Commit dbaefba7 authored by Pino Toscano's avatar Pino Toscano

fix CVE-2010-0207

patch adapted to be API-/ABI-compatible
parent b5024f64
......@@ -2,6 +2,7 @@ poppler (0.12.4-1.2+squeeze1) UNRELEASED; urgency=low
* Non-maintainer upload.
* Fix CVE-2010-0206.
* Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
-- Pino Toscano <pino@debian.org> Wed, 27 Jun 2012 18:36:18 +0200
......
Author: Albert Astals Cid <aacid@kde.org>
Author: Pino Toscano <pino@debian.org>
Description: Do not follow loops blindly
Fixes CVE-2010-0207.
.
Patch modified by keeping the readXRef and refXRefTable versions without the
additional GooVector parameter to avoi breaking API and ABI.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
Last-Update: 2012-06-27
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -15,7 +15,7 @@
//
// Copyright (C) 2005 Dan Sheridan <dan.sheridan@postman.org.uk>
// Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
// Copyright (C) 2009 Ilya Gorenbein <igorenbein@finjan.com>
@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
// read the xref table
} else {
- while (readXRef(&pos)) ;
+ GooVector<Guint> followedXRefStm;
+ while (readXRef(&pos, &followedXRefStm)) ;
// if there was a problem with the xref table,
// try to reconstruct it
@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
// Read one xref table section. Also reads the associated trailer
// dictionary, and returns the prev pointer (if any).
GBool XRef::readXRef(Guint *pos) {
+ GooVector<Guint> followedXRefStm;
+ return readXRef(pos, &followedXRefStm);
+}
+
+GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
Parser *parser;
Object obj;
GBool more;
@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
// parse an old-style xref table
if (obj.isCmd("xref")) {
obj.free();
- more = readXRefTable(parser, pos);
+ more = readXRefTable(parser, pos, followedXRefStm);
// parse an xref stream
} else if (obj.isInt()) {
@@ -395,7 +401,12 @@ GBool XRef::readXRef(Guint *pos) {
return gFalse;
}
-GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
+GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
+ GooVector<Guint> followedXRefStm;
+ return readXRefTable(parser, pos, &followedXRefStm);
+}
+
+GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
XRefEntry entry;
GBool more;
Object obj, obj2;
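Review bot: The compatibility wrapper for `readXRefTable` is written with the new three-argument signature, so as shown this hunk defines `XRef::readXRefTable(Parser *, Guint *, GooVector<Guint> *)` twice and leaves the two-argument overload that XRef.h still declares without a definition. The wrapper's local `GooVector<Guint> followedXRefStm;` also redeclares its own parameter, and the call inside it names the same three-argument function rather than a different overload. Following the pattern this patch uses for `readXRef`, the old signature line should stay as context instead of being removed and replaced: `GBool XRef::readXRefTable(Parser *parser, Guint *pos) {`, followed by the two wrapper lines and `}`. The body of the second definition continues outside the hunk.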
@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
// check for an 'XRefStm' key
if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
pos2 = (Guint)obj2.getInt();
- readXRef(&pos2);
+ for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
+ if (followedXRefStm->at(i) == pos2) {
+ ok = gFalse;
+ }
+ }
+ if (ok) {
+ followedXRefStm->push_back(pos2);
+ readXRef(&pos2, followedXRefStm);
+ }
if (!ok) {
obj2.free();
goto err1;
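Review bot: The counter in the added `for` loop is typed `uint`, which is not a standard C++ type and only exists where a system header happens to typedef it; the surrounding code uses `Guint`, so `for (Guint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {` would be consistent and portable. A short comment above the loop would help the next reader, for example `// an XRefStm offset seen before means a reference loop; treat the table as damaged`. Only XRefStm offsets are recorded in `followedXRefStm`; whether the Prev chain walked by `while (readXRef(&pos, &followedXRefStm)) ;` in the constructor is guarded against revisiting an offset cannot be told from these hunks and is worth confirming. readXRefTable's body starts and ends outside the hunk.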
--- a/poppler/XRef.h
+++ b/poppler/XRef.h
@@ -14,7 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
//
@@ -31,6 +31,7 @@
#endif
#include "goo/gtypes.h"
+#include "goo/GooVector.h"
#include "Object.h"
class Dict;
@@ -157,7 +158,9 @@ private:
Guint getStartXref();
GBool readXRef(Guint *pos);
+ GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
GBool readXRefTable(Parser *parser, Guint *pos);
+ GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
GBool readXRefStream(Stream *xrefStr, Guint *pos);
GBool constructXRef();
......@@ -3,3 +3,4 @@
03_CVE-2009-3938.patch
04_security.patch
05_CVE-2010-0206.patch
06_CVE-2010-0207.patch