Paul Bredbury: 1 main/poppler: add Debian Buster patches, mostly security 16 files changed, 837 insertions(+), 9 deletions(-)
Tweak builddir, so default_prepare finds the files to patch. --- main/poppler/APKBUILD | 49 +++++-- main/poppler/CVE-2018-16646-1.patch | 61 ++++++++ main/poppler/CVE-2018-16646-2.patch | 25 ++++ main/poppler/CVE-2018-16646-3.patch | 28 ++++ main/poppler/CVE-2018-20481.patch | 63 ++++++++ main/poppler/CVE-2018-20551.patch | 51 +++++++ main/poppler/CVE-2018-20662.patch | 46 ++++++ main/poppler/CVE-2019-10872.patch | 136 ++++++++++++++++++ main/poppler/CVE-2019-10873.patch | 31 ++++ main/poppler/CVE-2019-12293.patch | 41 ++++++ main/poppler/CVE-2019-7310.patch | 29 ++++ main/poppler/CVE-2019-9200.patch | 24 ++++ main/poppler/CVE-2019-9631.patch | 100 +++++++++++++ .../bug924029-goostring-null-pointers.patch | 97 +++++++++++++ ...ate-PopplerInputStream-with-length-0.patch | 36 +++++ main/poppler/page-ustring.patch | 29 ++++ 16 files changed, 837 insertions(+), 9 deletions(-) create mode 100644 main/poppler/CVE-2018-16646-1.patch create mode 100644 main/poppler/CVE-2018-16646-2.patch create mode 100644 main/poppler/CVE-2018-16646-3.patch create mode 100644 main/poppler/CVE-2018-20481.patch create mode 100644 main/poppler/CVE-2018-20551.patch create mode 100644 main/poppler/CVE-2018-20662.patch create mode 100644 main/poppler/CVE-2019-10872.patch create mode 100644 main/poppler/CVE-2019-10873.patch create mode 100644 main/poppler/CVE-2019-12293.patch create mode 100644 main/poppler/CVE-2019-7310.patch create mode 100644 main/poppler/CVE-2019-9200.patch create mode 100644 main/poppler/CVE-2019-9631.patch create mode 100644 main/poppler/bug924029-goostring-null-pointers.patch create mode 100644 main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch create mode 100644 main/poppler/page-ustring.patch diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD index 95f69f97bd..319d64704b 100644 --- a/main/poppler/APKBUILD +++ b/main/poppler/APKBUILD 
@@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=poppler pkgver=0.71.0 -pkgrel=0 +pkgrel=1 pkgdesc="PDF rendering library based on xpdf 3.0" url="https://poppler.freedesktop.org/" arch="all" @@ -14,13 +14,28 @@ makedepends="$depends_dev cmake libjpeg-turbo-dev cairo-dev libxml2-dev openjpeg-dev openjpeg-tools libpng-dev tiff-dev zlib-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-utils $pkgname-glib " -source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz" -builddir="$srcdir/$pkgname-$pkgver/build" +source="https://poppler.freedesktop.org/poppler-$pkgver.tar.xz + glib-Don-t-create-PopplerInputStream-with-length-0.patch + page-ustring.patch + CVE-2018-16646-1.patch + CVE-2018-16646-2.patch + CVE-2018-16646-3.patch + CVE-2018-20481.patch + CVE-2018-20551.patch + CVE-2018-20662.patch + CVE-2019-7310.patch + CVE-2019-9200.patch + CVE-2019-9631.patch + CVE-2019-10873.patch + bug924029-goostring-null-pointers.patch + CVE-2019-10872.patch + CVE-2019-12293.patch" +builddir="$srcdir/$pkgname-$pkgver" prepare() { local _linked_pkg=poppler-qt4 local _linked_apkbuild="$startdir"/../$_linked_pkg/APKBUILD - mkdir -p "$builddir" + mkdir -p "$builddir/build" cd "$builddir" if [ -f "$_linked_apkbuild" ]; then local _linked_ver=$( . "$_linked_apkbuild"; echo "$pkgver") @@ -29,14 +44,15 @@ prepare() { return 1 fi fi + + default_prepare } build() { - cd "$builddir" - # JPEG2000Stream.cc:20:10: fatal error: openjpeg.h: No such file - sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i ../poppler/JPEG2000Stream.cc + sed -e "/^#include/s/openjpeg\.h/openjpeg-2.3\/openjpeg.h/" -i poppler/JPEG2000Stream.cc + cd build cmake .. \ -DCMAKE_INSTALL_PREFIX=/usr \ -DCMAKE_INSTALL_LIBDIR=lib \ @@ -47,7 +63,7 @@ build() { } package() { - cd "$builddir" + cd build make DESTDIR="$pkgdir" install } 
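Review bot: The pkgrel bump ships eleven CVE patches but no `# secfixes:` block is added beside it, so Alpine's security tracker has no record of which CVEs 0.71.0-r1 closes. Add one directly under `pkgrel=1`, e.g. `# secfixes:` / `#   0.71.0-r1:` / `#     - CVE-2018-16646` and continue with CVE-2018-20481, CVE-2018-20551, CVE-2018-20662, CVE-2019-7310, CVE-2019-9200, CVE-2019-9631, CVE-2019-10872, CVE-2019-10873 and CVE-2019-12293, which are exactly the identifiers the sha512sums hunk pins. Lines 8–13 of the APKBUILD fall between the hunks, so if an older secfixes block already lives there it should be extended rather than duplicated.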
@@ -73,4 +89,19 @@ _cpp() { "$subpkgdir"/usr/lib/ } -sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz" +sha512sums="8e0ce95e7b58c37761c36a20f1282e63373a9557bf9f746ce2936562f12648506043d9559cf816944aa238814fc1b3f3a3c0a6cb002fd214b067e399bcc6ab1e poppler-0.71.0.tar.xz +e3d4747cfc1b171ec64d7492c92ed42494c6bf8ad4f40b3fe3fcd439034efd7ca16d6ed703d85dffd3625650c70aa51cbaff7a292f6b357e19ef2dc5ef742296 glib-Don-t-create-PopplerInputStream-with-length-0.patch +4f1b9dbf9f075a09a78640a060537995b753f9287b06cdbb2a30a750e57638f677e27fa1c6dd24772cd29dd746d4f21f3ce3b51596179355f9514ea824e17a27 page-ustring.patch +b7401aa7303467bbf3551156b7ab0d5041eb528034bc1268f67da074a60e7e685a674ab4aca3235c5fe2c7cbe388d4c822c27a2f103fbb9ff85af68d5c42f0b0 CVE-2018-16646-1.patch +b9dbda18a862d234eb17d44f6a728a73b32712aac32a01637cb4472cdbad2dc6f1f06bd2fd61db1e68de37ecfca4c07191db577a841e7afbe6d0236dea473562 CVE-2018-16646-2.patch +91ebd6af4cd0645a4346e1f016333e3fcb5073df4c73942bb9f87c393fbbfcfe768170464eec6a118d56bfffc361fb06dc2988a064ab2a864f6fa430294634b7 CVE-2018-16646-3.patch +b866abf13ce3e0e87744dd99b90da1b5926875a5b3ae3b335ffd7f9736f025a3e631312ffc624f825328b3a1dd5012117a5af534436da0c072b67908316cdb88 CVE-2018-20481.patch +f9fdb49fe6ac420db1634fbee0977d867154ce2dd34f6b4c5f77591a859b1ecc2f2ea6c926a7b8fa76f3bf69dee9abd48f7a6d3653e1d4d447338d4025587fa0 CVE-2018-20551.patch +5fe4c3604f9d943a5162182c402f8e96262b94ee38702dba1d893e311434d56eb9965b58f7dce4718a399ab190f9e34d38a1bb970283d5847dbfe30d5f04a426 CVE-2018-20662.patch +599a6742cf762906cc8f0eeb8b516798214095222ff630b27470b5fbb1abca99cfe9f8196f9e55ee9cf5df1a871859f6e13ece7247573248b88d5e65946aeef4 CVE-2019-7310.patch +2487ada6cfdd4a9dceaf0b741044b7cc2a2605fed5ed99a90192e2c0c0ee6a2a9b30264821ffab39e03a85d7d47bd91066e759e16c44d4e21c89025f1b98f98f CVE-2019-9200.patch 
+e16a8971ea30debf9efc8abf81a0a43c7ceaa403dbb423c4f45cbb00237acf0e4ee13fb9117f258f245c204fadc32d51fa0c73259cea2913d9d2afac2cc8ad8f CVE-2019-9631.patch
+47f50e99d902b1ab80e004def6b99f7e2cd01e96d6a3081aef8cc3f473ed057adbcb69b905e89e5ece080d43ea465c92c2890cf6cc88e29465a0fcf7dd89cd36 CVE-2019-10873.patch
+b034f8559fce065d671e1c9c8d8d0b12fbf70f423fd8dbb0018ae12520c6b27be67f4a16a02a183c2b8c09505305b0979f9a6326c33171e19d45c4d3e53b0487 bug924029-goostring-null-pointers.patch
+1aa9791c9c559b78b1dc33d6e72c941d4d8a461a90eb92f8674f13881d19aa38e20fbc9104baf9ddb21b9ec6bd4b8c3bda3a01ce6f34a932229e6327bedf1910 CVE-2019-10872.patch
+5494d9056dd672b6379d82f41f0e895037631da781685f067316ffc3ae789589a83580553d0dd2e4ed29fd1fd1d4a779e87a96a914fc7a043e60e4a145b73258 CVE-2019-12293.patch"
diff --git a/main/poppler/CVE-2018-16646-1.patch
new file mode 100644
index 0000000000..fb2ac27488
--- /dev/null
+++ b/main/poppler/CVE-2018-16646-1.patch
@@ -0,0 +1,61 @@ +From 3d35d209c19c1d3b09b794a0c863ba5de44a9c0a Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mkasik@redhat.com> +Date: Mon, 29 Oct 2018 17:44:47 +0100 +Subject: [PATCH] Avoid cycles in PDF parsing + +Mark objects being processed in Parser::makeStream() as being processed +and check the mark when entering this method to avoid processing +of the same object recursively. +--- + poppler/Parser.cc | 15 +++++++++++++++ + poppler/XRef.h | 1 + + 2 files changed, 16 insertions(+) + +diff --git a/poppler/Parser.cc b/poppler/Parser.cc +index bd4845ab..8f48efbe 100644 +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -197,6 +197,18 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + Stream *str; + Goffset length; + Goffset pos, endPos; ++ XRefEntry *entry; ++ ++ if (xref && (entry = xref->getEntry(objNum, false))) { ++ if (!entry->getFlag(XRefEntry::Parsing) || ++ (objNum == 0 && objGen == 0)) { ++ entry->setFlag(XRefEntry::Parsing, true); ++ } else { ++ error(errSyntaxError, getPos(), ++ "Object '{0:d} {1:d} obj' is being already parsed", objNum, objGen); ++ return nullptr; ++ } ++ } + + // get stream start position + lexer->skipToNextLine(); +@@ -278,6 +290,9 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + // get filters + str = str->addFilters(str->getDict(), recursion); + ++ if (entry) ++ entry->setFlag(XRefEntry::Parsing, false); ++ + return str; + } + +diff --git a/poppler/XRef.h b/poppler/XRef.h +index 11ee5e03..2eb2f9fd 100644 +--- a/poppler/XRef.h ++++ b/poppler/XRef.h +@@ -65,6 +65,7 @@ struct XRefEntry { + enum Flag { + // Regular flags + Updated, // Entry was modified ++ Parsing, // Entry is currently being parsed + + // Special flags -- available only after xref->scanSpecialFlags() is run + Unencrypted, // Entry is stored in unencrypted form (meaningless in unencrypted documents) +-- +2.18.1 + 
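Review bot: `entry->setFlag(XRefEntry::Parsing, false)` is reached only on the success path just before `return str;`, so any early return in the roughly eighty lines of makeStream that fall between the two hunks (not shown here) would leave the entry flagged and every later makeStream for that object would be refused with "is being already parsed" — a parse denial for the remainder of the document rather than the crash the patch fixes. If such returns exist, clear the flag on each of them, or hold the flag in a small RAII guard created right after the check so every exit path resets it. The `(objNum == 0 && objGen == 0)` exemption also skips the cycle check entirely for object 0; presumably that covers streams parsed without an xref object, and a comment such as `// objNum 0 is used for streams not backed by an xref object: no cycle tracking possible` would spare the next reader the guess. makeStream's body continues outside both hunks.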
diff --git a/main/poppler/CVE-2018-16646-2.patch b/main/poppler/CVE-2018-16646-2.patch new file mode 100644 index 0000000000..3514b30c2b --- /dev/null +++ b/main/poppler/CVE-2018-16646-2.patch @@ -0,0 +1,25 @@ +From 89fccf45fc5bfca3756102e6bec1950ec1d436a9 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Sat, 3 Nov 2018 01:45:55 +0100 +Subject: [PATCH] initialize entry + +--- + poppler/Parser.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/poppler/Parser.cc b/poppler/Parser.cc +index 733cdbb0..87745414 100644 +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -198,7 +198,7 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + Stream *str; + Goffset length; + Goffset pos, endPos; +- XRefEntry *entry; ++ XRefEntry *entry = nullptr; + + if (xref && (entry = xref->getEntry(objNum, false))) { + if (!entry->getFlag(XRefEntry::Parsing) || +-- +2.18.1 + diff --git a/main/poppler/CVE-2018-16646-3.patch b/main/poppler/CVE-2018-16646-3.patch new file mode 100644 index 0000000000..62d303e2b5 --- /dev/null +++ b/main/poppler/CVE-2018-16646-3.patch @@ -0,0 +1,28 @@ +From 08572e1bdca03baed694dd9828bb2b878865e669 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Sat, 3 Nov 2018 12:21:41 +0100 +Subject: [PATCH] Parser::makeStream: Fix crash on malformed files + +fixes oss-fuzz/11244 +--- + poppler/Parser.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/poppler/Parser.cc b/poppler/Parser.cc +index 87745414..2cf2bd12 100644 +--- a/poppler/Parser.cc ++++ b/poppler/Parser.cc +@@ -230,6 +230,10 @@ Stream *Parser::makeStream(Object &&dict, Guchar *fileKey, + length = 0; + } + ++ // the above dictLookup can cause a xref reconstruction if the file is damaged ++ // so we need to update the entry pointer ++ entry = xref ? xref->getEntry(objNum, false) : nullptr; ++ + // check for length in damaged file + if (xref && xref->getStreamEnd(pos, &endPos)) { + length = endPos - pos; +-- +2.18.1 + 
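Review bot: The refresh `entry = xref ? xref->getEntry(objNum, false) : nullptr;` only repairs the pointer after the Length lookup, but `str->addFilters(str->getDict(), recursion)` near the end of makeStream also resolves dictionary objects; if that can trigger the same xref reconstruction, `entry` is stale again at the final `setFlag(XRefEntry::Parsing, false)` and the clear writes into freed or unrelated memory. Moving the refresh to just before the final clear (or re-fetching in both places) would cover that; whether addFilters can reconstruct is not visible from this hunk. Note also that after a reconstruction the freshly built entries no longer carry the Parsing flag, so the cycle protection restarts from zero for that object — acceptable, but worth a comment on the refresh line, e.g. `// reconstruction replaces the entry table; flags set on the old entry are gone`.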
diff --git a/main/poppler/CVE-2018-20481.patch b/main/poppler/CVE-2018-20481.patch new file mode 100644 index 0000000000..4402e964ad --- /dev/null +++ b/main/poppler/CVE-2018-20481.patch @@ -0,0 +1,63 @@ +From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001 +From: Adam Reichold <adam.reichold@t-online.de> +Date: Mon, 24 Dec 2018 15:40:38 +0100 +Subject: [PATCH] Do not try to parse into unallocated XRef entry and return + pointer to dummy entry instead. Closes #692 and oss-fuzz/12330 + +--- + poppler/XRef.cc | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/poppler/XRef.cc b/poppler/XRef.cc +index 0ec66944..d042d1f4 100644 +--- a/poppler/XRef.cc ++++ b/poppler/XRef.cc +@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum) + } + } + ++namespace { ++ ++struct DummyXRefEntry : XRefEntry { ++ DummyXRefEntry() { ++ offset = 0; ++ gen = -1; ++ type = xrefEntryNone; ++ flags = 0; ++ } ++}; ++ ++DummyXRefEntry dummyXRefEntry; ++ ++} ++ + XRefEntry *XRef::getEntry(int i, bool complainIfMissing) + { + if (i >= size || entries[i].type == xrefEntryNone) { + + if ((!xRefStream) && mainXRefEntriesOffset) { ++ if (unlikely(i >= capacity)) { ++ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i); ++ return &dummyXRefEntry; ++ } ++ + if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) { + error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i); + } +@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing) + // We might have reconstructed the xref + // Check again i is in bounds + if (unlikely(i >= size)) { +- static XRefEntry dummy; +- dummy.offset = 0; +- dummy.gen = -1; +- dummy.type = xrefEntryNone; +- dummy.flags = 0; +- return &dummy; ++ return &dummyXRefEntry; + } + + if (entries[i].type == xrefEntryNone) { +-- +2.18.1 + 
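Review bot: `return &dummyXRefEntry;` hands callers a pointer to one process-wide mutable XRefEntry, and CVE-2018-16646-1.patch in this same series calls `entry->setFlag(XRefEntry::Parsing, true)` on whatever getEntry returns, so a flag set on the dummy survives the object, the document, and is shared between threads rendering unrelated documents. The previous function-local `static XRefEntry dummy` had the same property, but the commit makes it a named global and adds a second path (the new capacity check) that returns it. Either let callers recognise it — `if (entry == &dummyXRefEntry) entry = nullptr;` after the lookup in makeStream — or have getEntry hand out a freshly reset entry rather than shared mutable state. A comment on the declaration, `// shared sentinel: callers must never write to it`, would at least state the contract.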
diff --git a/main/poppler/CVE-2018-20551.patch b/main/poppler/CVE-2018-20551.patch new file mode 100644 index 0000000000..9a391ca0dd --- /dev/null +++ b/main/poppler/CVE-2018-20551.patch @@ -0,0 +1,51 @@ +From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001 +From: Adam Reichold <adam.reichold@t-online.de> +Date: Thu, 27 Dec 2018 11:54:53 +0100 +Subject: [PATCH] Do not try to construct invalid rich media annotation assets. + Closes #703 + +--- + poppler/Annot.cc | 24 +++++++++++++----------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +diff --git a/poppler/Annot.cc b/poppler/Annot.cc +index 2e4770ab..1750dc70 100644 +--- a/poppler/Annot.cc ++++ b/poppler/Annot.cc +@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) { + if (obj1.isDict()) { + Object obj2 = obj1.getDict()->lookup("Names"); + if (obj2.isArray()) { +- nAssets = obj2.arrayGetLength() / 2; ++ const int length = obj2.arrayGetLength() / 2; + +- assets = (Asset **)gmallocn(nAssets, sizeof(Asset *)); ++ assets = (Asset **)gmallocn(length, sizeof(Asset *)); ++ for (int i = 0; i < length; ++i) { ++ Object objKey = obj2.arrayGet(2 * i); ++ Object objVal = obj2.arrayGet(2 * i + 1); + +- int counter = 0; +- for (int i = 0; i < nAssets; ++i) { +- assets[counter] = new AnnotRichMedia::Asset; +- +- Object objKey = obj2.arrayGet(i * 2); +- assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1); +- +- assets[counter]->name = std::make_unique<GooString>( objKey.getString() ); +- ++counter; ++ if (!objKey.isString() || objVal.isNull()) { ++ error(errSyntaxError, -1, "Bad Annot Asset"); ++ continue; ++ } + ++ assets[nAssets] = new AnnotRichMedia::Asset; ++ assets[nAssets]->name = std::make_unique<GooString>( objKey.getString() ); ++ assets[nAssets]->fileSpec = std::move(objVal); ++ ++nAssets; + } + } + } +-- +2.18.1 + diff --git a/main/poppler/CVE-2018-20662.patch b/main/poppler/CVE-2018-20662.patch new file mode 100644 index 0000000000..557bda34af --- /dev/null 
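Review bot: `++nAssets` now counts only the entries that pass validation, but nothing in the hunk sets nAssets to 0 before the loop, and the removed code assigned it from the array length before allocating; the constructor's opening lines are outside the hunk, so confirm it is zeroed there. The array is still sized for `length` entries, so skipped pairs leave `assets[nAssets..length)` uninitialised — harmless as long as the destructor and the asset accessors walk only `nAssets`, which are also not visible here. A comment on the allocation, `// sized for the worst case; only the first nAssets slots are valid`, would document that invariant for whoever next touches the destructor.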
+++ b/main/poppler/CVE-2018-20662.patch @@ -0,0 +1,46 @@ +From 7b4e372deeb716eb3fe3a54b31ed41af759224f9 Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mkasik@redhat.com> +Date: Mon, 4 Mar 2019 12:55:12 +0100 +Subject: [PATCH] pdfunite: Check XRef's Catalog for being a Dict + +Check whether Catalog from XRef is Dict for each document +passed to pdfunite and return error if not. + +https://gitlab.freedesktop.org/poppler/poppler/issues/706 +--- + utils/pdfunite.cc | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc +index b0142116..23888684 100644 +--- a/utils/pdfunite.cc ++++ b/utils/pdfunite.cc +@@ -165,7 +165,8 @@ int main (int argc, char *argv[]) + for (i = 1; i < argc - 1; i++) { + GooString *gfileName = new GooString(argv[i]); + PDFDoc *doc = new PDFDoc(gfileName, nullptr, nullptr, nullptr); +- if (doc->isOk() && !doc->isEncrypted()) { ++ if (doc->isOk() && !doc->isEncrypted() && ++ doc->getXRef()->getCatalog().isDict()) { + docs.push_back(doc); + if (doc->getPDFMajorVersion() > majorVersion) { + majorVersion = doc->getPDFMajorVersion(); +@@ -176,8 +177,13 @@ int main (int argc, char *argv[]) + } + } + } else if (doc->isOk()) { +- error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]); +- return -1; ++ if (doc->isEncrypted()) { ++ error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]); ++ return -1; ++ } else if (!doc->getXRef()->getCatalog().isDict()) { ++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]); ++ return -1; ++ } + } else { + error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]); + return -1; +-- +2.18.1 + diff --git a/main/poppler/CVE-2019-10872.patch b/main/poppler/CVE-2019-10872.patch new file mode 100644 index 0000000000..8032d7dd9a --- /dev/null +++ b/main/poppler/CVE-2019-10872.patch 
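Review bot: `doc->getXRef()->getCatalog().isDict()` is evaluated once in the `if` and again in the new `else if`, and both new error paths `return -1` without deleting `doc` or the documents already pushed into `docs`, continuing the pre-existing leak of the encrypted-file branch. Computing the predicate once, `const bool catalogIsDict = doc->getXRef()->getCatalog().isDict();`, before the `if (doc->isOk() && ...)` keeps the two branches from drifting apart and avoids a second catalog fetch on damaged files. Whether getCatalog() on a damaged xref is cheap or re-parses is not visible in this hunk.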
@@ -0,0 +1,136 @@ +From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mkasik@redhat.com> +Date: Mon, 13 May 2019 15:08:38 +0200 +Subject: [PATCH] Splash: Restrict filling of overlapping boxes + +Check whether area to fill in Splash::blitTransparent() +does not run out of allocated memory for source and for destination +and shrink it if needed. + +Fixes #750 +--- + splash/Splash.cc | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- poppler-0.71.0.orig/splash/Splash.cc ++++ poppler-0.71.0/splash/Splash.cc +@@ -5856,7 +5856,7 @@ SplashError Splash::blitTransparent(Spla + int xDest, int yDest, int w, int h) { + SplashColorPtr p, sp; + Guchar *q; +- int x, y, mask, srcMask; ++ int x, y, mask, srcMask, width = w, height = h; + + if (src->mode != bitmap->mode) { + return splashErrModeMismatch; +@@ -5866,14 +5866,32 @@ SplashError Splash::blitTransparent(Spla + return splashErrZeroImage; + } + ++ if (src->getWidth() - xSrc < width) ++ width = src->getWidth() - xSrc; ++ ++ if (src->getHeight() - ySrc < height) ++ height = src->getHeight() - ySrc; ++ ++ if (bitmap->getWidth() - xDest < width) ++ width = bitmap->getWidth() - xDest; ++ ++ if (bitmap->getHeight() - yDest < height) ++ height = bitmap->getHeight() - yDest; ++ ++ if (width < 0) ++ width = 0; ++ ++ if (height < 0) ++ height = 0; ++ + switch (bitmap->mode) { + case splashModeMono1: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)]; + mask = 0x80 >> (xDest & 7); + sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)]; + srcMask = 0x80 >> (xSrc & 7); +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + if (*sp & srcMask) { + *p |= mask; + } else { +@@ -5891,20 +5909,20 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeMono8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = 
&bitmap->data[(yDest + y) * bitmap->rowSize + xDest]; + sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + } + } + break; + case splashModeRGB8: + case splashModeBGR8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5912,10 +5930,10 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeXBGR8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5926,10 +5944,10 @@ SplashError Splash::blitTransparent(Spla + break; + #ifdef SPLASH_CMYK + case splashModeCMYK8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5938,10 +5956,10 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeDeviceN8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + for (int cp=0; cp < SPOT_NCOMPS+4; cp++) + *p++ = *sp++; + } +@@ -5951,9 +5969,9 @@ SplashError Splash::blitTransparent(Spla + } + + if (bitmap->alpha) { +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + q = &bitmap->alpha[(yDest + y) * 
bitmap->width + xDest]; +- memset(q, 0x00, w); ++ memset(q, 0x00, width); + } + } + diff --git a/main/poppler/CVE-2019-10873.patch b/main/poppler/CVE-2019-10873.patch new file mode 100644 index 0000000000..a4a80ae97d --- /dev/null +++ b/main/poppler/CVE-2019-10873.patch @@ -0,0 +1,31 @@ +From 8dbe2e6c480405dab9347075cf4be626f90f1d05 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Wed, 3 Apr 2019 18:02:42 +0200 +Subject: [PATCH] SplashXPathScanner::clipAALine: Fix crash on broken file + +Make sure the index of allIntersections we access is valid + +Fixes #748 +--- + splash/SplashXPathScanner.cc | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/splash/SplashXPathScanner.cc b/splash/SplashXPathScanner.cc +index 8362a6a5..23b4f7c4 100644 +--- a/splash/SplashXPathScanner.cc ++++ b/splash/SplashXPathScanner.cc +@@ -452,7 +452,10 @@ void SplashXPathScanner::clipAALine(SplashBitmap *aaBuf, + for (yy = 0; yy < splashAASize; ++yy) { + xx = *x0 * splashAASize; + if (yy >= yyMin && yy <= yyMax) { +- const auto& line = allIntersections[splashAASize * y + yy - yMin]; ++ const int intersectionIndex = splashAASize * y + yy - yMin; ++ if (unlikely(intersectionIndex < 0 || (unsigned)intersectionIndex >= allIntersections.size())) ++ break; ++ const auto& line = allIntersections[intersectionIndex]; + interIdx = 0; + interCount = 0; + while (interIdx < line.size() && xx < (*x1 + 1) * splashAASize) { +-- +2.18.1 + diff --git a/main/poppler/CVE-2019-12293.patch b/main/poppler/CVE-2019-12293.patch new file mode 100644 index 0000000000..2ad86a8355 --- /dev/null +++ b/main/poppler/CVE-2019-12293.patch 
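Review bot: The new clamp bounds `width`/`height` against `src->getWidth()`/`getHeight()`, but the splashModeMono8 case still strides the source by the destination's row size — `sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];`, an unchanged context line in this hunk — so when the two bitmaps differ in row size the clamped `height` does not keep `sp` inside `src->data` and the over-read this patch targets survives in that mode; it should read `src->rowSize` like every other case. Negative `xSrc`/`ySrc`/`xDest`/`yDest` are also not rejected: `src->getWidth() - xSrc` then enlarges the limit instead of shrinking it and the row offsets land before the buffers. Whether callers can pass negative coordinates is not visible here, so an early `if (xSrc < 0 || ySrc < 0 || xDest < 0 || yDest < 0) return splashErrBadArg;` (assuming the usual Splash bad-argument code) is worth confirming. The function's opening lines and its callers are outside the hunk.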
@@ -0,0 +1,41 @@ +From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Thu, 23 May 2019 00:54:29 +0200 +Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have + the same WxH + +I think this is just a mistake, or at least the only file we have with +this scenario is a fuzzed one +--- + poppler/JPEG2000Stream.cc | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc +index 15bbcae4..0eea3a2d 100644 +--- a/poppler/JPEG2000Stream.cc ++++ b/poppler/JPEG2000Stream.cc +@@ -4,7 +4,7 @@ + // + // A JPX stream decoder using OpenJPEG + // +-// Copyright 2008-2010, 2012, 2017, 2018 Albert Astals Cid <aacid@kde.org> ++// Copyright 2008-2010, 2012, 2017-2019 Albert Astals Cid <aacid@kde.org> + // Copyright 2011 Daniel Glöckner <daniel-gl@gmx.net> + // Copyright 2014, 2016 Thomas Freitag <Thomas.Freitag@alfa.de> + // Copyright 2013, 2014 Adrian Johnson <ajohnson@redneon.com> +@@ -253,6 +253,12 @@ void JPXStream::init() + close(); + break; + } ++ const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h; ++ if (componentPixels != priv->npixels) { ++ error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component); ++ close(); ++ break; ++ } + unsigned char *cdata = (unsigned char *)priv->image->comps[component].data; + int adjust = 0; + int depth = priv->image->comps[component].prec; +-- +2.21.0 + diff --git a/main/poppler/CVE-2019-7310.patch b/main/poppler/CVE-2019-7310.patch new file mode 100644 index 0000000000..cffd88f225 --- /dev/null +++ b/main/poppler/CVE-2019-7310.patch 
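Review bot: `componentPixels` is the product of the component's `w` and `h` stored in an `int`; with hostile dimensions (the OpenJPEG component fields are 32-bit as far as I recall) the multiplication wraps, so two components with different geometry can still compare equal to `priv->npixels` if that was computed the same way — its computation is outside the hunk. Comparing the dimensions themselves is exact and cheaper: `if (priv->image->comps[component].w != priv->image->comps[0].w || priv->image->comps[component].h != priv->image->comps[0].h)`. The condition is reported as errSyntaxWarning although the stream is closed and decoding abandoned on the spot; errSyntaxError would describe that outcome more honestly.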
@@ -0,0 +1,29 @@ +From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001 +From: Adam Reichold <adam.reichold@t-online.de> +Date: Fri, 1 Feb 2019 08:42:27 +0100 +Subject: [PATCH] Also defend against requests for negative XRef indices. + oss-fuzz/12797 + +--- + poppler/XRef.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/poppler/XRef.cc b/poppler/XRef.cc +index d042d1f4..ac2cd0ce 100644 +--- a/poppler/XRef.cc ++++ b/poppler/XRef.cc +@@ -1565,6 +1565,11 @@ DummyXRefEntry dummyXRefEntry; + + XRefEntry *XRef::getEntry(int i, bool complainIfMissing) + { ++ if (unlikely(i < 0)) { ++ error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i); ++ return &dummyXRefEntry; ++ } ++ + if (i >= size || entries[i].type == xrefEntryNone) { + + if ((!xRefStream) && mainXRefEntriesOffset) { +-- +2.18.1 + diff --git a/main/poppler/CVE-2019-9200.patch b/main/poppler/CVE-2019-9200.patch new file mode 100644 index 0000000000..e3f8da4321 --- /dev/null +++ b/main/poppler/CVE-2019-9200.patch @@ -0,0 +1,24 @@ +From f4136a6353162db249f63ddb0f20611622ab61b4 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Wed, 27 Feb 2019 19:43:22 +0100 +Subject: [PATCH] ImageStream::getLine: fix crash on broken files + +Fixes #728 +--- + poppler/Stream.cc | 3 +++ + 1 file changed, 3 insertions(+) + +diff -aur poppler-0.71.0.orig/poppler/Stream.cc poppler-0.71.0/poppler/Stream.cc +--- poppler-0.71.0.orig/poppler/Stream.cc 2018-10-31 22:13:17.000000000 +0100 ++++ poppler-0.71.0/poppler/Stream.cc 2019-05-10 18:04:55.809263964 +0200 +@@ -476,6 +476,9 @@ + } + + int readChars = str->doGetChars(inputLineSize, inputLine); ++ if (unlikely(readChars == -1)) { ++ readChars = 0; ++ } + for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF; + if (nBits == 1) { + Guchar *p = inputLine; + diff --git a/main/poppler/CVE-2019-9631.patch b/main/poppler/CVE-2019-9631.patch new file mode 100644 index 0000000000..30111603c9 --- /dev/null 
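Review bot: The guard in ImageStream::getLine maps only the exact value -1 to 0; if doGetChars can report any other negative count, the following `for ( ; readChars < inputLineSize; readChars++)` starts at a negative index and writes before inputLine. `if (unlikely(readChars < 0))` costs nothing and closes that case; doGetChars's contract is not visible from this hunk, so confirm -1 is its only failure value. A one-line comment, `// doGetChars returns -1 on error: treat it as an empty read and pad the line with EOF`, would explain why a read error is silently turned into a blank row.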
+++ b/main/poppler/CVE-2019-9631.patch 
@@ -0,0 +1,100 @@ +From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001 +From: Marek Kasik <mkasik@redhat.com> +Date: Thu, 21 Mar 2019 13:47:51 +0100 +Subject: [PATCH] cairo: Constrain number of cycles in rescale filter + +Pass address of the first byte after end of the source buffer +to downsample_row_box_filter() so that we can check +that we don't run out of it. + +Fixes issue #736 +--- + poppler/CairoRescaleBox.cc | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc +index d7615010..7fd07041 100644 +--- a/poppler/CairoRescaleBox.cc ++++ b/poppler/CairoRescaleBox.cc +@@ -62,7 +62,7 @@ + + static void downsample_row_box_filter ( + int start, int width, +- uint32_t *src, uint32_t *dest, ++ uint32_t *src, uint32_t *src_limit, uint32_t *dest, + int coverage[], int pixel_coverage) + { + /* we need an array of the pixel contribution of each destination pixel on the boundaries. +@@ -90,13 +90,13 @@ static void downsample_row_box_filter ( + /* skip to start */ + /* XXX: it might be possible to do this directly instead of iteratively, however + * the iterative solution is simple */ +- while (x < start) ++ while (x < start && src < src_limit) + { + int box = 1 << FIXED_SHIFT; + int start_coverage = coverage[x]; + box -= start_coverage; + src++; +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + src++; + box -= pixel_coverage; +@@ -104,7 +104,7 @@ static void downsample_row_box_filter ( + x++; + } + +- while (x < start + width) ++ while (x < start + width && src < src_limit) + { + uint32_t a = 0; + uint32_t r = 0; +@@ -121,7 +121,7 @@ static void downsample_row_box_filter ( + x++; + box -= start_coverage; + +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + a += ((*src >> 24) & 0xff) * pixel_coverage; + r += ((*src >> 16) & 0xff) * pixel_coverage; +@@ -135,7 +135,7 @@ static void 
downsample_row_box_filter ( + /* multiply by whatever is leftover + * this ensures that we don't bias down. + * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */ +- if (box > 0) ++ if (box > 0 && src < src_limit) + { + a += ((*src >> 24) & 0xff) * box; + r += ((*src >> 16) & 0xff) * box; +@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + int start_coverage_y = y_coverage[dest_y]; + + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= start_coverage_y; +@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + while (box >= pixel_coverage_y) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= pixel_coverage_y; +@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + if (box > 0) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + } + +-- +2.18.1 + diff --git a/main/poppler/bug924029-goostring-null-pointers.patch b/main/poppler/bug924029-goostring-null-pointers.patch new file mode 100644 index 0000000000..c39392aba4 --- /dev/null +++ b/main/poppler/bug924029-goostring-null-pointers.patch 
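Review bot: When `src` reaches `src_limit` part-way through `while (x < start + width && src < src_limit)`, the loop exits with the remaining destination pixels up to `start + width` never written, and downScaleImage goes on consuming `temp_buf` for the full row; unless temp_buf is zero-initialised (its allocation is outside the hunk) that copies uninitialised heap into the rendered image — far milder than the over-read, but still a leak of stale memory into output. Zero-filling the rest of `dest` before leaving the loop, or returning a `bool` so downScaleImage can abort the row, would close it. The new parameter could also be `const uint32_t *src_limit` and deserves a comment at the declaration such as `/* src_limit: one past the last readable pixel of this source row */`.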
@@ -0,0 +1,97 @@ +Subject: Make GooString constructible and assignable from null pointers again + since some of the code expects it. +Origin: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d +Bug: https://gitlab.freedesktop.org/poppler/poppler/commit/8f158da92c53ae16a368f844965f57ba8ffed77d +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924029 +Reviewed-by: Jonathan Wiltshire <jmw@debian.org> +Applied-Upstream: yes +Last-Update: 2019-05-25 + +--- poppler-0.71.0.orig/goo/GooString.h ++++ poppler-0.71.0/goo/GooString.h +@@ -60,7 +60,7 @@ + GooString& operator=(const GooString &other) = delete; + + // Create a string from a C string. +- explicit GooString(const char *sA) : std::string(sA) {} ++ explicit GooString(const char *sA) : std::string(sA ? sA : "") {} + + // Zero-cost conversion from and to std::string + explicit GooString(const std::string& str) : std::string(str) {} +@@ -70,18 +70,18 @@ + + // Create a string from <lengthA> chars at <sA>. This string + // can contain null characters. +- GooString(const char *sA, int lengthA) : std::string(sA, lengthA) {} ++ GooString(const char *sA, int lengthA) : std::string(sA ? sA : "", sA ? lengthA : 0) {} + + // Create a string from <lengthA> chars at <idx> in <str>. + GooString(const GooString *str, int idx, int lengthA) : std::string(*str, idx, lengthA) {} + + // Set content of a string to <newStr>. +- GooString* Set(const GooString *newStr) { assign(*newStr); return this; } +- GooString* Set(const char *newStr) { assign(newStr); return this; } +- GooString* Set(const char *newStr, int newLen) { assign(newStr, newLen); return this; } ++ GooString* Set(const GooString *newStr) { assign(newStr ? static_cast<const std::string&>(*newStr) : std::string{}); return this; } ++ GooString* Set(const char *newStr) { assign(newStr ? newStr : ""); return this; } ++ GooString* Set(const char *newStr, int newLen) { assign(newStr ? newStr : "", newStr ? 
newLen : 0); return this; } + + // Copy a string. +- explicit GooString(const GooString *str) : std::string(*str) {} ++ explicit GooString(const GooString *str) : std::string(str ? static_cast<const std::string&>(*str) : std::string{}) {} + GooString *copy() const { return new GooString(this); } + + // Concatenate two strings. +--- poppler-0.71.0.orig/qt5/tests/check_goostring.cpp ++++ poppler-0.71.0/qt5/tests/check_goostring.cpp +@@ -11,6 +11,7 @@ + void testInsertData(); + void testInsert(); + void testFormat(); ++ void testFromNullptr(); + }; + + void TestGooString::testInsertData_data() +@@ -122,6 +123,42 @@ + } + } + ++void TestGooString::testFromNullptr() ++{ ++ { ++ GooString str{static_cast<const GooString*>(nullptr)}; ++ QCOMPARE(str.getLength(), 0); ++ } ++ ++ { ++ GooString str; ++ str.Set(static_cast<const GooString*>(nullptr)); ++ QCOMPARE(str.getLength(), 0); ++ } ++ ++ { ++ GooString str{static_cast<const char*>(nullptr)}; ++ QCOMPARE(str.getLength(), 0); ++ } ++ ++ { ++ GooString str{static_cast<const char*>(nullptr), 0}; ++ QCOMPARE(str.getLength(), 0); ++ } ++ ++ { ++ GooString str; ++ str.Set(static_cast<const char*>(nullptr)); ++ QCOMPARE(str.getLength(), 0); ++ } ++ ++ { ++ GooString str; ++ str.Set(static_cast<const char*>(nullptr), 0); ++ QCOMPARE(str.getLength(), 0); ++ } ++} ++ + QTEST_GUILESS_MAIN(TestGooString) + #include "check_goostring.moc" + diff --git a/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch new file mode 100644 index 0000000000..c59de03677 --- /dev/null +++ b/main/poppler/glib-Don-t-create-PopplerInputStream-with-length-0.patch 
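Review bot: The null-tolerant constructors and `Set()` overloads turn a null pointer into an empty string, so a caller whose earlier lookup failed now continues with an empty name or file spec instead of failing loudly; that is the stated intent ("some of the code expects it"), but it belongs in a class comment, e.g. `// A null C string or GooString* yields an empty string; existing callers rely on this.`, so nobody "fixes" it back into an assertion. The length-taking forms still pass a negative `lengthA`/`newLen` straight to std::string, where it becomes a huge size_t; a `lengthA > 0 ? lengthA : 0` clamp next to the null check costs nothing. The new Qt test exercises only the null cases, not negative lengths.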
@@ -0,0 +1,36 @@
+From: Simon McVittie <smcv@debian.org>
+Date: Thu, 14 Feb 2019 09:43:32 +0000
+Subject: glib: Don't create PopplerInputStream with length 0
+
+Since commit a59f6164, PopplerInputStream requires a nonzero length.
+
+Loosely based on an earlier patch by Kouhei Sutou. This version adds
+support for length == -1, which is documented to work.
+
+Bug: https://gitlab.freedesktop.org/poppler/poppler/issues/414
+Bug-Debian: https://bugs.debian.org/896596
+Forwarded: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/189
+---
+ glib/poppler-document.cc | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc
+index ed37da4c..e04c8b42 100644
+--- a/glib/poppler-document.cc
++++ b/glib/poppler-document.cc
+@@ -309,7 +309,14 @@ poppler_document_new_from_stream (GInputStream *stream,
+ }
+ 
+ if (stream_is_memory_buffer_or_local_file(stream)) {
+- str = new PopplerInputStream(stream, cancellable, 0, false, 0, Object(objNull));
++ if (length == (goffset)-1) {
++ if (!g_seekable_seek(G_SEEKABLE(stream), 0, G_SEEK_END, cancellable, error)) {
++ g_prefix_error(error, "Unable to determine length of stream: ");
++ return nullptr;
++ }
++ length = g_seekable_tell(G_SEEKABLE(stream));
++ }
++ str = new PopplerInputStream(stream, cancellable, 0, false, length, Object(objNull));
+ } else {
+ CachedFile *cachedFile = new CachedFile(new PopplerCachedFileLoader(stream, cancellable, length), new GooString());
+ str = new CachedFileStream(cachedFile, 0, false, cachedFile->getLength(), Object(objNull));
diff --git a/main/poppler/page-ustring.patch b/main/poppler/page-ustring.patch
new file mode 100644
index 0000000000..8b0a1ba58f
--- /dev/null
+++ b/main/poppler/page-ustring.patch
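Review bot: An empty stream still reaches `new PopplerInputStream(stream, cancellable, 0, false, length, Object(objNull))` with `length == 0`, because after the `G_SEEK_END` seek `g_seekable_tell` returns 0 and nothing rejects it, so the patch title's "don't create PopplerInputStream with length 0" is not actually enforced for the `-1` path (nor for a caller that passes 0 explicitly); add `if (length <= 0) { /* set *error with the GError domain/code this file uses for invalid input */ return nullptr; }` immediately before the `new`. The seek also leaves the stream positioned at its end and nothing in the hunk rewinds it, so unless PopplerInputStream seeks to its own start offset before the first read (not visible here, worth confirming) the document will read as empty. The `G_SEEKABLE(stream)` cast is only sound if `stream_is_memory_buffer_or_local_file` guarantees a GSeekable implementation; a `G_IS_SEEKABLE(stream)` check before the seek would make that assumption explicit. `poppler_document_new_from_stream` begins and ends outside the hunk.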
@@ -0,0 +1,29 @@
+From a4fad73c86a2eabe004e7cbaa8c9c0ff42146375 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 6 Dec 2018 18:27:04 +0100
+Subject: [PATCH] cpp: Fix page::text_list encoding issue
+
+Text from TextoutputDev always comes in UTF-8
+
+Well it comes in GlobalParams::textEncoding but that is UTF-8 and we
+don't let people change it
+---
+ cpp/poppler-page.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpp/poppler-page.cpp b/cpp/poppler-page.cpp
+index 9d9526cc..c4955471 100644
+--- a/cpp/poppler-page.cpp
++++ b/cpp/poppler-page.cpp
+@@ -365,7 +365,7 @@ std::vector<text_box> page::text_list() const
+ TextWord *word = word_list->get(i);
+ 
+ std::unique_ptr<GooString> gooWord{word->getText()};
+- ustring ustr = detail::unicode_GooString_to_ustring(gooWord.get());
++ ustring ustr = ustring::from_utf8(gooWord->getCString());
+ 
+ double xMin, yMin, xMax, yMax;
+ word->getBBox(&xMin, &yMin, &xMax, &yMax);
+-- 
+2.18.1
+
-- 
2.22.0

--- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---
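Review bot: `ustring::from_utf8(gooWord->getCString())` hands the converter a NUL-terminated view, so a word whose GooString contains an embedded NUL byte (the GooString header elsewhere in this patchset notes such strings "can contain null characters") is silently truncated at the first NUL, whereas the replaced `detail::unicode_GooString_to_ustring(gooWord.get())` received the whole object with its length; if `from_utf8` has a length-taking overload, prefer `ustring::from_utf8(gooWord->getCString(), gooWord->getLength())`. The commit message's claim that the text is always UTF-8 rests on `GlobalParams::textEncoding` being fixed, but the bytes originate from untrusted PDF content, so a test feeding a word with a malformed UTF-8 sequence through `text_list()` would confirm `from_utf8` rejects or replaces it rather than emitting invalid code points. A comment on the changed line, `// TextOutputDev emits GlobalParams::textEncoding, which is always UTF-8 here`, would carry the commit message's justification into the code. The enclosing loop in `page::text_list` begins and ends outside the hunk.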
