rpms/poppler/F-11 poppler-0.10.7-CVE-2009-3607.patch, NONE, 1.1 poppler-0.10.7-CVE-2009-360x.patch, NONE, 1.1 poppler-0.10.7-gmallocn.patch, NONE, 1.1 poppler.spec, 1.86, 1.87
Rex Dieter
rdieter at fedoraproject.org
Sun Oct 25 22:37:39 UTC 2009
Author: rdieter
Update of /cvs/pkgs/rpms/poppler/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv6946
Modified Files:
poppler.spec
Added Files:
poppler-0.10.7-CVE-2009-3607.patch
poppler-0.10.7-CVE-2009-360x.patch
poppler-0.10.7-gmallocn.patch
Log Message:
* Sun Oct 25 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-3
- CVE-2009-3603 xpdf/poppler: SplashBitmap::SplashBitmap
integer overflow (#526915)
- CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow
and missing allocation return value check (#526911)
- CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep
integer overflow (#526877)
- CVE-2009-3607 poppler: create_surface_from_thumbnail_data
integer overflow (#526924)
- CVE-2009-3608 xpdf/poppler: integer overflow in
ObjectStream::ObjectStream (#526637)
- CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream
integer overflow (#526893)
poppler-0.10.7-CVE-2009-3607.patch:
poppler-page.cc | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
--- NEW FILE poppler-0.10.7-CVE-2009-3607.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b70609
CVE-2009-3607
diff -pruN poppler-0.10.7.orig/glib/poppler-page.cc poppler-0.10.7/glib/poppler-page.cc
--- poppler-0.10.7.orig/glib/poppler-page.cc 2009-10-25 18:30:05.000000000 +0100
+++ poppler-0.10.7/glib/poppler-page.cc 2009-10-25 18:30:34.000000000 +0100
@@ -575,28 +575,28 @@ create_surface_from_thumbnail_data (guch
gint rowstride)
{
guchar *cairo_pixels;
+ gint cairo_stride;
cairo_surface_t *surface;
- static cairo_user_data_key_t key;
int j;
- cairo_pixels = (guchar *)g_malloc (4 * width * height);
- surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
- CAIRO_FORMAT_RGB24,
- width, height, 4 * width);
- cairo_surface_set_user_data (surface, &key,
- cairo_pixels, (cairo_destroy_func_t)g_free);
+ surface = cairo_image_surface_create (CAIRO_FORMAT_RGB24, width, height);
+ if (cairo_surface_status (surface))
+ return NULL;
+
+ cairo_pixels = cairo_image_surface_get_data (surface);
+ cairo_stride = cairo_image_surface_get_stride (surface);
for (j = height; j; j--) {
guchar *p = data;
guchar *q = cairo_pixels;
guchar *end = p + 3 * width;
-
+
while (p < end) {
#if G_BYTE_ORDER == G_LITTLE_ENDIAN
q[0] = p[2];
q[1] = p[1];
q[2] = p[0];
-#else
+#else
q[1] = p[0];
q[2] = p[1];
q[3] = p[2];
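Review bot: The new `return NULL;` after `cairo_surface_status (surface)` gives create_surface_from_thumbnail_data a failure result it did not have before, and nothing in this hunk shows that its callers test for it. The call site is outside the hunk, so confirm it handles a NULL surface instead of handing it on to cairo or to the API consumer. A short comment above the check would help, for example `/* let cairo validate width/height and choose the stride; an error surface means the size was rejected */`. The hunk also carries two whitespace-only changes (the blank line before `while` and the `#else` line), which make a security backport harder to audit.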
@@ -606,7 +606,7 @@ create_surface_from_thumbnail_data (guch
}
data += rowstride;
- cairo_pixels += 4 * width;
+ cairo_pixels += cairo_stride;
}
return surface;
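Review bot: The pixel loop writes straight into the buffer obtained from `cairo_image_surface_get_data`, but the surface is returned without telling cairo that its contents were changed behind its back. The cairo documentation asks for `cairo_surface_mark_dirty (surface);` after direct modification of image data, so add that call just before `return surface;`. The function body begins and ends outside this hunk.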
poppler-0.10.7-CVE-2009-360x.patch:
poppler/Stream.cc | 4 ++++
poppler/XRef.cc | 15 ++++++++++++---
poppler/XRef.h | 3 +++
splash/Splash.cc | 7 +++++++
splash/SplashBitmap.cc | 37 ++++++++++++++++++++++++++++++-------
splash/SplashErrorCodes.h | 4 +++-
6 files changed, 59 insertions(+), 11 deletions(-)
--- NEW FILE poppler-0.10.7-CVE-2009-360x.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671a
CVE-2009-3603 CVE-2009-3608 CVE-2009-3609
diff -pruN poppler-0.10.7.orig/poppler/Stream.cc poppler-0.10.7/poppler/Stream.cc
--- poppler-0.10.7.orig/poppler/Stream.cc 2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/Stream.cc 2009-10-24 20:14:48.000000000 +0200
@@ -403,6 +403,10 @@ ImageStream::ImageStream(Stream *strA, i
} else {
imgLineSize = nVals;
}
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
imgIdx = nVals;
}
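Review bot: The guard `width > INT_MAX / nComps` runs after the value it protects has been computed: the context line `imgLineSize = nVals` uses `nVals`, which is presumably `width * nComps` assigned above the hunk, so the signed multiplication has already overflowed when the test is reached. The test also divides by `nComps` without ruling out zero or a negative value, and it does not cover whatever rounding the other branch of the visible `else` applies. Consider validating first, `if (nComps <= 0 || width <= 0 || width > INT_MAX / nComps)`, and only then computing `nVals`. The added comment says gmallocn "will throw an exception", but gmallocn3 in the gmem.cc part of this same update calls `exit(1)` when USE_EXCEPTIONS is off and gmallocn presumably behaves the same, so the comment should say the process may terminate instead.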
diff -pruN poppler-0.10.7.orig/poppler/XRef.cc poppler-0.10.7/poppler/XRef.cc
--- poppler-0.10.7.orig/poppler/XRef.cc 2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/poppler/XRef.cc 2009-10-24 20:26:33.000000000 +0200
@@ -80,6 +80,7 @@ ObjectStream::ObjectStream(XRef *xref, i
objs = NULL;
objNums = NULL;
offsets = NULL;
+ ok = gFalse;
if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
goto err1;
@@ -106,8 +107,11 @@ ObjectStream::ObjectStream(XRef *xref, i
goto err1;
}
- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
- error(-1, "Invalid 'nObjects'");
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
goto err1;
}
@@ -167,10 +171,10 @@ ObjectStream::ObjectStream(XRef *xref, i
}
// gfree(offsets);
+ ok = gTrue;
err1:
objStr.free();
- return;
}
ObjectStream::~ObjectStream() {
@@ -948,6 +952,11 @@ Object *XRef::fetch(int num, int gen, Ob
delete objStr;
}
objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
}
objStr->getObject(e->gen, num, obj);
break;
diff -pruN poppler-0.10.7.orig/poppler/XRef.h poppler-0.10.7/poppler/XRef.h
--- poppler-0.10.7.orig/poppler/XRef.h 2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/poppler/XRef.h 2009-10-24 20:27:32.000000000 +0200
@@ -44,6 +44,8 @@ public:
// generation 0.
ObjectStream(XRef *xref, int objStrNumA);
+ GBool isOk() { return ok; }
+
~ObjectStream();
// Return the object number of this object stream.
@@ -64,6 +66,7 @@ private:
int *objNums; // the object numbers (length = nObjects)
int *offsets; // the object offsets (length = nObjects)
Guint firstOffset;
+ GBool ok;
};
diff -pruN poppler-0.10.7.orig/splash/Splash.cc poppler-0.10.7/splash/Splash.cc
--- poppler-0.10.7.orig/splash/Splash.cc 2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/splash/Splash.cc 2009-10-24 20:14:48.000000000 +0200
@@ -27,6 +27,7 @@
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashMath.h"
@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(Splash
xq = w % scaledWidth;
// allocate pixel buffer
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
// initialize the pixel pipe
@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImag
xq = w % scaledWidth;
// allocate pixel buffers
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
if (srcAlpha) {
alphaBuf = (Guchar *)gmallocn((yp + 1), w);
diff -pruN poppler-0.10.7.orig/splash/SplashBitmap.cc poppler-0.10.7/splash/SplashBitmap.cc
--- poppler-0.10.7.orig/splash/SplashBitmap.cc 2009-10-24 20:11:45.000000000 +0200
+++ poppler-0.10.7/splash/SplashBitmap.cc 2009-10-24 20:15:05.000000000 +0200
@@ -26,6 +26,7 @@
#endif
#include <stdio.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
@@ -42,26 +43,48 @@ SplashBitmap::SplashBitmap(int widthA, i
mode = modeA;
switch (mode) {
case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeRGB8:
case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeXBGR8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#endif
}
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
data = (SplashColorPtr)gmallocn(rowSize, height);
if (!topDown) {
data += (height - 1) * rowSize;
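Review bot: The padding step `rowSize += rowPad - 1;` is still an unchecked addition: in the `splashModeMono8` case `rowSize` can be as large as `INT_MAX`, and the multiplied cases allow values just below it, so the new `if (rowSize > 0)` wrapper does not prevent signed overflow there. Bound the value before rounding, e.g. `if (rowSize > INT_MAX - (rowPad - 1)) rowSize = -1;`, and keep the existing `if (rowSize > 0)` around the two rounding lines. `rowPad` itself is not validated in the visible lines, and a value of 0 would make `rowSize % rowPad` a division by zero. A one-line comment stating that `rowSize = -1` is a sentinel meant to make `gmallocn` reject the allocation would also help; the constructor starts and ends outside the hunk.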
diff -pruN poppler-0.10.7.orig/splash/SplashErrorCodes.h poppler-0.10.7/splash/SplashErrorCodes.h
--- poppler-0.10.7.orig/splash/SplashErrorCodes.h 2009-05-02 14:14:56.000000000 +0200
+++ poppler-0.10.7/splash/SplashErrorCodes.h 2009-10-24 20:14:48.000000000 +0200
@@ -41,6 +41,8 @@
#define splashErrSingularMatrix 8 // matrix is singular
-#define splashErrZeroImage 9 // image of 0x0
+#define splashErrBadArg 9 // bad argument
+
+#define splashErrZeroImage 254 // image of 0x0
#endif
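Review bot: `splashErrZeroImage` moves from 9 to 254 while the new `splashErrBadArg` takes over 9, so any code built against the old header that compares a SplashError with the old number would now read a bad-argument failure as a zero-size image. If this header is shipped to other packages, they need a rebuild together with this update; otherwise giving `splashErrBadArg` an unused number would avoid recycling 9. The renumbering presumably mirrors the upstream xpdf change named in the spec comment, and a comment on the `254` line saying why the value was moved would record that.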
poppler-0.10.7-gmallocn.patch:
glib/poppler-page.cc | 2 +-
goo/gmem.cc | 26 ++++++++++++++++++++++++++
goo/gmem.h | 2 ++
poppler/ArthurOutputDev.cc | 2 +-
poppler/CairoOutputDev.cc | 16 ++++++++--------
poppler/GfxState.cc | 8 ++++----
poppler/PSOutputDev.cc | 4 ++--
poppler/SplashOutputDev.cc | 18 +++++++++---------
splash/Splash.cc | 6 +++---
splash/SplashBitmap.cc | 2 +-
splash/SplashFTFont.cc | 2 +-
11 files changed, 58 insertions(+), 30 deletions(-)
--- NEW FILE poppler-0.10.7-gmallocn.patch ---
http://cgit.freedesktop.org/poppler/poppler/commit/?id=0131f0a01c
http://cgit.freedesktop.org/poppler/poppler/commit/?id=7b2d314a61
http://cgit.freedesktop.org/poppler/poppler/commit/?id=c399b2d512
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2
http://cgit.freedesktop.org/poppler/poppler/commit/?id=284a928996
http://cgit.freedesktop.org/poppler/poppler/commit/?id=5d328282da
CVE-2009-0791/CVE-2009-3605 CVE-2009-3604 CVE-2009-3606
diff -pruN poppler-0.10.7.orig/glib/poppler-page.cc poppler-0.10.7/glib/poppler-page.cc
--- poppler-0.10.7.orig/glib/poppler-page.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/glib/poppler-page.cc 2009-10-24 20:01:57.000000000 +0200
@@ -291,7 +291,7 @@ poppler_page_prepare_output_dev (Poppler
output_dev = page->document->output_dev;
cairo_rowstride = cairo_width * 4;
- cairo_data = (guchar *) gmalloc (cairo_height * cairo_rowstride);
+ cairo_data = (guchar *) gmallocn (cairo_height, cairo_rowstride);
if (transparent)
memset (cairo_data, 0x00, cairo_height * cairo_rowstride);
else
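Review bot: `cairo_rowstride = cairo_width * 4;` remains an unchecked multiplication, so switching to `gmallocn (cairo_height, cairo_rowstride)` protects only the second product; a `cairo_width` above `INT_MAX / 4` wraps the stride before gmallocn sees it and can produce a buffer smaller than the rendering code expects. Reject such widths before computing the stride, or allocate with `gmallocn3 (cairo_height, cairo_width, 4)`, which this patch adds. Where `cairo_width` comes from is outside the hunk, so confirm whether it is already bounded earlier in poppler_page_prepare_output_dev.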
diff -pruN poppler-0.10.7.orig/goo/gmem.cc poppler-0.10.7/goo/gmem.cc
--- poppler-0.10.7.orig/goo/gmem.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/goo/gmem.cc 2009-10-24 20:01:57.000000000 +0200
@@ -206,6 +206,32 @@ void *gmallocn_checkoverflow(int nObjs,
return gmalloc(n);
}
+void *gmallocn3(int a, int b, int c) GMEM_EXCEP {
+ int n = a * b;
+ if (b <= 0 || a < 0 || a >= INT_MAX / b) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Bogus memory allocation size\n");
+ exit(1);
+#endif
+ }
+ return gmallocn(n, c);
+}
+
+void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP {
+ int n = a * b;
+ if (b <= 0 || a < 0 || a >= INT_MAX / b) {
+#if USE_EXCEPTIONS
+ throw GMemException();
+#else
+ fprintf(stderr, "Bogus memory allocation size\n");
+ return NULL;
+#endif
+ }
+ return gmallocn_checkoverflow(n, c);
+}
+
void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP {
int n;
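Review bot: In both `gmallocn3` and `gmallocn3_checkoverflow`, `int n = a * b;` is evaluated before the overflow test, so for exactly the inputs the test is meant to reject the signed multiplication has already overflowed, which is undefined behaviour and gives the compiler licence to weaken the check. Declare `int n;` first, run the guard, and assign `n = a * b;` only after it has passed. The two functions differ only in their failure path, so a short comment on each saying that one terminates with `exit(1)` and the other returns NULL when exceptions are disabled would help callers choose the right one.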
diff -pruN poppler-0.10.7.orig/goo/gmem.h poppler-0.10.7/goo/gmem.h
--- poppler-0.10.7.orig/goo/gmem.h 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/goo/gmem.h 2009-10-24 20:01:57.000000000 +0200
@@ -70,6 +70,8 @@ extern void *grealloc(void *p, size_t si
*/
extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP;
extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP;
+extern void *gmallocn3(int a, int b, int c) GMEM_EXCEP;
+extern void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP;
extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP;
extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP;
diff -pruN poppler-0.10.7.orig/poppler/ArthurOutputDev.cc poppler-0.10.7/poppler/ArthurOutputDev.cc
--- poppler-0.10.7.orig/poppler/ArthurOutputDev.cc 2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/ArthurOutputDev.cc 2009-10-24 20:01:57.000000000 +0200
@@ -752,7 +752,7 @@ void ArthurOutputDev::drawImage(GfxState
QMatrix matrix;
int is_identity_transform;
- buffer = (unsigned char *)gmalloc (width * height * 4);
+ buffer = (unsigned char *)gmallocn3(width, height, 4);
/* TODO: Do we want to cache these? */
imgStr = new ImageStream(str, width,
diff -pruN poppler-0.10.7.orig/poppler/CairoOutputDev.cc poppler-0.10.7/poppler/CairoOutputDev.cc
--- poppler-0.10.7.orig/poppler/CairoOutputDev.cc 2009-05-16 17:27:41.000000000 +0200
+++ poppler-0.10.7/poppler/CairoOutputDev.cc 2009-10-24 20:01:57.000000000 +0200
@@ -550,7 +550,7 @@ void CairoOutputDev::beginString(GfxStat
if (!currentFont)
return;
- glyphs = (cairo_glyph_t *) gmalloc (len * sizeof (cairo_glyph_t));
+ glyphs = (cairo_glyph_t *) gmallocn (len, sizeof (cairo_glyph_t));
glyphCount = 0;
}
@@ -1007,7 +1007,7 @@ void CairoOutputDev::drawImageMaskRegula
int row_stride;
row_stride = (width + 3) & ~3;
- buffer = (unsigned char *) malloc (height * row_stride);
+ buffer = (unsigned char *) gmallocn (height, row_stride);
if (buffer == NULL) {
error(-1, "Unable to allocate memory for image.");
return;
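Review bot: Replacing `malloc` with `gmallocn` makes the `if (buffer == NULL)` branch that follows unreachable on a rejected size: judging by the gmem.cc changes in this patch, the plain variants throw or call `exit(1)`, and only the `_checkoverflow` variants return NULL. To keep the existing "Unable to allocate memory for image." path, use `gmallocn_checkoverflow (height, row_stride)` here; the same applies to the `scaledHeight` allocation in drawImageMaskPrescaled in the next hunk. `row_stride = (width + 3) & ~3` is itself unchecked for widths near INT_MAX. The matching release call is outside the hunk, so confirm it is `gfree` and not `free` now that the allocator has changed.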
@@ -1174,7 +1174,7 @@ void CairoOutputDev::drawImageMaskPresca
invert_bit = invert ? 1 : 0;
row_stride = (scaledWidth + 3) & ~3;
- buffer = (unsigned char *) malloc (scaledHeight * row_stride);
+ buffer = (unsigned char *) gmallocn (scaledHeight, row_stride);
if (buffer == NULL) {
error(-1, "Unable to allocate memory for image.");
return;
@@ -1367,7 +1367,7 @@ void CairoOutputDev::drawMaskedImage(Gfx
int row_stride = (maskWidth + 3) & ~3;
unsigned char *maskBuffer;
- maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight);
+ maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight);
unsigned char *maskDest;
cairo_surface_t *maskImage;
cairo_pattern_t *maskPattern;
@@ -1402,7 +1402,7 @@ void CairoOutputDev::drawMaskedImage(Gfx
cairo_matrix_t matrix;
int is_identity_transform;
- buffer = (unsigned char *)gmalloc (width * height * 4);
+ buffer = (unsigned char *)gmallocn3 (width, height, 4);
/* TODO: Do we want to cache these? */
imgStr = new ImageStream(str, width,
@@ -1494,7 +1494,7 @@ void CairoOutputDev::drawSoftMaskedImage
int row_stride = (maskWidth + 3) & ~3;
unsigned char *maskBuffer;
- maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight);
+ maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight);
unsigned char *maskDest;
cairo_surface_t *maskImage;
cairo_pattern_t *maskPattern;
@@ -1521,7 +1521,7 @@ void CairoOutputDev::drawSoftMaskedImage
cairo_matrix_t maskMatrix;
int is_identity_transform;
- buffer = (unsigned char *)gmalloc (width * height * 4);
+ buffer = (unsigned char *)gmallocn3 (width, height, 4);
/* TODO: Do we want to cache these? */
imgStr = new ImageStream(str, width,
@@ -1616,7 +1616,7 @@ void CairoOutputDev::drawImage(GfxState
cairo_matrix_t matrix;
int is_identity_transform;
- buffer = (unsigned char *)gmallocn (width, height * 4);
+ buffer = (unsigned char *)gmallocn3 (width, height, 4);
/* TODO: Do we want to cache these? */
imgStr = new ImageStream(str, width,
diff -pruN poppler-0.10.7.orig/poppler/GfxState.cc poppler-0.10.7/poppler/GfxState.cc
--- poppler-0.10.7.orig/poppler/GfxState.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/GfxState.cc 2009-10-24 20:01:57.000000000 +0200
@@ -1201,7 +1201,7 @@ void GfxIndexedColorSpace::getRGBLine(Gu
int i, j, n;
n = base->getNComps();
- line = (Guchar *) gmalloc (length * n);
+ line = (Guchar *) gmallocn (length, n);
for (i = 0; i < length; i++)
for (j = 0; j < n; j++)
line[i * n + j] = lookup[in[i] * n + j];
@@ -3424,7 +3424,7 @@ GfxImageColorMap::GfxImageColorMap(int b
nComps2 = colorSpace2->getNComps();
lookup2 = indexedCS->getLookup();
colorSpace2->getDefaultRanges(x, y, indexHigh);
- byte_lookup = (Guchar *)gmalloc ((maxPixel + 1) * nComps2);
+ byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps2);
for (k = 0; k < nComps2; ++k) {
lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1,
sizeof(GfxColorComp));
@@ -3572,7 +3572,7 @@ void GfxImageColorMap::getGrayLine(Gucha
switch (colorSpace->getMode()) {
case csIndexed:
case csSeparation:
- tmp_line = (Guchar *) gmalloc (length * nComps2);
+ tmp_line = (Guchar *) gmallocn (length, nComps2);
for (i = 0; i < length; i++) {
for (j = 0; j < nComps2; j++) {
tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j];
@@ -3602,7 +3602,7 @@ void GfxImageColorMap::getRGBLine(Guchar
switch (colorSpace->getMode()) {
case csIndexed:
case csSeparation:
- tmp_line = (Guchar *) gmalloc (length * nComps2);
+ tmp_line = (Guchar *) gmallocn (length, nComps2);
for (i = 0; i < length; i++) {
for (j = 0; j < nComps2; j++) {
tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j];
diff -pruN poppler-0.10.7.orig/poppler/PSOutputDev.cc poppler-0.10.7/poppler/PSOutputDev.cc
--- poppler-0.10.7.orig/poppler/PSOutputDev.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/PSOutputDev.cc 2009-10-24 20:01:57.000000000 +0200
@@ -2323,7 +2323,7 @@ GooString *PSOutputDev::setupExternalCID
if ((ffTT = FoFiTrueType::load(fileName->getCString(), faceIndex))) {
int n = ((GfxCIDFont *)font)->getCIDToGIDLen();
if (n) {
- codeToGID = (Gushort *)gmalloc(n * sizeof(Gushort));
+ codeToGID = (Gushort *)gmallocn(n, sizeof(Gushort));
memcpy(codeToGID, ((GfxCIDFont *)font)->getCIDToGID(), n * sizeof(Gushort));
} else {
codeToGID = ((GfxCIDFont *)font)->getCodeToGIDMap(ffTT, &n);
@@ -4502,7 +4502,7 @@ void PSOutputDev::doImageL1Sep(GfxImageC
width, -height, height);
// allocate a line buffer
- lineBuf = (Guchar *)gmalloc(4 * width);
+ lineBuf = (Guchar *)gmallocn(width, 4);
// set up to process the data stream
imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
diff -pruN poppler-0.10.7.orig/poppler/SplashOutputDev.cc poppler-0.10.7/poppler/SplashOutputDev.cc
--- poppler-0.10.7.orig/poppler/SplashOutputDev.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/poppler/SplashOutputDev.cc 2009-10-24 20:01:57.000000000 +0200
@@ -2013,7 +2013,7 @@ void SplashOutputDev::drawImage(GfxState
break;
case splashModeRGB8:
case splashModeBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2023,7 +2023,7 @@ void SplashOutputDev::drawImage(GfxState
}
break;
case splashModeXBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2035,7 +2035,7 @@ void SplashOutputDev::drawImage(GfxState
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getCMYK(&pix, &cmyk);
@@ -2278,7 +2278,7 @@ void SplashOutputDev::drawMaskedImage(Gf
break;
case splashModeRGB8:
case splashModeBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2288,7 +2288,7 @@ void SplashOutputDev::drawMaskedImage(Gf
}
break;
case splashModeXBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2300,7 +2300,7 @@ void SplashOutputDev::drawMaskedImage(Gf
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getCMYK(&pix, &cmyk);
@@ -2421,7 +2421,7 @@ void SplashOutputDev::drawSoftMaskedImag
break;
case splashModeRGB8:
case splashModeBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(3 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 3);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2431,7 +2431,7 @@ void SplashOutputDev::drawSoftMaskedImag
}
break;
case splashModeXBGR8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getRGB(&pix, &rgb);
@@ -2443,7 +2443,7 @@ void SplashOutputDev::drawSoftMaskedImag
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- imgData.lookup = (SplashColorPtr)gmalloc(4 * n);
+ imgData.lookup = (SplashColorPtr)gmallocn(n, 4);
for (i = 0; i < n; ++i) {
pix = (Guchar)i;
colorMap->getCMYK(&pix, &cmyk);
diff -pruN poppler-0.10.7.orig/splash/Splash.cc poppler-0.10.7/splash/Splash.cc
--- poppler-0.10.7.orig/splash/Splash.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/Splash.cc 2009-10-24 20:01:57.000000000 +0200
@@ -2001,7 +2001,7 @@ SplashError Splash::fillImageMask(Splash
xq = w % scaledWidth;
// allocate pixel buffer
- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
// initialize the pixel pipe
pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2301,9 +2301,9 @@ SplashError Splash::drawImage(SplashImag
xq = w % scaledWidth;
// allocate pixel buffers
- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+ colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
if (srcAlpha) {
- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
+ alphaBuf = (Guchar *)gmallocn((yp + 1), w);
} else {
alphaBuf = NULL;
}
diff -pruN poppler-0.10.7.orig/splash/SplashBitmap.cc poppler-0.10.7/splash/SplashBitmap.cc
--- poppler-0.10.7.orig/splash/SplashBitmap.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/SplashBitmap.cc 2009-10-24 20:01:57.000000000 +0200
@@ -68,7 +68,7 @@ SplashBitmap::SplashBitmap(int widthA, i
rowSize = -rowSize;
}
if (alphaA) {
- alpha = (Guchar *)gmalloc(width * height);
+ alpha = (Guchar *)gmallocn(width, height);
} else {
alpha = NULL;
}
diff -pruN poppler-0.10.7.orig/splash/SplashFTFont.cc poppler-0.10.7/splash/SplashFTFont.cc
--- poppler-0.10.7.orig/splash/SplashFTFont.cc 2009-05-02 14:14:57.000000000 +0200
+++ poppler-0.10.7/splash/SplashFTFont.cc 2009-10-24 20:01:57.000000000 +0200
@@ -243,7 +243,7 @@ GBool SplashFTFont::makeGlyph(int c, int
} else {
rowSize = (bitmap->w + 7) >> 3;
}
- bitmap->data = (Guchar *)gmalloc(rowSize * bitmap->h);
+ bitmap->data = (Guchar *)gmallocn_checkoverflow(rowSize, bitmap->h);
bitmap->freeData = gTrue;
for (i = 0, p = bitmap->data, q = slot->bitmap.buffer;
i < bitmap->h;
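Review bot: `gmallocn_checkoverflow` can return NULL when it rejects the size (the gmem.cc hunk of this patch shows the `_checkoverflow` variant returning NULL when exceptions are off), yet the copy loop that starts at `p = bitmap->data` follows with no check in between. Add `if (!bitmap->data) return gFalse;` right after the allocation so an oversized glyph bitmap fails cleanly instead of being written through a null pointer. makeGlyph continues past the end of the hunk, so any cleanup needed on that path is not visible here.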
Index: poppler.spec
===================================================================
RCS file: /cvs/pkgs/rpms/poppler/F-11/poppler.spec,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -p -r1.86 -r1.87
--- poppler.spec 23 Jun 2009 17:28:33 -0000 1.86
+++ poppler.spec 25 Oct 2009 22:37:39 -0000 1.87
@@ -3,7 +3,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.10.7
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2 and Redistributable, no modification permitted
# the code is GPLv2
# the charmap data in /usr/share/poppler is redistributable
@@ -18,6 +18,13 @@ BuildRoot: %{_tmppath}/%{name}-%{version
# reduce lib deps in -qt/-qt4 pkg-config support
Patch50: poppler-0.11.0-pkg_config.patch
+# gmalloc hardening fixes
+Patch60: poppler-0.10.7-gmallocn.patch
+# security fixes from xpdf 3.02pl4 / 1082e1671a
+Patch61: poppler-0.10.7-CVE-2009-360x.patch
+# CVE-2009-3607 / c839b70609
+Patch62: poppler-0.10.7-CVE-2009-3607.patch
+
BuildRequires: automake libtool
BuildRequires: gtk2-devel
BuildRequires: cairo-devel
@@ -112,6 +119,9 @@ converting PDF files to a number of othe
pushd %{name}-%{version}
%patch0 -p0 -b .objstream
%patch50 -p1 -b .pkg_config
+%patch60 -p1 -b .gmallocn
+%patch61 -p1 -b .CVE-2009-360x
+%patch62 -p1 -b .CVE-2009-3607
# hammer to nuke rpaths, recheck on new releases
autoreconf -i -f
popd
@@ -223,6 +233,20 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Sun Oct 25 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-3
+- CVE-2009-3603 xpdf/popppler: SplashBitmap::SplashBitmap
+ integer overflow (#526915)
+- CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow
+ and missing allocation return value check(#526911)
+- CVE-2009-3606 xpdf/poppler: PSOutputDev::doImageL1Sep
+ integer overflow (#526877)
+- CVE-2009-3607 poppler: create_surface_from_thumbnail_data
+ integer overflow (#526924)
+- CVE-2009-3608 xpdf/poppler: integer overflow in
+ ObjectStream::ObjectStream (#526637)
+- CVE-2009-3609 xpdf/poppler: ImageStream::ImageStream
+ integer overflow (#526893)
+
* Mon Jun 22 2009 Rex Dieter <rdieter at fedoraproject.org> - 0.10.7-2
- reduce lib deps in qt/qt4 pkg-config support