authorAndreas Sturmlechner <asturm@gentoo.org>2017-11-24 22:29:00 +0100
committerAndreas Sturmlechner <asturm@gentoo.org>2017-11-25 00:06:22 +0100
commitf3537c5c4ed62c425068d9a3d3f226fe53cbf9ba (patch)
tree7ae78f4dd28237b6de94d70b4ebabda97b994b7e /app-text
parentapp-text/poppler: Fix CVE-2017-1792{6,7,8,9}, CVE-2017-15565 (diff)
app-text/poppler: Fix CVE-2017-145{18,19,20}
Bug: https://bugs.gentoo.org/631292 Package-Manager: Portage-2.3.16, Repoman-2.3.6
Diffstat (limited to 'app-text')
-rw-r--r--app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch27
-rw-r--r--app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch100
-rw-r--r--app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch24
-rw-r--r--app-text/poppler/poppler-0.57.0-r1.ebuild3
4 files changed, 154 insertions, 0 deletions
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch
new file mode 100644
index 000000000000..9e8f4bfe6246
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch
@@ -0,0 +1,27 @@
+From 6ba3bba6447897260bf4117e191e09d89d91ff62 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 13 Sep 2017 23:09:45 +0200
+Subject: [PATCH 2/4] isImageInterpolationRequired: Fix divide by 0 on broken
+ documents
+
+Bug #102688
+---
+ splash/Splash.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 46b8ce29..39fc7d64 100644
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -4134,7 +4134,7 @@ SplashError Splash::arbitraryTransformImage(SplashImageSource src, SplashICCTran
+ static GBool isImageInterpolationRequired(int srcWidth, int srcHeight,
+ int scaledWidth, int scaledHeight,
+ GBool interpolate) {
+- if (interpolate)
++ if (interpolate || srcWidth == 0 || srcHeight == 0)
+ return gTrue;
+
+ /* When scale factor is >= 400% we don't interpolate. See bugs #25268, #9860 */
+--
+2.14.1
+
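Review bot: The added guard in `isImageInterpolationRequired` tests `srcWidth == 0 || srcHeight == 0`, so a negative dimension from a malformed document still reaches the scale-factor arithmetic below the hunk. Both parameters are signed `int`, and the scaleImage patch in this same commit treats anything below 1 as invalid, so `if (interpolate || srcWidth <= 0 || srcHeight <= 0)` would keep the two checks consistent. Whether callers can actually pass a negative value is not visible here, and the function body continues outside the hunk. A one-line comment such as `/* zero-sized source: skip the ratio computation below */` would also explain why gTrue is returned.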
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch
new file mode 100644
index 000000000000..bd84e96fba3b
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch
@@ -0,0 +1,100 @@
+From 778180c0c09002f6adfc272eba6b0d0e4401c4cc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 13 Sep 2017 23:01:03 +0200
+Subject: [PATCH 3/4] Gfx::doShowText: Fix infinite recursion on broken files
+
+Bug #102701
+---
+ poppler/Gfx.cc | 25 +++++++++++++++++++++++--
+ poppler/Gfx.h | 1 +
+ poppler/GfxFont.cc | 9 +++++++++
+ poppler/GfxFont.h | 1 +
+ 4 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
+index 37220280..9feac54c 100644
+--- a/poppler/Gfx.cc
++++ b/poppler/Gfx.cc
+@@ -4031,12 +4031,33 @@ void Gfx::doShowText(GooString *s) {
+ state->transformDelta(dx, dy, &ddx, &ddy);
+ if (!out->beginType3Char(state, curX + riseX, curY + riseY, ddx, ddy,
+ code, u, uLen)) {
+- ((Gfx8BitFont *)font)->getCharProc(code, &charProc);
++ ((Gfx8BitFont *)font)->getCharProcNF(code, &charProc);
++ int refNum = -1;
++ if (charProc.isRef()) {
++ refNum = charProc.getRef().num;
++ charProc.fetch(((Gfx8BitFont *)font)->getCharProcs()->getXRef(), &charProc);
++ }
+ if ((resDict = ((Gfx8BitFont *)font)->getResources())) {
+ pushResources(resDict);
+ }
+ if (charProc.isStream()) {
+- display(&charProc, gFalse);
++ std::set<int>::iterator charProcDrawingIt;
++ bool displayCharProc = true;
++ if (refNum != -1) {
++ if (charProcDrawing.find(refNum) == charProcDrawing.end()) {
++ charProcDrawingIt = charProcDrawing.insert(refNum).first;
++ } else {
++ displayCharProc = false;
++ error(errSyntaxError, -1, "CharProc wants to draw a CharProc that is already beign drawn");
++ }
++ }
++ if (displayCharProc) {
++ display(&charProc, gFalse);
++
++ if (refNum != -1) {
++ charProcDrawing.erase(charProcDrawingIt);
++ }
++ }
+ } else {
+ error(errSyntaxError, getPos(), "Missing or bad Type3 CharProc entry");
+ }
+diff --git a/poppler/Gfx.h b/poppler/Gfx.h
+index a82f9f4a..44adaed5 100644
+--- a/poppler/Gfx.h
++++ b/poppler/Gfx.h
+@@ -228,6 +228,7 @@ private:
+ Parser *parser; // parser for page content stream(s)
+
+ std::set<int> formsDrawing; // the forms that are being drawn
++ std::set<int> charProcDrawing; // the charProc that are being drawn
+
+ GBool // callback to check for an abort
+ (*abortCheckCbk)(void *data);
+diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc
+index b59ec06c..bb87c5a0 100644
+--- a/poppler/GfxFont.cc
++++ b/poppler/GfxFont.cc
+@@ -1818,6 +1818,15 @@ Object *Gfx8BitFont::getCharProc(int code, Object *proc) {
+ return proc;
+ }
+
++Object *Gfx8BitFont::getCharProcNF(int code, Object *proc) {
++ if (enc[code] && charProcs.isDict()) {
++ charProcs.dictLookupNF(enc[code], proc);
++ } else {
++ proc->initNull();
++ }
++ return proc;
++}
++
+ Dict *Gfx8BitFont::getResources() {
+ return resources.isDict() ? resources.getDict() : (Dict *)NULL;
+ }
+diff --git a/poppler/GfxFont.h b/poppler/GfxFont.h
+index de7a7464..89a0ca0d 100644
+--- a/poppler/GfxFont.h
++++ b/poppler/GfxFont.h
+@@ -353,6 +353,7 @@ public:
+
+ // Return the Type 3 CharProc for the character associated with <code>.
+ Object *getCharProc(int code, Object *proc);
++ Object *getCharProcNF(int code, Object *proc);
+
+ // Return the Type 3 Resources dictionary, or NULL if none.
+ Dict *getResources();
+--
+2.14.1
+
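Review bot: The new error call in `Gfx::doShowText` misspells its message ("beign") and passes `-1` as the position, while the sibling branch a few lines below reports `getPos()`, so a malformed file that trips the recursion guard is logged without an offset. Suggested line: `error(errSyntaxError, getPos(), "CharProc wants to draw a CharProc that is already being drawn");`. The guard keys on `charProc.getRef().num` only, which is worth a short comment next to `refNum`. In GfxFont.h, `getCharProcNF` is declared under the comment written for `getCharProc`; a line such as `// Same as getCharProc, but returns the entry without resolving an indirect reference.` would document the difference. doShowText starts and ends outside the hunk.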
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch
new file mode 100644
index 000000000000..f71ff53f61ac
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch
@@ -0,0 +1,24 @@
+From 504b3590182175390f474657a372e78fb1508262 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Thu, 14 Sep 2017 19:14:23 +0200
+Subject: Splash::scaleImage: Do not try to scale if srcHeight or srcWidth are
+ < 1
+
+Bug #102719
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 39fc7d6..aba7814 100644
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -4152,7 +4152,7 @@ SplashBitmap *Splash::scaleImage(SplashImageSource src, void *srcData,
+ SplashBitmap *dest;
+
+ dest = new SplashBitmap(scaledWidth, scaledHeight, 1, srcMode, srcAlpha, gTrue, bitmap->getSeparationList());
+- if (dest->getDataPtr() != NULL) {
++ if (dest->getDataPtr() != NULL && srcHeight > 0 && srcWidth > 0) {
+ if (scaledHeight < srcHeight) {
+ if (scaledWidth < srcWidth) {
+ scaleImageYdXd(src, srcData, srcMode, nComps, srcAlpha,
+--
+cgit v0.10.2
+
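Review bot: The dimension check in `Splash::scaleImage` is evaluated only after `new SplashBitmap(scaledWidth, scaledHeight, ...)` has run, so a document with `srcHeight` or `srcWidth` below 1 still triggers the allocation before being rejected. The failing branch of this `if` is outside the hunk, so it is not visible whether `dest` is released or what is returned. If that branch already deletes `dest` and returns NULL, testing the source size first gives the same result without the allocation: `if (srcHeight < 1 || srcWidth < 1) return NULL;` placed before the `dest = new ...` line. Callers would need to tolerate NULL, which they presumably already do for the `getDataPtr() == NULL` case; confirm before changing.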
diff --git a/app-text/poppler/poppler-0.57.0-r1.ebuild b/app-text/poppler/poppler-0.57.0-r1.ebuild
index fe3bf2027de9..a19b815e5955 100644
--- a/app-text/poppler/poppler-0.57.0-r1.ebuild
+++ b/app-text/poppler/poppler-0.57.0-r1.ebuild
@@ -67,6 +67,9 @@ PATCHES=(
"${FILESDIR}/${PN}-0.40-FindQt4.patch"
# Fedora backports from upstream
"${FILESDIR}/${P}-CVE-2017-14517.patch"
+ "${FILESDIR}/${P}-CVE-2017-14518.patch"
+ "${FILESDIR}/${P}-CVE-2017-14519.patch"
+ "${FILESDIR}/${P}-CVE-2017-14520.patch"
"${FILESDIR}/${P}-CVE-2017-14926.patch"
"${FILESDIR}/${P}-CVE-2017-14927.patch"
"${FILESDIR}/${P}-CVE-2017-14928.patch"