|
1 Patch taken from the Desktop consolidation. |
|
2 See BugDB CR #16768440 |
|
3 Forward port 16680850 to 12.0 - CVE-2013-1788 CVE-2013-1790 Multiple poppler vul |
|
4 for more details. |
|
5 |
|
6 This problem has already been fixed upstream. |
|
7 |
|
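--- a/poppler-0.14.4/splash/Splash.cc
+++ b/poppler-0.14.4/splash/Splash.cc
@@ -1467,11 +1467,14 @@ SplashPath *Splash::makeDashedPath(Splas
 lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
 lineDashStartOn = gTrue;
 lineDashStartIdx = 0;
- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
 lineDashStartOn = !lineDashStartOn;
 lineDashStartPhase -= state->lineDash[lineDashStartIdx];
 ++lineDashStartIdx;
 }
+ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
+ return new SplashPath();
+ }
 
 dPath = new SplashPath();
 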
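Review bot: The early return added after the loop in makeDashedPath, `if (unlikely(lineDashStartIdx == state->lineDashLength))`, has no comment saying how the index can run off the end of the dash array or why an empty path is the intended result. A line such as `// phase never landed inside a dash entry (presumably rounding or a non-finite lineDash value): return an empty path instead of indexing past lineDash[]` would record the reason for the guard. The function continues outside the hunk, so any later indexing of `state->lineDash` in the rest of the body is not visible here and should be checked for the same bound. Callers now receive an empty `SplashPath` on this path; presumably they already tolerate that, but it is worth confirming.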
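--- a/poppler-0.14.4/poppler/Function.cc
+++ b/poppler-0.14.4/poppler/Function.cc
@@ -13,7 +13,7 @@
 // All changes made under the Poppler project to this file are licensed
 // under GPL version 2 or later
 //
-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <[email protected]>
+// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <[email protected]>
 // Copyright (C) 2006 Jeff Muizelaar <[email protected]>
 //
 // To see a description of the changes please see the Changelog file that
@@ -982,6 +982,10 @@ void PSStack::copy(int n) {
 error(-1, "Stack underflow in PostScript function");
 return;
 }
+ if (unlikely(sp - n > psStackSize)) {
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
 if (!checkOverflow(n)) {
 return;
 }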
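Review bot: The added guard in PSStack::copy evaluates `sp - n` in signed `int` arithmetic, so a sufficiently negative `n` makes the subtraction itself overflow before the comparison can reject it. Assuming `sp` always stays within `[0, psStackSize]` (its declaration is outside the hunk), the same test can be written without the overflow as `if (unlikely(n < sp - psStackSize)) {`. The new branch also reuses the exact message of the check above it, whose condition lies outside the hunk, so the two failures cannot be told apart in a log; a distinct message for the negative-count case would help triage. The first hunk in this file only updates a copyright year.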
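--- a/poppler-0.14.4/poppler/Stream.cc
+++ b/poppler-0.14.4/poppler/Stream.cc
@@ -14,7 +14,7 @@
 // under GPL version 2 or later
 //
 // Copyright (C) 2005 Jeff Muizelaar <[email protected]>
-// Copyright (C) 2006-2009 Albert Astals Cid <[email protected]>
+// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid <[email protected]>
 // Copyright (C) 2007 Krzysztof Kowalczyk <[email protected]>
 // Copyright (C) 2008 Julien Rebetez <[email protected]>
 // Copyright (C) 2009 Carlos Garcia Campos <[email protected]>
@@ -1579,8 +1579,9 @@ int CCITTFaxStream::lookChar() {
 for (i = 0; codingLine[i] < columns; ++i) {
 refLine[i] = codingLine[i];
 }
- refLine[i++] = columns;
- refLine[i] = columns;
+ for (; i < columns + 2; ++i) {
+ refLine[i] = columns;
+ }
 codingLine[0] = 0;
 a0i = 0;
 b1i = 0;
@@ -2116,7 +2117,8 @@ GBool CCITTFaxStream::isBinary(GBool las
 
 // clip [-256,511] --> [0,255]
 #define dctClipOffset 256
-static Guchar dctClip[768];
+#define dctClipLength 768
+static Guchar dctClip[dctClipLength];
 static int dctClipInit = 0;
 
 // zig zag decode map
@@ -3062,7 +3064,12 @@ void DCTStream::transformDataUnit(Gushor
 
 // convert to 8-bit integers
 for (i = 0; i < 64; ++i) {
- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
+ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
+ if (unlikely(ix < 0 || ix >= dctClipLength)) {
+ dataOut[i] = 0;
+ } else {
+ dataOut[i] = dctClip[ix];
+ }
 }
 }
 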
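Review bot: The copy loop at the top of the CCITTFaxStream::lookChar hunk, `for (i = 0; codingLine[i] < columns; ++i)`, still has no bound on `i`. It stops only when `codingLine` happens to hold an entry that is at least `columns`, so a line decoded from a damaged stream could carry both the read from `codingLine` and the write to `refLine` past their buffers. Bounding it the same way as the new fill loop, `for (i = 0; i < columns && codingLine[i] < columns; ++i) {`, closes that gap. The allocations of `refLine` and `codingLine` are outside the hunk, so it cannot be confirmed from here that `refLine` really has `columns + 2` elements as the new fill loop assumes. lookChar starts and ends outside the hunk.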