fix a copy-and-paste mistake in parse_fonts Pretty sure that this got copied from below in 317cc8fb and should be dict_t, i.e. the case of the "font dictionary" being a (single) font resource itself.

fix broken indentation in page content code

fix wrong indentation in act_viol

free parse result ifdef LEAKCHECK This covers the main parse result and a possible "error parse", but not the calls to h_parse() in filters and parse_obj().

free the parse result from p_startxref

free parse result in act_viol

light style pass over act_viol

statically allocate global lzw decoder context Avoids the use of malloc(). Also factors out table initialization to a function lzw_init_table().

print an error message if /Root not found If we are actually processing page content, that is.

correctly look for /Root in the last trailer section A mistake snuck into commit 76e546ce, taking the last element of the xrefs array as the "last" trailer section. But the array is filled in reverse order by following the chain of startxref and /Prev pointers, so the (logical) last/latest section is xrefs[0].

fix format specifier for printing HBytes Since HBytes is a length/pointer pair and not a null-terminated string, we must pass the length as an argument to printf. The correct format specifier for that is "%.*s" (string with "precision" = length), not "%*s" (string with minimum field width).

add missing printf argument Forgotten in b3dda3fe when adding the input file name to error messages.

remove stale comment Finished reviewing past modifications to parse_xrefs(). NB: All code attributed to Sumit Ray has been removed from this function.

improve handling of parse errors in xref stream data Improve on the bugfix in commit a5abf1e2: - Reinstate the assert for 'res->ast != NULL'. If it fails, there is a bug in the parser, not an error in the input file. - Provide a distinct error message for the case where p_xref fails on a cross-reference stream because of invalid data. - Only skip storing the invalid section. Try to follow the /Prev entry in the stream dictionary to find more sections.

remove a comment I cannot tell what this refers to. The (nonexistent) else case of the if statement above it is simply the case of the object number in question not falling within this subsection. Anyway, the function lookup_xref() is a low-level utility used during parsing, not a place to produce error messages.

comments regarding act_ks_value HParseResult was introduced in 6b54ebfa (generally parse stream objects) to hold the result of parsing the stream data, including the application of any filters. This is produced in act_ks_value(). The fact that parse errors in stream data are thus detectable is in fact significant for xref stream processing, so we should not just return the bare data on error.

adjust comments

don't emulate VIOL in error messages While it might seem like a good idea to "grade" errors by severity, we are not *really* in any place to do so accurately. Our tasks are (a) to decide, internally, whether to print a message or silently ignore a malformation, and (b) to ultimately judge the file valid or invalid as a whole. Note that the latter part, as stated before, is not the responsibility of parse_xrefs(). Reinstate the input file name in these error messages. That information is useful when running the program on multiple files from a script, as we have been doing. While we're at it, fix style (line lengths).

add test cases for out-of-bounds xref pointers Both currently fail because the parser proper does not validate these offsets.

drop use of h_seek in parse_xrefs Now that we are validating the offset ourselves, we no longer need h_seek() to do our bounds checking. But add a defensive assert just in case.

bounds-check /Prev pointers Mirrors the check for startxref. I considered unifying the two into one test at the start of the loop, but then we would lose the information whether we got the offset from startxref or a /Prev.

report location of invalid startxref This is useful information, especially in hex, when looking into the file. The invalid value itself, on the other hand, is not so useful.

adjust error message The correct and standard format specifier for values of type size_t is %zu. There is no need to point out the valid bounds. Match style with the other messages.

remove useless/erroneous condition The offset can never be negative (size_t is unsigned). And this treated offset = 0 as out of bounds, which is nonsense. In fact, offset == size is also not invalid (it is the end of file).

revert parse_xrefs to its original signature Passing the aux struct by reference may look cleaner, but it was deliberate to keep parse_xrefs() independent of that struct, since the latter is conceptually part of the parser's interface and the former is not. Also, this way parse_xrefs() has a proper return value that signals success or failure. Plus, no ugly indirection or temporary variable is needed to access sz.