aboutsummaryrefslogtreecommitdiffstats
path: root/main/poppler/CVE-2013-1790.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/poppler/CVE-2013-1790.patch')
-rw-r--r--main/poppler/CVE-2013-1790.patch250
1 files changed, 250 insertions, 0 deletions
diff --git a/main/poppler/CVE-2013-1790.patch b/main/poppler/CVE-2013-1790.patch
new file mode 100644
index 0000000000..f1fd1bc0b6
--- /dev/null
+++ b/main/poppler/CVE-2013-1790.patch
@@ -0,0 +1,250 @@
+Description: fix uninitialized memory read
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=931051fe0bb445545355027d999515bc3d4b32ef
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=50c0b294d08114920a5db711876e20d991f474a6
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=31874f2e065b0d68f726ef404de98f42489c80c7
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e8822c0f3a46195ec7c6e55c556dd0c5716be742
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=2017dbebd9afd4f172242ff8462fce739d911e64
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=b1026b5978c385328f2a15a2185c599a563edf91
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071
+
+Index: poppler-0.16.7/poppler/Stream.cc
+===================================================================
+--- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:27.904260440 -0400
++++ poppler-0.16.7/poppler/Stream.cc 2013-03-28 08:18:51.403504905 -0400
+@@ -423,7 +423,7 @@
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
+- imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
++ imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
+
+@@ -1591,11 +1591,12 @@
+
+ // 2-D encoding
+ if (nextLine2D) {
+- for (i = 0; codingLine[i] < columns; ++i) {
++ for (i = 0; i < columns && codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
+@@ -1607,13 +1608,15 @@
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
+ // exception at right edge:
+ // refLine[b1i] = refLine[b1i+1] = columns is possible
+- while (codingLine[a0i] < columns) {
++ while (codingLine[a0i] < columns && !err) {
+ code1 = getTwoDimCode();
+ switch (code1) {
+ case twoDimPass:
+- addPixels(refLine[b1i + 1], blackPixels);
+- if (refLine[b1i + 1] < columns) {
+- b1i += 2;
++ if (likely(b1i + 1 < columns + 2)) {
++ addPixels(refLine[b1i + 1], blackPixels);
++ if (refLine[b1i + 1] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+ case twoDimHoriz:
+@@ -1639,49 +1642,109 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ break;
+ case twoDimVertR3:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertR2:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertR1:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i] + 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVert0:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixels(refLine[b1i], blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+ ++b1i;
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL3:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 3, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1692,10 +1755,22 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL2:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 2, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1706,10 +1781,22 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+ case twoDimVertL1:
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ addPixelsNeg(refLine[b1i] - 1, blackPixels);
+ blackPixels ^= 1;
+ if (codingLine[a0i] < columns) {
+@@ -1720,6 +1807,12 @@
+ }
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
+ b1i += 2;
++ if (unlikely(b1i > columns + 1)) {
++ error(getPos(),
++ "Bad 2D code %04x in CCITTFax stream", code1);
++ err = gTrue;
++ break;
++ }
+ }
+ }
+ break;
+@@ -1870,6 +1963,12 @@
+ outputBits = 0;
+ if (codingLine[a0i] < columns) {
+ ++a0i;
++ if (unlikely(a0i > columns)) {
++ error(getPos(),
++ "Bad bits %04x in CCITTFax stream", bits);
++ err = gTrue;
++ break;
++ }
+ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ } else if (bits > 0) {
+ buf <<= bits;
+@@ -2418,6 +2517,9 @@
+ vSub = vert / 8;
+ for (y2 = 0; y2 < mcuHeight; y2 += vert) {
+ for (x2 = 0; x2 < mcuWidth; x2 += horiz) {
++ if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) {
++ return gFalse;
++ }
+ if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]],
+ &acHuffTables[scanInfo.acHuffTable[cc]],
+ &compInfo[cc].prevDC,