aboutsummaryrefslogblamecommitdiffstats
path: root/main/poppler/CVE-2013-1790.patch
blob: f1fd1bc0b62456932aad59dd214c749c0f917f6a (plain) (tree)

























































































































































































































































                                                                                                                 
Description: fix uninitialized memory read
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=931051fe0bb445545355027d999515bc3d4b32ef
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=50c0b294d08114920a5db711876e20d991f474a6
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=31874f2e065b0d68f726ef404de98f42489c80c7
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e8822c0f3a46195ec7c6e55c556dd0c5716be742
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=2017dbebd9afd4f172242ff8462fce739d911e64
Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=b1026b5978c385328f2a15a2185c599a563edf91
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071

Index: poppler-0.16.7/poppler/Stream.cc
===================================================================
--- poppler-0.16.7.orig/poppler/Stream.cc	2013-03-27 10:18:27.904260440 -0400
+++ poppler-0.16.7/poppler/Stream.cc	2013-03-28 08:18:51.403504905 -0400
@@ -423,7 +423,7 @@
     // force a call to gmallocn(-1,...), which will throw an exception
     imgLineSize = -1;
   }
-  imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+  imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar));
   imgIdx = nVals;
 }
 
@@ -1591,11 +1591,12 @@
 
     // 2-D encoding
     if (nextLine2D) {
-      for (i = 0; codingLine[i] < columns; ++i) {
+      for (i = 0; i < columns && codingLine[i] < columns; ++i) {
 	refLine[i] = codingLine[i];
       }
-      refLine[i++] = columns;
-      refLine[i] = columns;
+      for (; i < columns + 2; ++i) {
+	refLine[i] = columns;
+      }
       codingLine[0] = 0;
       a0i = 0;
       b1i = 0;
@@ -1607,13 +1608,15 @@
       //   codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
       // exception at right edge:
       //   refLine[b1i] = refLine[b1i+1] = columns is possible
-      while (codingLine[a0i] < columns) {
+      while (codingLine[a0i] < columns && !err) {
 	code1 = getTwoDimCode();
 	switch (code1) {
 	case twoDimPass:
-	  addPixels(refLine[b1i + 1], blackPixels);
-	  if (refLine[b1i + 1] < columns) {
-	    b1i += 2;
+	  if (likely(b1i + 1 < columns + 2)) {
+	    addPixels(refLine[b1i + 1], blackPixels);
+	    if (refLine[b1i + 1] < columns) {
+	      b1i += 2;
+	    }
 	  }
 	  break;
 	case twoDimHoriz:
@@ -1639,49 +1642,109 @@
 	  }
 	  while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	    b1i += 2;
+	    if (unlikely(b1i > columns + 1)) {
+	      error(getPos(),
+		"Bad 2D code %04x in CCITTFax stream", code1);
+	      err = gTrue;
+	      break;
+	    }
 	  }
 	  break;
 	case twoDimVertR3:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixels(refLine[b1i] + 3, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
 	    ++b1i;
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVertR2:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixels(refLine[b1i] + 2, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
 	    ++b1i;
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVertR1:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixels(refLine[b1i] + 1, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
 	    ++b1i;
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVert0:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixels(refLine[b1i], blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
 	    ++b1i;
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVertL3:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixelsNeg(refLine[b1i] - 3, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
@@ -1692,10 +1755,22 @@
 	    }
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVertL2:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixelsNeg(refLine[b1i] - 2, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
@@ -1706,10 +1781,22 @@
 	    }
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+	        error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+	        err = gTrue;
+	        break;
+	      }
 	    }
 	  }
 	  break;
 	case twoDimVertL1:
+	  if (unlikely(b1i > columns + 1)) {
+	    error(getPos(),
+	      "Bad 2D code %04x in CCITTFax stream", code1);
+	    err = gTrue;
+	    break;
+	  }
 	  addPixelsNeg(refLine[b1i] - 1, blackPixels);
 	  blackPixels ^= 1;
 	  if (codingLine[a0i] < columns) {
@@ -1720,6 +1807,12 @@
 	    }
 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
 	      b1i += 2;
+	      if (unlikely(b1i > columns + 1)) {
+		error(getPos(),
+		  "Bad 2D code %04x in CCITTFax stream", code1);
+		err = gTrue;
+		break;
+	      }
 	    }
 	  }
 	  break;
@@ -1870,6 +1963,12 @@
 	outputBits = 0;
 	if (codingLine[a0i] < columns) {
 	  ++a0i;
+	  if (unlikely(a0i > columns)) {
+	    error(getPos(),
+	      "Bad bits %04x in CCITTFax stream", bits);
+	      err = gTrue;
+	      break;
+	  }
 	  outputBits = codingLine[a0i] - codingLine[a0i - 1];
 	} else if (bits > 0) {
 	  buf <<= bits;
@@ -2418,6 +2517,9 @@
       vSub = vert / 8;
       for (y2 = 0; y2 < mcuHeight; y2 += vert) {
 	for (x2 = 0; x2 < mcuWidth; x2 += horiz) {
+	  if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) {
+	    return gFalse;
+	  }
 	  if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]],
 			    &acHuffTables[scanInfo.acHuffTable[cc]],
 			    &compInfo[cc].prevDC,