[poppler/f17] Backport several security fixes:
mkasik
mkasik at fedoraproject.org
Tue Mar 5 15:50:27 UTC 2013
commit 002ac41cb5253972689f1bc147afba3686d93fa4
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Mar 5 16:49:51 2013 +0100
Backport several security fixes:
CVE-2013-1788 (Invalid memory accesses)
CVE-2013-1790 (Read of uninitialized memory)
Resolves: #917113
poppler-0.18.4-CVE-2013-1788.patch | 75 ++++++++++++++++++++++++++++++++++++
poppler-0.18.4-CVE-2013-1790.patch | 23 +++++++++++
poppler.spec | 16 +++++++-
3 files changed, 113 insertions(+), 1 deletions(-)
---
diff --git a/poppler-0.18.4-CVE-2013-1788.patch b/poppler-0.18.4-CVE-2013-1788.patch
new file mode 100644
index 0000000..4691d3d
--- /dev/null
+++ b/poppler-0.18.4-CVE-2013-1788.patch
@@ -0,0 +1,75 @@
+--- poppler-0.18.4/poppler/Function.cc
++++ poppler-0.18.4/poppler/Function.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid at kde.org>
++// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2006 Jeff Muizelaar <jeff at infidigm.net>
+ // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
+ // Copyright (C) 2011 Andrea Canciani <ranma42 at gmail.com>
+@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
++ if (unlikely(sp - n > psStackSize)) {
++ error(-1, "Stack underflow in PostScript function");
++ return;
++ }
+ if (!checkOverflow(n)) {
+ return;
+ }
+--- poppler-0.18.4/poppler/Stream.cc
++++ poppler-0.18.4/poppler/Stream.cc
+@@ -2132,7 +2133,8 @@ GBool CCITTFaxStream::isBinary(GBool las
+
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+
+ // zig zag decode map
+@@ -3078,7 +3080,12 @@ void DCTStream::transformDataUnit(Gushor
+
+ // convert to 8-bit integers
+ for (i = 0; i < 64; ++i) {
+- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++ if (unlikely(ix < 0 || ix >= dctClipLength)) {
++ dataOut[i] = 0;
++ } else {
++ dataOut[i] = dctClip[ix];
++ }
+ }
+ }
+
+--- poppler-0.18.4/splash/Splash.cc
++++ poppler-0.18.4/splash/Splash.cc
+@@ -14,7 +14,7 @@
+ // Copyright (C) 2005-2011 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2005 Marco Pesenti Gritti <mpg at redhat.com>
+ // Copyright (C) 2010, 2011 Thomas Freitag <Thomas.Freitag at alfa.de>
+-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
++// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger at googlemail.com>
+ // Copyright (C) 2011 William Bader <williambader at hotmail.com>
+ //
+ // To see a description of the changes please see the Changelog file that
+@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
+ lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
+ lineDashStartOn = gTrue;
+ lineDashStartIdx = 0;
+- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ lineDashStartOn = !lineDashStartOn;
+ lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+ ++lineDashStartIdx;
+ }
++ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++ return new SplashPath();
++ }
+
+ dPath = new SplashPath();
+
diff --git a/poppler-0.18.4-CVE-2013-1790.patch b/poppler-0.18.4-CVE-2013-1790.patch
new file mode 100644
index 0000000..00f8b38
--- /dev/null
+++ b/poppler-0.18.4-CVE-2013-1790.patch
@@ -0,0 +1,23 @@
+--- poppler-0.18.4/poppler/Stream.cc
++++ poppler-0.18.4/poppler/Stream.cc
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Jeff Muizelaar <jeff at infidigm.net>
+-// Copyright (C) 2006-2010 Albert Astals Cid <aacid at kde.org>
++// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid <aacid at kde.org>
+ // Copyright (C) 2007 Krzysztof Kowalczyk <kkowalczyk at gmail.com>
+ // Copyright (C) 2008 Julien Rebetez <julien at fhtagn.net>
+ // Copyright (C) 2009 Carlos Garcia Campos <carlosgc at gnome.org>
+@@ -1595,8 +1595,9 @@ int CCITTFaxStream::lookChar() {
+ for (i = 0; codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
diff --git a/poppler.spec b/poppler.spec
index 1ad885b..70e4174 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -2,7 +2,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.18.4
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2
Group: Development/Libraries
URL: http://poppler.freedesktop.org/
@@ -18,6 +18,12 @@ Patch2: poppler-0.18.1-glib.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=817378
Patch3: poppler-0.18.4-set-mask-matrix.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=917108
+Patch4: poppler-0.18.4-CVE-2013-1788.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=917111
+Patch5: poppler-0.18.4-CVE-2013-1790.patch
+
Requires: poppler-data >= 0.4.0
BuildRequires: automake libtool
BuildRequires: gettext-devel
@@ -131,6 +137,8 @@ converting PDF files to a number of other formats.
%endif
%patch3 -p1 -b .set-mask-matrix
+%patch4 -p1 -b .CVE-2013-1788
+%patch5 -p1 -b .CVE-2013-1790
chmod -x goo/GooTimer.h
@@ -251,6 +259,12 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%changelog
+* Tue Mar 5 2013 Marek Kasik <mkasik at redhat.com> 0.18.4-4
+- Backport several security fixes:
+- CVE-2013-1788 (Invalid memory accesses)
+- CVE-2013-1790 (Read of uninitialized memory)
+- Resolves: #917113
+
* Fri May 4 2012 Marek Kasik <mkasik at redhat.com> 0.18.4-3
- Backport of a patch which sets mask matrix before drawing an image with a mask
- Resolves: #817378
More information about the scm-commits
mailing list