[poppler/f18] Backport several security fixes:
mkasik
mkasik at fedoraproject.org
Tue Mar 5 15:49:24 UTC 2013
commit 0fef51c75fdd0252f1f6da38d51fd2774fdbb416
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Mar 5 16:48:53 2013 +0100
Backport several security fixes:
CVE-2013-1788 (Invalid memory accesses)
CVE-2013-1789 (Crash on certain documents)
CVE-2013-1790 (Read of uninitialized memory)
Resolves: #917113
poppler-0.20.2-CVE-2013-1788.patch | 129 ++++++++++++++++++++++++++++++++++++
poppler-0.20.2-CVE-2013-1789.patch | 60 +++++++++++++++++
poppler-0.20.2-CVE-2013-1790.patch | 23 +++++++
poppler.spec | 21 ++++++-
4 files changed, 232 insertions(+), 1 deletions(-)
---
diff --git a/poppler-0.20.2-CVE-2013-1788.patch b/poppler-0.20.2-CVE-2013-1788.patch
new file mode 100644
index 0000000..b06006a
--- /dev/null
+++ b/poppler-0.20.2-CVE-2013-1788.patch
@@ -0,0 +1,129 @@
+--- poppler-0.20.2/poppler/Function.cc
++++ poppler-0.20.2/poppler/Function.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid at kde.org>
++// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
+ // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
+ // Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
+@@ -1063,6 +1063,10 @@ void PSStack::copy(int n) {
+ error(errSyntaxError, -1, "Stack underflow in PostScript function");
+ return;
+ }
++ if (unlikely(sp - n > psStackSize)) {
++ error(errSyntaxError, -1, "Stack underflow in PostScript function");
++ return;
++ }
+ if (!checkOverflow(n)) {
+ return;
+ }
+--- poppler-0.20.2/poppler/Stream.cc
++++ poppler-0.20.2/poppler/Stream.cc
+@@ -2384,7 +2384,8 @@ GBool CCITTFaxStream::isBinary(GBool las
+
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+
+ // zig zag decode map
+@@ -3340,7 +3341,12 @@ void DCTStream::transformDataUnit(Gushor
+
+ // convert to 8-bit integers
+ for (i = 0; i < 64; ++i) {
+- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++ if (unlikely(ix < 0 || ix >= dctClipLength)) {
++ dataOut[i] = 0;
++ } else {
++ dataOut[i] = dctClip[ix];
++ }
+ }
+ }
+
+--- poppler-0.20.2/splash/Splash.cc
++++ poppler-0.20.2/splash/Splash.cc
+@@ -14,7 +14,7 @@
+ // Copyright (C) 2005-2012 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
+ // Copyright (C) 2010-2012 Thomas Freitag <Thomas.Freitag at alfa.de>
+-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
++// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
+ // Copyright (C) 2011, 2012 William Bader <williambader at hotmail.com>
+ // Copyright (C) 2012 Markus Trippelsdorf <markus at trippelsdorf.de>
+ //
+@@ -2102,11 +2102,14 @@ SplashPath *Splash::makeDashedPath(Splas
+ lineDashStartOn = gTrue;
+ lineDashStartIdx = 0;
+ if (lineDashStartPhase > 0) {
+- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ lineDashStartOn = !lineDashStartOn;
+ lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+ ++lineDashStartIdx;
+ }
++ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++ return new SplashPath();
++ }
+ }
+
+ dPath = new SplashPath();
+@@ -3078,6 +3081,12 @@ void Splash::scaleMaskYdXu(SplashImageMa
+ Guchar *destPtr;
+ int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, d;
+ int i, j;
++
++ destPtr = dest->data;
++ if (destPtr == NULL) {
++ error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYdXu");
++ return;
++ }
+
+ // Bresenham parameters for y scale
+ yp = srcHeight / scaledHeight;
+@@ -3094,7 +3103,6 @@ void Splash::scaleMaskYdXu(SplashImageMa
+ // init y scale Bresenham
+ yt = 0;
+
+- destPtr = dest->data;
+ for (y = 0; y < scaledHeight; ++y) {
+
+ // y scale Bresenham
+@@ -3153,6 +3161,12 @@ void Splash::scaleMaskYuXd(SplashImageMa
+ Guchar *destPtr0, *destPtr;
+ int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, xx, d, d0, d1;
+ int i;
++
++ destPtr0 = dest->data;
++ if (destPtr0 == NULL) {
++ error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYuXd");
++ return;
++ }
+
+ // Bresenham parameters for y scale
+ yp = scaledHeight / srcHeight;
+@@ -3168,7 +3182,6 @@ void Splash::scaleMaskYuXd(SplashImageMa
+ // init y scale Bresenham
+ yt = 0;
+
+- destPtr0 = dest->data;
+ for (y = 0; y < srcHeight; ++y) {
+
+ // y scale Bresenham
+@@ -4480,6 +4493,11 @@ void Splash::vertFlipImage(SplashBitmap
+ Guchar *lineBuf;
+ Guchar *p0, *p1;
+ int w;
++
++ if (unlikely(img->data == NULL)) {
++ error(errInternal, -1, "img->data is NULL in Splash::vertFlipImage");
++ return;
++ }
+
+ w = width * nComps;
+ lineBuf = (Guchar *)gmalloc(w);
diff --git a/poppler-0.20.2-CVE-2013-1789.patch b/poppler-0.20.2-CVE-2013-1789.patch
new file mode 100644
index 0000000..ea8c9b9
--- /dev/null
+++ b/poppler-0.20.2-CVE-2013-1789.patch
@@ -0,0 +1,60 @@
+--- poppler-0.20.2/splash/Splash.cc
++++ poppler-0.20.2/splash/Splash.cc
+@@ -2807,6 +2807,11 @@ void Splash::arbitraryTransformMask(Spla
+ // scale the input image
+ scaledMask = scaleMask(src, srcData, srcWidth, srcHeight,
+ scaledWidth, scaledHeight);
++ if (scaledMask->data == NULL) {
++ error(errInternal, -1, "scaledMask->data is NULL in Splash::arbitraryTransformMask");
++ delete scaledMask;
++ return;
++ }
+
+ // construct the three sections
+ i = (vy[2] <= vy[3]) ? 2 : 3;
+@@ -3244,6 +3249,12 @@ void Splash::scaleMaskYuXu(SplashImageMa
+ int yp, yq, xp, xq, yt, y, yStep, xt, x, xStep, xx;
+ int i, j;
+
++ destPtr0 = dest->data;
++ if (destPtr0 == NULL) {
++ error(errInternal, -1, "dest->data is NULL in Splash::scaleMaskYuXu");
++ return;
++ }
++
+ // Bresenham parameters for y scale
+ yp = scaledHeight / srcHeight;
+ yq = scaledHeight % srcHeight;
+@@ -3258,7 +3269,6 @@ void Splash::scaleMaskYuXu(SplashImageMa
+ // init y scale Bresenham
+ yt = 0;
+
+- destPtr0 = dest->data;
+ for (y = 0; y < srcHeight; ++y) {
+
+ // y scale Bresenham
+@@ -3314,11 +3324,15 @@ void Splash::blitMask(SplashBitmap *src,
+
+ w = src->getWidth();
+ h = src->getHeight();
++ p = src->getDataPtr();
++ if (p == NULL) {
++ error(errInternal, -1, "src->getDataPtr() is NULL in Splash::blitMask");
++ return;
++ }
+ if (vectorAntialias && clipRes != splashClipAllInside) {
+ pipeInit(&pipe, xDest, yDest, state->fillPattern, NULL,
+ (Guchar)splashRound(state->fillAlpha * 255), gTrue, gFalse);
+ drawAAPixelInit();
+- p = src->getDataPtr();
+ for (y = 0; y < h; ++y) {
+ for (x = 0; x < w; ++x) {
+ pipe.shape = *p++;
+@@ -3328,7 +3342,6 @@ void Splash::blitMask(SplashBitmap *src,
+ } else {
+ pipeInit(&pipe, xDest, yDest, state->fillPattern, NULL,
+ (Guchar)splashRound(state->fillAlpha * 255), gTrue, gFalse);
+- p = src->getDataPtr();
+ if (clipRes == splashClipAllInside) {
+ for (y = 0; y < h; ++y) {
+ pipeSetXY(&pipe, xDest, yDest + y);
diff --git a/poppler-0.20.2-CVE-2013-1790.patch b/poppler-0.20.2-CVE-2013-1790.patch
new file mode 100644
index 0000000..c83b0ec
--- /dev/null
+++ b/poppler-0.20.2-CVE-2013-1790.patch
@@ -0,0 +1,23 @@
+--- poppler-0.20.2/poppler/Stream.cc
++++ poppler-0.20.2/poppler/Stream.cc
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Jeff Muizelaar <jeff at infidigm.net>
+-// Copyright (C) 2006-2010, 2012 Albert Astals Cid <aacid at kde.org>
++// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2007 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
+ // Copyright (C) 2008 Julien Rebetez <julien at fhtagn.net>
+ // Copyright (C) 2009 Carlos Garcia Campos <carlosgc at gnome.org>
+@@ -1710,8 +1710,9 @@ int CCITTFaxStream::lookChar() {
+ for (i = 0; i < columns && codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
diff --git a/poppler.spec b/poppler.spec
index ea6b308..8f1756b 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -1,7 +1,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.20.2
-Release: 9%{?dist}
+Release: 10%{?dist}
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
Group: Development/Libraries
URL: http://poppler.freedesktop.org/
@@ -24,6 +24,15 @@ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.gz
# (see header of the patch for complete list)
Patch1: poppler-0.20.3-5.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=917108
+Patch2: poppler-0.20.2-CVE-2013-1788.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=917109
+Patch3: poppler-0.20.2-CVE-2013-1789.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=917111
+Patch4: poppler-0.20.2-CVE-2013-1790.patch
+
Requires: poppler-data >= 0.4.0
BuildRequires: automake libtool
BuildRequires: gettext-devel
@@ -139,6 +148,9 @@ Requires: %{name}-glib%{?_isa} = %{version}-%{release}
%setup -q
%patch1 -p1 -b .0.20.5
+%patch2 -p1 -b .CVE-2013-1788
+%patch3 -p1 -b .CVE-2013-1789
+%patch4 -p1 -b .CVE-2013-1790
chmod -x goo/GooTimer.h
@@ -263,6 +275,13 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%changelog
+* Tue Mar 5 2013 Marek Kasik <mkasik at redhat.com> 0.20.2-10
+- Backport several security fixes:
+- CVE-2013-1788 (Invalid memory accesses)
+- CVE-2013-1789 (Crash on certain documents)
+- CVE-2013-1790 (Read of uninitialized memory)
+- Resolves: #917113
+
* Tue Nov 13 2012 Marek Kasik <mkasik at redhat.com> 0.20.2-9
- Move poppler-glib-demo to new sub-package demos
- Resolves: #872338
More information about the scm-commits
mailing list