ +Splash.cc:5555:bughuntingDivByZero +Splash.cc:5556:bughuntingDivByZero + diff --git a/test/bug-hunting/cve/CVE-2019-10025/Stream.cc b/test/bug-hunting/cve/CVE-2019-10025/Stream.cc index d8fe24fff..4e9a2dc2f 100644 --- a/test/bug-hunting/cve/CVE-2019-10025/Stream.cc +++ b/test/bug-hunting/cve/CVE-2019-10025/Stream.cc @@ -357,7 +357,7 @@ ImageStream::ImageStream(Stream *strA, int widthA, int nCompsA, int nBitsA) { nVals = width * nComps; inputLineSize = (nVals * nBits + 7) >> 3; if (width > INT_MAX / nComps || - nVals > (INT_MAX - 7) / nBits) { // cppcheck-suppress bughuntingDivByZero + nVals > (INT_MAX - 7) / nBits) { // force a call to gmallocn(-1,...), which will throw an exception inputLineSize = -1; } diff --git a/test/bug-hunting/cve/CVE-2019-10025/expected.txt b/test/bug-hunting/cve/CVE-2019-10025/expected.txt new file mode 100644 index 000000000..c9f5498f1 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10025/expected.txt @@ -0,0 +1 @@ +Stream.cc:360:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-10026/Function.cc b/test/bug-hunting/cve/CVE-2019-10026/Function.cc index 6d90b36d7..72cadd9be 100644 --- a/test/bug-hunting/cve/CVE-2019-10026/Function.cc +++ b/test/bug-hunting/cve/CVE-2019-10026/Function.cc @@ -1472,9 +1472,9 @@ int PostScriptFunction::exec(double *stack, int sp0) { goto underflow; } if (k >= 0) { - k %= nn; // cppcheck-suppress bughuntingDivByZero + k %= nn; } else { - k = -k % nn; // cppcheck-suppress bughuntingDivByZero + k = -k % nn; if (k) { k = nn - k; } @@ -1483,7 +1483,7 @@ int PostScriptFunction::exec(double *stack, int sp0) { tmp[i] = stack[sp + i]; } for (i = 0; i < nn; ++i) { - stack[sp + i] = tmp[(i + k) % nn]; // cppcheck-suppress bughuntingDivByZero + stack[sp + i] = tmp[(i + k) % nn]; } break; case psOpRound: diff --git a/test/bug-hunting/cve/CVE-2019-10026/expected.txt b/test/bug-hunting/cve/CVE-2019-10026/expected.txt new file mode 100644 index 000000000..20c3b25d6 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-10026/expected.txt @@ -0,0 +1,4 @@ +Function.cc:1475:bughuntingDivByZero +Function.cc:1477:bughuntingDivByZero +Function.cc:1486:bughuntingDivByZero + diff --git a/test/bug-hunting/cve/CVE-2019-13390/cmd.txt b/test/bug-hunting/cve/CVE-2019-13390/cmd.txt new file mode 100644 index 000000000..1cf4f7c4f --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-13390/cmd.txt @@ -0,0 +1 @@ +-DCONFIG_ADX_MUXER=1 diff --git a/test/bug-hunting/cve/CVE-2019-13390/expected.txt b/test/bug-hunting/cve/CVE-2019-13390/expected.txt new file mode 100644 index 000000000..ac4e31270 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-13390/expected.txt @@ -0,0 +1 @@ +libavformat_rawenc.c:70:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-13390/libavformat_rawenc.c b/test/bug-hunting/cve/CVE-2019-13390/libavformat_rawenc.c index 8791b69bb..993d232b7 100644 --- a/test/bug-hunting/cve/CVE-2019-13390/libavformat_rawenc.c +++ b/test/bug-hunting/cve/CVE-2019-13390/libavformat_rawenc.c @@ -58,7 +58,7 @@ AVOutputFormat ff_ac3_muxer = { }; #endif -////#if CONFIG_ADX_MUXER +#if CONFIG_ADX_MUXER static int adx_write_trailer(AVFormatContext *s) { @@ -67,7 +67,7 @@ static int adx_write_trailer(AVFormatContext *s) if (pb->seekable & AVIO_SEEKABLE_NORMAL) { int64_t file_size = avio_tell(pb); - uint64_t sample_count = (file_size - 36) / par->channels / 18 * 32; // cppcheck-suppress bughuntingDivByZero + uint64_t sample_count = (file_size - 36) / par->channels / 18 * 32; if (sample_count <= UINT32_MAX) { avio_seek(pb, 12, SEEK_SET); avio_wb32(pb, sample_count); @@ -89,7 +89,7 @@ AVOutputFormat ff_adx_muxer = { .write_trailer = adx_write_trailer, .flags = AVFMT_NOTIMESTAMPS, }; -////#endif +#endif #if CONFIG_APTX_MUXER AVOutputFormat ff_aptx_muxer = { diff --git a/test/bug-hunting/cve/CVE-2019-14249/dwarf_elf_load_headers.c b/test/bug-hunting/cve/CVE-2019-14249/dwarf_elf_load_headers.c index 8092caf8f..bca948e8c 100644 --- a/test/bug-hunting/cve/CVE-2019-14249/dwarf_elf_load_headers.c +++ b/test/bug-hunting/cve/CVE-2019-14249/dwarf_elf_load_headers.c @@ -1835,7 +1835,7 @@ read_gs_section_group( return DW_DLV_ERROR; } dp = data; - count = seclen/psh->gh_entsize; // cppcheck-suppress bughuntingDivByZero + count = seclen/psh->gh_entsize; if (count > ep->f_loc_shdr.g_count) { /* Impossible */ free(data); diff --git a/test/bug-hunting/cve/CVE-2019-14249/expected.txt b/test/bug-hunting/cve/CVE-2019-14249/expected.txt new file mode 100644 index 000000000..12aae0486 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-14249/expected.txt @@ -0,0 +1 @@ +dwarf_elf_load_headers.c:1838:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-14284/expected.txt b/test/bug-hunting/cve/CVE-2019-14284/expected.txt new file mode 100644 index 000000000..efc4a1bd4 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-14284/expected.txt @@ -0,0 +1 @@ +floppy.c:2131:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-14284/floppy.c b/test/bug-hunting/cve/CVE-2019-14284/floppy.c index 930f9f1ec..9fb9b312a 100644 --- a/test/bug-hunting/cve/CVE-2019-14284/floppy.c +++ b/test/bug-hunting/cve/CVE-2019-14284/floppy.c @@ -2128,7 +2128,7 @@ static void setup_format_params(int track) /* position of logical sector 1 on this track */ n = (track_shift * format_req.track + head_shift * format_req.head) - % F_SECT_PER_TRACK; // cppcheck-suppress bughuntingDivByZero + % F_SECT_PER_TRACK; /* determine interleave */ il = 1; diff --git a/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.cc b/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.cc index 0be80093e..544f132da 100644 --- a/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.cc +++ b/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.cc @@ -4488,7 +4488,7 @@ void SplashOutputDev::setFreeTypeHinting(bool enable, bool enableSlightHintingA) enableSlightHinting = enableSlightHintingA; } -bool /*SplashOutputDev::*/tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *catalog, Object *str, +bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *catalog, Object *str, const double *ptm, int paintType, int /*tilingType*/, Dict *resDict, const double *mat, const double *bbox, int x0, int y0, int x1, int y1, @@ -4581,8 +4581,8 @@ bool /*SplashOutputDev::*/tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog surface_width = (int) ceil (fabs(kx)); surface_height = (int) ceil (fabs(ky)); // adjust repeat values to completely fill region - repeatX = result_width / surface_width; // cppcheck-suppress bughuntingDivByZero - repeatY = result_height / surface_height; // cppcheck-suppress bughuntingDivByZero + repeatX = result_width / surface_width; + repeatY = result_height / surface_height; if (surface_width * repeatX < result_width) repeatX++; if (surface_height * repeatY < result_height) diff --git a/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.h b/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.h new file mode 100644 index 000000000..ef95f7068 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-14494/SplashOutputDev.h @@ -0,0 +1,467 @@ +//======================================================================== +// +// SplashOutputDev.h +// +// Copyright 2003 Glyph & Cog, LLC +// +//======================================================================== + +//======================================================================== +// +// Modified under the Poppler project - http://poppler.freedesktop.org +// +// All changes made under the Poppler project to this file are licensed +// under GPL version 2 or later +// +// Copyright (C) 2005 Takashi Iwai +// Copyright (C) 2009-2016 Thomas Freitag +// Copyright (C) 2009 Carlos Garcia Campos +// Copyright (C) 2010 Christian Feuersänger +// Copyright (C) 2011 Andreas Hartmetz +// Copyright (C) 2011 Andrea Canciani +// Copyright (C) 2011, 2017 Adrian Johnson +// Copyright (C) 2012, 2015, 2018 Albert Astals Cid +// Copyright (C) 2015, 2016 William Bader +// Copyright (C) 2018 Stefan Brüns +// +// To see a description of the changes please see the Changelog file that +// came with your tarball or type make ChangeLog if you are building from git +// +//======================================================================== + +#ifndef SPLASHOUTPUTDEV_H +#define SPLASHOUTPUTDEV_H + +#include "splash/SplashTypes.h" +#include "splash/SplashPattern.h" +#include "poppler-config.h" +#include "OutputDev.h" +#include "GfxState.h" +#include "GlobalParams.h" + +class PDFDoc; +class Gfx8BitFont; +class SplashBitmap; +class Splash; +class SplashPath; +class SplashFontEngine; +class SplashFont; +class T3FontCache; +struct T3FontCacheTag; +struct T3GlyphStack; +struct SplashTransparencyGroup; + +//------------------------------------------------------------------------ +// Splash dynamic pattern +//------------------------------------------------------------------------ + +class SplashFunctionPattern: public SplashPattern { +public: + + SplashFunctionPattern(SplashColorMode colorMode, GfxState *state, GfxFunctionShading *shading); + + SplashPattern *copy() override { return new SplashFunctionPattern(colorMode, state, (GfxFunctionShading *) shading); } + + ~SplashFunctionPattern(); + + bool testPosition(int x, int y) override { return true; } + + bool isStatic() override { return false; } + + bool getColor(int x, int y, SplashColorPtr c) override; + + virtual GfxFunctionShading *getShading() { return shading; } + + bool isCMYK() override { return gfxMode == csDeviceCMYK; } + +protected: + Matrix ictm; + double xMin, yMin, xMax, yMax; + GfxFunctionShading *shading; + GfxState *state; + SplashColorMode colorMode; + GfxColorSpaceMode gfxMode; +}; + +class SplashUnivariatePattern: public SplashPattern { +public: + + SplashUnivariatePattern(SplashColorMode colorMode, GfxState *state, GfxUnivariateShading *shading); + + ~SplashUnivariatePattern(); + + bool getColor(int x, int y, SplashColorPtr c) override; + + bool testPosition(int x, int y) override; + + bool isStatic() override { return false; } + + virtual bool getParameter(double xs, double ys, double *t) = 0; + + virtual GfxUnivariateShading *getShading() { return shading; } + + bool isCMYK() override { return gfxMode == csDeviceCMYK; } + +protected: + Matrix ictm; + double t0, t1, dt; + GfxUnivariateShading *shading; + GfxState *state; + SplashColorMode colorMode; + GfxColorSpaceMode gfxMode; +}; + +class SplashAxialPattern: public SplashUnivariatePattern { +public: + + SplashAxialPattern(SplashColorMode colorMode, GfxState *state, GfxAxialShading *shading); + + SplashPattern *copy() override { return new SplashAxialPattern(colorMode, state, (GfxAxialShading *) shading); } + + ~SplashAxialPattern(); + + bool getParameter(double xs, double ys, double *t) override; + +private: + double x0, y0, x1, y1; + double dx, dy, mul; +}; + +// see GfxState.h, GfxGouraudTriangleShading +class SplashGouraudPattern: public SplashGouraudColor { +public: + + SplashGouraudPattern(bool bDirectColorTranslation, GfxState *state, GfxGouraudTriangleShading *shading); + + SplashPattern *copy() override { return new SplashGouraudPattern(bDirectColorTranslation, state, shading); } + + ~SplashGouraudPattern(); + + bool getColor(int x, int y, SplashColorPtr c) override { return false; } + + bool testPosition(int x, int y) override { return false; } + + bool isStatic() override { return false; } + + bool isCMYK() override { return gfxMode == csDeviceCMYK; } + + bool isParameterized() override { return shading->isParameterized(); } + int getNTriangles() override { return shading->getNTriangles(); } + void getTriangle(int i, double *x0, double *y0, double *color0, + double *x1, double *y1, double *color1, + double *x2, double *y2, double *color2) override + { shading->getTriangle(i, x0, y0, color0, x1, y1, color1, x2, y2, color2); } + + void getParameterizedColor(double t, SplashColorMode mode, SplashColorPtr c) override; + +private: + GfxGouraudTriangleShading *shading; + GfxState *state; + bool bDirectColorTranslation; + GfxColorSpaceMode gfxMode; +}; + +// see GfxState.h, GfxRadialShading +class SplashRadialPattern: public SplashUnivariatePattern { +public: + + SplashRadialPattern(SplashColorMode colorMode, GfxState *state, GfxRadialShading *shading); + + SplashPattern *copy() override { return new SplashRadialPattern(colorMode, state, (GfxRadialShading *) shading); } + + ~SplashRadialPattern(); + + bool getParameter(double xs, double ys, double *t) override; + +private: + double x0, y0, r0, dx, dy, dr; + double a, inva; +}; + +//------------------------------------------------------------------------ + +// number of Type 3 fonts to cache +#define splashOutT3FontCacheSize 8 + +//------------------------------------------------------------------------ +// SplashOutputDev +//------------------------------------------------------------------------ + +class SplashOutputDev: public OutputDev { +public: + + // Constructor. + SplashOutputDev(SplashColorMode colorModeA, int bitmapRowPadA, + bool reverseVideoA, SplashColorPtr paperColorA, + bool bitmapTopDownA = true, + SplashThinLineMode thinLineMode = splashThinLineDefault, + bool overprintPreviewA = globalParams->getOverprintPreview()); + + // Destructor. + ~SplashOutputDev(); + + //----- get info about output device + + // Does this device use tilingPatternFill()? If this returns false, + // tiling pattern fills will be reduced to a series of other drawing + // operations. + bool useTilingPatternFill() override { return true; } + + // Does this device use functionShadedFill(), axialShadedFill(), and + // radialShadedFill()? If this returns false, these shaded fills + // will be reduced to a series of other drawing operations. + bool useShadedFills(int type) override + { return (type >= 1 && type <= 5) ? true : false; } + + // Does this device use upside-down coordinates? + // (Upside-down means (0,0) is the top left corner of the page.) + bool upsideDown() override { return bitmapTopDown ^ bitmapUpsideDown; } + + // Does this device use drawChar() or drawString()? + bool useDrawChar() override { return true; } + + // Does this device use beginType3Char/endType3Char? Otherwise, + // text in Type 3 fonts will be drawn with drawChar/drawString. + bool interpretType3Chars() override { return true; } + + //----- initialization and control + + // Start a page. + void startPage(int pageNum, GfxState *state, XRef *xref) override; + + // End a page. + void endPage() override; + + //----- save/restore graphics state + void saveState(GfxState *state) override; + void restoreState(GfxState *state) override; + + //----- update graphics state + void updateAll(GfxState *state) override; + void updateCTM(GfxState *state, double m11, double m12, + double m21, double m22, double m31, double m32) override; + void updateLineDash(GfxState *state) override; + void updateFlatness(GfxState *state) override; + void updateLineJoin(GfxState *state) override; + void updateLineCap(GfxState *state) override; + void updateMiterLimit(GfxState *state) override; + void updateLineWidth(GfxState *state) override; + void updateStrokeAdjust(GfxState *state) override; + void updateFillColorSpace(GfxState *state) override; + void updateStrokeColorSpace(GfxState *state) override; + void updateFillColor(GfxState *state) override; + void updateStrokeColor(GfxState *state) override; + void updateBlendMode(GfxState *state) override; + void updateFillOpacity(GfxState *state) override; + void updateStrokeOpacity(GfxState *state) override; + void updatePatternOpacity(GfxState *state) override; + void clearPatternOpacity(GfxState *state) override; + void updateFillOverprint(GfxState *state) override; + void updateStrokeOverprint(GfxState *state) override; + void updateOverprintMode(GfxState *state) override; + void updateTransfer(GfxState *state) override; + + //----- update text state + void updateFont(GfxState *state) override; + + //----- path painting + void stroke(GfxState *state) override; + void fill(GfxState *state) override; + void eoFill(GfxState *state) override; + bool tilingPatternFill(GfxState *state, Gfx *gfx, Catalog *catalog, Object *str, + const double *pmat, int paintType, int tilingType, Dict *resDict, + const double *mat, const double *bbox, + int x0, int y0, int x1, int y1, + double xStep, double yStep) override; + bool functionShadedFill(GfxState *state, GfxFunctionShading *shading) override; + bool axialShadedFill(GfxState *state, GfxAxialShading *shading, double tMin, double tMax) override; + bool radialShadedFill(GfxState *state, GfxRadialShading *shading, double tMin, double tMax) override; + bool gouraudTriangleShadedFill(GfxState *state, GfxGouraudTriangleShading *shading) override; + + //----- path clipping + void clip(GfxState *state) override; + void eoClip(GfxState *state) override; + void clipToStrokePath(GfxState *state) override; + + //----- text drawing + void drawChar(GfxState *state, double x, double y, + double dx, double dy, + double originX, double originY, + CharCode code, int nBytes, Unicode *u, int uLen) override; + bool beginType3Char(GfxState *state, double x, double y, + double dx, double dy, + CharCode code, Unicode *u, int uLen) override; + void endType3Char(GfxState *state) override; + void beginTextObject(GfxState *state) override; + void endTextObject(GfxState *state) override; + + //----- image drawing + void drawImageMask(GfxState *state, Object *ref, Stream *str, + int width, int height, bool invert, + bool interpolate, bool inlineImg) override; + void setSoftMaskFromImageMask(GfxState *state, + Object *ref, Stream *str, + int width, int height, bool invert, + bool inlineImg, double *baseMatrix) override; + void unsetSoftMaskFromImageMask(GfxState *state, double *baseMatrix) override; + void drawImage(GfxState *state, Object *ref, Stream *str, + int width, int height, GfxImageColorMap *colorMap, + bool interpolate, int *maskColors, bool inlineImg) override; + void drawMaskedImage(GfxState *state, Object *ref, Stream *str, + int width, int height, + GfxImageColorMap *colorMap, + bool interpolate, + Stream *maskStr, int maskWidth, int maskHeight, + bool maskInvert, bool maskInterpolate) override; + void drawSoftMaskedImage(GfxState *state, Object *ref, Stream *str, + int width, int height, + GfxImageColorMap *colorMap, + bool interpolate, + Stream *maskStr, + int maskWidth, int maskHeight, + GfxImageColorMap *maskColorMap, + bool maskInterpolate) override; + + //----- Type 3 font operators + void type3D0(GfxState *state, double wx, double wy) override; + void type3D1(GfxState *state, double wx, double wy, + double llx, double lly, double urx, double ury) override; + + //----- transparency groups and soft masks + bool checkTransparencyGroup(GfxState *state, bool knockout) override; + void beginTransparencyGroup(GfxState *state, const double *bbox, + GfxColorSpace *blendingColorSpace, + bool isolated, bool knockout, + bool forSoftMask) override; + void endTransparencyGroup(GfxState *state) override; + void paintTransparencyGroup(GfxState *state, const double *bbox) override; + void setSoftMask(GfxState *state, const double *bbox, bool alpha, + Function *transferFunc, GfxColor *backdropColor) override; + void clearSoftMask(GfxState *state) override; + + //----- special access + + // Called to indicate that a new PDF document has been loaded. + void startDoc(PDFDoc *docA); + + void setPaperColor(SplashColorPtr paperColorA); + + bool isReverseVideo() { return reverseVideo; } + void setReverseVideo(bool reverseVideoA) { reverseVideo = reverseVideoA; } + + // Get the bitmap and its size. + SplashBitmap *getBitmap() { return bitmap; } + int getBitmapWidth(); + int getBitmapHeight(); + + // Returns the last rasterized bitmap, transferring ownership to the + // caller. + SplashBitmap *takeBitmap(); + + // Set this flag to true to generate an upside-down bitmap (useful + // for Windows BMP files). + void setBitmapUpsideDown(bool f) { bitmapUpsideDown = f; } + + // Get the Splash object. + Splash *getSplash() { return splash; } + + // Get the modified region. + void getModRegion(int *xMin, int *yMin, int *xMax, int *yMax); + + // Clear the modified region. + void clearModRegion(); + + SplashFont *getCurrentFont() { return font; } + + // If is true, don't draw horizontal text. + // If is true, don't draw rotated (non-horizontal) text. + void setSkipText(bool skipHorizTextA, bool skipRotatedTextA) + { skipHorizText = skipHorizTextA; skipRotatedText = skipRotatedTextA; } + + int getNestCount() { return nestCount; } + +#if 1 //~tmp: turn off anti-aliasing temporarily + bool getVectorAntialias() override; + void setVectorAntialias(bool vaa) override; +#endif + + bool getFontAntialias() { return fontAntialias; } + void setFontAntialias(bool anti) { fontAntialias = anti; } + + void setFreeTypeHinting(bool enable, bool enableSlightHinting); + +protected: + void doUpdateFont(GfxState *state); + +private: + bool univariateShadedFill(GfxState *state, SplashUnivariatePattern *pattern, double tMin, double tMax); + + void setupScreenParams(double hDPI, double vDPI); + SplashPattern *getColor(GfxGray gray); + SplashPattern *getColor(GfxRGB *rgb); +#ifdef SPLASH_CMYK + SplashPattern *getColor(GfxCMYK *cmyk); + SplashPattern *getColor(GfxColor *deviceN); +#endif + static void getMatteColor( SplashColorMode colorMode, GfxImageColorMap *colorMap, const GfxColor * matteColor, SplashColor splashMatteColor); + void setOverprintMask(GfxColorSpace *colorSpace, bool overprintFlag, + int overprintMode, const GfxColor *singleColor, bool grayIndexed = false); + SplashPath convertPath(GfxState *state, GfxPath *path, + bool dropEmptySubpaths); + void drawType3Glyph(GfxState *state, T3FontCache *t3Font, + T3FontCacheTag *tag, unsigned char *data); +#ifdef USE_CMS + bool useIccImageSrc(void *data); + static void iccTransform(void *data, SplashBitmap *bitmap); + static bool iccImageSrc(void *data, SplashColorPtr colorLine, + unsigned char *alphaLine); +#endif + static bool imageMaskSrc(void *data, SplashColorPtr line); + static bool imageSrc(void *data, SplashColorPtr colorLine, + unsigned char *alphaLine); + static bool alphaImageSrc(void *data, SplashColorPtr line, + unsigned char *alphaLine); + static bool maskedImageSrc(void *data, SplashColorPtr line, + unsigned char *alphaLine); + static bool tilingBitmapSrc(void *data, SplashColorPtr line, + unsigned char *alphaLine); + + bool keepAlphaChannel; // don't fill with paper color, keep alpha channel + + SplashColorMode colorMode; + int bitmapRowPad; + bool bitmapTopDown; + bool bitmapUpsideDown; + bool fontAntialias; + bool vectorAntialias; + bool overprintPreview; + bool enableFreeTypeHinting; + bool enableSlightHinting; + bool reverseVideo; // reverse video mode + SplashColor paperColor; // paper color + SplashScreenParams screenParams; + bool skipHorizText; + bool skipRotatedText; + + PDFDoc *doc; // the current document + XRef *xref; // the xref of the current document + + SplashBitmap *bitmap; + Splash *splash; + SplashFontEngine *fontEngine; + + T3FontCache * // Type 3 font cache + t3FontCache[splashOutT3FontCacheSize]; + int nT3Fonts; // number of valid entries in t3FontCache + T3GlyphStack *t3GlyphStack; // Type 3 glyph context stack + + SplashFont *font; // current font + bool needFontUpdate; // set when the font needs to be updated + SplashPath *textClipPath; // clipping path built with text object + + SplashTransparencyGroup * // transparency group stack + transpGroupStack; + int nestCount; +}; + +#endif diff --git a/test/bug-hunting/cve/CVE-2019-14494/expected.txt b/test/bug-hunting/cve/CVE-2019-14494/expected.txt new file mode 100644 index 000000000..a0c65509c --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-14494/expected.txt @@ -0,0 +1,3 @@ +SplashOutputDev.cc:4584:bughuntingDivByZero +SplashOutputDev.cc:4585:bughuntingDivByZero + diff --git a/test/bug-hunting/cve/CVE-2019-19888/expected.txt b/test/bug-hunting/cve/CVE-2019-19888/expected.txt new file mode 100644 index 000000000..5935b9652 --- /dev/null +++ b/test/bug-hunting/cve/CVE-2019-19888/expected.txt @@ -0,0 +1 @@ +jfif.c:430:bughuntingDivByZero diff --git a/test/bug-hunting/cve/CVE-2019-19888/jfif.c b/test/bug-hunting/cve/CVE-2019-19888/jfif.c index 8476ff5e6..d3daa1cea 100644 --- a/test/bug-hunting/cve/CVE-2019-19888/jfif.c +++ b/test/bug-hunting/cve/CVE-2019-19888/jfif.c @@ -426,7 +426,7 @@ int jfif_decode(void *ctxt, BMP *pb) mcuh = sfv_max * 8; jw = ALIGN(jfif->width , mcuw); jh = ALIGN(jfif->height, mcuh); - mcuc = jw / mcuw; // cppcheck-suppress bughuntingDivByZero + mcuc = jw / mcuw; mcur = jh / mcuh; //-- calculate mcu info