Tweak builddir, so default_prepare finds the files to patch.
---
main/poppler/APKBUILD | 49 +++++--
main/poppler/CVE-2018-16646-1.patch | 61 ++++++++
main/poppler/CVE-2018-16646-2.patch | 25 ++++
main/poppler/CVE-2018-16646-3.patch | 28 ++++
main/poppler/CVE-2018-20481.patch | 63 ++++++++
main/poppler/CVE-2018-20551.patch | 51 +++++++
main/poppler/CVE-2018-20662.patch | 46 ++++++
main/poppler/CVE-2019-10872.patch | 136 ++++++++++++++++++
main/poppler/CVE-2019-10873.patch | 31 ++++
main/poppler/CVE-2019-12293.patch | 41 ++++++
main/poppler/CVE-2019-7310.patch | 29 ++++
main/poppler/CVE-2019-9200.patch | 24 ++++
main/poppler/CVE-2019-9631.patch | 100 +++++++++++++
.../bug924029-goostring-null-pointers.patch | 97 +++++++++++++
...ate-PopplerInputStream-with-length-0.patch | 36 +++++
main/poppler/page-ustring.patch | 29 ++++
16 files changed, 837 insertions(+), 9 deletions(-)
create mode 100644 main/poppler/CVE-2018-16646-1.patch
create mode 100644 main/poppler/CVE-2018-16646-2.patch
create mode 100644 main/poppler/CVE-2018-16646-3.patch
create mode 100644 main/poppler/CVE-2018-20481.patch
create mode 100644 main/poppler/CVE-2018-20551.patch
create mode 100644 main/poppler/CVE-2018-20662.patch
create mode 100644 main/poppler/CVE-2019-10872.patch
create mode 100644 main/poppler/CVE-2019-10873.patch
create mode 100644 main/poppler/CVE-2019-12293.patch
create mode 100644 main/poppler/CVE-2019-7310.patch
create mode 100644 main/poppler/CVE-2019-9200.patch
create mode 100644 main/poppler/CVE-2019-9631.patch
create mode 100644 main/poppler/bug924029-goostring-null-pointers.patch
create mode 100644 main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
create mode 100644 main/poppler/page-ustring.patch
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index 95f69f97bd..319d64704b 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=poppler
pkgver=0.71.0
-pkgrel=0
+pkgrel=1
pkgdesc="PDF rendering library based on xpdf 3.0"
url="https://poppler.freedesktop.org/"
arch="all"
@@ -14,13 +14,28 @@ makedepends="$depends_dev cmake libjpeg-turbo-dev cairo-dev libxml2-dev
openjpeg-dev openjpeg-tools libpng-dev tiff-dev zlib-dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib
"
-source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz"
-builddir="$srcdir/$pkgname-$pkgver/build"
+source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz
+ glib-Don-t-create-PopplerInputStream-with-length-0.patch
+ page-ustring.patch
+ CVE-2018-16646-1.patch
+ CVE-2018-16646-2.patch
+ CVE-2018-16646-3.patch
+ CVE-2018-20481.patch
+ CVE-2018-20551.patch
+ CVE-2018-20662.patch
+ CVE-2019-7310.patch
+ CVE-2019-9200.patch
+ CVE-2019-9631.patch
+ CVE-2019-10873.patch
+ bug924029-goostring-null-pointers.patch
+ CVE-2019-10872.patch
+ CVE-2019-12293.patch"
+builddir="$srcdir/$pkgname-$pkgver"
prepare() {
local _linked_pkg=poppler-qt4
local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD
- mkdir -p "$builddir"
+ mkdir -p "$builddir/build"
cd "$builddir"
if [ -f "$_linked_apkbuild" ]; then
local _linked_ver=$( . "$_linked_apkbuild"; echo "$pkgver")
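Review bot: The fifteen patches are added to `source=` without a matching `# secfixes:` comment block, and no hunk of this APKBUILD adds one. Alpine's security tracking reads that comment to learn which package release carries which CVE fix, so without it 0.71.0-r1 may still be reported as affected. I would add a `# secfixes:` block with a `0.71.0-r1:` entry listing each CVE id that appears in the patch file names (CVE-2018-16646 through CVE-2019-12293). The rest of prepare() continues outside this hunk.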
@@ -29,14 +44,15 @@ prepare() {
return 1
fi
fi
+
+ default_prepare
}
build() {
- cd "$builddir"
-
# JPEG2000Stream.cc:20:10: fatal error: openjpeg.h: No such file
- sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i ../poppler/JPEG2000Stream.cc
+ sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i poppler/JPEG2000Stream.cc
+ cd build
cmake .. \
-DCMAKE_INSTALL_PREFIX=/usr \
-DCMAKE_INSTALL_LIBDIR=lib \
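Review bot: The `sed` rewrite of the openjpeg include still lives in build() and is not idempotent. A second build() on the same tree turns `openjpeg-2.3/openjpeg.h` into `openjpeg-2.3/openjpeg-2.3/openjpeg.h`, because the pattern matches the already rewritten line again. Moving that `sed` line into prepare(), directly after `default_prepare`, keeps every source modification in one step that runs once per unpack. build() here and package() in the next hunk also rely on the working directory already being `$builddir` before `cd build`; that presumably holds for the abuild in use, but `cd "$builddir"/build` would state it explicitly.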
@@ -47,7 +63,7 @@ build() {
}
package() {
- cd "$builddir"
+ cd build
make DESTDIR="$pkgdir" install
}
@@ -73,4 +89,19 @@ _cpp() {
"$subpkgdir"/usr/lib/
}
-sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz"
+sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz
+e3d4747cfc1b171ec64d7492c92ed42494c6bf8ad4f40b3fe3fcd439034efd7ca16d6ed703d85dffd3625650c70aa51cbaff7a292f6b357e19ef2dc5ef742296 glib-Don-t-create-PopplerInputStream-with-length-0.patch
+4f1b9dbf9f075a09a78640a060537995b753f9287b06cdbb2a30a750e57638f677e27fa1c6dd24772cd29dd746d4f21f3ce3b51596179355f9514ea824e17a27 page-ustring.patch
+b7401aa7303467bbf3551156b7ab0d5041eb528034bc1268f67da074a60e7e685a674ab4aca3235c5fe2c7cbe388d4c822c27a2f103fbb9ff85af68d5c42f0b0 CVE-2018-16646-1.patch
+b9dbda18a862d234eb17d44f6a728a73b32712aac32a01637cb4472cdbad2dc6f1f06bd2fd61db1e68de37ecfca4c07191db577a841e7afbe6d0236dea473562 CVE-2018-16646-2.patch
+91ebd6af4cd0645a4346e1f016333e3fcb5073df4c73942bb9f87c393fbbfcfe768170464eec6a118d56bfffc361fb06dc2988a064ab2a864f6fa430294634b7 CVE-2018-16646-3.patch
+b866abf13ce3e0e87744dd99b90da1b5926875a5b3ae3b335ffd7f9736f025a3e631312ffc624f825328b3a1dd5012117a5af534436da0c072b67908316cdb88 CVE-2018-20481.patch
+f9fdb49fe6ac420db1634fbee0977d867154ce2dd34f6b4c5f77591a859b1ecc2f2ea6c926a7b8fa76f3bf69dee9abd48f7a6d3653e1d4d447338d4025587fa0 CVE-2018-20551.patch
+5fe4c3604f9d943a5162182c402f8e96262b94ee38702dba1d893e311434d56eb9965b58f7dce4718a399ab190f9e34d38a1bb970283d5847dbfe30d5f04a426 CVE-2018-20662.patch
+599a6742cf762906cc8f0eeb8b516798214095222ff630b27470b5fbb1abca99cfe9f8196f9e55ee9cf5df1a871859f6e13ece7247573248b88d5e65946aeef4 CVE-2019-7310.patch
+2487ada6cfdd4a9dceaf0b741044b7cc2a2605fed5ed99a90192e2c0c0ee6a2a9b30264821ffab39e03a85d7d47bd91066e759e16c44d4e21c89025f1b98f98f CVE-2019-9200.patch
+e16a8971ea30debf9efc8abf81a0a43c7ceaa403dbb423c4f45cbb00237acf0e4ee13fb9117f258f245c204fadc32d51fa0c73259cea2913d9d2afac2cc8ad8f CVE-2019-9631.patch
+47f50e99d902b1ab80e004def6b99f7e2cd01e96d6a3081aef8cc3f473ed057adbcb69b905e89e5ece080d43ea465c92c2890cf6cc88e29465a0fcf7dd89cd36 CVE-2019-10873.patch
+b034f8559fce065d671e1c9c8d8d0b12fbf70f423fd8dbb0018ae12520c6b27be67f4a16a02a183c2b8c09505305b0979f9a6326c33171e19d45c4d3e53b0487 bug924029-goostring-null-pointers.patch
+1aa9791c9c559b78b1dc33d6e72c941d4d8a461a90eb92f8674f13881d19aa38e20fbc9104baf9ddb21b9ec6bd4b8c3bda3a01ce6f34a932229e6327bedf1910 CVE-2019-10872.patch
+5494d9056dd672b6379d82f41f0e895037631da781685f067316ffc3ae789589a83580553d0dd2e4ed29fd1fd1d4a779e87a96a914fc7a043e60e4a145b73258 CVE-2019-12293.patch"
diff --git a/main/poppler/CVE-2018-16646-1.patch b/main/poppler/CVE-2018-16646-1.patch
new file mode 100644
index 0000000000..fb2ac27488
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-1.patch
@@ -0,0 +1,61 @@
+From 3d35d209c19c1d3b09b794a0c863ba5de44a9c0a Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 29 Oct 2018 17:44:47 +0100
+Subject: [PATCH] Avoid cycles in PDF parsing
+
+Mark objects being processed in Parser::makeStream() as being processed
+and check the mark when entering this method to avoid processing
+of the same object recursively.
+---
+ poppler/Parser.cc | 15 +++++++++++++++
+ poppler/XRef.h | 1 +
+ 2 files changed, 16 insertions(+)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index bd4845ab..8f48efbe 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -197,6 +197,18 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+ Stream *str;
+ Goffset length;
+ Goffset pos, endPos;
++ XRefEntry *entry;
++
++ if (xref && (entry = xref->getEntry(objNum, false))) {
++ if (!entry->getFlag(XRefEntry::Parsing) ||
++ (objNum == 0 && objGen == 0)) {
++ entry->setFlag(XRefEntry::Parsing, true);
++ } else {
++ error(errSyntaxError, getPos(),
++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen);
++ return nullptr;
++ }
++ }
+
+ // get stream start position
+ lexer->skipToNextLine();
+@@ -278,6 +290,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+ // get filters
+ str = str->addFilters(str->getDict(), recursion);
+
++ if (entry)
++ entry->setFlag(XRefEntry::Parsing, false);
++
+ return str;
+ }
+
+diff --git a/poppler/XRef.h b/poppler/XRef.h
+index 11ee5e03..2eb2f9fd 100644
+--- a/poppler/XRef.h
++++ b/poppler/XRef.h
+@@ -65,6 +65,7 @@ struct XRefEntry {
+ enum Flag {
+ // Regular flags
+ Updated, // Entry was modified
++ Parsing, // Entry is currently being parsed
+
+ // Special flags -- available only after xref->scanSpecialFlags() is run
+ Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents)
+--
+2.18.1
+
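Review bot: The `XRefEntry::Parsing` mark is cleared only on the final `return str;` path, so any earlier `return` in the part of `makeStream` between the two inner hunks (not shown here) would leave the entry marked. A later, legitimate parse of the same object would then be rejected as "being already parsed", which turns a malformed stream into a persistent failure for that object. Clearing the mark from a small scope guard covers every exit path. The guard should look the entry up again rather than keep the pointer, since CVE-2018-16646-3.patch in this series shows that the table can be rebuilt mid-function. The sketch below assumes `objNum` is an `int`, as `getEntry`'s signature suggests, and must sit after the cycle check so the cycle-detected return does not clear the mark.

```cpp
// … unchanged: check of XRefEntry::Parsing and early return when a cycle is detected …

// Clears the mark on every exit path below. The entry is looked up again
// because the xref table can be rebuilt while the stream is being parsed.
struct ParsingMarkReset {
  XRef *xref;
  int objNum;
  ~ParsingMarkReset() {
    XRefEntry *e = xref ? xref->getEntry(objNum, false) : nullptr;
    if (e)
      e->setFlag(XRefEntry::Parsing, false);
  }
} parsingMarkReset{xref, objNum};

// … unchanged: stream start position, length lookup, filter setup …
return str;
```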
diff --git a/main/poppler/CVE-2018-16646-2.patch b/main/poppler/CVE-2018-16646-2.patch
new file mode 100644
index 0000000000..3514b30c2b
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-2.patch
@@ -0,0 +1,25 @@
+From 89fccf45fc5bfca3756102e6bec1950ec1d436a9 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 3 Nov 2018 01:45:55 +0100
+Subject: [PATCH] initialize entry
+
+---
+ poppler/Parser.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 733cdbb0..87745414 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -198,7 +198,7 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+ Stream *str;
+ Goffset length;
+ Goffset pos, endPos;
+- XRefEntry *entry;
++ XRefEntry *entry = nullptr;
+
+ if (xref && (entry = xref->getEntry(objNum, false))) {
+ if (!entry->getFlag(XRefEntry::Parsing) ||
+--
+2.18.1
+
diff --git a/main/poppler/CVE-2018-16646-3.patch b/main/poppler/CVE-2018-16646-3.patch
new file mode 100644
index 0000000000..62d303e2b5
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-3.patch
@@ -0,0 +1,28 @@
+From 08572e1bdca03baed694dd9828bb2b878865e669 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Sat, 3 Nov 2018 12:21:41 +0100
+Subject: [PATCH] Parser::makeStream: Fix crash on malformed files
+
+fixes oss-fuzz/11244
+---
+ poppler/Parser.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 87745414..2cf2bd12 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -230,6 +230,10 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey,
+ length = 0;
+ }
+
++ // the above dictLookup can cause a xref reconstruction if the file is damaged
++ // so we need to update the entry pointer
++ entry = xref ? xref->getEntry(objNum, false) : nullptr;
++
+ // check for length in damaged file
+ if (xref && xref->getStreamEnd(pos, &endPos)) {
+ length = endPos - pos;
+--
+2.18.1
+
diff --git a/main/poppler/CVE-2018-20481.patch b/main/poppler/CVE-2018-20481.patch
new file mode 100644
index 0000000000..4402e964ad
--- /dev/null
+++ b/main/poppler/CVE-2018-20481.patch
@@ -0,0 +1,63 @@
+From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Mon, 24 Dec 2018 15:40:38 +0100
+Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
+ pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
+
+---
+ poppler/XRef.cc | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 0ec66944..d042d1f4 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
+ }
+ }
+
++namespace {
++
++struct DummyXRefEntry : XRefEntry {
++ DummyXRefEntry() {
++ offset = 0;
++ gen = -1;
++ type = xrefEntryNone;
++ flags = 0;
++ }
++};
++
++DummyXRefEntry dummyXRefEntry;
++
++}
++
+ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ {
+ if (i >= size || entries[i].type == xrefEntryNone) {
+
+ if ((!xRefStream) && mainXRefEntriesOffset) {
++ if (unlikely(i >= capacity)) {
++ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
++ return &dummyXRefEntry;
++ }
++
+ if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
+ error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
+ }
+@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ // We might have reconstructed the xref
+ // Check again i is in bounds
+ if (unlikely(i >= size)) {
+- static XRefEntry dummy;
+- dummy.offset = 0;
+- dummy.gen = -1;
+- dummy.type = xrefEntryNone;
+- dummy.flags = 0;
+- return &dummy;
++ return &dummyXRefEntry;
+ }
+
+ if (entries[i].type == xrefEntryNone) {
+--
+2.18.1
+
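Review bot: `dummyXRefEntry` is now one mutable object initialised once, whereas the removed code reset `offset`, `gen`, `type` and `flags` on every return. Because `getEntry` hands out a non-const pointer, anything a caller writes through it (for example a flag set with `setFlag`) now persists into later lookups and into other documents in the same process. Restoring the reset before each `return &dummyXRefEntry;`, at minimum `dummyXRefEntry.flags = 0;`, keeps the previous behaviour. The new `i >= capacity` check bounds `i` only from above; the negative case is handled by CVE-2019-7310.patch, so that patch has to stay in the series after this one.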
diff --git a/main/poppler/CVE-2018-20551.patch b/main/poppler/CVE-2018-20551.patch
new file mode 100644
index 0000000000..9a391ca0dd
--- /dev/null
+++ b/main/poppler/CVE-2018-20551.patch
@@ -0,0 +1,51 @@
+From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Thu, 27 Dec 2018 11:54:53 +0100
+Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
+ Closes #703
+
+---
+ poppler/Annot.cc | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/poppler/Annot.cc b/poppler/Annot.cc
+index 2e4770ab..1750dc70 100644
+--- a/poppler/Annot.cc
++++ b/poppler/Annot.cc
+@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) {
+ if (obj1.isDict()) {
+ Object obj2 = obj1.getDict()->lookup("Names");
+ if (obj2.isArray()) {
+- nAssets = obj2.arrayGetLength() / 2;
++ const int length = obj2.arrayGetLength() / 2;
+
+- assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
++ assets = (Asset **)gmallocn(length, sizeof(Asset *));
++ for (int i = 0; i < length; ++i) {
++ Object objKey = obj2.arrayGet(2 * i);
++ Object objVal = obj2.arrayGet(2 * i + 1);
+
+- int counter = 0;
+- for (int i = 0; i < nAssets; ++i) {
+- assets[counter] = new AnnotRichMedia::Asset;
+-
+- Object objKey = obj2.arrayGet(i * 2);
+- assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
+-
+- assets[counter]->name = std::make_unique<GooString>( objKey.getString() );
+- ++counter;
++ if (!objKey.isString() || objVal.isNull()) {
++ error(errSyntaxError, -1, "Bad Annot Asset");
++ continue;
++ }
+
++ assets[nAssets] = new AnnotRichMedia::Asset;
++ assets[nAssets]->name = std::make_unique<GooString>( objKey.getString() );
++ assets[nAssets]->fileSpec = std::move(objVal);
++ ++nAssets;
+ }
+ }
+ }
+--
+2.18.1
+
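Review bot: `assets[nAssets]` and `++nAssets` assume that `nAssets` is zero when this block is entered, and the hunk does not show where it is initialised. The constructor starts outside the hunk, so that should be confirmed against the full file. After this change `nAssets` can also be smaller than the `length` slots allocated by `gmallocn`, which deserves a comment next to the allocation, for example `// nAssets counts only valid name/value pairs; assets may have unused trailing slots`.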
diff --git a/main/poppler/CVE-2018-20662.patch b/main/poppler/CVE-2018-20662.patch
new file mode 100644
index 0000000000..557bda34af
--- /dev/null
+++ b/main/poppler/CVE-2018-20662.patch
@@ -0,0 +1,46 @@
+From 7b4e372deeb716eb3fe3a54b31ed41af759224f9 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 4 Mar 2019 12:55:12 +0100
+Subject: [PATCH] pdfunite: Check XRef's Catalog for being a Dict
+
+Check whether Catalog from XRef is Dict for each document
+passed to pdfunite and return error if not.
+
+https://gitlab.freedesktop.org/poppler/poppler/issues/706
+---
+ utils/pdfunite.cc | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc
+index b0142116..23888684 100644
+--- a/utils/pdfunite.cc
++++ b/utils/pdfunite.cc
+@@ -165,7 +165,8 @@ int main (int argc, char *argv[])
+ for (i = 1; i < argc - 1; i++) {
+ GooString *gfileName = new GooString(argv[i]);
+ PDFDoc *doc = new PDFDoc(gfileName, nullptr, nullptr, nullptr);
+- if (doc->isOk() && !doc->isEncrypted()) {
++ if (doc->isOk() && !doc->isEncrypted() &&
++ doc->getXRef()->getCatalog().isDict()) {
+ docs.push_back(doc);
+ if (doc->getPDFMajorVersion() > majorVersion) {
+ majorVersion = doc->getPDFMajorVersion();
+@@ -176,8 +177,13 @@ int main (int argc, char *argv[])
+ }
+ }
+ } else if (doc->isOk()) {
+- error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
+- return -1;
++ if (doc->isEncrypted()) {
++ error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
++ return -1;
++ } else if (!doc->getXRef()->getCatalog().isDict()) {
++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]);
++ return -1;
++ }
+ } else {
+ error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]);
+ return -1;
+--
+2.18.1
+
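Review bot: The catalog check `doc->getXRef()->getCatalog().isDict()` is written twice and can be evaluated twice per document, and the inner `if`/`else if` in the `doc->isOk()` branch has no final `else`. Computing it once, `const bool catalogIsDict = doc->isOk() && doc->getXRef()->getCatalog().isDict();`, lets the first condition use the flag and the error branch become a plain `else`. That removes the silent fall-through if the two conditions ever drift apart. The loop body of main() continues outside these hunks.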
diff --git a/main/poppler/CVE-2019-10872.patch b/main/poppler/CVE-2019-10872.patch
new file mode 100644
index 0000000000..8032d7dd9a
--- /dev/null
+++ b/main/poppler/CVE-2019-10872.patch
@@ -0,0 +1,136 @@
+From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 13 May 2019 15:08:38 +0200
+Subject: [PATCH] Splash: Restrict filling of overlapping boxes
+
+Check whether area to fill in Splash::blitTransparent()
+does not run out of allocated memory for source and for destination
+and shrink it if needed.
+
+Fixes #750
+---
+ splash/Splash.cc | 48 +++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- poppler-0.71.0.orig/splash/Splash.cc
++++ poppler-0.71.0/splash/Splash.cc
+@@ -5856,7 +5856,7 @@ SplashError Splash::blitTransparent(Spla
+ int xDest, int yDest, int w, int h) {
+ SplashColorPtr p, sp;
+ Guchar *q;
+- int x, y, mask, srcMask;
++ int x, y, mask, srcMask, width = w, height = h;
+
+ if (src->mode != bitmap->mode) {
+ return splashErrModeMismatch;
+@@ -5866,14 +5866,32 @@ SplashError Splash::blitTransparent(Spla
+ return splashErrZeroImage;
+ }
+
++ if (src->getWidth() - xSrc < width)
++ width = src->getWidth() - xSrc;
++
++ if (src->getHeight() - ySrc < height)
++ height = src->getHeight() - ySrc;
++
++ if (bitmap->getWidth() - xDest < width)
++ width = bitmap->getWidth() - xDest;
++
++ if (bitmap->getHeight() - yDest < height)
++ height = bitmap->getHeight() - yDest;
++
++ if (width < 0)
++ width = 0;
++
++ if (height < 0)
++ height = 0;
++
+ switch (bitmap->mode) {
+ case splashModeMono1:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)];
+ mask = 0x80 >> (xDest & 7);
+ sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
+ srcMask = 0x80 >> (xSrc & 7);
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ if (*sp & srcMask) {
+ *p |= mask;
+ } else {
+@@ -5891,20 +5909,20 @@ SplashError Splash::blitTransparent(Spla
+ }
+ break;
+ case splashModeMono8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
+ sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ }
+ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5912,10 +5930,10 @@ SplashError Splash::blitTransparent(Spla
+ }
+ break;
+ case splashModeXBGR8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5926,10 +5944,10 @@ SplashError Splash::blitTransparent(Spla
+ break;
+ #ifdef SPLASH_CMYK
+ case splashModeCMYK8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5938,10 +5956,10 @@ SplashError Splash::blitTransparent(Spla
+ }
+ break;
+ case splashModeDeviceN8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ for (int cp=0; cp < SPOT_NCOMPS+4; cp++)
+ *p++ = *sp++;
+ }
+@@ -5951,9 +5969,9 @@ SplashError Splash::blitTransparent(Spla
+ }
+
+ if (bitmap->alpha) {
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest];
+- memset(q, 0x00, w);
++ memset(q, 0x00, width);
+ }
+ }
+
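Review bot: In the `splashModeMono8` case the source row is still addressed with the destination's stride, `sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];`, while every other mode uses `src->rowSize`. When the two bitmaps differ in row size, the clamped loop can still read outside `src->data`, so the line should be `sp = &src->data[(ySrc + y) * src->rowSize + xSrc];`. The new clamps also limit `width` and `height` only from above: a negative `xSrc`, `ySrc`, `xDest` or `yDest` is not rejected in the visible lines and would still index before the buffer. Whether callers can pass negative origins is not visible here, but an early return for them would complete the check. blitTransparent starts and ends outside these hunks.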
diff --git a/main/poppler/CVE-2019-10873.patch b/main/poppler/CVE-2019-10873.patch
new file mode 100644
index 0000000000..a4a80ae97d
--- /dev/null
+++ b/main/poppler/CVE-2019-10873.patch
@@ -0,0 +1,31 @@
+From 8dbe2e6c480405dab9347075cf4be626f90f1d05 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 3 Apr 2019 18:02:42 +0200
+Subject: [PATCH] SplashXPathScanner::clipAALine: Fix crash on broken file
+
+Make sure the index of allIntersections we access is valid
+
+Fixes #748
+---
+ splash/SplashXPathScanner.cc | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc
+index 8362a6a5..23b4f7c4 100644
+--- a/splash/SplashXPathScanner.cc
++++ b/splash/SplashXPathScanner.cc
+@@ -452,7 +452,10 @@ void SplashXPathScanner::clipAALine(SplashBitmap *aaBuf,
+ for (yy = 0; yy < splashAASize; ++yy) {
+ xx = *x0 * splashAASize;
+ if (yy >= yyMin && yy <= yyMax) {
+- const auto& line = allIntersections[splashAASize * y + yy - yMin];
++ const int intersectionIndex = splashAASize * y + yy - yMin;
++ if (unlikely(intersectionIndex < 0 || (unsigned)intersectionIndex >= allIntersections.size()))
++ break;
++ const auto& line = allIntersections[intersectionIndex];
+ interIdx = 0;
+ interCount = 0;
+ while (interIdx < line.size() && xx < (*x1 + 1) * splashAASize) {
+--
+2.18.1
+
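Review bot: The new bounds check uses a C-style cast, `(unsigned)intersectionIndex`, and leaves the loop without any diagnostic, unlike the other fixes in this series, which call `error()`. `static_cast<size_t>(intersectionIndex) >= allIntersections.size()` compares in the container's own size type and is greppable. It is also worth a comment on why `break` rather than `continue` is correct here, since the remaining `yy` rows are skipped entirely and the code after the loop is outside the hunk.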
diff --git a/main/poppler/CVE-2019-12293.patch b/main/poppler/CVE-2019-12293.patch
new file mode 100644
index 0000000000..2ad86a8355
--- /dev/null
+++ b/main/poppler/CVE-2019-12293.patch
@@ -0,0 +1,41 @@
+From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 23 May 2019 00:54:29 +0200
+Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have
+ the same WxH
+
+I think this is just a mistake, or at least the only file we have with
+this scenario is a fuzzed one
+---
+ poppler/JPEG2000Stream.cc | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 15bbcae4..0eea3a2d 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -4,7 +4,7 @@
+ //
+ // A JPX stream decoder using OpenJPEG
+ //
+-// Copyright 2008-2010, 2012, 2017, 2018 Albert Astals Cid <aacid@kde.org>
++// Copyright 2008-2010, 2012, 2017-2019 Albert Astals Cid <aacid@kde.org>
+ // Copyright 2011 Daniel Glöckner <daniel-gl@gmx.net>
+ // Copyright 2014, 2016 Thomas Freitag <Thomas.Freitag@alfa.de>
+ // Copyright 2013, 2014 Adrian Johnson <ajohnson@redneon.com>
+@@ -253,6 +253,12 @@ void JPXStream::init()
+ close();
+ break;
+ }
++ const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h;
++ if (componentPixels != priv->npixels) {
++ error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component);
++ close();
++ break;
++ }
+ unsigned char *cdata = (unsigned char *)priv->image->comps[component].data;
+ int adjust = 0;
+ int depth = priv->image->comps[component].prec;
+--
+2.21.0
+
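Review bot: The added check compares pixel counts rather than dimensions, so it does not enforce what its error message states ("different WxH"). A component with the same area but a different shape passes, and `w * h` is computed before being stored in an `int`, so if the OpenJPEG fields are unsigned 32-bit (not visible here) a wrapped product could equal `priv->npixels`. Comparing the fields directly avoids both: `if (priv->image->comps[component].w != priv->image->comps[0].w || priv->image->comps[component].h != priv->image->comps[0].h)`. JPXStream::init() continues outside the hunk.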
diff --git a/main/poppler/CVE-2019-7310.patch b/main/poppler/CVE-2019-7310.patch
new file mode 100644
index 0000000000..cffd88f225
--- /dev/null
+++ b/main/poppler/CVE-2019-7310.patch
@@ -0,0 +1,29 @@
+From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001
+From: Adam Reichold <adam.reichold@t-online.de>
+Date: Fri, 1 Feb 2019 08:42:27 +0100
+Subject: [PATCH] Also defend against requests for negative XRef indices.
+ oss-fuzz/12797
+
+---
+ poppler/XRef.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index d042d1f4..ac2cd0ce 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1565,6 +1565,11 @@ DummyXRefEntry dummyXRefEntry;
+
+ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ {
++ if (unlikely(i < 0)) {
++ error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i);
++ return &dummyXRefEntry;
++ }
++
+ if (i >= size || entries[i].type == xrefEntryNone) {
+
+ if ((!xRefStream) && mainXRefEntriesOffset) {
+--
+2.18.1
+
diff --git a/main/poppler/CVE-2019-9200.patch b/main/poppler/CVE-2019-9200.patch
new file mode 100644
index 0000000000..e3f8da4321
--- /dev/null
+++ b/main/poppler/CVE-2019-9200.patch
@@ -0,0 +1,24 @@
+From f4136a6353162db249f63ddb0f20611622ab61b4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 27 Feb 2019 19:43:22 +0100
+Subject: [PATCH] ImageStream::getLine: fix crash on broken files
+
+Fixes #728
+---
+ poppler/Stream.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff -aur poppler-0.71.0.orig/poppler/Stream.cc poppler-0.71.0/poppler/Stream.cc
+--- poppler-0.71.0.orig/poppler/Stream.cc 2018-10-31 22:13:17.000000000 +0100
++++ poppler-0.71.0/poppler/Stream.cc 2019-05-10 18:04:55.809263964 +0200
+@@ -476,6 +476,9 @@
+ }
+
+ int readChars = str->doGetChars(inputLineSize, inputLine);
++ if (unlikely(readChars == -1)) {
++ readChars = 0;
++ }
+ for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
+ if (nBits == 1) {
+ Guchar *p = inputLine;
+
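Review bot: The guard tests only `readChars == -1`, so any other negative return from `doGetChars` would still start the fill loop at a negative index into `inputLine`. The range of values `doGetChars` can return is not visible in this hunk; `if (unlikely(readChars < 0))` covers every negative value at no extra cost. ImageStream::getLine's body starts and ends outside the hunk.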
diff --git a/main/poppler/CVE-2019-9631.patch b/main/poppler/CVE-2019-9631.patch
new file mode 100644
index 0000000000..30111603c9
--- /dev/null
+++ b/main/poppler/CVE-2019-9631.patch
@@ -0,0 +1,100 @@
+From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Thu, 21 Mar 2019 13:47:51 +0100
+Subject: [PATCH] cairo: Constrain number of cycles in rescale filter
+
+Pass address of the first byte after end of the source buffer
+to downsample_row_box_filter() so that we can check
+that we don't run out of it.
+
+Fixes issue #736
+---
+ poppler/CairoRescaleBox.cc | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
+index d7615010..7fd07041 100644
+--- a/poppler/CairoRescaleBox.cc
++++ b/poppler/CairoRescaleBox.cc
+@@ -62,7 +62,7 @@
+
+ static void downsample_row_box_filter (
+ int start, int width,
+- uint32_t *src, uint32_t *dest,
++ uint32_t *src, uint32_t *src_limit, uint32_t *dest,
+ int coverage[], int pixel_coverage)
+ {
+ /* we need an array of the pixel contribution of each destination pixel on the boundaries.
+@@ -90,13 +90,13 @@ static void downsample_row_box_filter (
+ /* skip to start */
+ /* XXX: it might be possible to do this directly instead of iteratively, however
+ * the iterative solution is simple */
+- while (x < start)
++ while (x < start && src < src_limit)
+ {
+ int box = 1 << FIXED_SHIFT;
+ int start_coverage = coverage[x];
+ box -= start_coverage;
+ src++;
+- while (box >= pixel_coverage)
++ while (box >= pixel_coverage && src < src_limit)
+ {
+ src++;
+ box -= pixel_coverage;
+@@ -104,7 +104,7 @@ static void downsample_row_box_filter (
+ x++;
+ }
+
+- while (x < start + width)
++ while (x < start + width && src < src_limit)
+ {
+ uint32_t a = 0;
+ uint32_t r = 0;
+@@ -121,7 +121,7 @@ static void downsample_row_box_filter (
+ x++;
+ box -= start_coverage;
+
+- while (box >= pixel_coverage)
++ while (box >= pixel_coverage && src < src_limit)
+ {
+ a += ((*src >> 24) & 0xff) * pixel_coverage;
+ r += ((*src >> 16) & 0xff) * pixel_coverage;
+@@ -135,7 +135,7 @@ static void downsample_row_box_filter (
+ /* multiply by whatever is leftover
+ * this ensures that we don't bias down.
+ * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */
+- if (box > 0)
++ if (box > 0 && src < src_limit)
+ {
+ a += ((*src >> 24) & 0xff) * box;
+ r += ((*src >> 16) & 0xff) * box;
+@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ int start_coverage_y = y_coverage[dest_y];
+
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ src_y++;
+ box -= start_coverage_y;
+@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ while (box >= pixel_coverage_y)
+ {
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ src_y++;
+ box -= pixel_coverage_y;
+@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ if (box > 0)
+ {
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ }
+
+--
+2.18.1
+
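Review bot: When the new `src < src_limit` conditions end the loops early, the remaining destination pixels of that row are never written, and `dest` has no limit of its own. If `temp_buf` is not zero-initialised (its allocation is outside these hunks), stale heap contents could end up in the rescaled image. Either fill the rest of the row when the source runs out or confirm that the buffer is cleared on allocation. A short comment on the new parameter would also help, for example `/* src_limit: one past the last readable pixel of src */`, and both `src` and `src_limit` could be `const uint32_t *`, since the function only reads through them.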
diff --git a/main/poppler/bug924029-goostring-null-pointers.patch b/main/poppler/bug924029-goostring-null-pointers.patch
new file mode 100644
index 0000000000..c39392aba4
--- /dev/null
+++ b/main/poppler/bug924029-goostring-null-pointers.patch
@@ -0,0 +1,97 @@
+Subject: Make GooString constructible and assignable from null pointers again
+ since some of the code expects it.
+Origin: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d
+Bug: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924029
+Reviewed-by: Jonathan Wiltshire <jmw@debian.org>
+Applied-Upstream: yes
+Last-Update: 2019-05-25
+
+--- poppler-0.71.0.orig/goo/GooString.h
++++ poppler-0.71.0/goo/GooString.h
+@@ -60,7 +60,7 @@
+ GooString& operator=(const GooString &other) = delete;
+
+ // Create a string from a C string.
+- explicit GooString(const char *sA) : std::string(sA) {}
++ explicit GooString(const char *sA) : std::string(sA ? sA : "") {}
+
+ // Zero-cost conversion from and to std::string
+ explicit GooString(const std::string& str) : std::string(str) {}
+@@ -70,18 +70,18 @@
+
+ // Create a string from <lengthA> chars at <sA>. This string
+ // can contain null characters.
+- GooString(const char *sA, int lengthA) : std::string(sA, lengthA) {}
++ GooString(const char *sA, int lengthA) : std::string(sA ? sA : "", sA ? lengthA : 0) {}
+
+ // Create a string from <lengthA> chars at <idx> in <str>.
+ GooString(const GooString *str, int idx, int lengthA) : std::string(*str, idx, lengthA) {}
+
+ // Set content of a string to <newStr>.
+- GooString* Set(const GooString *newStr) { assign(*newStr); return this; }
+- GooString* Set(const char *newStr) { assign(newStr); return this; }
+- GooString* Set(const char *newStr, int newLen) { assign(newStr, newLen); return this; }
++ GooString* Set(const GooString *newStr) { assign(newStr ? static_cast<const std::string&>(*newStr) : std::string{}); return this; }
++ GooString* Set(const char *newStr) { assign(newStr ? newStr : ""); return this; }
++ GooString* Set(const char *newStr, int newLen) { assign(newStr ? newStr : "", newStr ? newLen : 0); return this; }
+
+ // Copy a string.
+- explicit GooString(const GooString *str) : std::string(*str) {}
++ explicit GooString(const GooString *str) : std::string(str ? static_cast<const std::string&>(*str) : std::string{}) {}
+ GooString *copy() const { return new GooString(this); }
+
+ // Concatenate two strings.
+--- poppler-0.71.0.orig/qt5/tests/check_goostring.cpp
++++ poppler-0.71.0/qt5/tests/check_goostring.cpp
+@@ -11,6 +11,7 @@
+ void testInsertData();
+ void testInsert();
+ void testFormat();
++ void testFromNullptr();
+ };
+
+ void TestGooString::testInsertData_data()
+@@ -122,6 +123,42 @@
+ }
+ }
+
++void TestGooString::testFromNullptr()
++{
++ {
++ GooString str{static_cast<const GooString*>(nullptr)};
++ QCOMPARE(str.getLength(), 0);
++ }
++
++ {
++ GooString str;
++ str.Set(static_cast<const GooString*>(nullptr));
++ QCOMPARE(str.getLength(), 0);
++ }
++
++ {
++ GooString str{static_cast<const char*>(nullptr)};
++ QCOMPARE(str.getLength(), 0);
++ }
++
++ {
++ GooString str{static_cast<const char*>(nullptr), 0};
++ QCOMPARE(str.getLength(), 0);
++ }
++
++ {
++ GooString str;
++ str.Set(static_cast<const char*>(nullptr));
++ QCOMPARE(str.getLength(), 0);
++ }
++
++ {
++ GooString str;
++ str.Set(static_cast<const char*>(nullptr), 0);
++ QCOMPARE(str.getLength(), 0);
++ }
++}
++
+ QTEST_GUILESS_MAIN(TestGooString)
+ #include "check_goostring.moc"
+
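Review bot: The substring constructor `GooString(const GooString *str, int idx, int lengthA)`, kept as a context line in the GooString.h hunk, still dereferences `*str` unconditionally, so it is the one pointer-taking constructor here that stays undefined on a null argument. If null tolerance is the intended contract, give it the same guard, e.g. `: std::string(str ? static_cast<const std::string&>(*str) : std::string{}, str ? idx : 0, str ? lengthA : 0)`. Separately, `testFromNullptr` only pairs a null `const char*` with length 0, so the `sA ? lengthA : 0` branch that discards a non-zero length is never exercised; a case such as `GooString str{static_cast<const char*>(nullptr), 5};` would cover it. Because a null now silently becomes an empty string and can hide a caller's error, a comment on these constructors and `Set` overloads stating that null is accepted and yields an empty string would help later readers.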
diff --git a/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
new file mode 100644
index 0000000000..c59de03677
--- /dev/null
+++ b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch
@@ -0,0 +1,36 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Thu, 14 Feb 2019 09:43:32 +0000
+Subject: glib: Don't create PopplerInputStream with length 0
+
+Since commit a59f6164, PopplerInputStream requires a nonzero length.
+
+Loosely based on an earlier patch by Kouhei Sutou. This version adds
+support for length == -1, which is documented to work.
+
+Bug: https://gitlab.freedesktop.org/poppler/poppler/issues/414
+Bug-Debian: https://bugs.debian.org/896596
+Forwarded: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/189
+---
+ glib/poppler-document.cc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc
+index ed37da4c..e04c8b42 100644
+--- a/glib/poppler-document.cc
++++ b/glib/poppler-document.cc
+@@ -309,7 +309,14 @@ poppler_document_new_from_stream (GInputStream *stream,
+ }
+
+ if (stream_is_memory_buffer_or_local_file(stream)) {
+- str = new PopplerInputStream(stream, cancellable, 0, false, 0, Object(objNull));
++ if (length == (goffset)-1) {
++ if (!g_seekable_seek(G_SEEKABLE(stream), 0, G_SEEK_END, cancellable, error)) {
++ g_prefix_error(error, "Unable to determine length of stream: ");
++ return nullptr;
++ }
++ length = g_seekable_tell(G_SEEKABLE(stream));
++ }
++ str = new PopplerInputStream(stream, cancellable, 0, false, length, Object(objNull));
+ } else {
+ CachedFile *cachedFile = new CachedFile(new PopplerCachedFileLoader(stream, cancellable, length), new GooString());
+ str = new CachedFileStream(cachedFile, 0, false, cachedFile->getLength(), Object(objNull));
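Review bot: A length of 0 can still reach `PopplerInputStream` in the memory-buffer/local-file branch, because the new block only handles `length == (goffset)-1`. A caller-supplied 0, or an empty stream for which `g_seekable_tell` returns 0, is passed through even though the description says the class requires a nonzero length. A guard after the block, such as `if (length <= 0) { g_set_error_literal(error, G_IO_ERROR, G_IO_ERROR_INVALID_ARGUMENT, "Stream is empty"); return nullptr; }`, would reject that input explicitly (the error code is a suggestion). The seek to `G_SEEK_END` also leaves the stream positioned at its end; presumably `PopplerInputStream` seeks back to its start offset before reading, but that is not visible here and is worth confirming. `poppler_document_new_from_stream` begins and ends outside this hunk.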
diff --git a/main/poppler/page-ustring.patch b/main/poppler/page-ustring.patch
new file mode 100644
index 0000000000..8b0a1ba58f
--- /dev/null
+++ b/main/poppler/page-ustring.patch
@@ -0,0 +1,29 @@
+From a4fad73c86a2eabe004e7cbaa8c9c0ff42146375 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 6 Dec 2018 18:27:04 +0100
+Subject: [PATCH] cpp: Fix page::text_list encoding issue
+
+Text from TextoutputDev always comes in UTF-8
+
+Well it comes in GlobalParams::textEncoding but that is UTF-8 and we
+don't let people change it
+---
+ cpp/poppler-page.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpp/poppler-page.cpp b/cpp/poppler-page.cpp
+index 9d9526cc..c4955471 100644
+--- a/cpp/poppler-page.cpp
++++ b/cpp/poppler-page.cpp
+@@ -365,7 +365,7 @@ std::vector<text_box> page::text_list() const
+ TextWord *word = word_list->get(i);
+
+ std::unique_ptr<GooString> gooWord{word->getText()};
+- ustring ustr = detail::unicode_GooString_to_ustring(gooWord.get());
++ ustring ustr = ustring::from_utf8(gooWord->getCString());
+
+ double xMin, yMin, xMax, yMax;
+ word->getBBox(&xMin, &yMin, &xMax, &yMax);
+--
+2.18.1
+
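Review bot: The new call `ustring::from_utf8(gooWord->getCString())` relies on the default length, so the word is measured up to its first NUL byte rather than by the GooString's own length. Passing the length keeps the two in agreement: `ustring ustr = ustring::from_utf8(gooWord->getCString(), gooWord->getLength());`. The line also now dereferences `gooWord` directly, where the old code handed the raw pointer to a helper. Whether `word->getText()` can return null is not visible in this hunk, so either a check or a short comment stating that it never does would be useful. `page::text_list` starts and ends outside the hunk.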
--
2.22.0