poppler (0.8.7-3) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix CVE-2009-3603 to CVE-2009-3609, CVE-2009-0755. Based on patches
by Marc Deslauriers
* Fix CVE-2009-3938
-- Moritz Muehlenhoff <jmm@debian.org> Tue, 24 Nov 2009 21:54:26 +0100
poppler (0.8.7-2) stable; urgency=high
* 11_JBIG2_CVEs.patch: backport several fixes related to parsing of
broken JBIG2 files.
CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180,
CVE-2009-1181, CVE-2009-1182, CVE-2009-1183, CVE-2009-1187,
CVE-2009-1188.
-- Josselin Mouette <joss@debian.org> Fri, 17 Apr 2009 11:07:07 +0200
poppler (0.8.7-1) unstable; urgency=low
* Bump up Standards-Version to 3.8.0.
#
# Description: fix denial of service via invalid Form Opt entry
# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=1fc342eadcbbb41302f190b215c5daf23c9ec9b1
# Ubuntu: https://bugs.edge.launchpad.net/poppler/+bug/321764
# Upstream: http://bugs.freedesktop.org/show_bug.cgi?id=19790
# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518478
#
diff -Nur -x '*.orig' -x '*~' poppler-0.8.7/poppler/Form.cc poppler-0.8.7.new/poppler/Form.cc
--- poppler-0.8.7/poppler/Form.cc 2008-07-25 18:23:10.000000000 -0400
+++ poppler-0.8.7.new/poppler/Form.cc 2009-10-19 07:52:40.000000000 -0400
@@ -446,7 +446,9 @@
obj3.free();
obj4.free();
} else {
- error(-1, "FormWidgetChoice:: invalid Opt entry\n");
+ error(-1, "FormWidgetChoice:: invalid %d Opt entry\n", i);
+ parent->_setChoiceExportVal(i, new GooString(""));
+ parent->_setChoiceOptionName(i, new GooString(""));
}
obj2.free();
}
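Review bot: The two added `_setChoice...` calls carry no comment, so a reader of the else branch cannot tell why an invalid Opt entry is given empty strings instead of being skipped; a line such as `// fill slot i so later readers of the export/option arrays never see a NULL entry` (hedged, since those readers are outside this hunk) records the intent. The `%d` added to the error message is presumably the option index; `invalid Opt entry %d` would read more naturally than `invalid %d Opt entry`. The enclosing function starts before the hunk.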
diff -Naur poppler-0.8.7.orig/poppler/Stream.cc poppler-0.8.7/poppler/Stream.cc
--- poppler-0.8.7.orig/poppler/Stream.cc 2008-06-07 01:05:52.000000000 +0000
+++ poppler-0.8.7/poppler/Stream.cc 2009-11-24 21:27:45.000000000 +0000
@@ -381,6 +381,10 @@
} else {
imgLineSize = nVals;
}
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
imgIdx = nVals;
}
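Review bot: The new guard uses `INT_MAX`, but unlike the Splash.cc and SplashBitmap.cc hunks below this hunk adds no `#include <limits.h>`; if Stream.cc does not already include it, the backport will not build. The guard also divides by `nComps` with no zero check, and `nVals` (already used as the line size in the context lines) was presumably computed from `width * nComps` before this point outside the hunk, so any overflow has already happened when the check runs; moving the check ahead of that multiplication and writing it as `if (nComps <= 0 || width > INT_MAX / nComps) {` closes both gaps. The comment's reliance on `gmallocn(-1, ...)` raising an error is a property of gmallocn that belongs where gmallocn is defined. The enclosing constructor starts before the hunk.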
diff -Naur poppler-0.8.7.orig/poppler/XRef.cc poppler-0.8.7/poppler/XRef.cc
--- poppler-0.8.7.orig/poppler/XRef.cc 2008-07-25 21:08:11.000000000 +0000
+++ poppler-0.8.7/poppler/XRef.cc 2009-11-24 21:27:45.000000000 +0000
@@ -57,6 +57,8 @@
// generation 0.
ObjectStream(XRef *xref, int objStrNumA);
+ GBool isOk() { return ok; }
+
~ObjectStream();
// Return the object number of this object stream.
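Review bot: `isOk()` only reads the `ok` member yet is declared non-const, so it cannot be called through a `const ObjectStream *`; declare it `GBool isOk() const { return ok; }`. A short comment on what the flag means would help too, e.g. `// gTrue only once the constructor parsed the whole stream (the err1 path leaves it gFalse)`, since the flag is set at the very end of the constructor in a later hunk.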
@@ -72,6 +74,7 @@
int nObjects; // number of objects in the stream
Object *objs; // the objects (length = nObjects)
int *objNums; // the object numbers (length = nObjects)
+ GBool ok;
};
ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -85,6 +88,7 @@
nObjects = 0;
objs = NULL;
objNums = NULL;
+ ok = gFalse;
if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
goto err1;
@@ -110,8 +114,11 @@
goto err1;
}
- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
- error(-1, "Invalid 'nObjects'");
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
goto err1;
}
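Review bot: `1000000` is a bare magic number in the new check; the comment explains it, but a named constant next to the class (e.g. `objStreamMaxObjects`) would make the limit greppable and let the error message and the check stay in sync. The check also accepts negative `nObjects`; the `goto err1` just above suggests an earlier validity test, but that is outside the hunk, and if `nObjects <= 0` is not rejected there the later `new Object[nObjects]` receives a negative count, so `if (nObjects <= 0 || nObjects > 1000000) {` is self-contained. The enclosing constructor starts and ends outside the hunk.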
@@ -171,10 +178,10 @@
}
gfree(offsets);
+ ok = gTrue;
err1:
objStr.free();
- return;
}
ObjectStream::~ObjectStream() {
@@ -927,6 +934,11 @@
delete objStr;
}
objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
}
objStr->getObject(e->gen, num, obj);
break;
diff -Naur poppler-0.8.7.orig/splash/Splash.cc poppler-0.8.7/splash/Splash.cc
--- poppler-0.8.7.orig/splash/Splash.cc 2009-11-24 21:27:24.000000000 +0000
+++ poppler-0.8.7/splash/Splash.cc 2009-11-24 21:27:45.000000000 +0000
@@ -12,6 +12,7 @@
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashMath.h"
@@ -1986,6 +1987,9 @@
xq = w % scaledWidth;
// allocate pixel buffer
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
// initialize the pixel pipe
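Review bot: The guard added before `gmallocn((yp + 1), w)` has no comment, and `yp > INT_MAX - 1` is an oblique way of writing `yp == INT_MAX`; a one-liner such as `// yp + 1 below must not overflow; gmallocn checks the product but not this sum` makes the intent explicit. The identical guard appears in the next hunk before the `colorBuf` allocation, so a tiny inline helper, or at least the same comment in both places, would keep them from drifting apart. Whether anything allocated earlier in the function needs releasing before the new early return cannot be seen from the hunk; the enclosing function starts before it.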
@@ -2286,6 +2290,9 @@
xq = w % scaledWidth;
// allocate pixel buffers
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
if (srcAlpha) {
alphaBuf = (Guchar *)gmallocn((yp + 1), w);
diff -Naur poppler-0.8.7.orig/splash/SplashBitmap.cc poppler-0.8.7/splash/SplashBitmap.cc
--- poppler-0.8.7.orig/splash/SplashBitmap.cc 2009-11-24 21:27:24.000000000 +0000
+++ poppler-0.8.7/splash/SplashBitmap.cc 2009-11-24 21:29:51.000000000 +0000
@@ -11,6 +11,7 @@
#endif
#include <stdio.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
@@ -27,26 +28,48 @@
mode = modeA;
switch (mode) {
case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeRGB8:
case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeXBGR8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#endif
}
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
data = (SplashColorPtr)gmalloc(rowSize * height);
if (!topDown) {
data += (height - 1) * rowSize;
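Review bot: The new width guards leave `gmalloc(rowSize * height)` untouched, so a valid `rowSize` with a large `height` still overflows `int` before the allocation, and a negative `height` multiplied by the sentinel `-1` becomes a positive size. Since this same patch already relies on `gmallocn` in Stream.cc and Splash.cc, `data = (SplashColorPtr)gmallocn(rowSize, height);` delegates the product check to that helper (assuming it validates the product as its use elsewhere in the patch suggests). The five `rowSize = -1` branches could be collapsed into a single `if (width <= 0) rowSize = -1;` after the switch, and `rowSize += rowPad - 1` can itself overflow when `rowSize` is close to `INT_MAX`. The enclosing constructor starts before the hunk.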
diff -Naur poppler-0.8.7.orig/splash/SplashErrorCodes.h poppler-0.8.7/splash/SplashErrorCodes.h
--- poppler-0.8.7.orig/splash/SplashErrorCodes.h 2008-03-26 19:38:52.000000000 +0000
+++ poppler-0.8.7/splash/SplashErrorCodes.h 2009-11-24 21:27:45.000000000 +0000
@@ -27,6 +27,8 @@
#define splashErrSingularMatrix 8 // matrix is singular
-#define splashErrZeroImage 9 // image of 0x0
+#define splashErrBadArg 9 // bad argument
+
+#define splashErrZeroImage 254 // image of 0x0
#endif
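Review bot: `splashErrZeroImage` changes value from 9 to 254 and 9 is reassigned to the new `splashErrBadArg`, so any code compiled against the old header that compares a return code with 9 now silently sees a different condition; in a stable-security update, appending `splashErrBadArg` as a fresh value would have avoided altering an existing one. If the renumbering is deliberate to follow upstream numbering, record that next to the definition, e.g. `// numbering follows upstream; splashErrZeroImage moved from 9 to 254`.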
Index: poppler-0.12.0/poppler/ABWOutputDev.cc
===================================================================
--- poppler-0.12.0.orig/poppler/ABWOutputDev.cc
+++ poppler-0.8.7/poppler/ABWOutputDev.cc
@@ -20,6 +20,7 @@
#include <stdarg.h>
#include <stddef.h>
#include <ctype.h>
+#include <float.h>
#include <math.h>
#include "goo/GooString.h"
#include "goo/GooList.h"
@@ -36,6 +37,23 @@
#include <libxml/xpath.h>
#include <libxml/xpathInternals.h>
+#define MAX(a, b) (((a) > (b)) ? (a) : (b))
+
+// 1: potential -
+// DBL_MAX_10_EXP: 10^x
+// 1: last digit before '.'
+// 1: '.'
+// 6: digits after '.'
+// 1: '\0' at the end
+#define BUFLEN_FOR_DOUBLE (1 + DBL_MAX_10_EXP + 1 + 1 + 6 + 1)
+
+// potential -, INT_MAX is 2147483647, and the trailing '\0'
+#define BUFLEN_FOR_INT (1 + 10 + 1)
+
+//I wouldn't know what size this should safely be. I guess 64 bytes should be
+//enough for any unicode character
+#define BUFLEN_FOR_UNICODE_CHAR 64
+
// Inter-character space width which will cause addChar to start a new
// word.
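Review bot: `#define MAX(a, b)` at file scope in a .cc file can collide with a `MAX` macro already supplied by a system or project header, producing a redefinition warning or error; guard it with `#ifndef MAX` or give it a file-specific name such as `ABW_MAX`. The file header above mixes `poppler-0.12.0` in the `Index:` and `---` lines with `poppler-0.8.7` in the `+++` line, which suggests these hunks were lifted from a newer tree and should be checked line by line against the 0.8.7 sources.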
@@ -157,7 +175,7 @@ void ABWOutputDev::splitNodes(float spli
xmlNodePtr N_move, N_cur, N_newH, N_newL;
char * propName;
const char *nodeName;
- char buf[20];
+ char buf[BUFLEN_FOR_DOUBLE];
if (direction == HORIZONTAL) {
propName = "Y1";
nodeName = "horizontal";
@@ -261,7 +279,7 @@ float ABWOutputDev::getBiggestSeperator(
}
void ABWOutputDev::updateFont(GfxState *state) {
- char buf[160];
+ char buf[BUFLEN_FOR_INT];
xmlNodePtr N_cur;
GfxFont *font;
bool found = false;
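Review bot: `buf` in `updateFont` shrinks from 160 to `BUFLEN_FOR_INT` (12) bytes, but every write into it happens after the hunk ends, so the hunk alone does not establish that only a single `int` is ever formatted there; this needs to be confirmed against the full function body before merging. Recording the assumption at the declaration, `char buf[BUFLEN_FOR_INT]; // holds a single %d only`, would keep a future edit from reintroducing a longer format. The function continues past the hunk.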
@@ -341,9 +359,7 @@ void ABWOutputDev::drawChar(GfxState *st
double originX, double originY,
CharCode code, int nBytes, Unicode *u, int uLen)
{
- //I wouldn't know what size this should safely be. I guess 64 bytes should be
- //enough for any unicode character
- char buf[64];
+ char buf[BUFLEN_FOR_UNICODE_CHAR];
int charLen;
x = dx;
y = dy;
@@ -401,7 +417,7 @@ void ABWOutputDev::endString(GfxState *s
}
void ABWOutputDev::beginWord(GfxState *state, double x, double y){
- char buf[20];
+ char buf[MAX(BUFLEN_FOR_INT, BUFLEN_FOR_DOUBLE)];
// printf("***BREAK!***\n");
endWord();
X1 = x;
@@ -421,7 +437,7 @@ void ABWOutputDev::beginWord(GfxState *s
}
void ABWOutputDev::endWord(){
- char buf[20];
+ char buf[BUFLEN_FOR_DOUBLE];
if (N_word) {
sprintf(buf, "%f", X2); xmlNewProp(N_word, BAD_CAST "X2", BAD_CAST buf);
sprintf(buf, "%f", Y2); xmlNewProp(N_word, BAD_CAST "Y2", BAD_CAST buf);
@@ -618,7 +634,7 @@ void ABWOutputDev::cleanUpNode(xmlNodePt
double tX1=-1, tX2=-1, tY1=-1, tY2=-1;
xmlNodePtr N_cur, N_next;
N_cur = N_parent->children;
- char buf[20];
+ char buf[MAX(BUFLEN_FOR_INT, BUFLEN_FOR_DOUBLE)];
int prevStyle = -1;
xmlChar *val;
int styleLength = xmlLsCountNode(N_styleset)+1;
@@ -995,16 +1011,22 @@ void ABWOutputDev::createABW() {
//change styles to abiword format
xmlNodePtr N_cur, N_next;
xmlAttrPtr N_prop;
- char buf[500];
for (N_cur = N_styleset->children; N_cur; N_cur = N_cur->next){
+ char *font = (char *)xmlGetProp(N_cur,BAD_CAST "font");
+ char *bold = (char *)xmlGetProp(N_cur,BAD_CAST "bold");
+ char *italic = (char *)xmlGetProp(N_cur,BAD_CAST "italic");
+ char buf[278 + BUFLEN_FOR_INT + 12 + strlen(font) + 1 + 12 + strlen(bold) + 1 + 12 + strlen(italic) + 1];
+
sprintf(buf,"margin-top:0pt; color:000000; margin-left:0pt; text-position:normal; widows:2; text-indent:0in; font-variant:normal; margin-right:0pt; lang:nl-NL; line-height:1.0; font-size:%dpt; text-decoration:none; margin-bottom:0pt; bgcolor:transparent; text-align:left; font-stretch:normal;",int(xmlXPathCastStringToNumber(xmlGetProp(N_cur,BAD_CAST "size"))));
strncat(buf,"font-family:",12);
- strncat(buf,(char *)xmlGetProp(N_cur,BAD_CAST "font"),strlen((char *)xmlGetProp(N_cur,BAD_CAST "font")));
+ strncat(buf,font,strlen(font));
strncat(buf,";",1);
strncat(buf,"font-weight:",12);
- strncat(buf,(char *)xmlGetProp(N_cur,BAD_CAST "bold"),strlen((char *)xmlGetProp(N_cur,BAD_CAST "bold")));
+ strncat(buf,bold,strlen(bold));
+ strncat(buf,";",1);
strncat(buf,"font-style:",12);
- strncat(buf,(char *)xmlGetProp(N_cur,BAD_CAST "italic"),strlen((char *)xmlGetProp(N_cur,BAD_CAST "italic")));
+ strncat(buf,italic,strlen(italic));
+ strncat(buf,";",1);
xmlSetProp(N_cur, BAD_CAST "props", BAD_CAST buf);
N_prop = xmlHasProp(N_cur, BAD_CAST "id");
if (N_prop != NULL) xmlRemoveProp(N_prop);
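Review bot: `char buf[278 + BUFLEN_FOR_INT + ... + strlen(font) + ...]` is a variable-length array, which standard C++ does not provide (a GCC extension), and it passes `font`, `bold` and `italic` to `strlen` without a NULL check even though `xmlGetProp` returns NULL when the attribute is absent; the hand-counted 278 also has to track the format literal byte for byte. The `strncat(buf, font, strlen(font))` calls bound the copy by the source length, so they are plain `strcat` with no protection, and the three `xmlGetProp` results are never passed to `xmlFree` in the loop body shown (perhaps later, but the body ends at `xmlSetProp`). A measured `snprintf` into a heap buffer removes the VLA, the hand counting and the NULL dereference, as sketched below (needs `<vector>`). The same non-constant bound recurs in the last `transformPage` hunk, `char buf[strlen("columns:") + BUFLEN_FOR_INT]`, where `sizeof("columns:") - 1 + BUFLEN_FOR_INT` is a true constant expression.
```cpp
for (N_cur = N_styleset->children; N_cur; N_cur = N_cur->next){
  char *font = (char *)xmlGetProp(N_cur,BAD_CAST "font");
  char *bold = (char *)xmlGetProp(N_cur,BAD_CAST "bold");
  char *italic = (char *)xmlGetProp(N_cur,BAD_CAST "italic");
  // an absent attribute yields NULL: substitute "" so nothing below dereferences it
  const char *fontS = font ? font : "";
  const char *boldS = bold ? bold : "";
  const char *italicS = italic ? italic : "";
  int fontSize = int(xmlXPathCastStringToNumber(xmlGetProp(N_cur,BAD_CAST "size")));
  // one format string for the whole value, so the length is measured rather than hand-counted
  const char *fmt = "margin-top:0pt; color:000000; margin-left:0pt; text-position:normal; widows:2; text-indent:0in; font-variant:normal; margin-right:0pt; lang:nl-NL; line-height:1.0; font-size:%dpt; text-decoration:none; margin-bottom:0pt; bgcolor:transparent; text-align:left; font-stretch:normal;font-family:%s;font-weight:%s;font-style:%s;";
  int len = snprintf(NULL, 0, fmt, fontSize, fontS, boldS, italicS);
  std::vector<char> buf(len + 1);
  snprintf(&buf[0], buf.size(), fmt, fontSize, fontS, boldS, italicS);
  xmlSetProp(N_cur, BAD_CAST "props", BAD_CAST &buf[0]);
  xmlFree(font);
  xmlFree(bold);
  xmlFree(italic);
  // … unchanged: id attribute removal …
```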
@@ -1036,7 +1058,6 @@ void ABWOutputDev::createABW() {
}
void ABWOutputDev::transformPage(xmlNodePtr N_parent){
- char buf[60];
xmlNodePtr N_cur, N_curLine, N_curText, N_curWord, text, space;
//translate the nodes into abiword nodes
if (xmlStrcasecmp(N_parent->name,BAD_CAST "page") == 0){
@@ -1085,6 +1106,7 @@ void ABWOutputDev::transformPage(xmlNode
xmlNewChild(N_text, NULL, BAD_CAST "cbr", NULL);
}
if (xmlStrcasecmp(N_parent->name,BAD_CAST "colset") == 0){
+ char buf[strlen("columns:") + BUFLEN_FOR_INT];
//fprintf(stderr,"Found a colset\n");
//create new section columns: count childNodes of N_cur
//recurse through chunks and create textNodes