From 8d87ec68389b741072a10feef59462edc468349b Mon Sep 17 00:00:00 2001 From: Natanael Copa Date: Wed, 17 Apr 2013 09:22:37 +0000 Subject: main/poppler: security fix (CVE-2013-1788,CVE-2013-1790) fixes #1786 patches are from https://launchpad.net/ubuntu/+source/poppler/0.16.7-2ubuntu2.1 --- main/poppler/APKBUILD | 20 +++- main/poppler/CVE-2013-1788.patch | 103 ++++++++++++++++ main/poppler/CVE-2013-1790.patch | 250 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 370 insertions(+), 3 deletions(-) create mode 100644 main/poppler/CVE-2013-1788.patch create mode 100644 main/poppler/CVE-2013-1790.patch diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD index fe6f121999e..b5831619835 100644 --- a/main/poppler/APKBUILD +++ b/main/poppler/APKBUILD @@ -5,7 +5,7 @@ # So we build gtk support in poppler-gtk pkgname=poppler pkgver=0.16.4 -pkgrel=0 +pkgrel=1 pkgdesc="PDF rendering library based on xpdf 3.0" url="http://poppler.freedesktop.org/" arch="all" @@ -14,7 +14,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-utils" makedepends="jpeg-dev cairo-dev libxml2-dev fontconfig-dev pkgconfig libiconv-dev" depends= depends_dev="cairo-dev" -source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz" +source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz + CVE-2013-1788.patch + CVE-2013-1790.patch + " + +prepare() { + cd "$srcdir"/$pkgname-$pkgver + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} build() { cd "$srcdir"/$pkgname-$pkgver @@ -45,4 +57,6 @@ utils() { mv "$pkgdir"/usr/bin "$subpkgdir"/usr/ } -md5sums="2b996ca77dad04b422f67238daab48e7 poppler-0.16.4.tar.gz" +md5sums="2b996ca77dad04b422f67238daab48e7 poppler-0.16.4.tar.gz +94e120cc99fd966c82242076ce3acde3 CVE-2013-1788.patch +c323881bb51d52db9de44de3e01adcc7 CVE-2013-1790.patch" diff --git a/main/poppler/CVE-2013-1788.patch b/main/poppler/CVE-2013-1788.patch new file mode 100644 index 00000000000..ba0493c6472 --- /dev/null +++ b/main/poppler/CVE-2013-1788.patch @@ -0,0 +1,103 @@ +Description: fix invalid memory access issues +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=9529e776e53e71069ba4215cdb8b84592d37b555 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e5661e1a08c38d4c8d69976a8c1c02c1102bc88c +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=d0df8e54512f584ca2b3edbae1c19e167948e5c3 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=8b6dc55e530b2f5ede6b9dfb64aafdd1d5836492 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e14b6e9c13d35c9bd1e0c50906ace8e707816888 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=0388837f01bc467045164f9ddaff787000a8caaa +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071 + +Index: poppler-0.16.7/poppler/Function.cc +=================================================================== +--- poppler-0.16.7.orig/poppler/Function.cc 2013-03-27 10:18:19.704260518 -0400 ++++ poppler-0.16.7/poppler/Function.cc 2013-03-27 10:18:19.696260518 -0400 +@@ -261,6 +261,10 @@ + goto err3; + } + sampleSize[i] = obj2.getInt(); ++ if (sampleSize[i] <= 0) { ++ error(-1, "Illegal non-positive value in function size array"); ++ goto err3; ++ } + obj2.free(); + } + obj1.free(); +@@ -953,6 +957,10 @@ + return; + } + --sp; ++ if (sp + i + 1 >= psStackSize) { ++ error(-1, "Stack underflow in PostScript function"); ++ return; ++ } + stack[sp] = stack[sp + 1 + i]; + } + void pop() +@@ -1001,6 +1009,10 @@ + error(-1, "Stack underflow in PostScript function"); + return; + } ++ if (unlikely(sp - n > psStackSize)) { ++ error(-1, "Stack underflow in PostScript function"); ++ return; ++ } + if (!checkOverflow(n)) { + return; + } +@@ -1025,7 +1037,7 @@ + j = n - j; + } + } +- if (n <= 0 || j == 0) { ++ if (n <= 0 || j == 0 || n > psStackSize || sp + n > psStackSize) { + return; + } + if (j <= n / 2) { +Index: poppler-0.16.7/poppler/Stream.cc +=================================================================== +--- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:19.704260518 -0400 ++++ poppler-0.16.7/poppler/Stream.cc 2013-03-27 10:18:19.696260518 -0400 +@@ -2131,7 +2131,8 @@ + + // clip [-256,511] --> [0,255] + #define dctClipOffset 256 +-static Guchar dctClip[768]; ++#define dctClipLength 768 ++static Guchar dctClip[dctClipLength]; + static int dctClipInit = 0; + + // zig zag decode map +@@ -3077,7 +3078,12 @@ + + // convert to 8-bit integers + for (i = 0; i < 64; ++i) { +- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)]; ++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4); ++ if (unlikely(ix < 0 || ix >= dctClipLength)) { ++ dataOut[i] = 0; ++ } else { ++ dataOut[i] = dctClip[ix]; ++ } + } + } + +Index: poppler-0.16.7/splash/Splash.cc +=================================================================== +--- poppler-0.16.7.orig/splash/Splash.cc 2013-03-27 10:18:19.704260518 -0400 ++++ poppler-0.16.7/splash/Splash.cc 2013-03-27 10:18:19.700260518 -0400 +@@ -1497,11 +1497,14 @@ + lineDashStartPhase -= (SplashCoord)i * lineDashTotal; + lineDashStartOn = gTrue; + lineDashStartIdx = 0; +- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) { ++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) { + lineDashStartOn = !lineDashStartOn; + lineDashStartPhase -= state->lineDash[lineDashStartIdx]; + ++lineDashStartIdx; + } ++ if (unlikely(lineDashStartIdx == state->lineDashLength)) { ++ return new SplashPath(); ++ } + + dPath = new SplashPath(); + diff --git a/main/poppler/CVE-2013-1790.patch b/main/poppler/CVE-2013-1790.patch new file mode 100644 index 00000000000..f1fd1bc0b62 --- /dev/null +++ b/main/poppler/CVE-2013-1790.patch @@ -0,0 +1,250 @@ +Description: fix uninitialized memory read +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=931051fe0bb445545355027d999515bc3d4b32ef +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=50c0b294d08114920a5db711876e20d991f474a6 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=31874f2e065b0d68f726ef404de98f42489c80c7 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e8822c0f3a46195ec7c6e55c556dd0c5716be742 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=2017dbebd9afd4f172242ff8462fce739d911e64 +Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=b1026b5978c385328f2a15a2185c599a563edf91 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702071 + +Index: poppler-0.16.7/poppler/Stream.cc +=================================================================== +--- poppler-0.16.7.orig/poppler/Stream.cc 2013-03-27 10:18:27.904260440 -0400 ++++ poppler-0.16.7/poppler/Stream.cc 2013-03-28 08:18:51.403504905 -0400 +@@ -423,7 +423,7 @@ + // force a call to gmallocn(-1,...), which will throw an exception + imgLineSize = -1; + } +- imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); ++ imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar)); + imgIdx = nVals; + } + +@@ -1591,11 +1591,12 @@ + + // 2-D encoding + if (nextLine2D) { +- for (i = 0; codingLine[i] < columns; ++i) { ++ for (i = 0; i < columns && codingLine[i] < columns; ++i) { + refLine[i] = codingLine[i]; + } +- refLine[i++] = columns; +- refLine[i] = columns; ++ for (; i < columns + 2; ++i) { ++ refLine[i] = columns; ++ } + codingLine[0] = 0; + a0i = 0; + b1i = 0; +@@ -1607,13 +1608,15 @@ + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible + // exception at right edge: + // refLine[b1i] = refLine[b1i+1] = columns is possible +- while (codingLine[a0i] < columns) { ++ while (codingLine[a0i] < columns && !err) { + code1 = getTwoDimCode(); + switch (code1) { + case twoDimPass: +- addPixels(refLine[b1i + 1], blackPixels); +- if (refLine[b1i + 1] < columns) { +- b1i += 2; ++ if (likely(b1i + 1 < columns + 2)) { ++ addPixels(refLine[b1i + 1], blackPixels); ++ if (refLine[b1i + 1] < columns) { ++ b1i += 2; ++ } + } + break; + case twoDimHoriz: +@@ -1639,49 +1642,109 @@ + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + break; + case twoDimVertR3: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixels(refLine[b1i] + 3, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVertR2: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixels(refLine[b1i] + 2, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVertR1: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixels(refLine[b1i] + 1, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVert0: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixels(refLine[b1i], blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { + ++b1i; + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVertL3: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixelsNeg(refLine[b1i] - 3, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { +@@ -1692,10 +1755,22 @@ + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVertL2: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixelsNeg(refLine[b1i] - 2, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { +@@ -1706,10 +1781,22 @@ + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; + case twoDimVertL1: ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + addPixelsNeg(refLine[b1i] - 1, blackPixels); + blackPixels ^= 1; + if (codingLine[a0i] < columns) { +@@ -1720,6 +1807,12 @@ + } + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { + b1i += 2; ++ if (unlikely(b1i > columns + 1)) { ++ error(getPos(), ++ "Bad 2D code %04x in CCITTFax stream", code1); ++ err = gTrue; ++ break; ++ } + } + } + break; +@@ -1870,6 +1963,12 @@ + outputBits = 0; + if (codingLine[a0i] < columns) { + ++a0i; ++ if (unlikely(a0i > columns)) { ++ error(getPos(), ++ "Bad bits %04x in CCITTFax stream", bits); ++ err = gTrue; ++ break; ++ } + outputBits = codingLine[a0i] - codingLine[a0i - 1]; + } else if (bits > 0) { + buf <<= bits; +@@ -2418,6 +2517,9 @@ + vSub = vert / 8; + for (y2 = 0; y2 < mcuHeight; y2 += vert) { + for (x2 = 0; x2 < mcuWidth; x2 += horiz) { ++ if (unlikely(scanInfo.dcHuffTable[cc] >= 4) || unlikely(scanInfo.acHuffTable[cc] >= 4)) { ++ return gFalse; ++ } + if (!readDataUnit(&dcHuffTables[scanInfo.dcHuffTable[cc]], + &acHuffTables[scanInfo.acHuffTable[cc]], + &compInfo[cc].prevDC, -- cgit v1.2.3