diff --git a/3rdparty/libmobi/src/compression.c b/3rdparty/libmobi/src/compression.c index 440f8da44..3eb0cc6fa 100644 --- a/3rdparty/libmobi/src/compression.c +++ b/3rdparty/libmobi/src/compression.c @@ -145,7 +145,10 @@ static MOBI_RET mobi_decompress_huffman_internal(MOBIBuffer *buf_out, MOBIBuffer if (!(t1 & 0x80)) { /* get offset from mincode, maxcode tables */ while (code < huffcdic->mincode_table[code_length]) { - code_length++; + if (++code_length >= HUFF_CODETABLE_SIZE) { + debug_print("Wrong offset to mincode table: %hhu\n", code_length); + return MOBI_DATA_CORRUPT; + } } maxcode = huffcdic->maxcode_table[code_length]; } diff --git a/3rdparty/libmobi/src/compression.h b/3rdparty/libmobi/src/compression.h index e18b3c7a7..59e116e02 100644 --- a/3rdparty/libmobi/src/compression.h +++ b/3rdparty/libmobi/src/compression.h @@ -20,6 +20,7 @@ /* FIXME: what is the reasonable value? */ #define MOBI_HUFFMAN_MAXDEPTH 20 /**< Maximal recursion level for huffman decompression routine */ +#define HUFF_CODETABLE_SIZE 33 /**< Size of min- and maxcode tables */ /** @@ -30,8 +31,8 @@ typedef struct { size_t index_read; /**< Number of indices parsed, used by parser */ size_t code_length; /**< Code length value stored in CDIC record header */ uint32_t table1[256]; /**< Table of big-endian indices from HUFF record data1 */ - uint32_t mincode_table[33]; /**< Table of big-endian mincodes from HUFF record data2 */ - uint32_t maxcode_table[33]; /**< Table of big-endian maxcodes from HUFF record data2 */ + uint32_t mincode_table[HUFF_CODETABLE_SIZE]; /**< Table of big-endian mincodes from HUFF record data2 */ + uint32_t maxcode_table[HUFF_CODETABLE_SIZE]; /**< Table of big-endian maxcodes from HUFF record data2 */ uint16_t *symbol_offsets; /**< Index of symbol offsets parsed from CDIC records (index_count entries) */ unsigned char **symbols; /**< Array of pointers to start of symbols data in each CDIC record (index = number of CDIC record) */ } MOBIHuffCdic; diff --git a/3rdparty/libmobi/src/read.c b/3rdparty/libmobi/src/read.c index 4e4677aad..4873f9e1a 100644 --- a/3rdparty/libmobi/src/read.c +++ b/3rdparty/libmobi/src/read.c @@ -571,7 +571,7 @@ MOBI_RET mobi_parse_huff(MOBIHuffCdic *huffcdic, const MOBIPdbRecord *record) { /* read 32 mincode-maxcode pairs from data2 big-endian */ huffcdic->mincode_table[0] = 0; huffcdic->maxcode_table[0] = 0xFFFFFFFF; - for (int i = 1; i < 33; i++) { + for (int i = 1; i < HUFF_CODETABLE_SIZE; i++) { const uint32_t mincode = buffer_get32(buf); const uint32_t maxcode = buffer_get32(buf); huffcdic->mincode_table[i] = mincode << (32 - i); diff --git a/3rdparty/libxml2/valid.c b/3rdparty/libxml2/valid.c index 6e53a76de..a6db60dd7 100644 --- a/3rdparty/libxml2/valid.c +++ b/3rdparty/libxml2/valid.c @@ -479,6 +479,35 @@ nodeVPop(xmlValidCtxtPtr ctxt) return (ret); } +/** + * xmlValidNormalizeString: + * @str: a string + * + * Normalize a string in-place. + */ +static void +xmlValidNormalizeString(xmlChar *str) { + xmlChar *dst; + const xmlChar *src; + + if (str == NULL) + return; + src = str; + dst = str; + + while (*src == 0x20) src++; + while (*src != 0) { + if (*src == 0x20) { + while (*src == 0x20) src++; + if (*src != 0) + *dst++ = 0x20; + } else { + *dst++ = *src++; + } + } + *dst = 0; +} + #ifdef DEBUG_VALID_ALGO static void xmlValidPrintNode(xmlNodePtr cur) { @@ -2539,6 +2568,24 @@ xmlDumpNotationTable(xmlBufferPtr buf, xmlNotationTablePtr table) { (xmlDictOwns(dict, (const xmlChar *)(str)) == 0))) \ xmlFree((char *)(str)); +static int +xmlIsStreaming(xmlValidCtxtPtr ctxt) { + xmlParserCtxtPtr pctxt; + + if (ctxt == NULL) + return(0); + /* + * These magic values are also abused to detect whether we're validating + * while parsing a document. In this case, userData points to the parser + * context. + */ + if ((ctxt->finishDtd != XML_CTXT_FINISH_DTD_0) && + (ctxt->finishDtd != XML_CTXT_FINISH_DTD_1)) + return(0); + pctxt = ctxt->userData; + return(pctxt->parseMode == XML_PARSE_READER); +} + /** * xmlFreeID: * @not: A id @@ -2582,7 +2629,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, if (doc == NULL) { return(NULL); } - if (value == NULL) { + if ((value == NULL) || (value[0] == 0)) { return(NULL); } if (attr == NULL) { @@ -2613,7 +2660,7 @@ xmlAddID(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, */ ret->value = xmlStrdup(value); ret->doc = doc; - if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { + if (xmlIsStreaming(ctxt)) { /* * Operating in streaming mode, attr is gonna disapear */ @@ -2935,7 +2982,7 @@ xmlAddRef(xmlValidCtxtPtr ctxt, xmlDocPtr doc, const xmlChar *value, * fill the structure. */ ret->value = xmlStrdup(value); - if ((ctxt != NULL) && (ctxt->vstateNr != 0)) { + if (xmlIsStreaming(ctxt)) { /* * Operating in streaming mode, attr is gonna disapear */ @@ -3068,6 +3115,7 @@ xmlRemoveRef(xmlDocPtr doc, xmlAttrPtr attr) { ID = xmlNodeListGetString(doc, attr->children, 1); if (ID == NULL) return(-1); + xmlValidNormalizeString(ID); ref_list = xmlHashLookup(table, ID); if(ref_list == NULL) { @@ -3955,8 +4003,7 @@ xmlValidateAttributeValue2(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlChar * xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlNodePtr elem, const xmlChar *name, const xmlChar *value) { - xmlChar *ret, *dst; - const xmlChar *src; + xmlChar *ret; xmlAttributePtr attrDecl = NULL; int extsubset = 0; @@ -3997,19 +4044,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, ret = xmlStrdup(value); if (ret == NULL) return(NULL); - src = value; - dst = ret; - while (*src == 0x20) src++; - while (*src != 0) { - if (*src == 0x20) { - while (*src == 0x20) src++; - if (*src != 0) - *dst++ = 0x20; - } else { - *dst++ = *src++; - } - } - *dst = 0; + xmlValidNormalizeString(ret); if ((doc->standalone) && (extsubset == 1) && (!xmlStrEqual(value, ret))) { xmlErrValidNode(ctxt, elem, XML_DTD_NOT_STANDALONE, "standalone: %s on %s value had to be normalized based on external subset declaration\n", @@ -4041,8 +4076,7 @@ xmlValidCtxtNormalizeAttributeValue(xmlValidCtxtPtr ctxt, xmlDocPtr doc, xmlChar * xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, const xmlChar *name, const xmlChar *value) { - xmlChar *ret, *dst; - const xmlChar *src; + xmlChar *ret; xmlAttributePtr attrDecl = NULL; if (doc == NULL) return(NULL); @@ -4072,19 +4106,7 @@ xmlValidNormalizeAttributeValue(xmlDocPtr doc, xmlNodePtr elem, ret = xmlStrdup(value); if (ret == NULL) return(NULL); - src = value; - dst = ret; - while (*src == 0x20) src++; - while (*src != 0) { - if (*src == 0x20) { - while (*src == 0x20) src++; - if (*src != 0) - *dst++ = 0x20; - } else { - *dst++ = *src++; - } - } - *dst = 0; + xmlValidNormalizeString(ret); return(ret); } diff --git a/3rdparty/lua-5.3.3/ldebug.c b/3rdparty/lua-5.3.3/ldebug.c index 2f8694eae..9f06f7b49 100644 --- a/3rdparty/lua-5.3.3/ldebug.c +++ b/3rdparty/lua-5.3.3/ldebug.c @@ -793,8 +793,11 @@ l_noret luaG_runerror(lua_State *L, const char *fmt, ...) msg = luaO_pushvfstring(L, fmt, argp); /* format message */ va_end(argp); - if (isLua(ci)) /* if Lua function, add source:line information */ + if (isLua(ci)){ /* if Lua function, add source:line information */ luaG_addinfo(L, msg, ci_func(ci)->p->source, currentline(ci)); + setobjs2s(L, L->top - 2, L->top - 1); /* remove 'msg' from the stack */ + L->top--; + } luaG_errormsg(L); } diff --git a/3rdparty/lua-5.3.3/lvm.c b/3rdparty/lua-5.3.3/lvm.c index e95a2972c..fc51af60c 100644 --- a/3rdparty/lua-5.3.3/lvm.c +++ b/3rdparty/lua-5.3.3/lvm.c @@ -579,8 +579,10 @@ void luaV_concat(lua_State *L, int total) for (n = 1; n < total && tostring(L, top - n - 1); n++) { size_t l = vslen(top - n - 1); - if (l >= (MAX_SIZE / sizeof(char)) - tl) + if (l_unlikely(l >= (MAX_SIZE/sizeof(char)) - tl)) { + L->top = top - total; /* pop strings to avoid wasting stack */ luaG_runerror(L, "string length overflow"); + } tl += l; } @@ -598,7 +600,7 @@ void luaV_concat(lua_State *L, int total) } total -= n - 1; /* got 'n' strings to create 1 new */ - L->top -= n - 1; /* popped 'n' strings and pushed one */ + L->top = top - (n - 1); /* popped 'n' strings and pushed one */ } while (total > 1); /* repeat until only 1 result left */ } diff --git a/3rdparty/openssl-OpenSSL_1_0_2i/crypto/x509/x509_cmp.c b/3rdparty/openssl-OpenSSL_1_0_2i/crypto/x509/x509_cmp.c index 49c71b912..e4aa712a3 100644 --- a/3rdparty/openssl-OpenSSL_1_0_2i/crypto/x509/x509_cmp.c +++ b/3rdparty/openssl-OpenSSL_1_0_2i/crypto/x509/x509_cmp.c @@ -87,6 +87,8 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) EVP_MD_CTX_init(&ctx); f = X509_NAME_oneline(a->cert_info->issuer, NULL, 0); + if (f == NULL) + goto err; if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) goto err; if (!EVP_DigestUpdate(&ctx, (unsigned char *)f, strlen(f))) diff --git a/src/dui-examples/DuiLib/Utils/stb_image.c b/src/dui-examples/DuiLib/Utils/stb_image.c index f7084dce1..547fd3dc5 100644 --- a/src/dui-examples/DuiLib/Utils/stb_image.c +++ b/src/dui-examples/DuiLib/Utils/stb_image.c @@ -2928,6 +2928,13 @@ static int stbi__process_frame_header(stbi__jpeg *z, int scan) if (z->img_comp[i].v > v_max) v_max = z->img_comp[i].v; } + // check that plane subsampling factors are integer ratios; our resamplers can't deal with fractional ratios + // and I've never seen a non-corrupted JPEG file actually use them + for (i=0; i < s->img_n; ++i) { + if (h_max % z->img_comp[i].h != 0) return stbi__err("bad H","Corrupt JPEG"); + if (v_max % z->img_comp[i].v != 0) return stbi__err("bad V","Corrupt JPEG"); + } + // compute interleaved mcu info z->img_h_max = h_max; z->img_v_max = v_max;