[gs-bugs] [Bug 690599] New: bug in keystrcmp

bugs.ghostscript.com-bugzilla-daemon at ghostscript.com
Sun Jul 5 21:10:59 PDT 2009


http://bugs.ghostscript.com/show_bug.cgi?id=690599

           Summary: bug in keystrcmp
           Product: MuPDF
           Version: unspecified
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P4
         Component: mupdf
        AssignedTo: tor.andersson at artifex.com
        ReportedBy: kkowalczyk at gmail.com
         QAContact: gs-bugs at ghostscript.com


The following recently introduced code in keystrcmp():

 if (fz_isstring(key))
   if (strlen(s) == fz_tostrlen(key))
     return memcmp(fz_tostrbuf(key), s, fz_tostrlen(key));

is not correct because it always returns -1 (i.e. s > key) if len(s) !=
len(key). The patch below is one possible fix. I briefly considered using
memcmp(fz_tostrbuf(key), s, min(fz_tostrlen(key), strlen(s))) but that also
doesn't work if one string is a prefix of the other (in which case it would
return 0 instead of 1 or -1). This came up in 
http://code.google.com/p/sumatrapdf/issues/detail?id=557 where outline entries
couldn't be retrieved from outline dictionary due to search in dictionary being
broken thus we couldn't retrieve destination object.

Index: fitz/obj_dict.c
===================================================================
--- fitz/obj_dict.c	(revision 1233)
+++ fitz/obj_dict.c	(working copy)
@@ -15,13 +15,31 @@
 	return -1;
 }
 
+static inline int cmpstr(char *s1, int s1len, char *s2)
+{
+	while ((s1len > 0) && *s2)
+	{
+		unsigned char c1 = *(unsigned char*)s1++;
+		unsigned char c2 = *(unsigned char*)s2++;
+		--s1len;
+		if (c1 > c2)
+			return 1;
+		if (c2 > c1)
+			return -1;
+	}
+	if (s1len > 0)
+		return 1;
+	if (*s2)
+		return -1;
+	return 0;
+}
+
 static inline int keystrcmp(fz_obj *key, char *s)
 {
 	if (fz_isname(key))
 		return strcmp(fz_toname(key), s);
 	if (fz_isstring(key))
-		if (strlen(s) == fz_tostrlen(key))
-			return memcmp(fz_tostrbuf(key), s, fz_tostrlen(key));
+		return cmpstr(fz_tostrbuf(key), fz_tostrlen(key), s);
 	return -1;
 }
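
Review bot: cmpstr() declares `char *s1` and `char *s2` but only reads through them; make both `const char *` (casting to `const unsigned char *` inside the loop) so callers holding const buffers need no cast. The two operands are also asymmetric, with s1 bounded by s1len and s2 by its NUL terminator, and nothing in the hunk says so; a one-line comment above cmpstr() stating that s1 need not be NUL-terminated would keep a later caller from swapping the arguments. In keystrcmp() the string branch now returns an ordering for unequal lengths, where the removed length-gated memcmp() fell through to `return -1` regardless of content, so any code that relied on the old fall-through should be checked.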



------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
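
The lookup failure described in the report, as an added example that is not part of the original mail or of MuPDF's code: it runs the pre-patch comparison, the rejected min-length memcmp() and a length-aware comparison through the same key search. It assumes the dictionary search is a binary search over sorted keys (the report only says the search was broken); `struct key`, `find`, the comparator names and the sample keys are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a PDF string key: counted bytes, no NUL terminator. */
struct key { const char *buf; size_t len; };

/* Pre-patch logic quoted in the report: content is compared only for equal lengths. */
static int cmp_len_gated(struct key k, const char *s)
{
	if (strlen(s) == k.len)
		return memcmp(k.buf, s, k.len);
	return -1;
}

/* The min-length memcmp() the reporter rejected: a prefix compares as equal. */
static int cmp_min_len(struct key k, const char *s)
{
	size_t n = strlen(s);
	return memcmp(k.buf, s, k.len < n ? k.len : n);
}

/* Length-aware: compare the common prefix, then the longer operand sorts later. */
static int cmp_counted(struct key k, const char *s)
{
	size_t n = strlen(s);
	int c = memcmp(k.buf, s, k.len < n ? k.len : n);
	return c ? c : (k.len > n) - (k.len < n);
}

/* Binary search over sorted keys (assumed search strategy); index or -1. */
static int find(const struct key *keys, int n, const char *s,
		int (*cmp)(struct key, const char *))
{
	int lo = 0, hi = n - 1;
	while (lo <= hi) {
		int mid = lo + (hi - lo) / 2;
		int c = cmp(keys[mid], s); /* <0: key sorts before s */
		if (c == 0) return mid;
		if (c < 0) lo = mid + 1; else hi = mid - 1;
	}
	return -1;
}

/* Constructed sample: sorted keys where some are prefixes of others. */
static const struct key sample[] = {{"A", 1}, {"AB", 2}, {"ABC", 3}, {"B", 1}, {"BA", 2}};

int main(void)
{
	printf("gated=%d min=%d counted=%d\n", find(sample, 5, "A", cmp_len_gated),
	       find(sample, 5, "A", cmp_min_len), find(sample, 5, "A", cmp_counted));
	return 0;
}
```

Looking up "A" misses with the length-gated comparison, lands on the "ABC" entry with the min-length one, and finds index 0 only with the length-aware one.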


