poppler (0.12.4-1.2+squeeze1) stable; urgency=low
* Add myself as uploader.
* Fix CVE-2010-0206.
* Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
* Fix CVE-2010-4653; patch adapted to include object.h instead
of goo/GooLikely.h (non-existent in poppler 0.12.x).
* Backport upstream commits 7ba15d11e56175601104d125d5e4a47619c224bf and
55940e989701eb9118015e30f4f48eb654fa34c4 to fix GooString::insert;
patch upstream_fix-GooString-insert.diff. (Closes: #693817)
* Correctly initialize PSOutputDev::fontFileNameLen and
PSOutputDev::psFileNames; patch psoutputdev-initialize-vars.diff.
(Closes: #699421)
-- Pino Toscano <pino@debian.org> Thu, 14 Feb 2013 13:05:25 +0100
poppler (0.12.4-1.2) unstable; urgency=medium poppler (0.12.4-1.2) unstable; urgency=medium
* Non-maintainer upload by the Security Team * Non-maintainer upload by the Security Team
...@@ -4,7 +4,8 @@ Priority: optional ...@@ -4,7 +4,8 @@ Priority: optional
Maintainer: Loic Minier <lool@dooz.org> Maintainer: Loic Minier <lool@dooz.org>
Uploaders: Josselin Mouette <joss@debian.org>, Uploaders: Josselin Mouette <joss@debian.org>,
Dave Beckett <dajobe@debian.org>, Dave Beckett <dajobe@debian.org>,
Ross Burton <ross@debian.org> Ross Burton <ross@debian.org>,
Pino Toscano <pino@debian.org>
Build-Depends: cdbs (>= 0.4.52), Build-Depends: cdbs (>= 0.4.52),
debhelper (>= 5), debhelper (>= 5),
quilt, quilt,
From 30ea3ab8a1eecafb3366aef193910098fdb7ccc8 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 25 May 2010 23:07:56 +0100
Subject: [PATCH] Fix crash when parsing pdf in bug 28170
This code is a can of crashing worms :-7
---
poppler/JBIG2Stream.cc | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 97994bd..f16ad58 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -742,13 +742,18 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
Guint xx, yy;
slice = new JBIG2Bitmap(0, wA, hA);
- slice->clearToZero();
- for (yy = 0; yy < hA; ++yy) {
- for (xx = 0; xx < wA; ++xx) {
- if (getPixel(x + xx, y + yy)) {
- slice->setPixel(xx, yy);
+ if (slice->isOk()) {
+ slice->clearToZero();
+ for (yy = 0; yy < hA; ++yy) {
+ for (xx = 0; xx < wA; ++xx) {
+ if (getPixel(x + xx, y + yy)) {
+ slice->setPixel(xx, yy);
+ }
}
}
+ } else {
+ delete slice;
+ slice = NULL;
}
return slice;
}
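Review bot: getSlice() can now return NULL when the freshly allocated bitmap fails `isOk()`, but nothing at the definition tells callers about the new contract. The only null check visible in this patch is the one added in readGenericRefinementRegionSeg; any other call site that dereferences the result lies outside the visible hunks and needs the same guard, otherwise the crash just moves from here into the caller. I would add a comment above the function, for example `// Returns NULL if the slice bitmap could not be allocated; callers must check.` The opening lines of getSlice are outside the hunk.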
@@ -3224,8 +3229,12 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint segNum, GBool imm,
// store the region bitmap
} else {
- bitmap->setSegNum(segNum);
- segments->append(bitmap);
+ if (bitmap) {
+ bitmap->setSegNum(segNum);
+ segments->append(bitmap);
+ } else {
+ error(curStr->getPos(), "readGenericRefinementRegionSeg with null bitmap");
+ }
}
// delete the referenced bitmap
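Review bot: The new `if (bitmap)` test protects only the store branch after `} else {`. The branch before it is outside the hunk, and if it also uses `bitmap` (presumably the immediate-combine path selected by `imm`) it needs the same protection. Hoisting the test so that it wraps both branches, while still falling through to the cleanup under `// delete the referenced bitmap`, would cover every use with one check and one error message.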
--
1.7.10
Author: Albert Astals Cid <aacid@kde.org>
Author: Pino Toscano <pino@debian.org>
Description: Do not follow loops blindly
Fixes CVE-2010-0207.
.
Patch modified by keeping the readXRef and refXRefTable versions without the
additional GooVector parameter to avoid breaking API and ABI, and using
operator[int] instead of at(int) with GooVector, as the former does not exist
in 0.12.x.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=28172
Applied-Upstream: commit:9eda6e8aaae412a9882141d1b5b8c7bf0c823c68
Last-Update: 2012-06-27
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -15,7 +15,7 @@
//
// Copyright (C) 2005 Dan Sheridan <dan.sheridan@postman.org.uk>
// Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
// Copyright (C) 2009 Ilya Gorenbein <igorenbein@finjan.com>
@@ -267,7 +267,8 @@ XRef::XRef(BaseStream *strA) {
// read the xref table
} else {
- while (readXRef(&pos)) ;
+ GooVector<Guint> followedXRefStm;
+ while (readXRef(&pos, &followedXRefStm)) ;
// if there was a problem with the xref table,
// try to reconstruct it
@@ -347,6 +348,11 @@ Guint XRef::getStartXref() {
// Read one xref table section. Also reads the associated trailer
// dictionary, and returns the prev pointer (if any).
GBool XRef::readXRef(Guint *pos) {
+ GooVector<Guint> followedXRefStm;
+ return readXRef(pos, &followedXRefStm);
+}
+
+GBool XRef::readXRef(Guint *pos, GooVector<Guint> *followedXRefStm) {
Parser *parser;
Object obj;
GBool more;
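Review bot: The one-argument readXRef() kept for API/ABI compatibility starts from an empty `followedXRefStm` on every call, so loop detection never spans two calls made through it, and the code does not say so. A short comment on the wrapper would record the limitation, for example `// Compatibility overload: starts a fresh visited list, so loops are only detected within this call.` The same applies to the one-argument readXRefTable() wrapper added in the hunk at `@@ -396,6 +402,11 @@`.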
@@ -362,7 +368,7 @@ GBool XRef::readXRef(Guint *pos) {
// parse an old-style xref table
if (obj.isCmd("xref")) {
obj.free();
- more = readXRefTable(parser, pos);
+ more = readXRefTable(parser, pos, followedXRefStm);
// parse an xref stream
} else if (obj.isInt()) {
@@ -396,6 +402,11 @@ GBool XRef::readXRef(Guint *pos) {
}
GBool XRef::readXRefTable(Parser *parser, Guint *pos) {
+ GooVector<Guint> followedXRefStm;
+ return readXRefTable(parser, pos, &followedXRefStm);
+}
+
+GBool XRef::readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm) {
XRefEntry entry;
GBool more;
Object obj, obj2;
@@ -509,7 +520,15 @@ GBool XRef::readXRefTable(Parser *parser
// check for an 'XRefStm' key
if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
pos2 = (Guint)obj2.getInt();
- readXRef(&pos2);
+ for (uint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i) {
+ if ((*followedXRefStm)[i] == pos2) {
+ ok = gFalse;
+ }
+ }
+ if (ok) {
+ followedXRefStm->push_back(pos2);
+ readXRef(&pos2, followedXRefStm);
+ }
if (!ok) {
obj2.free();
goto err1;
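Review bot: Only offsets taken from the `XRefStm` key are recorded and checked in `followedXRefStm`. The `pos` value that drives `while (readXRef(&pos, &followedXRefStm))` in the constructor is never added to the list in the visible hunks, so a cycle through that chain depends on checks outside this patch, which is worth confirming. Separately, `uint` is not a standard C++ type and the surrounding code uses `Guint`; `for (Guint i = 0; ok == gTrue && i < followedXRefStm->size(); ++i)` would match the file and avoid relying on a platform typedef. The body of readXRefTable starts and ends outside this hunk.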
--- a/poppler/XRef.h
+++ b/poppler/XRef.h
@@ -14,7 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
-// Copyright (C) 2006, 2008 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008, 2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
//
@@ -31,6 +31,7 @@
#endif
#include "goo/gtypes.h"
+#include "goo/GooVector.h"
#include "Object.h"
class Dict;
@@ -157,7 +158,9 @@ private:
Guint getStartXref();
GBool readXRef(Guint *pos);
+ GBool readXRef(Guint *pos, GooVector<Guint> *followedXRefStm);
GBool readXRefTable(Parser *parser, Guint *pos);
+ GBool readXRefTable(Parser *parser, Guint *pos, GooVector<Guint> *followedXRefStm);
GBool readXRefStreamSection(Stream *xrefStr, int *w, int first, int n);
GBool readXRefStream(Stream *xrefStr, Guint *pos);
GBool constructXRef();
From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 2 Nov 2010 19:14:34 +0000
Subject: [PATCH] Fix crash in broken documents
mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
that is not what you wanted
---
poppler/CharCodeToUnicode.cc | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
index 1835ddd..3cfa402 100644
--- a/poppler/CharCodeToUnicode.cc
+++ b/poppler/CharCodeToUnicode.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Koji Otani <sho@bbr.jp>
// Copyright (C) 2008 Michael Vrable <mvrable@cs.ucsd.edu>
@@ -36,6 +36,7 @@
#include <string.h>
#include "goo/gmem.h"
#include "goo/gfile.h"
+#include "Object.h"
#include "goo/GooString.h"
#include "Error.h"
#include "GlobalParams.h"
@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
if (code >= mapLen) {
oldLen = mapLen;
mapLen = (code + 256) & ~255;
- map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
- for (i = oldLen; i < mapLen; ++i) {
- map[i] = 0;
- }
+ if (unlikely(code >= mapLen)) {
+ error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
+ return;
+ } else {
+ map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+ for (i = oldLen; i < mapLen; ++i) {
+ map[i] = 0;
+ }
+ }
}
if (n <= 4) {
if (sscanf(uStr, "%x", &u) != 1) {
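Review bot: On the rejection path `mapLen` has already been overwritten with the wrapped value, so the early `return` leaves `mapLen` out of step with the size `map` was actually allocated with. A later call would then take `oldLen` from that stale value and appear to re-zero or shrink the existing table. Restoring the field keeps the object consistent: add `mapLen = oldLen;` just above `return;`, or compute the rounded length into a local and assign `mapLen` only after the check passes. addMapping continues past the end of the hunk.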
--
1.7.10
Author: Pino Toscano <pino@debian.org>
Description: initialize PSOutputDev::fontFileNameLen and PSOutputDev::psFileNames
Avoid crashing in ~PSOutputDev when the PSOutputDev instance is not "ok".
Applied-Upstream: not-needed
Last-Update: 2013-01-31
Bug-Debian: http://bugs.debian.org/699421
--- a/poppler/PSOutputDev.cc
+++ b/poppler/PSOutputDev.cc
@@ -1012,6 +1012,7 @@ PSOutputDev::PSOutputDev(const char *fil
fontIDs = NULL;
fontFileIDs = NULL;
fontFileNames = NULL;
+ fontFileNameLen = 0;
font8Info = NULL;
font16Enc = NULL;
imgIDs = NULL;
@@ -1022,6 +1023,7 @@ PSOutputDev::PSOutputDev(const char *fil
haveTextClip = gFalse;
haveCSPattern = gFalse;
t3String = NULL;
+ psFileNames = NULL;
forceRasterize = forceRasterizeA;
@@ -1077,6 +1079,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
fontIDs = NULL;
fontFileIDs = NULL;
fontFileNames = NULL;
+ fontFileNameLen = 0;
font8Info = NULL;
font16Enc = NULL;
imgIDs = NULL;
@@ -1087,6 +1090,7 @@ PSOutputDev::PSOutputDev(PSOutputFunc ou
haveTextClip = gFalse;
haveCSPattern = gFalse;
t3String = NULL;
+ psFileNames = NULL;
forceRasterize = forceRasterizeA;
01_revert_abi_change.patch 01_revert_abi_change.patch
02_autohinting_abi_compatibility.patch 02_autohinting_abi_compatibility.patch
03_CVE-2009-3938.patch 03_CVE-2009-3938.patch
04_security.patch 04_security.patch
\ No newline at end of file 05_CVE-2010-0206.patch
06_CVE-2010-0207.patch
07_CVE-2010-4653.patch
upstream_fix-GooString-insert.diff
psoutputdev-initialize-vars.diff
Author: Pino Toscano <pino@kde.org>
Description: fix GooString::insert
Applied-Upstream: 0.21.3, commit:7ba15d11e56175601104d125d5e4a47619c224bf, commit:55940e989701eb9118015e30f4f48eb654fa34c4
Last-Update: 2012-11-27
Bug-Debian: http://bugs.debian.org/693817
--- a/goo/GooString.cc
+++ b/goo/GooString.cc
@@ -640,14 +640,12 @@ GooString *GooString::insert(int i, GooS
}
GooString *GooString::insert(int i, const char *str, int lengthA) {
- int j;
int prevLen = length;
if (CALC_STRING_LEN == lengthA)
lengthA = strlen(str);
resize(length + lengthA);
- for (j = prevLen; j >= i; --j)
- s[j+lengthA] = s[j];
+ memmove(s+i+lengthA, s+i, prevLen-i);
memcpy(s+i, str, lengthA);
return this;
}
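Review bot: `prevLen-i` is an `int` passed as the size argument of memmove, so an `i` greater than the current length makes the count negative and therefore a very large unsigned value, where the removed loop simply did not run. Nothing in the visible function range-checks `i`, and a negative `i` is likewise unchecked. Unless every caller guarantees `0 <= i <= length`, a guard is needed before `resize()`, e.g. `if (i < 0 || i > prevLen) return this;`. Also, the old loop moved the terminating NUL at `s[prevLen]` and the memmove does not, so the result stays terminated only if `resize()` writes the terminator, which should be confirmed.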