-rw-r--r--main/poppler/APKBUILD20
-rw-r--r--main/poppler/CVE-2013-1788.patch103
-rw-r--r--main/poppler/CVE-2013-1790.patch250
3 files changed, 370 insertions, 3 deletions
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index fe6f121999..b583161983 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -5,7 +5,7 @@
# So we build gtk support in poppler-gtk
pkgname=poppler
pkgver=0.16.4
-pkgrel=0
+pkgrel=1
pkgdesc="PDF rendering library based on xpdf 3.0"
url="http://poppler.freedesktop.org/"
arch="all"
@@ -14,7 +14,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
makedepends="jpeg-dev cairo-dev libxml2-dev fontconfig-dev pkgconfig libiconv-dev"
depends=
depends_dev="cairo-dev"
-source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz"
+source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz
+ CVE-2013-1788.patch
+ CVE-2013-1790.patch
+ "
+
+prepare() {
+ cd "$srcdir"/$pkgname-$pkgver
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
build() {
cd "$srcdir"/$pkgname-$pkgver
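Review bot: The new `prepare()` loop runs `patch -p1` with its default fuzz, yet both patch files carry `Index: poppler-0.16.7/...` headers while `pkgver` is 0.16.4. The backported bounds checks can therefore apply at an offset or with fuzz and still build cleanly, leaving a guarded access unprotected if a hunk lands a few lines off. Consider `patch -p1 -F0 -i "$srcdir"/"$i" || return 1` (assuming GNU patch is the tool in use), and rebase the patches onto 0.16.4 if that rejects anything. The same line also leaves `$i` unquoted in the `msg` call.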
@@ -45,4 +57,6 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="2b996ca77dad04b422f67238daab48e7 poppler-0.16.4.tar.gz"
+md5sums="2b996ca77dad04b422f67238daab48e7 poppler-0.16.4.tar.gz
+94e120cc99fd966c82242076ce3acde3 CVE-2013-1788.patch
+c323881bb51d52db9de44de3e01adcc7 CVE-2013-1790.patch"
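Review bot: `md5sums` remains the only integrity check in this file, and the tarball in `source` is fetched over plain `http://`. The release archive that these CVE patches are applied to is thus verified only by a collision-prone digest. If the abuild version in use supports it, add a `sha512sums` (or `sha256sums`) block covering `poppler-0.16.4.tar.gz` and both patch files alongside the MD5 entries.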
diff --git a/main/poppler/CVE-2013-1788.patch b/main/poppler/CVE-2013-1788.patch
new file mode 100644
index 0000000000..ba0493c647
--- /dev/null
+++ b/main/poppler/CVE-2013-1788.patch
@@ -0,0 +1,103 @@
+Description: fix invalid memory access issues
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=9529e776e53e71069ba4215cdb8b84592d37b555
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e5661e1a08c38d4c8d69976a8c1c02c1102bc88c
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=d0df8e54512f584ca2b3edbae1c19e167948e5c3
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e14b6e9c13d35c9bd1e0c50906ace8e707816888
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=0388837f01bc467045164f9ddaff787000a8caaa
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071
+
+Index: poppler-0.16.7/poppler/Function.cc
+===================================================================
+--- poppler-0.16.7.orig/poppler/Function.cc 2013-03-27 10:18:19.704260518 -0400
++++ poppler-0.16.7/poppler/Function.cc 2013-03-27 10:18:19.696260518 -0400
+@@ -261,6 +261,10 @@
+ goto err3;
+ }
+ sampleSize[i] = obj2.getInt();
++ if (sampleSize[i] <= 0) {
++ error(-1, "Illegal non-positive value in function size array");
++ goto err3;
++ }
+ obj2.free();
+ }
+ obj1.free();
+@@ -953,6 +957,10 @@
+ return;
+ }
+ --sp;
++ if (sp + i + 1 >= psStackSize) {
++ error(-1, "Stack underflow in PostScript function");
++ return;
++ }
+ stack[sp] = stack[sp + 1 + i];
+ }
+ void pop()
+@@ -1001,6 +1009,10 @@
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
++ if (unlikely(sp - n > psStackSize)) {
++ error(-1, "Stack underflow in PostScript function");
++ return;
++ }
+ if (!checkOverflow(n)) {
+ return;
+ }
+@@ -1025,7 +1037,7 @@
+ j = n - j;
+ }
+ }
+- if (n <= 0 || j == 0) {
++ if (n <= 0 || j == 0 || n > psStackSize || sp + n > psStackSize) {
+ return;
+ }
+ if (j <= n / 2) {
+Index: poppler-0.16.7/poppler/Stream.cc
+===================================================================
+--- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:19.704260518 -0400
++++ poppler-0.16.7/poppler/Stream.cc 2013-03-27 10:18:19.696260518 -0400
+@@ -2131,7 +2131,8 @@
+
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+
+ // zig zag decode map
+@@ -3077,7 +3078,12 @@
+
+ // convert to 8-bit integers
+ for (i = 0; i < 64; ++i) {
+- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++ if (unlikely(ix < 0 || ix >= dctClipLength)) {
++ dataOut[i] = 0;
++ } else {
++ dataOut[i] = dctClip[ix];
++ }
+ }
+ }
+
+Index: poppler-0.16.7/splash/Splash.cc
+===================================================================
+--- poppler-0.16.7.orig/splash/Splash.cc 2013-03-27 10:18:19.704260518 -0400
++++ poppler-0.16.7/splash/Splash.cc 2013-03-27 10:18:19.700260518 -0400
+@@ -1497,11 +1497,14 @@
+ lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
+ lineDashStartOn = gTrue;
+ lineDashStartIdx = 0;
+- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ lineDashStartOn = !lineDashStartOn;
+ lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+ ++lineDashStartIdx;
+ }
++ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++ return new SplashPath();
++ }
+
+ dPath = new SplashPath();
+
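Review bot: In the Function.cc hunk at `@@ -953,6 +957,10 @@`, the added guard `sp + i + 1 >= psStackSize` only bounds the read from above and runs after `--sp`. A negative `i` is not rejected by the lines shown, and the early return leaves `sp` decremented with `stack[sp]` never written. Unless a check outside the hunk already validates `i`, test before the decrement and cover both ends, e.g. `if (i < 0 || i >= psStackSize - sp) { error(-1, "Stack underflow in PostScript function"); return; }`, which also keeps the signed addition from overflowing. The function starts above the hunk, so the earlier `return` visible in the context may already cover part of this.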
diff --git a/main/poppler/CVE-2013-1790.patch b/main/poppler/CVE-2013-1790.patch
new file mode 100644
index 0000000000..f1fd1bc0b6
--- /dev/null
+++ b/main/poppler/CVE-2013-1790.patch
@@ -0,0 +1,250 @@
+Description: fix uninitialized memory read
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=931051fe0bb445545355027d999515bc3d4b32ef
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=50c0b294d08114920a5db711876e20d991f474a6
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=31874f2e065b0d68f726ef404de98f42489c80c7
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e8822c0f3a46195ec7c6e55c556dd0c5716be742
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=2017dbebd9afd4f172242ff8462fce739d911e64
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=b1026b5978c385328f2a15a2185c599a563edf91
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071
+
+Index: poppler-0.16.7/poppler/Stream.cc
+===================================================================
+--- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:27.904260440 -0400
++++ poppler-0.16.7/poppler/Stream.cc 2013-03-28 08:18:51.403504905 -0400
+@@ -423,7 +423,7 @@
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
+- imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
++ imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
+
+@@ -1591,11 +1591,12 @@
+
+ // 2-D encoding
+ if (nextLine2D) {
+- for (i = 0; codingLine[i] < columns; ++i) {
++ for (i = 0; i < columns && codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
+@@ -1607,13 +1608,15 @@
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
+ // exception at right edge:
+ // refLine[b1i] = refLine[b1i+1] = columns is possible
+- while (codingLine[a0i] < columns) {
++ while (codingLine[a0i] < columns && !err) {
+ code1 = getTwoDimCode();
+ switch (code1) {
+ case twoDimPass:
+- addPixels(refLine[b1i + 1], blackPixels);
+- if (refLine[b1i + 1] < columns) {
+- b1i += 2;
++ if (likely(b1i + 1 < columns + 2)) {
++ addPixels(refLine[b1i + 1], blackPixels);
++ if (refLine[b1i + 1] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+ case twoDimHoriz:
+@@ -1639,49 +1642,109 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ break;
+ case twoDimVertR3:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertR2:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertR1:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVert0:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i], blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL3:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1692,10 +1755,22 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL2:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1706,10 +1781,22 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL1:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1720,6 +1807,12 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+@@ -1870,6 +1963,12 @@
+ outputBits = 0;
+ if (codingLine[a0i] < columns) {
+ ++a0i;
++ if (unlikely(a0i > columns)) {
++ error(getPos(),
++ "Bad bits %04x in CCITTFax stream", bits);
++ err = gTrue;
++ break;
++ }
+ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ } else if (bits > 0) {
+ buf <<= bits;
+@@ -2418,6 +2517,9 @@
+ vSub = vert / 8;
+ for (y2 = 0; y2 < mcuHeight; y2 += vert) {
+ for (x2 = 0; x2 < mcuWidth; x2 += horiz) {
++ if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) {
++ return gFalse;
++ }
+ if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]],
+ &acHuffTables[scanInfo.acHuffTable[cc]],
+ &compInfo[cc].prevDC,
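Review bot: In the Stream.cc hunk at `@@ -423,7 +423,7 @@`, the retained comment still says the `imgLineSize = -1` path forces `gmallocn(-1,...)` to throw, but the call is now `gmallocn_checkoverflow()`. The lines shown then use `imgLine` without a check. If that allocator reports failure by returning NULL, as its name suggests, an oversized image would no longer fail hard and would instead leave `imgLine` NULL for later readers to dereference. Update the comment to something like `// force gmallocn_checkoverflow(-1,...) to fail; imgLine is NULL afterwards`, and confirm that the code consuming `imgLine`, which lies outside this hunk, tests for NULL.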