
10 Commits

Author SHA1 Message Date
openeuler-ci-bot
380a08b52b
!77 [sync] PR-73: Fix infinite looping in cvtGlyph with broken files
From: @openeuler-sync-bot 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
2023-11-30 01:44:52 +00:00
xiongyi
9cb3641fee Fix infinite looping in cvtGlyph with broken files
Signed-off-by: xiongyi <xiongyi@uniontech.com>
(cherry picked from commit fbd46f08e3129e5a9d900f06cdeccafda0a98e4c)
2023-11-29 16:24:57 +08:00
openeuler-ci-bot
f248e2442c
!68 [sync] PR-65: fix CVE-2022-37050,CVE-2022-37051,CVE-2022-37052,CVE-2022-38349,CVE-2020-23804
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-08-31 08:38:02 +00:00
zhouwenpei
66ca6a7f90 fix CVE-2022-37050,CVE-2022-37051,CVE-2022-37052,CVE-2022-38349
(cherry picked from commit e17a8adea9404ab8c90fc5bb575e8210d1a36d6e)
2023-08-30 19:51:27 +08:00
openeuler-ci-bot
990ab80ea3
!58 [sync] PR-56: fix changelog error
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-05-29 02:54:56 +00:00
zhangpan
18192d1e69 fix changelog error
(cherry picked from commit 14d6c9be10b9eff28c76464ce2e6ac68ab9ca886)
2023-05-29 09:06:44 +08:00
openeuler-ci-bot
e17188bf2a
!52 [sync] PR-47: fix CVE-2022-37337
From: @openeuler-sync-bot 
Reviewed-by: @yanan-rock 
Signed-off-by: @yanan-rock
2023-03-15 07:22:37 +00:00
zhangpan
1813352619 fix CVE-2022-27337
(cherry picked from commit c6fdb5586bdf99dbc885685a5daac654e29ccd24)
2023-03-15 14:23:56 +08:00
openeuler-ci-bot
b1a91e8c31
!44 [sync] PR-42: fix CVE-2022-38784
From: @openeuler-sync-bot 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2022-09-07 01:51:58 +00:00
zhouwenpei
dbdbcc6cc7 fix CVE-2022-38784
(cherry picked from commit 50b19e39852bbb1373e762c39161038b8719d978)
2022-09-07 09:25:41 +08:00
9 changed files with 671 additions and 22 deletions


@ -0,0 +1,37 @@
From ec8a43c8df29fdd6f1228276160898ccd9401c92 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 4 Jul 2020 00:08:55 +0200
Subject: [PATCH] Fix stack overflow with specially crafted files
The file is not malformed per se, it just has a huge XRefStm chain
and we end up exhausting the stack space trying to parse them all.
Having more than 4096 XRefStm seems like won't really happen on real
life so break the flow at that point
Fixes #936
---
poppler/XRef.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 5943bdd..fe8936e 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -633,6 +633,12 @@ bool XRef::readXRefTable(Parser *parser, Goffset *pos, std::vector<Goffset> *fol
ok = false;
}
}
+ // Arbitrary limit because otherwise we exhaust the stack
+ // calling readXRef + readXRefTable
+ if (followedXRefStm->size() > 4096) {
+ error(errSyntaxError, -1, "File has more than 4096 XRefStm, aborting");
+ ok = false;
+ }
if (ok) {
followedXRefStm->push_back(pos2);
readXRef(&pos2, followedXRefStm, xrefStreamObjsNum);
--
2.33.0
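Review bot: The guard added in XRef::readXRefTable hard-codes 4096 twice, once in the comparison and once in the error message, and its comment does not say what stack budget that figure assumes. A named constant such as `static constexpr size_t maxFollowedXRefStm = 4096;`, with a comment that each followed XRefStm costs one readXRef + readXRefTable frame pair, would keep the two in sync and give embedders that parse on small-stack threads one place to lower it. The function body starts and ends outside the hunk, so these lines do not show whether `ok = false` fails the whole xref read or only stops following the chain; the comment should state which is intended.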


@ -0,0 +1,110 @@
From 182914fd1e41183282630675594c255e519f580a Mon Sep 17 00:00:00 2001
From: xiongyi <xiongyi@uniontech.com>
Date: Wed, 29 Nov 2023 14:29:46 +0800
Subject: [PATCH] backport-CVE-2020-36023
Signed-off-by: xiongyi <xiongyi@uniontech.com>
---
fofi/FoFiType1C.cc | 20 +++++++++++++++-----
fofi/FoFiType1C.h | 4 +++-
2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
index 9a39063..c8241f2 100644
--- a/fofi/FoFiType1C.cc
+++ b/fofi/FoFiType1C.cc
@@ -551,8 +551,9 @@ void FoFiType1C::convertToCIDType0(const char *psName, const int *codeMap, int n
if (!ok) {
subrIdx.pos = -1;
}
+ std::set<int> offsetBeingParsed;
cvtGlyph(val.pos, val.len, charStrings,
- &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], true);
+ &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], true, offsetBeingParsed);
}
}
}
@@ -1183,7 +1184,8 @@ void FoFiType1C::eexecCvtGlyph(Type1CEexecBuf *eb, const char *glyphName,
// generate the charstring
charBuf = new GooString();
- cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, true);
+ std::set<int> offsetBeingParsed;
+ cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, true, offsetBeingParsed);
buf = GooString::format("/{0:s} {1:d} RD ", glyphName, charBuf->getLength());
eexecWrite(eb, buf->c_str());
@@ -1197,7 +1199,7 @@ void FoFiType1C::eexecCvtGlyph(Type1CEexecBuf *eb, const char *glyphName,
void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
const Type1CIndex *subrIdx, const Type1CPrivateDict *pDict,
- bool top) {
+ bool top, std::set<int> &offsetBeingParsed) {
Type1CIndexVal val;
bool ok, dFP;
double d, dx, dy;
@@ -1205,6 +1207,12 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
unsigned char byte;
int pos, subrBias, start, i, k;
+ if (offsetBeingParsed.find(offset) != offsetBeingParsed.end()) {
+ return;
+ }
+
+ auto offsetEmplaceResult = offsetBeingParsed.emplace(offset);
+
start = charBuf->getLength();
if (top) {
charBuf->append('\x49'); //73;
@@ -1362,7 +1370,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
ok = true;
getIndexVal(subrIdx, k, &val, &ok);
if (likely(ok && val.pos != offset)) {
- cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false);
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false, offsetBeingParsed);
}
} else {
//~ error(-1, "Too few args to Type 2 callsubr");
@@ -1597,7 +1605,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
ok = true;
getIndexVal(&gsubrIdx, k, &val, &ok);
if (likely(ok && val.pos != offset)) {
- cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false);
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false, offsetBeingParsed);
}
} else {
//~ error(-1, "Too few args to Type 2 callgsubr");
@@ -1825,6 +1833,8 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
r2 = (byte + r2) * 52845 + 22719;
}
}
+
+ offsetBeingParsed.erase(offsetEmplaceResult.first);
}
void FoFiType1C::cvtGlyphWidth(bool useOp, GooString *charBuf,
diff --git a/fofi/FoFiType1C.h b/fofi/FoFiType1C.h
index 067ab99..b1b48fe 100644
--- a/fofi/FoFiType1C.h
+++ b/fofi/FoFiType1C.h
@@ -27,6 +27,8 @@
#include "FoFiBase.h"
+#include <set>
+
class GooString;
//------------------------------------------------------------------------
@@ -210,7 +212,7 @@ private:
const Type1CPrivateDict *pDict);
void cvtGlyph(int offset, int nBytes, GooString *charBuf,
const Type1CIndex *subrIdx, const Type1CPrivateDict *pDict,
- bool top);
+ bool top, std::set<int> &offsetBeingParsed);
void cvtGlyphWidth(bool useOp, GooString *charBuf,
const Type1CPrivateDict *pDict);
void cvtNum(double x, bool isFP, GooString *charBuf) const;
--
2.33.0
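Review bot: In FoFiType1C::cvtGlyph the new offsetBeingParsed set stops a subroutine from re-entering itself, but it bounds recursion only by the number of distinct subroutine offsets, so unless a depth limit exists elsewhere in the function (most of the body is outside these hunks) a long acyclic callsubr/callgsubr chain still recurses as deep as the file dictates. The Type 2 charstring format limits subroutine nesting to 10 levels, so a cap beside the membership test, e.g. `if (offsetBeingParsed.size() > maxSubrNestingDepth) { return; }` with a named constant, would bound stack use independently of the input. The test and insertion can also share one lookup: `const auto offsetEmplaceResult = offsetBeingParsed.emplace(offset); if (!offsetEmplaceResult.second) { return; }`. The erase sits only at the very end of the function, so any early return between the emplace and the erase would leave the offset marked and silently skip later legitimate calls; a small scope guard would make that robust.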


@ -0,0 +1,68 @@
From 81044c64b9ed9a10ae82a28bac753060bdfdac74 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 15 Mar 2022 15:14:32 +0100
Subject: [PATCH] Hints::readTables: bail out if we run out of file when
reading
Fixes #1230
Reference:https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74
Conflict:NA
---
poppler/Hints.cc | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/poppler/Hints.cc b/poppler/Hints.cc
index 03e0f7e..90b8dee 100644
--- a/poppler/Hints.cc
+++ b/poppler/Hints.cc
@@ -5,7 +5,7 @@
// This file is licensed under the GPLv2 or later
//
// Copyright 2010, 2012 Hib Eris <hib@hiberis.nl>
-// Copyright 2010, 2011, 2013, 2014, 2016-2019 Albert Astals Cid <aacid@kde.org>
+// Copyright 2010, 2011, 2013, 2014, 2016-2019, 2021, 2022 Albert Astals Cid <aacid@kde.org>
// Copyright 2010, 2013 Pino Toscano <pino@kde.org>
// Copyright 2013 Adrian Johnson <ajohnson@redneon.com>
// Copyright 2014 Fabio D'Urso <fabiodurso@hotmail.it>
@@ -195,17 +195,31 @@ void Hints::readTables(BaseStream *str, Linearization *linearization, XRef *xref
char *p = &buf[0];
if (hintsOffset && hintsLength) {
- Stream *s = str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull));
+ std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull)));
s->reset();
- for (unsigned int i=0; i < hintsLength; i++) { *p++ = s->getChar(); }
- delete s;
+ for (unsigned int i=0; i < hintsLength; i++) {
+ const int c = s->getChar();
+ if (unlikely(c == EOF)) {
+ error(errSyntaxWarning, -1, "Found EOF while reading hints");
+ ok = false;
+ return;
+ }
+ *p++ = c;
+ }
}
if (hintsOffset2 && hintsLength2) {
- Stream *s = str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull));
+ std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull)));
s->reset();
- for (unsigned int i=0; i < hintsLength2; i++) { *p++ = s->getChar(); }
- delete s;
+ for (unsigned int i=0; i < hintsLength2; i++) {
+ const int c = s->getChar();
+ if (unlikely(c == EOF)) {
+ error(errSyntaxWarning, -1, "Found EOF while reading hints2");
+ ok = false;
+ return;
+ }
+ *p++ = c;
+ }
}
MemStream *memStream = new MemStream (&buf[0], 0, bufLength, Object(objNull));
--
2.27.0
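Review bot: Both copy loops in Hints::readTables still write through `*p++` for hintsLength and hintsLength2 iterations, and the allocation of buf is outside the hunk, so the patch relies on buf holding at least hintsLength + hintsLength2 bytes with that sum computed without unsigned wrap-around. If that is not already validated above the hunk, it should be checked before the loops, since both lengths come from the file. The two loops are now identical apart from the length and the message, so a file-local helper that reads n bytes into p and returns false on EOF would remove the duplication. The stored byte would also read better as `*p++ = static_cast<char>(c);` because c is an int.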


@ -0,0 +1,26 @@
From dcd5bd8238ea448addd102ff045badd0aca1b990 Mon Sep 17 00:00:00 2001
From: crt <chluo@cse.cuhk.edu.hk>
Date: Wed, 27 Jul 2022 08:40:02 +0000
Subject: [PATCH] pdfseparate: Check XRef's Catalog for being a Dict
---
poppler/PDFDoc.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
index 6e4b0f4..43de80e 100644
--- a/poppler/PDFDoc.cc
+++ b/poppler/PDFDoc.cc
@@ -948,6 +948,10 @@ int PDFDoc::savePageAs(const GooString *name, int pageNo)
// get and mark output intents etc.
Object catObj = getXRef()->getCatalog();
+ if (!catObj.isDict()) {
+ error(errSyntaxError, -1, "XRef's Catelog is not a dictionary");
+ return errOpenFile;
+ }
Dict *catDict = catObj.getDict();
Object pagesObj = catDict->lookup("Pages");
Object afObj = catDict->lookupNF("AcroForm").copy();
--
2.33.0
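Review bot: The new early return in PDFDoc::savePageAs releases nothing, whereas the later error path in the same function (the markPageObjects check added by the XRef::add patch on this page) runs `fclose(f); delete yRef; delete countRef; delete outStr;` before returning. The allocations are outside this hunk, but if they happen before this point the return leaks the file handle and three objects every time a file with a non-dictionary catalog is processed; the same four statements belong ahead of the `return`. The message also misspells Catalog as "Catelog", and `errOpenFile` reports a damaged input as an open failure where the later path uses `errDamaged`.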


@ -0,0 +1,46 @@
From 4631115647c1e4f0482ffe0491c2f38d2231337b Mon Sep 17 00:00:00 2001
From: crt <chluo@cse.cuhk.edu.hk>
Date: Fri, 29 Jul 2022 20:51:11 +0000
Subject: [PATCH] Check isDict before calling getDict
Issue #1276
---
utils/pdfunite.cc | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc
index a8116e3..9735096 100644
--- a/utils/pdfunite.cc
+++ b/utils/pdfunite.cc
@@ -210,6 +210,14 @@ int main (int argc, char *argv[])
Object ocObj;
if (docs.size() >= 1) {
Object catObj = docs[0]->getXRef()->getCatalog();
+ if(!catObj.isDict()){
+ fclose(f);
+ delete yRef;
+ delete countRef;
+ delete outStr;
+ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary.");
+ return -1;
+ }
Dict *catDict = catObj.getDict();
intents = catDict->lookup("OutputIntents");
afObj = catDict->lookupNF("AcroForm").copy();
@@ -310,6 +318,14 @@ int main (int argc, char *argv[])
}
}
Object pageCatObj = docs[i]->getXRef()->getCatalog();
+ if(!pageCatObj.isDict()){
+ fclose(f);
+ delete yRef;
+ delete countRef;
+ delete outStr;
+ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary.");
+ return -1;
+ }
Dict *pageCatDict = pageCatObj.getDict();
Object pageNames = pageCatDict->lookup("Names");
if (!pageNames.isNull() && pageNames.isDict()) {
--
2.33.0
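Review bot: The cleanup sequence `fclose(f); delete yRef; delete countRef; delete outStr;` is copied verbatim into both new checks in main, and a third copy arrives with the replacePageDict check in the later pdfunite patch on this page. Every further exit added to main has to remember the same list, which is how leaks on error paths creep in; holding yRef, countRef and outStr in `std::unique_ptr` and closing f through a small guard would shrink each check to the error call and `return -1;`. Neither path removes the output file that f was opened for, so a failed run may leave a truncated PDF behind; main's setup is outside the hunks, so confirm whether that is intended. The new `if(!catObj.isDict()){` lines also drop the spacing used by the neighbouring `if (docs.size() >= 1) {`.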


@ -0,0 +1,245 @@
From 8677500399fc2548fa816b619580c2c07915a98c Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Fri, 29 Jul 2022 23:28:35 +0200
Subject: [PATCH] pdfseparate: Account for XRef::add failing because we run out
of memory
Fixes #1278
---
poppler/PDFDoc.cc | 63 ++++++++++++++++++++++++++++++++++++-----------
poppler/PDFDoc.h | 6 ++---
poppler/XRef.cc | 11 +++++++--
poppler/XRef.h | 4 +--
4 files changed, 62 insertions(+), 22 deletions(-)
diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
index 43de80e..fcc17a4 100644
--- a/poppler/PDFDoc.cc
+++ b/poppler/PDFDoc.cc
@@ -962,7 +962,14 @@ int PDFDoc::savePageAs(const GooString *name, int pageNo)
Object resourcesObj = pagesDict->lookup("Resources");
if (resourcesObj.isDict())
markPageObjects(resourcesObj.getDict(), yRef, countRef, 0, refPage->num, rootNum + 2);
- markPageObjects(catDict, yRef, countRef, 0, refPage->num, rootNum + 2);
+ if (!markPageObjects(catDict, yRef, countRef, 0, refPage->num, rootNum + 2)) {
+ fclose(f);
+ delete yRef;
+ delete countRef;
+ delete outStr;
+ error(errSyntaxError, -1, "markPageObjects failed");
+ return errDamaged;
+ }
Dict *pageDict = page.getDict();
if (resourcesObj.isNull() && !pageDict->hasKey("Resources")) {
@@ -1681,7 +1688,7 @@ void PDFDoc::writeHeader(OutStream *outStr, int major, int minor)
outStr->printf("%%%c%c%c%c\n", 0xE2, 0xE3, 0xCF, 0xD3);
}
-void PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
+bool PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
{
bool deleteSet = false;
if (!alreadyMarkedDicts) {
@@ -1692,7 +1699,7 @@ void PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, unsigned
if (alreadyMarkedDicts->find(dict) != alreadyMarkedDicts->end()) {
error(errSyntaxWarning, -1, "PDFDoc::markDictionnary: Found recursive dicts");
if (deleteSet) delete alreadyMarkedDicts;
- return;
+ return true;
} else {
alreadyMarkedDicts->insert(dict);
}
@@ -1701,7 +1708,10 @@ void PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, unsigned
const char *key = dict->getKey(i);
if (strcmp(key, "Annots") != 0) {
Object obj1 = dict->getValNF(i).copy();
- markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ const bool success = markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ if (unlikely(!success)) {
+ return false;
+ }
} else {
Object annotsObj = dict->getValNF(i).copy();
if (!annotsObj.isNull()) {
@@ -1713,9 +1723,11 @@ void PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, unsigned
if (deleteSet) {
delete alreadyMarkedDicts;
}
+
+ return true;
}
-void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
+bool PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
{
Array *array;
@@ -1724,25 +1736,37 @@ void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int n
array = obj->getArray();
for (int i=0; i<array->getLength(); i++) {
Object obj1 = array->getNF(i).copy();
- markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ const bool success = markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ if (unlikely(!success)) {
+ return false;
+ }
}
break;
- case objDict:
- markDictionnary (obj->getDict(), xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
- break;
+ case objDict: {
+ const bool success = markDictionnary(obj->getDict(), xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ if (unlikely(!success)) {
+ return false;
+ }
+ } break;
case objStream:
{
Stream *stream = obj->getStream();
- markDictionnary (stream->getDict(), xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ const bool success = markDictionnary(stream->getDict(), xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ if (unlikely(!success)) {
+ return false;
+ }
}
break;
case objRef:
{
if (obj->getRef().num + (int) numOffset >= xRef->getNumObjects() || xRef->getEntry(obj->getRef().num + numOffset)->type == xrefEntryFree) {
if (getXRef()->getEntry(obj->getRef().num)->type == xrefEntryFree) {
- return; // already marked as free => should be replaced
+ return true; // already marked as free => should be replaced
+ }
+ const bool success = xRef->add(obj->getRef().num + numOffset, obj->getRef().gen, 0, true);
+ if (unlikely(!success)) {
+ return false;
}
- xRef->add(obj->getRef().num + numOffset, obj->getRef().gen, 0, true);
if (getXRef()->getEntry(obj->getRef().num)->type == xrefEntryCompressed) {
xRef->getEntry(obj->getRef().num + numOffset)->type = xrefEntryCompressed;
}
@@ -1758,12 +1782,17 @@ void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int n
break;
}
Object obj1 = getXRef()->fetch(obj->getRef());
- markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum);
+ const bool success = markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum);
+ if (unlikely(!success)) {
+ return false;
+ }
}
break;
default:
break;
}
+
+ return true;
}
void PDFDoc::replacePageDict(int pageNo, int rotate,
@@ -1803,7 +1832,7 @@ void PDFDoc::replacePageDict(int pageNo, int rotate,
getXRef()->setModifiedObject(&page, *refPage);
}
-void PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
+bool PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
{
pageDict->remove("OpenAction");
pageDict->remove("Outlines");
@@ -1818,9 +1847,13 @@ void PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigne
strcmp(key, "Annots") != 0 &&
strcmp(key, "P") != 0 &&
strcmp(key, "Root") != 0) {
- markObject(&value, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ const bool success = markObject(&value, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ if (unlikely(!success)) {
+ return false;
+ }
}
}
+ return true;
}
bool PDFDoc::markAnnotations(Object *annotsObj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldPageNum, int newPageNum, std::set<Dict*> *alreadyMarkedDicts) {
diff --git a/poppler/PDFDoc.h b/poppler/PDFDoc.h
index 80b6d60..b504004 100644
--- a/poppler/PDFDoc.h
+++ b/poppler/PDFDoc.h
@@ -333,7 +333,7 @@ public:
// rewrite pageDict with MediaBox, CropBox and new page CTM
void replacePageDict(int pageNo, int rotate, const PDFRectangle *mediaBox, const PDFRectangle *cropBox);
- void markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
+ bool markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
bool markAnnotations(Object *annots, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldPageNum, int newPageNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
void markAcroForm(Object *afObj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum);
// write all objects used by pageDict to outStr
@@ -355,8 +355,8 @@ public:
private:
// insert referenced objects in XRef
- void markDictionnary (Dict* dict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts);
- void markObject (Object *obj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
+ bool markDictionnary (Dict* dict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts);
+ bool markObject (Object *obj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
static void writeDictionnary (Dict* dict, OutStream* outStr, XRef *xRef, unsigned int numOffset, unsigned char *fileKey,
CryptAlgorithm encAlgorithm, int keyLength, Ref ref, std::set<Dict*> *alreadyWrittenDicts);
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 9d6b80f..5943bdd 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -1298,11 +1298,17 @@ void XRef::add(Ref ref, Goffset offs, bool used)
add(ref.num, ref.gen, offs, used);
}
-void XRef::add(int num, int gen, Goffset offs, bool used) {
+bool XRef::add(int num, int gen, Goffset offs, bool used) {
xrefLocker();
if (num >= size) {
if (num >= capacity) {
- entries = (XRefEntry *)greallocn(entries, num + 1, sizeof(XRefEntry));
+ entries = (XRefEntry *)greallocn_checkoverflow(entries, num + 1, sizeof(XRefEntry));
+ if (unlikely(entries == nullptr)) {
+ size = 0;
+ capacity = 0;
+ return false;
+ }
+
capacity = num + 1;
}
for (int i = size; i < num + 1; ++i) {
@@ -1325,6 +1331,7 @@ void XRef::add(int num, int gen, Goffset offs, bool used) {
e->type = xrefEntryFree;
e->offset = 0;
}
+ return true;
}
void XRef::setModifiedObject (const Object* o, Ref r) {
diff --git a/poppler/XRef.h b/poppler/XRef.h
index 5c0238b..207f02a 100644
--- a/poppler/XRef.h
+++ b/poppler/XRef.h
@@ -14,7 +14,7 @@
// under GPL version 2 or later
//
// Copyright (C) 2005 Brad Hards <bradh@frogmouth.net>
-// Copyright (C) 2006, 2008, 2010-2013, 2017-2020 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008, 2010-2013, 2017-2022 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007-2008 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Carlos Garcia Campos <carlosgc@gnome.org>
// Copyright (C) 2010 Ilya Gorenbein <igorenbein@finjan.com>
@@ -196,7 +196,7 @@ public:
void setModifiedObject(const Object* o, Ref r);
Ref addIndirectObject (const Object* o);
void removeIndirectObject(Ref r);
- void add(int num, int gen, Goffset offs, bool used);
+ bool add(int num, int gen, Goffset offs, bool used);
void add(Ref ref, Goffset offs, bool used);
// Output XRef table to stream
--
2.33.0
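Review bot: In PDFDoc::markDictionnary the new `return false;` after a failed markObject skips the `if (deleteSet) delete alreadyMarkedDicts;` that the other visible exits of the function perform, so the set that is presumably allocated when the caller passes none is leaked on exactly the out-of-memory path this patch handles. Adding `if (deleteSet) { delete alreadyMarkedDicts; }` before that return fixes it. In savePageAs only the catDict call to markPageObjects is checked; the call on `resourcesObj.getDict()` two lines earlier still discards the new bool. The `void XRef::add(Ref ref, Goffset offs, bool used)` overload likewise still drops the result of the four-argument add, so its callers cannot see the failure.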


@ -0,0 +1,77 @@
From 4564a002bcb6094cc460bc0d5ddff9423fe6dd28 Mon Sep 17 00:00:00 2001
From: crt <chluo@cse.cuhk.edu.hk>
Date: Sat, 13 Aug 2022 16:53:11 +0000
Subject: [PATCH] pdfunite: Fix crash on broken files
---
poppler/PDFDoc.cc | 6 +++++-
poppler/PDFDoc.h | 2 +-
utils/pdfunite.cc | 11 ++++++++---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
index fcc17a4..7beabe1 100644
--- a/poppler/PDFDoc.cc
+++ b/poppler/PDFDoc.cc
@@ -1795,12 +1795,15 @@ bool PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int n
return true;
}
-void PDFDoc::replacePageDict(int pageNo, int rotate,
+bool PDFDoc::replacePageDict(int pageNo, int rotate,
const PDFRectangle *mediaBox,
const PDFRectangle *cropBox)
{
Ref *refPage = getCatalog()->getPageRef(pageNo);
Object page = getXRef()->fetch(*refPage);
+ if (!page.isDict()) {
+ return false;
+ }
Dict *pageDict = page.getDict();
pageDict->remove("MediaBoxssdf");
pageDict->remove("MediaBox");
@@ -1830,6 +1833,7 @@ void PDFDoc::replacePageDict(int pageNo, int rotate,
pageDict->add("TrimBox", std::move(trimBoxObject));
pageDict->add("Rotate", Object(rotate));
getXRef()->setModifiedObject(&page, *refPage);
+ return true;
}
bool PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts)
diff --git a/poppler/PDFDoc.h b/poppler/PDFDoc.h
index b504004..1295d8a 100644
--- a/poppler/PDFDoc.h
+++ b/poppler/PDFDoc.h
@@ -332,7 +332,7 @@ public:
void *getGUIData() { return guiData; }
// rewrite pageDict with MediaBox, CropBox and new page CTM
- void replacePageDict(int pageNo, int rotate, const PDFRectangle *mediaBox, const PDFRectangle *cropBox);
+ bool replacePageDict(int pageNo, int rotate, const PDFRectangle *mediaBox, const PDFRectangle *cropBox);
bool markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
bool markAnnotations(Object *annots, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldPageNum, int newPageNum, std::set<Dict*> *alreadyMarkedDicts = nullptr);
void markAcroForm(Object *afObj, XRef *xRef, XRef *countRef, unsigned int numOffset, int oldRefNum, int newRefNum);
diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc
index 9735096..60cd227 100644
--- a/utils/pdfunite.cc
+++ b/utils/pdfunite.cc
@@ -299,9 +299,14 @@ int main (int argc, char *argv[])
const PDFRectangle *cropBox = nullptr;
if (docs[i]->getCatalog()->getPage(j)->isCropped())
cropBox = docs[i]->getCatalog()->getPage(j)->getCropBox();
- docs[i]->replacePageDict(j,
- docs[i]->getCatalog()->getPage(j)->getRotate(),
- docs[i]->getCatalog()->getPage(j)->getMediaBox(), cropBox);
+ if (!docs[i]->replacePageDict(j, docs[i]->getCatalog()->getPage(j)->getRotate(), docs[i]->getCatalog()->getPage(j)->getMediaBox(), cropBox)) {
+ fclose(f);
+ delete yRef;
+ delete countRef;
+ delete outStr;
+ error(errSyntaxError, -1, "PDFDoc::replacePageDict failed.");
+ return -1;
+ }
Ref *refPage = docs[i]->getCatalog()->getPageRef(j);
Object page = docs[i]->getXRef()->fetch(*refPage);
Dict *pageDict = page.getDict();
--
2.33.0
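Review bot: PDFDoc::replacePageDict now reports failure, but the comment above its declaration in PDFDoc.h still reads only `// rewrite pageDict with MediaBox, CropBox and new page CTM`; it should add that the function returns false, before modifying anything, when the fetched page object is not a dictionary. It is a public member, so any caller other than pdfunite (none are visible on this page) will silently ignore the result unless updated. Inside the function `*refPage` is dereferenced before the new check and getPageRef's contract is not shown here; if it can return nullptr for a bad page number, an `if (!refPage) { return false; }` guard belongs ahead of the fetch.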


@ -0,0 +1,32 @@
From 27354e9d9696ee2bc063910a6c9a6b27c5184a52 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Thu, 25 Aug 2022 00:14:22 +0200
Subject: [PATCH] JBIG2Stream: Fix crash on broken file
https://github.com/jeffssh/CVE-2021-30860
Thanks to David Warren for the heads up
---
poppler/JBIG2Stream.cc | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index a861da2..0bd8305 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -2099,7 +2099,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
for (i = 0; i < nRefSegs; ++i) {
if ((seg = findSegment(refSegs[i]))) {
if (seg->getType() == jbig2SegSymbolDict) {
- numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
+ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
+ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+ return;
+ }
} else if (seg->getType() == jbig2SegCodeTable) {
codeTables->push_back(seg);
}
--
1.8.3.1
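Review bot: The new `return;` in JBIG2Stream::readTextRegionSeg exits from inside the loop that fills `codeTables`, which is used through a pointer (`codeTables->push_back(seg)`). Its allocation is outside the hunk, but if it is created with `new` before the loop, this path leaks it on every file that trips the overflow check; `delete codeTables;` before the return would match that ownership. A short comment stating that numSyms is summed from file-controlled segment sizes would explain why the checked add is needed.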


@ -4,7 +4,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.90.0
Release: 2
Release: 7
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/
Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -15,6 +15,15 @@ Patch5: poppler-0.84.0-MacroPushRequiredVars.patch
Patch7: poppler-0.90.0-position-independent-code.patch
Patch8: %{name}-gcc11.patch
Patch6001: backport-CVE-2022-38784.patch
Patch6002: backport-CVE-2022-27337.patch
Patch6003: backport-CVE-2020-23804.patch
Patch6004: backport-CVE-2022-37050.patch
Patch6005: backport-CVE-2022-37051.patch
Patch6006: backport-CVE-2022-37052.patch
Patch6007: backport-CVE-2022-38349.patch
Patch6008: backport-CVE-2020-36023.patch
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: gettext-devel
@ -83,29 +92,9 @@ BuildArch: noarch
%description glib-doc
This package provides documentation files for glib wrapper
%package qt
Summary: Provides Qt4 wrapper for poppler
Requires: %{name} = %{version}-%{release}
%{?_qt4:Requires: qt4 >= %{_qt4_version}}
Obsoletes: poppler-qt4 < 0.16.0-3
Provides: poppler-qt4 = %{version}-%{release}
%description qt
This package provides Qt4 wrapper for poppler.
%package qt-devel
Summary: Provides development files for Qt4 wrapper
Requires: %{name}-qt = %{version}-%{release}
Requires: %{name}-devel = %{version}-%{release}
Obsoletes: poppler-qt4-devel < 0.16.0-3
Provides: poppler-qt4-devel = %{version}-%{release}
Requires: qt4-devel
%description qt-devel
This package provides development files for Qt4 wrapper.
%package qt5
Summary: Provides Qt5 wrapper for poppler
Obsoletes: %{name}-qt <= 0.67.0-8
Requires: %{name} = %{version}-%{release}
%description qt5
@ -113,6 +102,7 @@ This package provides Qt5 wrapper for poppler.
%package qt5-devel
Summary: Provides development files for Qt5 wrapper
Obsoletes: %{name}-qt-devel <= 0.67.0-8
Requires: %{name}-qt5 = %{version}-%{release}
Requires: %{name}-devel = %{version}-%{release}
Requires: qt5-qtbase-devel
@ -232,6 +222,24 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%{_mandir}/man1/*
%changelog
* Wed Nov 29 2023 xiongyi <xiongyi@uniontech.com> - 0.90.0-7
- fix CVE-2020-36023
- fix infinite looping in cvtGlyph with broken files
- patch source:https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013
* Wed Aug 30 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 0.90.0-6
- fix CVE-2022-37050,CVE-2022-37051,CVE-2022-37052,CVE-2022-38349,CVE-2020-23804
- fix install error
* Thu May 25 2023 zhangpan <zhangpan103@h-partners.com> - 0.90.0-5
- fix changelog error
* Tue Mar 14 2023 zhangpan <zhangpan103@h-partners.com> - 0.90.0-4
- fix CVE-2022-27337
* Tue Sep 06 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 0.90.0-3
- fix CVE-2022-38784
* Tue Jan 18 2022 xu_ping <xuping33@huawei.com> - 0.90.0-2
- Add BuildRequires openjpeg2-tools to fix "/usr/bin/opj2_decompress" not found