fix CVE-2022-27337

(cherry picked from commit c6fdb5586bdf99dbc885685a5daac654e29ccd24)
2023-03-14 11:06:58 +00:00 · 2023-03-14 11:06:58 +00:00 · 1813352619
commit 1813352619
parent b1a91e8c31
2 changed files with 73 additions and 1 deletions
--- a/backport-CVE-2022-27337.patch
+++ b/backport-CVE-2022-27337.patch
@ -0,0 +1,68 @@
+From 81044c64b9ed9a10ae82a28bac753060bdfdac74 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 15 Mar 2022 15:14:32 +0100
+Subject: [PATCH] Hints::readTables: bail out if we run out of file when
+ reading
+
+Fixes #1230
+
+Reference:https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74
+Conflict:NA
+
+---
+ poppler/Hints.cc | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/Hints.cc b/poppler/Hints.cc
+index 03e0f7e..90b8dee 100644
+--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
+@@ -5,7 +5,7 @@
+ // This file is licensed under the GPLv2 or later
+ //
+ // Copyright 2010, 2012 Hib Eris <hib@hiberis.nl>
+-// Copyright 2010, 2011, 2013, 2014, 2016-2019 Albert Astals Cid <aacid@kde.org>
+// Copyright 2010, 2011, 2013, 2014, 2016-2019, 2021, 2022 Albert Astals Cid <aacid@kde.org>
+ // Copyright 2010, 2013 Pino Toscano <pino@kde.org>
+ // Copyright 2013 Adrian Johnson <ajohnson@redneon.com>
+ // Copyright 2014 Fabio D'Urso <fabiodurso@hotmail.it>
+@@ -195,17 +195,31 @@ void Hints::readTables(BaseStream *str, Linearization *linearization, XRef *xref
+   char *p = &buf[0];
+ 
+   if (hintsOffset && hintsLength) {
+-    Stream *s = str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull));
+    std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull)));
+     s->reset();
+-    for (unsigned int i=0; i < hintsLength; i++) { *p++ = s->getChar(); }
+-    delete s;
+    for (unsigned int i=0; i < hintsLength; i++) {
+            const int c = s->getChar();
+            if (unlikely(c == EOF)) {
+                error(errSyntaxWarning, -1, "Found EOF while reading hints");
+                ok = false;
+                return;
+            }
+            *p++ = c;
+        }
+   }
+ 
+   if (hintsOffset2 && hintsLength2) {
+-    Stream *s = str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull));
+    std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull)));
+     s->reset();
+-    for (unsigned int i=0; i < hintsLength2; i++) { *p++ = s->getChar(); }
+-    delete s;
+    for (unsigned int i=0; i < hintsLength2; i++) {
+            const int c = s->getChar();
+            if (unlikely(c == EOF)) {
+                error(errSyntaxWarning, -1, "Found EOF while reading hints2");
+                ok = false;
+                return;
+            }
+            *p++ = c;
+        }
+   }
+ 
+   MemStream *memStream = new MemStream (&buf[0], 0, bufLength, Object(objNull));
+-- 
+2.27.0
--- a/poppler.spec
+++ b/poppler.spec
@ -4,7 +4,7 @@
 Summary:        PDF rendering library
 Name:           poppler
 Version:        0.90.0
-Release:        3
+Release:        4
 License:        (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:            http://poppler.freedesktop.org/
 Source0:        http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -16,6 +16,7 @@ Patch7:         poppler-0.90.0-position-independent-code.patch
 Patch8:         %{name}-gcc11.patch

 Patch6001:	backport-CVE-2022-38784.patch
+Patch6002:	backport-CVE-2022-27337.patch

 BuildRequires:  cmake
 BuildRequires:  gcc-c++
@ -234,6 +235,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*

 %changelog
+* Tue Mar 14 2023 zhangpan <zhangpan103@h-partners.com> - 0.90.0-4
+- fix CVE-2022-37337
+
 * Tue Sep 06 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 0.90.0-3
 - fix CVE-2022-38784