[poppler/f19] Fix several crashers

mkasik mkasik at fedoraproject.org
Fri Dec 12 15:55:02 UTC 2014


commit d556d4e7cf549b283349a75230cb23222b760fa1
Author: Marek Kasik <mkasik at redhat.com>
Date:   Fri Dec 12 16:52:56 2014 +0100

    Fix several crashers

 poppler-0.22.1-fofitype1.patch      |   31 +++++++++++++++++++++++++++++++
 poppler-0.22.1-pdfdoc-getpage.patch |   21 +++++++++++++++++++++
 poppler-0.22.1-xref-getentry.patch  |   30 ++++++++++++++++++++++++++++++
 poppler.spec                        |   12 +++++++++++-
 4 files changed, 93 insertions(+), 1 deletions(-)
---
diff --git a/poppler-0.22.1-fofitype1.patch b/poppler-0.22.1-fofitype1.patch
new file mode 100644
index 0000000..216a3aa
--- /dev/null
+++ b/poppler-0.22.1-fofitype1.patch
@@ -0,0 +1,31 @@
+commit f966b8766d40b2c912e69a1e17ef8cc4bd52be95
+Author: Carlos Garcia Campos <carlosgc at gnome.org>
+Date:   Tue Oct 21 16:42:27 2014 +0200
+
+    fofi: Fix a crash when parsing an invalid font due to a integer overflow
+    
+    This fixes a crash rendering trust_metrics.f2495.f0.pdf.
+
+diff --git a/fofi/FoFiType1.cc b/fofi/FoFiType1.cc
+index 8fa10a0..2245184 100644
+--- a/fofi/FoFiType1.cc
++++ b/fofi/FoFiType1.cc
+@@ -263,7 +263,7 @@ void FoFiType1::parse() {
+ 	    } else {
+ 	      break;
+ 	    }
+-	    for (; *p >= '0' && *p < '0' + base; ++p) {
++	    for (; *p >= '0' && *p < '0' + base && code < INT_MAX / (base + (*p - '0')); ++p) {
+ 	      code = code * base + (*p - '0');
+ 	    }
+ 	    for (; *p == ' ' || *p == '\t'; ++p) ;
+--- a/poppler/Error.h
++++ b/poppler/Error.h
+@@ -33,6 +33,7 @@
+ 
+ #include <stdarg.h>
+ #include "poppler-config.h"
++#include "goo/GooString.h"
+ 
+ enum ErrorCategory {
+   errSyntaxWarning,    // PDF syntax error which can be worked around;
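Review bot: The new loop guard in FoFiType1::parse() stops accumulating before `code` can overflow, but it silently truncates an oversized number instead of rejecting it. When `code < INT_MAX / (base + (*p - '0'))` fails, `p` is left on an unconsumed digit, the whitespace skip on the next line does nothing, and whatever follows (outside this hunk) sees a partial value. The bound is also tighter than needed; the exact test is `code <= (INT_MAX - (*p - '0')) / base`. After the loop, a check such as `if (*p >= '0' && *p < '0' + base) break;` would treat the entry as invalid, assuming `break` is the right bail-out here, as in the `else` branch above. The patch does not show an include that declares `INT_MAX` in FoFiType1.cc, so confirm `<limits.h>` is pulled in; the unrelated `Error.h` include change also deserves a line in the patch description.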
diff --git a/poppler-0.22.1-pdfdoc-getpage.patch b/poppler-0.22.1-pdfdoc-getpage.patch
new file mode 100644
index 0000000..880079d
--- /dev/null
+++ b/poppler-0.22.1-pdfdoc-getpage.patch
@@ -0,0 +1,21 @@
+commit ee4a389872d86b619c677888da8f13f1f6c54472
+Author: Adrian Johnson <ajohnson at redneon.com>
+Date:   Mon Oct 20 22:32:30 2014 +1030
+
+    PDFDoc: fix crash when getPage() returns NULL
+    
+    Bug 85235
+
+diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
+index d1b5d7b..8fd5e18 100644
+--- a/poppler/PDFDoc.cc
++++ b/poppler/PDFDoc.cc
+@@ -626,7 +626,7 @@ int PDFDoc::savePageAs(GooString *name, int pageNo)
+   int keyLength;
+   xref->getEncryptionParameters(&fileKey, &encAlgorithm, &keyLength);
+ 
+-  if (pageNo < 1 || pageNo > getNumPages()) {
++  if (pageNo < 1 || pageNo > getNumPages() || !getCatalog()->getPage(pageNo)) {
+     error(errInternal, -1, "Illegal pageNo: {0:d}({1:d})", pageNo, getNumPages() );
+     return errOpenFile;
+   }
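Review bot: Folding `!getCatalog()->getPage(pageNo)` into the range check means a page that failed to load from a damaged file is reported as "Illegal pageNo" with a number that is in range, which is misleading when triaging malformed-PDF reports. A separate branch with its own message would keep the two cases apart, e.g. `error(errInternal, -1, "Page {0:d} could not be loaded", pageNo);` followed by the same `return errOpenFile;`. The added call also dereferences `getCatalog()` unchecked; if that can be NULL for a broken document (not visible here), it needs the same guard. The rest of savePageAs() lies outside the hunk, so any later `getPage()` call there should be checked to confirm it reuses this validated result.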
diff --git a/poppler-0.22.1-xref-getentry.patch b/poppler-0.22.1-xref-getentry.patch
new file mode 100644
index 0000000..785230e
--- /dev/null
+++ b/poppler-0.22.1-xref-getentry.patch
@@ -0,0 +1,30 @@
+commit d6ea8acbb348fdb43601a963ba5407e933565003
+Author: Adrian Johnson <ajohnson at redneon.com>
+Date:   Mon Nov 3 19:11:25 2014 +0100
+
+    fix crash in Xref::getEntry
+    
+    Bug 85234
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 2560e3d..333f5ec 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1568,7 +1568,7 @@ GBool XRef::parseEntry(Goffset offset, XRefEntry *entry)
+ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+ {
+   std::vector<Guint> followedPrev;
+-  while (prevXRefOffset && (untilEntryNum == -1 || entries[untilEntryNum].type == xrefEntryNone)) {
++  while (prevXRefOffset && (untilEntryNum == -1 || (untilEntryNum < size && entries[untilEntryNum].type == xrefEntryNone))) {
+     bool followed = false;
+     for (size_t j = 0; j < followedPrev.size(); j++) {
+       if (followedPrev.at(j) == prevXRefOffset) {
+@@ -1606,7 +1606,7 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+ 
+ XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
+ {
+-  if (entries[i].type == xrefEntryNone) {
++  if (i >= size || entries[i].type == xrefEntryNone) {
+ 
+     if ((!xRefStream) && mainXRefEntriesOffset) {
+       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
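Review bot: In XRef::getEntry() the new `i >= size` test avoids the out-of-range read in the condition, but it then enters the branch that passes `&entries[i]` to `parseEntry()` two lines later. For a non-stream xref with `mainXRefEntriesOffset` set, an index past the table is therefore still handed out as a write target, unless code outside this hunk resizes `entries` first. Neither changed condition has a lower bound: a negative `i`, or an `untilEntryNum` below -1 in readXRefUntil(), still indexes before the array. I would reject the index up front with `if (i < 0 || i >= size)` before any `entries[i]` use in that branch, and use `untilEntryNum >= 0 && untilEntryNum < size` in the loop condition. `20*i` is also computed in `int` and can overflow for large object numbers taken from the file; widening it first, as in `mainXRefEntriesOffset + 20 * (Goffset)i`, avoids that.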
diff --git a/poppler.spec b/poppler.spec
index df1c149..7bd4ca1 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -1,7 +1,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.22.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 Group: Development/Libraries
 URL:     http://poppler.freedesktop.org/
@@ -22,6 +22,10 @@ Patch3: poppler-0.22.1-CVE-2013-4474.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1164389
 Patch4: poppler-0.22.1-pdfdetach.patch
 
+Patch5: poppler-0.22.1-fofitype1.patch
+Patch6: poppler-0.22.1-pdfdoc-getpage.patch
+Patch7: poppler-0.22.1-xref-getentry.patch
+
 Requires: poppler-data >= 0.4.0
 BuildRequires: automake libtool
 BuildRequires: gettext-devel
@@ -140,6 +144,9 @@ Requires: %{name}-glib%{?_isa} = %{version}-%{release}
 %patch2 -p1 -b .CVE-2013-4473
 %patch3 -p1 -b .CVE-2013-4474
 %patch4 -p1 -b .pdfdetach
+%patch5 -p1 -b .fofitype1
+%patch6 -p1 -b .pdfdoc-getpage
+%patch7 -p1 -b .xref-getentry
 
 iconv -f iso-8859-1 -t utf-8 < "utils/pdftohtml.1" > "utils/pdftohtml.1.utf8"
 mv "utils/pdftohtml.1.utf8" "utils/pdftohtml.1"
@@ -262,6 +269,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 
 
 %changelog
+* Fri Dec 12 2014 Marek Kasik <mkasik at redhat.com> 0.22.1-7
+- Fix several crashers
+
 * Fri Dec 12 2014 Marek Kasik <mkasik at redhat.com> 0.22.1-6
 - Fix crash when getPage() returns NULL
 - Resolves: #1164389

