rpms/poppler/F-11 poppler-0.10.7-CVE-2009-3607.patch, NONE, 1.1 poppler-0.10.7-CVE-2009-360x.patch, NONE, 1.1 poppler-0.10.7-gmallocn.patch, NONE, 1.1 poppler.spec, 1.86, 1.87

Rex Dieter rdieter at fedoraproject.org
Sun Oct 25 22:37:39 UTC 2009


Author: rdieter

Update of /cvs/pkgs/rpms/poppler/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6946

Modified Files:
	poppler.spec 
Added Files:
	poppler-0.10.7-CVE-2009-3607.patch 
	poppler-0.10.7-CVE-2009-360x.patch 
	poppler-0.10.7-gmallocn.patch 
Log Message:
* Sun Oct 25 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-3
- CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap
  integer overflow (#526915)
- CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow
  and missing allocation return value check(#526911)
- CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep
  integer overflow (#526877)
- CVE-2009-3607 poppler: create_surface_from_thumbnail_data
  integer overflow (#526924)
- CVE-2009-3608 xpdf/poppler: integer overflow in
  ObjectStream::ObjectStream (#526637)
- CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream
  integer overflow (#526893)


poppler-0.10.7-CVE-2009-3607.patch:
 poppler-page.cc |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- NEW FILE poppler-0.10.7-CVE-2009-3607.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b70609

CVE-2009-3607

diff -pruN poppler-0.10.7.orig/glib/poppler-page.cc poppler-0.10.7/glib/poppler-page.cc
--- poppler-0.10.7.orig/glib/poppler-page.cc	2009-10-25 18:30:05.000000000 +0100
+++ poppler-0.10.7/glib/poppler-page.cc	2009-10-25 18:30:34.000000000 +0100
@@ -575,28 +575,28 @@ create_surface_from_thumbnail_data (guch
 				    gint    rowstride)
 {
   guchar *cairo_pixels;
+  gint cairo_stride;
   cairo_surface_t *surface;
-  static cairo_user_data_key_t key;
   int j;
 
-  cairo_pixels = (guchar *)g_malloc (4 * width * height);
-  surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
-						 CAIRO_FORMAT_RGB24,
-						 width, height, 4 * width);
-  cairo_surface_set_user_data (surface, &key,
-			       cairo_pixels, (cairo_destroy_func_t)g_free);
+  surface = cairo_image_surface_create (CAIRO_FORMAT_RGB24, width, height);
+  if (cairo_surface_status (surface))
+    return NULL;
+
+  cairo_pixels = cairo_image_surface_get_data (surface);
+  cairo_stride = cairo_image_surface_get_stride (surface);
 
   for (j = height; j; j--) {
     guchar *p = data;
     guchar *q = cairo_pixels;
     guchar *end = p + 3 * width;
-	  
+
     while (p < end) {
 #if G_BYTE_ORDER == G_LITTLE_ENDIAN
       q[0] = p[2];
       q[1] = p[1];
       q[2] = p[0];
-#else	  
+#else
       q[1] = p[0];
       q[2] = p[1];
       q[3] = p[2];
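Review bot: The early `return NULL` after the `cairo_surface_status (surface)` check gives create_surface_from_thumbnail_data a NULL result it never had before, and none of its callers are in this patch, so each of them needs a null check before using the surface. The changed contract deserves a comment on the function, e.g. `/* Returns NULL when cairo rejects width/height (negative, oversized or overflowing); callers must check. */`. The object handed back on error is a cairo nil surface, so dropping it without `cairo_surface_destroy` does not leak, but destroying it before returning keeps ownership handling uniform with the success path. create_surface_from_thumbnail_data starts before and ends after this hunk.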
@@ -606,7 +606,7 @@ create_surface_from_thumbnail_data (guch
     }
 
     data += rowstride;
-    cairo_pixels += 4 * width;
+    cairo_pixels += cairo_stride;
   }
 
   return surface;

poppler-0.10.7-CVE-2009-360x.patch:
 poppler/Stream.cc         |    4 ++++
 poppler/XRef.cc           |   15 ++++++++++++---
 poppler/XRef.h            |    3 +++
 splash/Splash.cc          |    7 +++++++
 splash/SplashBitmap.cc    |   37 ++++++++++++++++++++++++++++++-------
 splash/SplashErrorCodes.h |    4 +++-
 6 files changed, 59 insertions(+), 11 deletions(-)

--- NEW FILE poppler-0.10.7-CVE-2009-360x.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671a

CVE-2009-3603 CVE-2009-3608 CVE-2009-3609

diff -pruN poppler-0.10.7.orig/poppler/Stream.cc poppler-0.10.7/poppler/Stream.cc
--- poppler-0.10.7.orig/poppler/Stream.cc	2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/Stream.cc	2009-10-24 20:14:48.000000000 +0200
@@ -403,6 +403,10 @@ ImageStream::ImageStream(Stream *strA, i
   } else {
     imgLineSize = nVals;
   }
+  if (width > INT_MAX / nComps) {
+    // force a call to gmallocn(-1,...), which will throw an exception
+    imgLineSize = -1;
+  }
   imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
   imgIdx = nVals;
 }
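Review bot: The new guard divides by `nComps` without first ruling out `nComps <= 0`; if any caller can pass 0, the check itself faults before the allocation it protects, so either extend it to `if (nComps <= 0 || width > INT_MAX / nComps) {` or add a comment stating that the constructor's parameter validation (outside this hunk) guarantees nComps >= 1. The comment `force a call to gmallocn(-1,...), which will throw an exception` only holds for USE_EXCEPTIONS builds; the non-exception path in gmem.cc prints "Bogus memory allocation size" and exits, so `// gmallocn rejects a negative count: throws with USE_EXCEPTIONS, exits otherwise` is the accurate description. If `nVals` is `width * nComps` as the else branch suggests, it has already wrapped by the time this check runs, which is harmless only because gmallocn aborts before `imgIdx = nVals` is reached.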
diff -pruN poppler-0.10.7.orig/poppler/XRef.cc poppler-0.10.7/poppler/XRef.cc
--- poppler-0.10.7.orig/poppler/XRef.cc	2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/poppler/XRef.cc	2009-10-24 20:26:33.000000000 +0200
@@ -80,6 +80,7 @@ ObjectStream::ObjectStream(XRef *xref, i
   objs = NULL;
   objNums = NULL;
   offsets = NULL;
+  ok = gFalse;
 
   if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
     goto err1;
@@ -106,8 +107,11 @@ ObjectStream::ObjectStream(XRef *xref, i
     goto err1;
   }
 
-  if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
-    error(-1, "Invalid 'nObjects'");
+  // this is an arbitrary limit to avoid integer overflow problems
+  // in the 'new Object[nObjects]' call (Acrobat apparently limits
+  // object streams to 100-200 objects)
+  if (nObjects > 1000000) {
+    error(-1, "Too many objects in an object stream");
     goto err1;
   }
  
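Review bot: The replacement limit `nObjects > 1000000` drops the old overflow check without covering negative values; unless a `nObjects <= 0` rejection precedes this in the constructor (the start of ObjectStream::ObjectStream is outside the hunk), a negative /N reaches the `new Object[nObjects]` the comment refers to. The literal is also worth naming so the explanatory comment attaches to it, e.g. `static const int objStreamMaxObjects = 1000000;` near the top of the file and `if (nObjects < 0 || nObjects > objStreamMaxObjects) {` here. The error text "Too many objects in an object stream" is the only trace a user gets, so keeping the count in the message would help triage.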
@@ -167,10 +171,10 @@ ObjectStream::ObjectStream(XRef *xref, i
   }
 
 //   gfree(offsets);
+  ok = gTrue;
 
  err1:
   objStr.free();
-  return;
 }
 
 ObjectStream::~ObjectStream() {
@@ -948,6 +952,11 @@ Object *XRef::fetch(int num, int gen, Ob
 	delete objStr;
       }
       objStr = new ObjectStream(this, e->offset);
+      if (!objStr->isOk()) {
+	delete objStr;
+	objStr = NULL;
+	goto err;
+      }
     }
     objStr->getObject(e->gen, num, obj);
     break;
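Review bot: When the freshly built ObjectStream reports `!objStr->isOk()`, the cached pointer is cleared and the fetch fails, so the next fetch of any object from the same stream reconstructs and re-parses it from scratch; a document with many references into one malformed object stream pays that cost on every lookup. Remembering the failing stream number (for instance a member checked before the `new ObjectStream` call) would make the failure sticky, though whether that matters depends on how callers loop over fetch, which is outside this hunk. XRef::fetch starts before and ends after the hunk.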
diff -pruN poppler-0.10.7.orig/poppler/XRef.h poppler-0.10.7/poppler/XRef.h
--- poppler-0.10.7.orig/poppler/XRef.h	2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/poppler/XRef.h	2009-10-24 20:27:32.000000000 +0200
@@ -44,6 +44,8 @@ public:
   // generation 0.
   ObjectStream(XRef *xref, int objStrNumA);
 
+  GBool isOk() { return ok; }
+
   ~ObjectStream();
 
   // Return the object number of this object stream.
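Review bot: `isOk()` is added without the one-line comment every neighbouring declaration carries, and callers cannot tell from the name that a false result means the object must be deleted without further use. Suggest `// Returns gFalse if the constructor rejected the stream; the object is then unusable and must be deleted.` above it, and, if the file's accessors use it, `GBool isOk() const { return ok; }` since the method reads state only.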
@@ -64,6 +66,7 @@ private:
   int *objNums;			// the object numbers (length = nObjects)
   int *offsets;			// the object offsets (length = nObjects)
   Guint firstOffset;
+  GBool ok;
 };
 
 
diff -pruN poppler-0.10.7.orig/splash/Splash.cc poppler-0.10.7/splash/Splash.cc
--- poppler-0.10.7.orig/splash/Splash.cc	2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/splash/Splash.cc	2009-10-24 20:14:48.000000000 +0200
@@ -27,6 +27,7 @@
 
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashMath.h"
@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(Splash
   xq = w % scaledWidth;
 
   // allocate pixel buffer
+  if (yp < 0 || yp > INT_MAX - 1) {
+    return splashErrBadArg;
+  }
   pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
 
   // initialize the pixel pipe
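Review bot: The guard `yp < 0 || yp > INT_MAX - 1` only protects the `yp + 1` increment; `w` is not validated here, so a non-positive or overflowing `w` is left to gmallocn, which throws or exits instead of returning `splashErrBadArg` the way this guard does, giving two different failure paths for one allocation. If `w` can be <= 0 at this point (the checks at the top of fillImageMask are outside the hunk), `if (yp < 0 || yp > INT_MAX - 1 || w <= 0) {` keeps the graceful path; the same applies to the drawImage hunk that follows, where `nComps` is likewise unchecked. Both functions start before and end after their hunks.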
@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImag
   xq = w % scaledWidth;
 
   // allocate pixel buffers
+  if (yp < 0 || yp > INT_MAX - 1) {
+    return splashErrBadArg;
+  }
   colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
   if (srcAlpha) {
     alphaBuf = (Guchar *)gmallocn((yp + 1), w);
diff -pruN poppler-0.10.7.orig/splash/SplashBitmap.cc poppler-0.10.7/splash/SplashBitmap.cc
--- poppler-0.10.7.orig/splash/SplashBitmap.cc	2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/splash/SplashBitmap.cc	2009-10-24 20:15:05.000000000 +0200
@@ -26,6 +26,7 @@
 #endif
 
 #include <stdio.h>
+#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashBitmap.h"
@@ -42,26 +43,48 @@ SplashBitmap::SplashBitmap(int widthA, i
   mode = modeA;
   switch (mode) {
   case splashModeMono1:
-    rowSize = (width + 7) >> 3;
+    if (width > 0) {
+      rowSize = (width + 7) >> 3;
+    } else {
+      rowSize = -1;
+    }
     break;
   case splashModeMono8:
-    rowSize = width;
+    if (width > 0) {
+      rowSize = width;
+    } else {
+      rowSize = -1;
+    }
     break;
   case splashModeRGB8:
   case splashModeBGR8:
-    rowSize = width * 3;
+    if (width > 0 && width <= INT_MAX / 3) {
+      rowSize = width * 3;
+    } else {
+      rowSize = -1;
+    }
     break;
   case splashModeXBGR8:
-    rowSize = width * 4;
+    if (width > 0 && width <= INT_MAX / 4) {
+      rowSize = width * 4;
+    } else {
+      rowSize = -1;
+    }
     break;
 #if SPLASH_CMYK
   case splashModeCMYK8:
-    rowSize = width * 4;
+    if (width > 0 && width <= INT_MAX / 4) {
+      rowSize = width * 4;
+    } else {
+      rowSize = -1;
+    }
     break;
 #endif
   }
-  rowSize += rowPad - 1;
-  rowSize -= rowSize % rowPad;
+  if (rowSize > 0) {
+    rowSize += rowPad - 1;
+    rowSize -= rowSize % rowPad;
+  }
   data = (SplashColorPtr)gmallocn(rowSize, height);
   if (!topDown) {
     data += (height - 1) * rowSize;
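Review bot: In the splashModeMono1 branch `(width + 7) >> 3` still overflows for width above INT_MAX - 7, and the switch has no default, so a mode outside the listed values leaves rowSize at whatever it held before (the constructor's start is outside the hunk) when `if (rowSize > 0)` reads it. height is not validated in this hunk either; whatever gmallocn returns for height <= 0 then feeds `data += (height - 1) * rowSize`. The five near-identical branches can collapse into a bytes-per-pixel lookup with a single overflow check, which also gives the unknown-mode path an explicit rejection. The rounding `rowSize += rowPad - 1` can still overflow when rowSize is within rowPad of INT_MAX, if rowPad can be large.
```cpp
  mode = modeA;
  // bytes per pixel for the packed modes; 0 marks the 1-bit mode, which
  // packs eight pixels per byte and is sized separately below
  int bytesPerPixel;
  switch (mode) {
  case splashModeMono1: bytesPerPixel = 0; break;
  case splashModeMono8: bytesPerPixel = 1; break;
  case splashModeRGB8:
  case splashModeBGR8:  bytesPerPixel = 3; break;
  case splashModeXBGR8: bytesPerPixel = 4; break;
#if SPLASH_CMYK
  case splashModeCMYK8: bytesPerPixel = 4; break;
#endif
  default:              bytesPerPixel = -1; break;   // unknown mode: reject
  }
  if (width <= 0 || bytesPerPixel < 0) {
    rowSize = -1;                       // gmallocn rejects a negative count
  } else if (bytesPerPixel == 0) {
    rowSize = width <= INT_MAX - 7 ? (width + 7) >> 3 : -1;
  } else if (width <= INT_MAX / bytesPerPixel) {
    rowSize = width * bytesPerPixel;
  } else {
    rowSize = -1;
  }
  // … unchanged: rowPad rounding, gmallocn(rowSize, height), topDown handling …
```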
diff -pruN poppler-0.10.7.orig/splash/SplashErrorCodes.h poppler-0.10.7/splash/SplashErrorCodes.h
--- poppler-0.10.7.orig/splash/SplashErrorCodes.h	2009-05-02 14:14:56.000000000 +0200
+++ poppler-0.10.7/splash/SplashErrorCodes.h	2009-10-24 20:14:48.000000000 +0200
@@ -41,6 +41,8 @@
 
 #define splashErrSingularMatrix  8	// matrix is singular
 
-#define splashErrZeroImage       9      // image of 0x0
+#define splashErrBadArg          9      // bad argument
+
+#define splashErrZeroImage     254      // image of 0x0
 
 #endif
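Review bot: `splashErrZeroImage` changes value from 9 to 254 so that `splashErrBadArg` can take 9; any code or log that compares against the numeric literal rather than the macro, or persists the code, silently changes meaning with this hunk. Presumably the new numbering matches the xpdf 3.02pl4 source the spec credits; a comment such as `// numbering kept in sync with xpdf's SplashErrorCodes.h` would stop the next merge from shuffling them again.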

poppler-0.10.7-gmallocn.patch:
 glib/poppler-page.cc       |    2 +-
 goo/gmem.cc                |   26 ++++++++++++++++++++++++++
 goo/gmem.h                 |    2 ++
 poppler/ArthurOutputDev.cc |    2 +-
 poppler/CairoOutputDev.cc  |   16 ++++++++--------
 poppler/GfxState.cc        |    8 ++++----
 poppler/PSOutputDev.cc     |    4 ++--
 poppler/SplashOutputDev.cc |   18 +++++++++---------
 splash/Splash.cc           |    6 +++---
 splash/SplashBitmap.cc     |    2 +-
 splash/SplashFTFont.cc     |    2 +-
 11 files changed, 58 insertions(+), 30 deletions(-)

--- NEW FILE poppler-0.10.7-gmallocn.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=0131f0a01c
http://cgit.freedesktop.org/poppler/poppler/commit/?id=7b2d314a61
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c399b2d512
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2
http://cgit.freedesktop.org/poppler/poppler/commit/?id=284a928996
http://cgit.freedesktop.org/poppler/poppler/commit/?id=5d328282da

CVE-2009-0791/CVE-2009-3605 CVE-2009-3604 CVE-2009-3606

diff -pruN poppler-0.10.7.orig/glib/poppler-page.cc poppler-0.10.7/glib/poppler-page.cc
--- poppler-0.10.7.orig/glib/poppler-page.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/glib/poppler-page.cc	2009-10-24 20:01:57.000000000 +0200
@@ -291,7 +291,7 @@ poppler_page_prepare_output_dev (Poppler
 
   output_dev = page->document->output_dev;
   cairo_rowstride = cairo_width * 4;
-  cairo_data = (guchar *) gmalloc (cairo_height * cairo_rowstride);
+  cairo_data = (guchar *) gmallocn (cairo_height, cairo_rowstride);
   if (transparent)
       memset (cairo_data, 0x00, cairo_height * cairo_rowstride);
   else
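Review bot: Switching to `gmallocn (cairo_height, cairo_rowstride)` checks the height times stride product, but `cairo_rowstride = cairo_width * 4` one line above is still an unchecked multiplication, so a large width wraps before the checked call sees it. `gmallocn3`, introduced in this same patch, covers both factors: `cairo_data = (guchar *) gmallocn3 (cairo_height, cairo_width, 4);`, after which the `cairo_height * cairo_rowstride` in the memset calls is known to fit. poppler_page_prepare_output_dev starts before and ends after this hunk.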
diff -pruN poppler-0.10.7.orig/goo/gmem.cc poppler-0.10.7/goo/gmem.cc
--- poppler-0.10.7.orig/goo/gmem.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/goo/gmem.cc	2009-10-24 20:01:57.000000000 +0200
@@ -206,6 +206,32 @@ void *gmallocn_checkoverflow(int nObjs, 
   return gmalloc(n);
 }
 
+void *gmallocn3(int a, int b, int c) GMEM_EXCEP {
+  int n = a * b;
+  if (b <= 0 || a < 0 || a >= INT_MAX / b) {
+#if USE_EXCEPTIONS
+    throw GMemException();
+#else
+    fprintf(stderr, "Bogus memory allocation size\n");
+    exit(1);
+#endif
+  }
+  return gmallocn(n, c);
+}
+
+void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP {
+  int n = a * b;
+  if (b <= 0 || a < 0 || a >= INT_MAX / b) {
+#if USE_EXCEPTIONS
+    throw GMemException();
+#else
+    fprintf(stderr, "Bogus memory allocation size\n");
+    return NULL;
+#endif
+  }
+  return gmallocn_checkoverflow(n, c);
+}
+
 void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP {
   int n;
 
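Review bot: Both `gmallocn3` and `gmallocn3_checkoverflow` compute `int n = a * b;` before the guard that decides whether the product fits, so the signed overflow the guard exists to prevent has already happened (undefined behaviour, and a compiler may fold the later comparison on that basis). Declare `int n;` first, run the check, then `n = a * b;` after it, the way `greallocn` below at least declares n separately. The two bodies differ only in the failure action, so a shared static range-check helper would keep them from drifting apart.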
diff -pruN poppler-0.10.7.orig/goo/gmem.h poppler-0.10.7/goo/gmem.h
--- poppler-0.10.7.orig/goo/gmem.h	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/goo/gmem.h	2009-10-24 20:01:57.000000000 +0200
@@ -70,6 +70,8 @@ extern void *grealloc(void *p, size_t si
  */
 extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP;
 extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP;
+extern void *gmallocn3(int a, int b, int c) GMEM_EXCEP;
+extern void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP;
 extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP;
 extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP;
 
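Review bot: The two new declarations go in without the comment the block above gives the existing allocators, yet their semantics are exactly what a caller needs to choose between them. Suggest `// Allocate a*b*c bytes with both products overflow-checked; gmallocn3 throws/exits on a bogus size, gmallocn3_checkoverflow returns NULL instead.` above them.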
diff -pruN poppler-0.10.7.orig/poppler/ArthurOutputDev.cc poppler-0.10.7/poppler/ArthurOutputDev.cc
--- poppler-0.10.7.orig/poppler/ArthurOutputDev.cc	2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/ArthurOutputDev.cc	2009-10-24 20:01:57.000000000 +0200
@@ -752,7 +752,7 @@ void ArthurOutputDev::drawImage(GfxState
   QMatrix matrix;
   int is_identity_transform;
   
-  buffer = (unsigned char *)gmalloc (width * height * 4);
+  buffer = (unsigned char *)gmallocn3(width, height, 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
diff -pruN poppler-0.10.7.orig/poppler/CairoOutputDev.cc poppler-0.10.7/poppler/CairoOutputDev.cc
--- poppler-0.10.7.orig/poppler/CairoOutputDev.cc	2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/CairoOutputDev.cc	2009-10-24 20:01:57.000000000 +0200
@@ -550,7 +550,7 @@ void CairoOutputDev::beginString(GfxStat
   if (!currentFont)
     return;
 
-  glyphs = (cairo_glyph_t *) gmalloc (len * sizeof (cairo_glyph_t));
+  glyphs = (cairo_glyph_t *) gmallocn (len, sizeof (cairo_glyph_t));
   glyphCount = 0;
 }
 
@@ -1007,7 +1007,7 @@ void CairoOutputDev::drawImageMaskRegula
   int row_stride;
 
   row_stride = (width + 3) & ~3;
-  buffer = (unsigned char *) malloc (height * row_stride);
+  buffer = (unsigned char *) gmallocn (height, row_stride);
   if (buffer == NULL) {
     error(-1, "Unable to allocate memory for image.");
     return;
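Review bot: Replacing `malloc` with `gmallocn` makes the `buffer == NULL` check below it dead for the overflow and out-of-memory cases, because gmallocn throws or exits (the gmallocn3 bodies in gmem.cc show that convention) rather than returning NULL. If the graceful `error(...)` path is the intended behaviour, `buffer = (unsigned char *) gmallocn_checkoverflow (height, row_stride);` preserves it in non-exception builds; the same applies to the drawImageMaskPrescaled hunk that follows. Both functions start before and end after their hunks.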
@@ -1174,7 +1174,7 @@ void CairoOutputDev::drawImageMaskPresca
   invert_bit = invert ? 1 : 0;
 
   row_stride = (scaledWidth + 3) & ~3;
-  buffer = (unsigned char *) malloc (scaledHeight * row_stride);
+  buffer = (unsigned char *) gmallocn (scaledHeight, row_stride);
   if (buffer == NULL) {
     error(-1, "Unable to allocate memory for image.");
     return;
@@ -1367,7 +1367,7 @@ void CairoOutputDev::drawMaskedImage(Gfx
 
   int row_stride = (maskWidth + 3) & ~3;
   unsigned char *maskBuffer;
-  maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight);
+  maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight);
   unsigned char *maskDest;
   cairo_surface_t *maskImage;
   cairo_pattern_t *maskPattern;
@@ -1402,7 +1402,7 @@ void CairoOutputDev::drawMaskedImage(Gfx
   cairo_matrix_t matrix;
   int is_identity_transform;
 
-  buffer = (unsigned char *)gmalloc (width * height * 4);
+  buffer = (unsigned char *)gmallocn3 (width, height, 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
@@ -1494,7 +1494,7 @@ void CairoOutputDev::drawSoftMaskedImage
 
   int row_stride = (maskWidth + 3) & ~3;
   unsigned char *maskBuffer;
-  maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight);
+  maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight);
   unsigned char *maskDest;
   cairo_surface_t *maskImage;
   cairo_pattern_t *maskPattern;
@@ -1521,7 +1521,7 @@ void CairoOutputDev::drawSoftMaskedImage
   cairo_matrix_t maskMatrix;
   int is_identity_transform;
 
-  buffer = (unsigned char *)gmalloc (width * height * 4);
+  buffer = (unsigned char *)gmallocn3 (width, height, 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
@@ -1616,7 +1616,7 @@ void CairoOutputDev::drawImage(GfxState 
   cairo_matrix_t matrix;
   int is_identity_transform;
   
-  buffer = (unsigned char *)gmallocn (width, height * 4);
+  buffer = (unsigned char *)gmallocn3 (width, height, 4);
 
   /* TODO: Do we want to cache these? */
   imgStr = new ImageStream(str, width,
diff -pruN poppler-0.10.7.orig/poppler/GfxState.cc poppler-0.10.7/poppler/GfxState.cc
--- poppler-0.10.7.orig/poppler/GfxState.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/GfxState.cc	2009-10-24 20:01:57.000000000 +0200
@@ -1201,7 +1201,7 @@ void GfxIndexedColorSpace::getRGBLine(Gu
   int i, j, n;
 
   n = base->getNComps();
-  line = (Guchar *) gmalloc (length * n);
+  line = (Guchar *) gmallocn (length, n);
   for (i = 0; i < length; i++)
     for (j = 0; j < n; j++)
       line[i * n + j] = lookup[in[i] * n + j];
@@ -3424,7 +3424,7 @@ GfxImageColorMap::GfxImageColorMap(int b
     nComps2 = colorSpace2->getNComps();
     lookup2 = indexedCS->getLookup();
     colorSpace2->getDefaultRanges(x, y, indexHigh);
-    byte_lookup = (Guchar *)gmalloc ((maxPixel + 1) * nComps2);
+    byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps2);
     for (k = 0; k < nComps2; ++k) {
       lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1,
 					   sizeof(GfxColorComp));
@@ -3572,7 +3572,7 @@ void GfxImageColorMap::getGrayLine(Gucha
   switch (colorSpace->getMode()) {
   case csIndexed:
   case csSeparation:
-    tmp_line = (Guchar *) gmalloc (length * nComps2);
+    tmp_line = (Guchar *) gmallocn (length, nComps2);
     for (i = 0; i < length; i++) {
       for (j = 0; j < nComps2; j++) {
 	tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j];
@@ -3602,7 +3602,7 @@ void GfxImageColorMap::getRGBLine(Guchar
   switch (colorSpace->getMode()) {
   case csIndexed:
   case csSeparation:
-    tmp_line = (Guchar *) gmalloc (length * nComps2);
+    tmp_line = (Guchar *) gmallocn (length, nComps2);
     for (i = 0; i < length; i++) {
       for (j = 0; j < nComps2; j++) {
 	tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j];
diff -pruN poppler-0.10.7.orig/poppler/PSOutputDev.cc poppler-0.10.7/poppler/PSOutputDev.cc
--- poppler-0.10.7.orig/poppler/PSOutputDev.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/PSOutputDev.cc	2009-10-24 20:01:57.000000000 +0200
@@ -2323,7 +2323,7 @@ GooString *PSOutputDev::setupExternalCID
   if ((ffTT = FoFiTrueType::load(fileName->getCString(), faceIndex))) {
       int n = ((GfxCIDFont *)font)->getCIDToGIDLen();
       if (n) {
-	codeToGID = (Gushort *)gmalloc(n * sizeof(Gushort));
+	codeToGID = (Gushort *)gmallocn(n, sizeof(Gushort));
 	memcpy(codeToGID, ((GfxCIDFont *)font)->getCIDToGID(), n * sizeof(Gushort));
       } else {
 	codeToGID = ((GfxCIDFont *)font)->getCodeToGIDMap(ffTT, &n);
@@ -4502,7 +4502,7 @@ void PSOutputDev::doImageL1Sep(GfxImageC
 	     width, -height, height);
 
   // allocate a line buffer
-  lineBuf = (Guchar *)gmalloc(4 * width);
+  lineBuf = (Guchar *)gmallocn(width, 4);
 
   // set up to process the data stream
   imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
diff -pruN poppler-0.10.7.orig/poppler/SplashOutputDev.cc poppler-0.10.7/poppler/SplashOutputDev.cc
--- poppler-0.10.7.orig/poppler/SplashOutputDev.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/SplashOutputDev.cc	2009-10-24 20:01:57.000000000 +0200
@@ -2013,7 +2013,7 @@ void SplashOutputDev::drawImage(GfxState
       break;
     case splashModeRGB8:
     case splashModeBGR8:
-      imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getRGB(&pix, &rgb);
@@ -2023,7 +2023,7 @@ void SplashOutputDev::drawImage(GfxState
       }
       break;
     case splashModeXBGR8:
-      imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getRGB(&pix, &rgb);
@@ -2035,7 +2035,7 @@ void SplashOutputDev::drawImage(GfxState
       break;
 #if SPLASH_CMYK
     case splashModeCMYK8:
-      imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getCMYK(&pix, &cmyk);
@@ -2278,7 +2278,7 @@ void SplashOutputDev::drawMaskedImage(Gf
 	break;
       case splashModeRGB8:
       case splashModeBGR8:
-	imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+	imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
 	for (i = 0; i < n; ++i) {
 	  pix = (Guchar)i;
 	  colorMap->getRGB(&pix, &rgb);
@@ -2288,7 +2288,7 @@ void SplashOutputDev::drawMaskedImage(Gf
 	}
 	break;
       case splashModeXBGR8:
-	imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+	imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
 	for (i = 0; i < n; ++i) {
 	  pix = (Guchar)i;
 	  colorMap->getRGB(&pix, &rgb);
@@ -2300,7 +2300,7 @@ void SplashOutputDev::drawMaskedImage(Gf
 	break;
 #if SPLASH_CMYK
       case splashModeCMYK8:
-	imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+	imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
 	for (i = 0; i < n; ++i) {
 	  pix = (Guchar)i;
 	  colorMap->getCMYK(&pix, &cmyk);
@@ -2421,7 +2421,7 @@ void SplashOutputDev::drawSoftMaskedImag
       break;
     case splashModeRGB8:
     case splashModeBGR8:
-      imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getRGB(&pix, &rgb);
@@ -2431,7 +2431,7 @@ void SplashOutputDev::drawSoftMaskedImag
       }
       break;
     case splashModeXBGR8:
-      imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getRGB(&pix, &rgb);
@@ -2443,7 +2443,7 @@ void SplashOutputDev::drawSoftMaskedImag
       break;
 #if SPLASH_CMYK
     case splashModeCMYK8:
-      imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+      imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
       for (i = 0; i < n; ++i) {
 	pix = (Guchar)i;
 	colorMap->getCMYK(&pix, &cmyk);
diff -pruN poppler-0.10.7.orig/splash/Splash.cc poppler-0.10.7/splash/Splash.cc
--- poppler-0.10.7.orig/splash/Splash.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/Splash.cc	2009-10-24 20:01:57.000000000 +0200
@@ -2001,7 +2001,7 @@ SplashError Splash::fillImageMask(Splash
   xq = w % scaledWidth;
 
   // allocate pixel buffer
-  pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+  pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
 
   // initialize the pixel pipe
   pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2301,9 +2301,9 @@ SplashError Splash::drawImage(SplashImag
   xq = w % scaledWidth;
 
   // allocate pixel buffers
-  colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+  colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
   if (srcAlpha) {
-    alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
+    alphaBuf = (Guchar *)gmallocn((yp + 1), w);
   } else {
     alphaBuf = NULL;
   }
diff -pruN poppler-0.10.7.orig/splash/SplashBitmap.cc poppler-0.10.7/splash/SplashBitmap.cc
--- poppler-0.10.7.orig/splash/SplashBitmap.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/SplashBitmap.cc	2009-10-24 20:01:57.000000000 +0200
@@ -68,7 +68,7 @@ SplashBitmap::SplashBitmap(int widthA, i
     rowSize = -rowSize;
   }
   if (alphaA) {
-    alpha = (Guchar *)gmalloc(width * height);
+    alpha = (Guchar *)gmallocn(width, height);
   } else {
     alpha = NULL;
   }
diff -pruN poppler-0.10.7.orig/splash/SplashFTFont.cc poppler-0.10.7/splash/SplashFTFont.cc
--- poppler-0.10.7.orig/splash/SplashFTFont.cc	2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/SplashFTFont.cc	2009-10-24 20:01:57.000000000 +0200
@@ -243,7 +243,7 @@ GBool SplashFTFont::makeGlyph(int c, int
   } else {
     rowSize = (bitmap->w + 7) >> 3;
   }
-  bitmap->data = (Guchar *)gmalloc(rowSize * bitmap->h);
+  bitmap->data = (Guchar *)gmallocn_checkoverflow(rowSize, bitmap->h);
   bitmap->freeData = gTrue;
   for (i = 0, p = bitmap->data, q = slot->bitmap.buffer;
        i < bitmap->h;
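Review bot: `gmallocn_checkoverflow` returns NULL on a bogus size in non-exception builds, but the copy loop that follows starts at `p = bitmap->data` without a check, so the overflow case trades a heap overrun for a NULL dereference. Insert `if (!bitmap->data) return gFalse;` before `bitmap->freeData = gTrue;`, which matches the GBool return of makeGlyph. makeGlyph starts before and ends after this hunk.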


Index: poppler.spec
===================================================================
RCS file: /cvs/pkgs/rpms/poppler/F-11/poppler.spec,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -p -r1.86 -r1.87
--- poppler.spec	23 Jun 2009 17:28:33 -0000	1.86
+++ poppler.spec	25 Oct 2009 22:37:39 -0000	1.87
@@ -3,7 +3,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.10.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2 and Redistributable, no modification permitted
 # the code is GPLv2
 # the charmap data in /usr/share/poppler is redistributable
@@ -18,6 +18,13 @@ BuildRoot: %{_tmppath}/%{name}-%{version
 # reduce lib deps in -qt/-qt4 pkg-config support
 Patch50: poppler-0.11.0-pkg_config.patch
 
+# gmalloc hardening fixes
+Patch60: poppler-0.10.7-gmallocn.patch
+# security fixes from xpdf 3.02pl4 / 1082e1671a
+Patch61: poppler-0.10.7-CVE-2009-360x.patch
+# CVE-2009-3607 / c839b70609
+Patch62: poppler-0.10.7-CVE-2009-3607.patch
+
 BuildRequires: automake libtool
 BuildRequires: gtk2-devel
 BuildRequires: cairo-devel
@@ -112,6 +119,9 @@ converting PDF files to a number of othe
 pushd %{name}-%{version}
 %patch0 -p0 -b .objstream
 %patch50 -p1 -b .pkg_config
+%patch60 -p1 -b .gmallocn
+%patch61 -p1 -b .CVE-2009-360x
+%patch62 -p1 -b .CVE-2009-3607
 # hammer to nuke rpaths, recheck on new releases
 autoreconf -i -f
 popd
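Review bot: The application order `%patch60` before `%patch61` is load-bearing rather than incidental: Patch61's Splash.cc hunks carry `gmallocn((yp + 1), w)` as context, which only exists after Patch60 has replaced the gmalloc calls, so swapping the two lines breaks the build. A comment on the `%patch60` line such as `# must precede patch61, which expects the gmallocn context this patch produces` records that for the next rebase.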
@@ -223,6 +233,20 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Sun Oct 25 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-3
+- CVE-2009-3603 xpdf/popppler: SplashBitmap::SplashBitmap
+  integer overflow (#526915)
+- CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow
+  and missing allocation return value check(#526911)
+- CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep
+  integer overflow (#526877)
+- CVE-2009-3607 poppler: create_surface_from_thumbnail_data
+  integer overflow (#526924)
+- CVE-2009-3608 xpdf/poppler: integer overflow in
+  ObjectStream::ObjectStream (#526637)
+- CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream
+  integer overflow (#526893)
+
 * Mon Jun 22 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-2
 - reduce lib deps in qt/qt4 pkg-config support
 



