23090948 problem in LIBRARY/POPPLER
author Rich Burridge <rich.burridge@oracle.com>
Tue, 12 Apr 2016 16:11:03 -0700
changeset 5754 6ededfcf5619
parent 5753 dbbcee61d77f
child 5755 041717cfc591
components/desktop/poppler/patches/poppler-09-heap-overflow.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/desktop/poppler/patches/poppler-09-heap-overflow.patch	Tue Apr 12 16:11:03 2016 -0700
@@ -0,0 +1,24 @@
+Fix for heap overflow problem reported on the oss-security mailing list
+on 11th April 2016. The poppler library is used in evince and okular and
+for preview in nautilus. Versions pre 0.40.0 are vulnerable.
+
+Fix is commited upstream. See:
+
+https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433
+
+This patch intentionally adjusted (i.e. "errSyntaxError," removed) to compile
+with the prehistoric version of poppler that we currently have.
+
+--- poppler-0.14.4/poppler/Function.cc.orig	2016-04-12 06:57:55.110746573 -0700
++++ poppler-0.14.4/poppler/Function.cc	2016-04-12 07:19:00.683035273 -0700
+@@ -472,6 +472,10 @@
+       goto err2;
+     }
+     n = obj1.arrayGetLength();
++    if (unlikely(n > funcMaxOutputs)) {
++      error(-1, "Function's C0 array is wrong length");
++      n = funcMaxOutputs;
++    }
+     for (i = 0; i < n; ++i) {
+       obj1.arrayGet(i, &obj2);
+       if (!obj2.isNum()) {
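Review bot: In the block added after `n = obj1.arrayGetLength();`, an oversized C0 array is logged and then clamped to `funcMaxOutputs`, so parsing continues with a truncated array, whereas the check visible just above it ends in `goto err2;`. The clamp does bound the `for (i = 0; i < n; ++i)` loop, but please state in the patch header that clamp-and-continue is deliberate and follows the upstream commit, so a later reader does not mistake it for an oversight. The hunk also calls `unlikely()` without adding an include. Since the header says the patch was adjusted to build against 0.14.4, confirm that the macro is already available to Function.cc in that version. Minor: "commited" in the header should read "committed", and a CVE or bug reference next to the oss-security mention would make the fix easier to track.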