From f3537c5c4ed62c425068d9a3d3f226fe53cbf9ba Mon Sep 17 00:00:00 2001
From: Andreas Sturmlechner
Date: Fri, 24 Nov 2017 22:29:00 +0100
Subject: app-text/poppler: Fix CVE-2017-145{18,19,20}
Bug: https://bugs.gentoo.org/631292
Package-Manager: Portage-2.3.16, Repoman-2.3.6
---
 .../files/poppler-0.57.0-CVE-2017-14518.patch | 27 ++++++
 .../files/poppler-0.57.0-CVE-2017-14519.patch | 100 +++++++++++++++++++++
 .../files/poppler-0.57.0-CVE-2017-14520.patch | 24 +++++
 app-text/poppler/poppler-0.57.0-r1.ebuild | 3 +
 4 files changed, 154 insertions(+)
 create mode 100644 app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch
 create mode 100644 app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch
 create mode 100644 app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch
(limited to 'app-text')
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch
new file mode 100644
index 000000000000..9e8f4bfe6246
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14518.patch
@@ -0,0 +1,27 @@
+From 6ba3bba6447897260bf4117e191e09d89d91ff62 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 13 Sep 2017 23:09:45 +0200
+Subject: [PATCH 2/4] isImageInterpolationRequired: Fix divide by 0 on broken
+ documents
+
+Bug #102688
+---
+ splash/Splash.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 46b8ce29..39fc7d64 100644
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -4134,7 +4134,7 @@ SplashError Splash::arbitraryTransformImage(SplashImageSource src, SplashICCTran
+ static GBool isImageInterpolationRequired(int srcWidth, int srcHeight,
+ int scaledWidth, int scaledHeight,
+ GBool interpolate) {
+- if (interpolate)
++ if (interpolate || srcWidth == 0 || srcHeight == 0)
+ return gTrue;
+
+ /* When scale factor is >= 400% we don't interpolate. See bugs #25268, #9860 */
+--
+2.14.1
+
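Review bot: The new guard in isImageInterpolationRequired only catches srcWidth/srcHeight exactly equal to 0, whereas the CVE-2017-14520 backport added by this same commit treats anything below 1 as invalid (`srcHeight > 0 && srcWidth > 0`), so a negative dimension would still fall through to whatever scale-factor arithmetic follows the hunk. For consistency with that sibling patch I would write `if (interpolate || srcWidth <= 0 || srcHeight <= 0)`. Returning gTrue here only sidesteps this one division; the zero-sized image presumably still reaches scaleImage, which is why the 14520 patch is needed as well, so the two should always be shipped together. The remainder of isImageInterpolationRequired's body is outside the hunk.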
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch
new file mode 100644
index 000000000000..bd84e96fba3b
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch
@@ -0,0 +1,100 @@
+From 778180c0c09002f6adfc272eba6b0d0e4401c4cc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 13 Sep 2017 23:01:03 +0200
+Subject: [PATCH 3/4] Gfx::doShowText: Fix infinite recursion on broken files
+
+Bug #102701
+---
+ poppler/Gfx.cc | 25 +++++++++++++++++++++++--
+ poppler/Gfx.h | 1 +
+ poppler/GfxFont.cc | 9 +++++++++
+ poppler/GfxFont.h | 1 +
+ 4 files changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
+index 37220280..9feac54c 100644
+--- a/poppler/Gfx.cc
++++ b/poppler/Gfx.cc
+@@ -4031,12 +4031,33 @@ void Gfx::doShowText(GooString *s) {
+ state->transformDelta(dx, dy, &ddx, &ddy);
+ if (!out->beginType3Char(state, curX + riseX, curY + riseY, ddx, ddy,
+ code, u, uLen)) {
+- ((Gfx8BitFont *)font)->getCharProc(code, &charProc);
++ ((Gfx8BitFont *)font)->getCharProcNF(code, &charProc);
++ int refNum = -1;
++ if (charProc.isRef()) {
++ refNum = charProc.getRef().num;
++ charProc.fetch(((Gfx8BitFont *)font)->getCharProcs()->getXRef(), &charProc);
++ }
+ if ((resDict = ((Gfx8BitFont *)font)->getResources())) {
+ pushResources(resDict);
+ }
+ if (charProc.isStream()) {
+- display(&charProc, gFalse);
++ std::set::iterator charProcDrawingIt;
++ bool displayCharProc = true;
++ if (refNum != -1) {
++ if (charProcDrawing.find(refNum) == charProcDrawing.end()) {
++ charProcDrawingIt = charProcDrawing.insert(refNum).first;
++ } else {
++ displayCharProc = false;
++ error(errSyntaxError, -1, "CharProc wants to draw a CharProc that is already beign drawn");
++ }
++ }
++ if (displayCharProc) {
++ display(&charProc, gFalse);
++
++ if (refNum != -1) {
++ charProcDrawing.erase(charProcDrawingIt);
++ }
++ }
+ } else {
+ error(errSyntaxError, getPos(), "Missing or bad Type3 CharProc entry");
+ }
+diff --git a/poppler/Gfx.h b/poppler/Gfx.h
+index a82f9f4a..44adaed5 100644
+--- a/poppler/Gfx.h
++++ b/poppler/Gfx.h
+@@ -228,6 +228,7 @@ private:
+ Parser *parser; // parser for page content stream(s)
+
+ std::set formsDrawing; // the forms that are being drawn
++ std::set charProcDrawing; // the charProc that are being drawn
+
+ GBool // callback to check for an abort
+ (*abortCheckCbk)(void *data);
+diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc
+index b59ec06c..bb87c5a0 100644
+--- a/poppler/GfxFont.cc
++++ b/poppler/GfxFont.cc
+@@ -1818,6 +1818,15 @@ Object *Gfx8BitFont::getCharProc(int code, Object *proc) {
+ return proc;
+ }
+
++Object *Gfx8BitFont::getCharProcNF(int code, Object *proc) {
++ if (enc[code] && charProcs.isDict()) {
++ charProcs.dictLookupNF(enc[code], proc);
++ } else {
++ proc->initNull();
++ }
++ return proc;
++}
++
+ Dict *Gfx8BitFont::getResources() {
+ return resources.isDict() ? resources.getDict() : (Dict *)NULL;
+ }
+diff --git a/poppler/GfxFont.h b/poppler/GfxFont.h
+index de7a7464..89a0ca0d 100644
+--- a/poppler/GfxFont.h
++++ b/poppler/GfxFont.h
+@@ -353,6 +353,7 @@ public:
+
+ // Return the Type 3 CharProc for the character associated with .
+ Object *getCharProc(int code, Object *proc);
++ Object *getCharProcNF(int code, Object *proc);
+
+ // Return the Type 3 Resources dictionary, or NULL if none.
+ Dict *getResources();
+--
+2.14.1
+
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch
new file mode 100644
index 000000000000..f71ff53f61ac
--- /dev/null
+++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14520.patch
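Review bot: The cycle guard in doShowText keys charProcDrawing on `charProc.getRef().num` alone, dropping the generation number, so two objects that share an object number across xref generations would be conflated and the second glyph silently skipped with the error; that mirrors how the existing formsDrawing set is keyed, so it is probably acceptable, but a comment such as `// keyed by object number only, like formsDrawing` would save the next reader the question. The error string on that branch has a typo and should read `"CharProc wants to draw a CharProc that is already being drawn"`. The guard also only sees re-entry through this Gfx instance; if a CharProc draws content that is rendered via a separately constructed Gfx, that path cannot consult charProcDrawing, which is worth confirming against the form/pattern code before relying on this as the sole recursion limit. doShowText begins and ends outside the hunk.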
@@ -0,0 +1,24 @@
+From 504b3590182175390f474657a372e78fb1508262 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Thu, 14 Sep 2017 19:14:23 +0200
+Subject: Splash::scaleImage: Do not try to scale if srcHeight or srcWidth are
+ < 1
+
+Bug #102719
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 39fc7d6..aba7814 100644
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -4152,7 +4152,7 @@ SplashBitmap *Splash::scaleImage(SplashImageSource src, void *srcData,
+ SplashBitmap *dest;
+
+ dest = new SplashBitmap(scaledWidth, scaledHeight, 1, srcMode, srcAlpha, gTrue, bitmap->getSeparationList());
+- if (dest->getDataPtr() != NULL) {
++ if (dest->getDataPtr() != NULL && srcHeight > 0 && srcWidth > 0) {
+ if (scaledHeight < srcHeight) {
+ if (scaledWidth < srcWidth) {
+ scaleImageYdXd(src, srcData, srcMode, nComps, srcAlpha,
+--
+cgit v0.10.2
+
diff --git a/app-text/poppler/poppler-0.57.0-r1.ebuild b/app-text/poppler/poppler-0.57.0-r1.ebuild
index fe3bf2027de9..a19b815e5955 100644
--- a/app-text/poppler/poppler-0.57.0-r1.ebuild
+++ b/app-text/poppler/poppler-0.57.0-r1.ebuild
@@ -67,6 +67,9 @@ PATCHES=(
 "${FILESDIR}/${PN}-0.40-FindQt4.patch"
 # Fedora backports from upstream
 "${FILESDIR}/${P}-CVE-2017-14517.patch"
+ "${FILESDIR}/${P}-CVE-2017-14518.patch"
+ "${FILESDIR}/${P}-CVE-2017-14519.patch"
+ "${FILESDIR}/${P}-CVE-2017-14520.patch"
 "${FILESDIR}/${P}-CVE-2017-14926.patch"
 "${FILESDIR}/${P}-CVE-2017-14927.patch"
 "${FILESDIR}/${P}-CVE-2017-14928.patch"
--
cgit v1.2.3-65-gdbad
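Review bot: When the widened condition in scaleImage rejects a non-positive srcHeight or srcWidth, `dest` has already been allocated at scaledWidth x scaledHeight and, as far as the hunk shows, nothing then writes into it, so the caller presumably gets back a bitmap whose pixel buffer was never filled; whether that buffer is zeroed depends on the SplashBitmap constructor, which is outside this diff. If the rest of the function returns dest unchanged, I would either clear the buffer in the skipped case or return NULL, whichever scaleImage's callers already cope with for the existing `getDataPtr() == NULL` path. The `> 0` test here is also stricter than the `== 0` test the CVE-2017-14518 patch adds to isImageInterpolationRequired; aligning both on `<= 0` would make the invariant easier to audit. scaleImage's body continues beyond the hunk.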
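Review bot: Three security backports are appended to PATCHES but the file stays `poppler-0.57.0-r1.ebuild`, so systems that already merged -r1 will not be rebuilt with the CVE-2017-14518/14519/14520 fixes unless a revbump to `poppler-0.57.0-r2.ebuild` lands separately; if -r1 has not been stabilized yet that may be deliberate, but the commit message should say so. Listing 14518 before 14520 is the right order, since the 14520 patch's `index 39fc7d6..aba7814` pre-image is the Splash.cc blob that 14518 produces, and a short comment above the three new entries noting that dependency would keep a future reorder from breaking the apply. The PATCHES array continues outside the hunk.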