[poppler/f21] Fix several crashers
mkasik
mkasik at fedoraproject.org
Fri Dec 12 15:53:50 UTC 2014
commit a3fd83929c5383bdef944de03f36b22b2f78a1d8
Author: Marek Kasik <mkasik at redhat.com>
Date: Fri Dec 12 16:52:16 2014 +0100
Fix several crashers
poppler-0.26.2-fofitype1.patch | 21 +++++++++++++++++++++
poppler-0.26.2-pdfdoc-getpage.patch | 21 +++++++++++++++++++++
poppler-0.26.2-xref-getentry.patch | 30 ++++++++++++++++++++++++++++++
poppler.spec | 13 +++++++++++--
4 files changed, 83 insertions(+), 2 deletions(-)
---
diff --git a/poppler-0.26.2-fofitype1.patch b/poppler-0.26.2-fofitype1.patch
new file mode 100644
index 0000000..64876e8
--- /dev/null
+++ b/poppler-0.26.2-fofitype1.patch
@@ -0,0 +1,21 @@
+commit f966b8766d40b2c912e69a1e17ef8cc4bd52be95
+Author: Carlos Garcia Campos <carlosgc at gnome.org>
+Date: Tue Oct 21 16:42:27 2014 +0200
+
+ fofi: Fix a crash when parsing an invalid font due to a integer overflow
+
+ This fixes a crash rendering trust_metrics.f2495.f0.pdf.
+
+diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
+index 8fa10a0..2245184 100644
+--- a/fofi/FoFiType1.cc
++++ b/fofi/FoFiType1.cc
+@@ -263,7 +263,7 @@ void FoFiType1::parse() {
+ } else {
+ break;
+ }
+- for (; *p >= '0' && *p < '0' + base; ++p) {
++ for (; *p >= '0' && *p < '0' + base && code < INT_MAX / (base + (*p - '0')); ++p) {
+ code = code * base + (*p - '0');
+ }
+ for (; *p == ' ' || *p == '\t'; ++p) ;
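Review bot: The bound added to the digit loop in FoFiType1::parse(), `code < INT_MAX / (base + (*p - '0'))`, stops accumulating without signalling an error. An over-long number therefore leaves `p` on the unread digits and `code` holding a truncated value, which the rest of parse() (outside this hunk) goes on to use. The test is also more conservative than it needs to be; the exact form is `code <= (INT_MAX - (*p - '0')) / base`. Treat digits left over after the loop as an invalid encoding entry and skip it, rather than continuing with a partial value. No include is added here, so confirm that FoFiType1.cc already pulls in `<limits.h>` for `INT_MAX`.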
diff --git a/poppler-0.26.2-pdfdoc-getpage.patch b/poppler-0.26.2-pdfdoc-getpage.patch
new file mode 100644
index 0000000..880079d
--- /dev/null
+++ b/poppler-0.26.2-pdfdoc-getpage.patch
@@ -0,0 +1,21 @@
+commit ee4a389872d86b619c677888da8f13f1f6c54472
+Author: Adrian Johnson <ajohnson at redneon.com>
+Date: Mon Oct 20 22:32:30 2014 +1030
+
+ PDFDoc: fix crash when getPage() returns NULL
+
+ Bug 85235
+
+diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
+index d1b5d7b..8fd5e18 100644
+--- a/poppler/PDFDoc.cc
++++ b/poppler/PDFDoc.cc
+@@ -626,7 +626,7 @@ int PDFDoc::savePageAs(GooString *name, int pageNo)
+ int keyLength;
+ xref->getEncryptionParameters(&fileKey, &encAlgorithm, &keyLength);
+
+- if (pageNo < 1 || pageNo > getNumPages()) {
++ if (pageNo < 1 || pageNo > getNumPages() || !getCatalog()->getPage(pageNo)) {
+ error(errInternal, -1, "Illegal pageNo: {0:d}({1:d})", pageNo, getNumPages() );
+ return errOpenFile;
+ }
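Review bot: In the guard of PDFDoc::savePageAs(), an in-range page that the catalog fails to load is now reported with the same "Illegal pageNo" message as an out-of-range number, so the log cannot tell a caller mistake from a damaged page tree in the input file. A separate branch would keep the two cases apart, for example `if (!getCatalog()->getPage(pageNo)) { error(errInternal, -1, "Failed to load page {0:d}", pageNo); return errOpenFile; }`. The result of getCatalog() is dereferenced unchecked; whether it can be NULL at this point is not visible in the hunk. savePageAs() starts before and continues past the lines shown.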
diff --git a/poppler-0.26.2-xref-getentry.patch b/poppler-0.26.2-xref-getentry.patch
new file mode 100644
index 0000000..1c8d80b
--- /dev/null
+++ b/poppler-0.26.2-xref-getentry.patch
@@ -0,0 +1,30 @@
+commit d6ea8acbb348fdb43601a963ba5407e933565003
+Author: Adrian Johnson <ajohnson at redneon.com>
+Date: Mon Nov 3 19:11:25 2014 +0100
+
+ fix crash in Xref::getEntry
+
+ Bug 85234
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 2560e3d..333f5ec 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1568,7 +1568,7 @@ GBool XRef::parseEntry(Goffset offset, XRefEntry *entry)
+ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+ {
+ std::vector<Goffset> followedPrev;
+- while (prevXRefOffset && (untilEntryNum == -1 || entries[untilEntryNum].type == xrefEntryNone)) {
++ while (prevXRefOffset && (untilEntryNum == -1 || (untilEntryNum < size && entries[untilEntryNum].type == xrefEntryNone))) {
+ bool followed = false;
+ for (size_t j = 0; j < followedPrev.size(); j++) {
+ if (followedPrev.at(j) == prevXRefOffset) {
+@@ -1606,7 +1606,7 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+
+ XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
+ {
+- if (entries[i].type == xrefEntryNone) {
++ if (i >= size || entries[i].type == xrefEntryNone) {
+
+ if ((!xRefStream) && mainXRefEntriesOffset) {
+ if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
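Review bot: In XRef::getEntry() the new `i >= size` test sends an out-of-range index into the branch whose first visible path still passes `&entries[i]` to parseEntry() when `!xRefStream && mainXRefEntriesOffset`. That path keeps handing out a pointer past the end of the table. Both new checks also test only the upper bound of an `int`, so a negative `i`, or a negative `untilEntryNum` other than the -1 sentinel in readXRefUntil(), still indexes before the array. Guard every use of `entries[i]` with `i >= 0 && i < size`, and use `untilEntryNum >= 0 && untilEntryNum < size` in the loop condition. What getEntry() should return for a rejected index depends on code after the hunk, which is not shown.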
diff --git a/poppler.spec b/poppler.spec
index 659f0cd..8a58ce2 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -1,7 +1,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.26.2
-Release: 5%{?dist}
+Release: 6%{?dist}
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
Group: Development/Libraries
URL: http://poppler.freedesktop.org/
@@ -10,6 +10,10 @@ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1164389
Patch0: poppler-0.26.2-pdfdetach.patch
+Patch1: poppler-0.26.2-fofitype1.patch
+Patch2: poppler-0.26.2-pdfdoc-getpage.patch
+Patch3: poppler-0.26.2-xref-getentry.patch
+
## upstreamable patches
# fix configure checks for moc versions
Patch50: poppler-0.24.2-mocversiongrep.patch
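Review bot: The new `Patch1`, `Patch2` and `Patch3` lines carry no comment, while `Patch0` directly above records its Bugzilla URL. A one-line comment per patch naming the upstream commit or bug would let a later rebase tell which fixes the new upstream release already contains. The patch headers give the needed details: commit f966b8766d40b2c912e69a1e17ef8cc4bd52be95 and bugs 85235 and 85234. For example, `# upstream commit f966b876: integer overflow in FoFiType1::parse` could sit above `Patch1`.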
@@ -150,7 +154,9 @@ Requires: %{name}-glib%{?_isa} = %{version}-%{release}
%prep
%setup -q
%patch0 -p1 -b .pdfdetach
-
+%patch1 -p1 -b .fofitype1
+%patch2 -p1 -b .pdfdoc-getpage
+%patch3 -p1 -b .xref-getentry
%patch50 -p1 -b .mocversiongrep
# hammer to nuke rpaths, recheck on new releases
@@ -293,6 +299,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%changelog
+* Fri Dec 12 2014 Marek Kasik <mkasik at redhat.com> - 0.26.2-6
+- Fix several crashers
+
* Fri Dec 12 2014 Marek Kasik <mkasik at redhat.com> - 0.26.2-5
- Fix crash when getPage() returns NULL
- Resolves: #1164389