From 3587f3dfd58a635fa1a3c20ad4e2eeee04ec5cc4 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Sep 10 2019 10:40:26 +0000
Subject: import poppler-0.66.0-11.el8_0.12
---
diff --git a/SOURCES/poppler-0.66.0-JPXStream-length.patch b/SOURCES/poppler-0.66.0-JPXStream-length.patch
new file mode 100644
index 0000000..ecd52b8
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-JPXStream-length.patch
@@ -0,0 +1,26 @@
+From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Mon, 15 Jul 2019 23:24:22 +0200
+Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
+
+Fixes issue #805
+---
+ poppler/JPEG2000Stream.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 0eea3a2d..8e6902f4 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -219,7 +219,7 @@ void JPXStream::init()
+ }
+
+ int bufSize = BUFFER_INITIAL_SIZE;
+- if (oLen.isInt()) bufSize = oLen.getInt();
++ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
+
+ GBool indexed = gFalse;
+ if (cspace.isArray() && cspace.arrayGetLength() > 0) {
+--
+2.21.0
+
diff --git a/SOURCES/poppler-0.66.0-PSOutputDev-rgb.patch b/SOURCES/poppler-0.66.0-PSOutputDev-rgb.patch
new file mode 100644
index 0000000..70f173a
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-PSOutputDev-rgb.patch
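Review bot: The new guard in `JPXStream::init` rejects zero and negative `Length` values but still accepts any positive one, so the document-supplied number alone decides `bufSize`. How `bufSize` is consumed is outside the hunk; if it sizes the initial allocation, a crafted `Length` can request a very large buffer, and an upper bound belongs next to the lower one. A shape such as `if (oLen.isInt() && oLen.getInt() > 0 && oLen.getInt() <= MAX_LEN_PLACEHOLDER) bufSize = oLen.getInt();` would do, where `MAX_LEN_PLACEHOLDER` stands for a limit the project has to choose. Reading the value once into a local would also avoid calling `getInt()` three times.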
@@ -0,0 +1,372 @@ +From 64aa150a92ccb082db6a3383fa734a6ac91cf1bf Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Tue, 30 Apr 2019 18:47:44 +0200 +Subject: [PATCH] PSOutputDev: Don't read outside of image buffer + +Check whether input image is RGB or BGR to not treat +it as CMYK in those cases in PSOutputDev::checkPageSlice(). + +Fixes #751 +--- + poppler/PSOutputDev.cc | 248 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 196 insertions(+), 52 deletions(-) + +diff --git a/poppler/PSOutputDev.cc b/poppler/PSOutputDev.cc +index 0d201835..155a8cbe 100644 +--- a/poppler/PSOutputDev.cc ++++ b/poppler/PSOutputDev.cc +@@ -3385,13 +3385,21 @@ GBool PSOutputDev::checkPageSlice(Page * + } + break; + case psLevel1Sep: ++ GfxColor inputColor; ++ GfxCMYK cmyk; ++ unsigned char cmykColor[4]; ++ GfxDeviceRGBColorSpace *rgbCS; ++ SplashColorMode colorMode; ++ ++ colorMode = bitmap->getMode(); ++ + p = bitmap->getDataPtr(); + // Check for an all gray image + if (getOptimizeColorSpace()) { + isGray = gTrue; + for (y = 0; y < h; ++y) { + for (x = 0; x < w; ++x) { +- if (p[4*x] != p[4*x + 1] || p[4*x] != p[4*x + 2]) { ++ if (p[numComps*x] != p[numComps*x + 1] || p[numComps*x] != p[numComps*x + 2]) { + isGray = gFalse; + y = h; + break; +@@ -3411,7 +3419,9 @@ GBool PSOutputDev::checkPageSlice(Page * + col[0] = col[1] = col[2] = col[3] = 0; + if (isGray) { + int g; +- if ((psProcessBlack & processColors) == 0) { ++ if ((psProcessBlack & processColors) == 0 && ++ colorMode != splashModeRGB8 && ++ colorMode != splashModeBGR8) { + // Check if the image uses black + for (y = 0; y < h; ++y) { + for (x = 0; x < w; ++x) { +@@ -3425,59 +3435,23 @@ GBool PSOutputDev::checkPageSlice(Page * + } + p = bitmap->getDataPtr() + (h - 1) * bitmap->getRowSize(); + } +- for (y = 0; y < h; ++y) { +- if (useBinary) { +- // Binary gray image +- for (x = 0; x < w; ++x) { +- g = p[4*x] + p[4*x + 3]; +- g = 255 - g; +- if (g < 0) g = 0; +- hexBuf[i++] = (Guchar) g; +- if (i >= 64) { +- 
writePSBuf(hexBuf, i); +- i = 0; +- } +- } +- } else { +- // Hex gray image +- for (x = 0; x < w; ++x) { +- g = p[4*x] + p[4*x + 3]; +- g = 255 - g; +- if (g < 0) g = 0; +- digit = g / 16; +- hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); +- digit = g % 16; +- hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); +- if (i >= 64) { +- hexBuf[i++] = '\n'; +- writePSBuf(hexBuf, i); +- i = 0; +- } +- } +- } +- p -= bitmap->getRowSize(); +- } +- } else if (((psProcessCyan | psProcessMagenta | psProcessYellow | psProcessBlack) & ~processColors) != 0) { +- // Color image, need to check color flags for each dot +- for (y = 0; y < h; ++y) { +- for (comp = 0; comp < 4; ++comp) { ++ if (colorMode == splashModeRGB8 || colorMode != splashModeBGR8) { ++ for (y = 0; y < h; ++y) { + if (useBinary) { +- // Binary color image ++ // Binary gray image + for (x = 0; x < w; ++x) { +- col[comp] |= p[4*x + comp]; +- hexBuf[i++] = p[4*x + comp]; ++ hexBuf[i++] = (Guchar) p[3*x]; + if (i >= 64) { + writePSBuf(hexBuf, i); + i = 0; + } + } + } else { +- // Gray color image ++ // Hex gray image + for (x = 0; x < w; ++x) { +- col[comp] |= p[4*x + comp]; +- digit = p[4*x + comp] / 16; ++ digit = p[3*x] / 16; + hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); +- digit = p[4*x + comp] % 16; ++ digit = p[3*x] % 16; + hexBuf[i++] = digit + ((digit >= 10)? 
'a' - 10: '0'); + if (i >= 64) { + hexBuf[i++] = '\n'; +@@ -3485,29 +3459,31 @@ GBool PSOutputDev::checkPageSlice(Page * + i = 0; + } + } +- } ++ } + } +- p -= bitmap->getRowSize(); +- } +- } else { +- // Color image, do not need to check color flags +- for (y = 0; y < h; ++y) { +- for (comp = 0; comp < 4; ++comp) { ++ } else { ++ for (y = 0; y < h; ++y) { + if (useBinary) { +- // Binary color image ++ // Binary gray image + for (x = 0; x < w; ++x) { +- hexBuf[i++] = p[4*x + comp]; ++ g = p[4*x] + p[4*x + 3]; ++ g = 255 - g; ++ if (g < 0) g = 0; ++ hexBuf[i++] = (Guchar) g; + if (i >= 64) { + writePSBuf(hexBuf, i); + i = 0; + } + } + } else { +- // Hex color image ++ // Hex gray image + for (x = 0; x < w; ++x) { +- digit = p[4*x + comp] / 16; ++ g = p[4*x] + p[4*x + 3]; ++ g = 255 - g; ++ if (g < 0) g = 0; ++ digit = g / 16; + hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); +- digit = p[4*x + comp] % 16; ++ digit = g % 16; + hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); + if (i >= 64) { + hexBuf[i++] = '\n'; +@@ -3515,9 +3491,207 @@ GBool PSOutputDev::checkPageSlice(Page * + i = 0; + } + } +- } ++ } + } +- p -= bitmap->getRowSize(); ++ } ++ p -= bitmap->getRowSize(); ++ } else if (((psProcessCyan | psProcessMagenta | psProcessYellow | psProcessBlack) & ~processColors) != 0) { ++ // Color image, need to check color flags for each dot ++ switch (colorMode) { ++ case splashModeRGB8: ++ case splashModeBGR8: ++ rgbCS = new GfxDeviceRGBColorSpace(); ++ for (y = 0; y < h; ++y) { ++ for (comp = 0; comp < 4; ++comp) { ++ if (useBinary) { ++ // Binary color image ++ for (x = 0; x < w; ++x) { ++ if (likely(colorMode == splashModeRGB8)) { ++ inputColor.c[0] = byteToCol(p[3*x + 0]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 2]); ++ } else { ++ inputColor.c[0] = byteToCol(p[3*x + 2]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 0]); ++ } ++ rgbCS->getCMYK(&inputColor, &cmyk); ++ 
cmykColor[0] = colToByte(cmyk.c); ++ cmykColor[1] = colToByte(cmyk.m); ++ cmykColor[2] = colToByte(cmyk.y); ++ cmykColor[3] = colToByte(cmyk.k); ++ ++ col[comp] |= cmykColor[comp]; ++ hexBuf[i++] = cmykColor[comp]; ++ if (i >= 64) { ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } else { ++ // Gray color image ++ for (x = 0; x < w; ++x) { ++ if (likely(colorMode == splashModeRGB8)) { ++ inputColor.c[0] = byteToCol(p[3*x + 0]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 2]); ++ } else { ++ inputColor.c[0] = byteToCol(p[3*x + 2]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 0]); ++ } ++ rgbCS->getCMYK(&inputColor, &cmyk); ++ cmykColor[0] = colToByte(cmyk.c); ++ cmykColor[1] = colToByte(cmyk.m); ++ cmykColor[2] = colToByte(cmyk.y); ++ cmykColor[3] = colToByte(cmyk.k); ++ ++ col[comp] |= cmykColor[comp]; ++ digit = cmykColor[comp] / 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ digit = cmykColor[comp] % 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ if (i >= 64) { ++ hexBuf[i++] = '\n'; ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } ++ } ++ p -= bitmap->getRowSize(); ++ } ++ delete rgbCS; ++ break; ++ default: ++ for (y = 0; y < h; ++y) { ++ for (comp = 0; comp < 4; ++comp) { ++ if (useBinary) { ++ // Binary color image ++ for (x = 0; x < w; ++x) { ++ col[comp] |= p[4*x + comp]; ++ hexBuf[i++] = p[4*x + comp]; ++ if (i >= 64) { ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } else { ++ // Gray color image ++ for (x = 0; x < w; ++x) { ++ col[comp] |= p[4*x + comp]; ++ digit = p[4*x + comp] / 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ digit = p[4*x + comp] % 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 
'a' - 10: '0'); ++ if (i >= 64) { ++ hexBuf[i++] = '\n'; ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } ++ } ++ p -= bitmap->getRowSize(); ++ } ++ break; ++ } ++ } else { ++ // Color image, do not need to check color flags ++ switch (colorMode) { ++ case splashModeRGB8: ++ case splashModeBGR8: ++ rgbCS = new GfxDeviceRGBColorSpace(); ++ for (y = 0; y < h; ++y) { ++ for (comp = 0; comp < 4; ++comp) { ++ if (useBinary) { ++ // Binary color image ++ for (x = 0; x < w; ++x) { ++ if (likely(colorMode == splashModeRGB8)) { ++ inputColor.c[0] = byteToCol(p[3*x + 0]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 2]); ++ } else { ++ inputColor.c[0] = byteToCol(p[3*x + 2]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 0]); ++ } ++ rgbCS->getCMYK(&inputColor, &cmyk); ++ cmykColor[0] = colToByte(cmyk.c); ++ cmykColor[1] = colToByte(cmyk.m); ++ cmykColor[2] = colToByte(cmyk.y); ++ cmykColor[3] = colToByte(cmyk.k); ++ ++ hexBuf[i++] = cmykColor[comp]; ++ if (i >= 64) { ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } else { ++ // Hex color image ++ for (x = 0; x < w; ++x) { ++ if (likely(colorMode == splashModeRGB8)) { ++ inputColor.c[0] = byteToCol(p[3*x + 0]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 2]); ++ } else { ++ inputColor.c[0] = byteToCol(p[3*x + 2]); ++ inputColor.c[1] = byteToCol(p[3*x + 1]); ++ inputColor.c[2] = byteToCol(p[3*x + 0]); ++ } ++ rgbCS->getCMYK(&inputColor, &cmyk); ++ cmykColor[0] = colToByte(cmyk.c); ++ cmykColor[1] = colToByte(cmyk.m); ++ cmykColor[2] = colToByte(cmyk.y); ++ cmykColor[3] = colToByte(cmyk.k); ++ ++ digit = cmykColor[comp] / 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ digit = cmykColor[comp] % 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 
'a' - 10: '0'); ++ if (i >= 64) { ++ hexBuf[i++] = '\n'; ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } ++ } ++ p -= bitmap->getRowSize(); ++ } ++ delete rgbCS; ++ break; ++ default: ++ for (y = 0; y < h; ++y) { ++ for (comp = 0; comp < 4; ++comp) { ++ if (useBinary) { ++ // Binary color image ++ for (x = 0; x < w; ++x) { ++ hexBuf[i++] = p[4*x + comp]; ++ if (i >= 64) { ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } else { ++ // Hex color image ++ for (x = 0; x < w; ++x) { ++ digit = p[4*x + comp] / 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ digit = p[4*x + comp] % 16; ++ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0'); ++ if (i >= 64) { ++ hexBuf[i++] = '\n'; ++ writePSBuf(hexBuf, i); ++ i = 0; ++ } ++ } ++ } ++ } ++ p -= bitmap->getRowSize(); ++ } ++ break; + } + } + if (i != 0) { diff --git a/SOURCES/poppler-0.66.0-check-catalog-is-dict.patch b/SOURCES/poppler-0.66.0-check-catalog-is-dict.patch new file mode 100644 index 0000000..73fa712 --- /dev/null +++ b/SOURCES/poppler-0.66.0-check-catalog-is-dict.patch 
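Review bot: In the gray branch of `PSOutputDev::checkPageSlice`, the test `if (colorMode == splashModeRGB8 || colorMode != splashModeBGR8)` is true for every mode except BGR8, so a BGR8 bitmap falls through to the `else` path that indexes `p[4*x + 3]` on three-byte pixels, which is the out-of-bounds read this patch sets out to remove, while CMYK bitmaps take the `p[3*x]` path with the wrong stride. The second comparison should be an equality: `if (colorMode == splashModeRGB8 || colorMode == splashModeBGR8) {`. Separately, `p -= bitmap->getRowSize();` now appears to sit after both row loops of the gray branch rather than inside them, which would emit the same row `h` times; indentation is lost on this page, so that needs checking against the source. The function begins and ends outside the hunk.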
@@ -0,0 +1,29 @@
+--- a/utils/pdfunite.cc
++++ b/utils/pdfunite.cc
+@@ -165,7 +165,9 @@ int main (int argc, char *argv[])
+ for (i = 1; i < argc - 1; i++) {
+ GooString *gfileName = new GooString(argv[i]);
+ PDFDoc *doc = new PDFDoc(gfileName, nullptr, nullptr, nullptr);
+- if (doc->isOk() && !doc->isEncrypted()) {
++ if (doc->isOk() && !doc->isEncrypted() &&
++ (doc->getCatalog()->getPageRef(1) || gTrue) &&
++ doc->getXRef()->getCatalog().isDict()) {
+ docs.push_back(doc);
+ if (doc->getPDFMajorVersion() > majorVersion) {
+ majorVersion = doc->getPDFMajorVersion();
+@@ -176,8 +177,13 @@ int main (int argc, char *argv[])
+ }
+ }
+ } else if (doc->isOk()) {
+- error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
+- return -1;
++ if (doc->isEncrypted()) {
++ error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
++ return -1;
++ } else if (!doc->getXRef()->getCatalog().isDict()) {
++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]);
++ return -1;
++ }
+ } else {
+ error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]);
+ return -1;
diff --git a/SOURCES/poppler-0.66.0-coverage-values.patch b/SOURCES/poppler-0.66.0-coverage-values.patch
new file mode 100644
index 0000000..74cb731
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-coverage-values.patch
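Review bot: The clause `(doc->getCatalog()->getPageRef(1) || gTrue)` in the new condition in `main` is always true and is there only for the side effect of the call, which nothing in the code explains. A later cleanup could delete it as dead code, and it dereferences `getCatalog()` before the `isDict()` test on the XRef catalog that follows it. I would hoist the call out of the condition, or at least add a comment such as `// getPageRef(1) is called for its side effect only; the result is deliberately ignored`, and confirm that `getCatalog()` cannot return null once `isOk()` holds. The loop body continues outside the hunk.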
@@ -0,0 +1,35 @@ +From d716e636231c8d636bf2139896d817b66fe6d510 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Thu, 21 Mar 2019 13:15:37 +0100 +Subject: [PATCH 1/2] cairo: Compute correct coverage values for box filter + +Use double precision for computation of coverage +of the left most pixel in the box filter. + +Issue #736 +--- + poppler/CairoRescaleBox.cc | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc +index b8371a5b..d7615010 100644 +--- a/poppler/CairoRescaleBox.cc ++++ b/poppler/CairoRescaleBox.cc +@@ -226,10 +227,10 @@ static int compute_coverage (int coverage[], int src_length, int dest_length) + /* I have a proof of this, which this margin is too narrow to contain */ + for (i=0; i +Date: Tue, 1 Jan 2019 10:54:40 +0100 +Subject: [PATCH] Avoid global display profile state becoming an uncontrolled + memory leak by enforcing single initialization. Closes #654 + +--- + poppler/GfxState.cc | 9 +++++++++ + qt5/src/poppler-qt5.h | 4 ++++ + 2 files changed, 13 insertions(+) + +diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc +index 87b7ce03..4e3ccbfd 100644 +--- a/poppler/GfxState.cc ++++ b/poppler/GfxState.cc +@@ -226,6 +226,10 @@ static unsigned int getCMSNChannels(cmsColorSpaceSignature cs); + static cmsHPROFILE loadColorProfile(const char *fileName); + + void GfxColorSpace::setDisplayProfile(void *displayProfileA) { ++ if (displayProfile != nullptr) { ++ error(errInternal, -1, "The display color profile can only be set once before any rendering is done."); ++ return; ++ } + displayProfile = displayProfileA; + if (displayProfile != nullptr) { + cmsHTRANSFORM transform; +@@ -249,6 +253,11 @@ void GfxColorSpace::setDisplayProfile(void *displayProfileA) { + } + + void GfxColorSpace::setDisplayProfileName(GooString *name) { ++ if (displayProfile != nullptr) { ++ error(errInternal, -1, "The display color profile can only be set before any rendering is done."); ++ 
return; ++ } ++ delete displayProfileName; + displayProfileName = name->copy(); + } + +diff --git a/qt5/src/poppler-qt5.h b/qt5/src/poppler-qt5.h +index 4f06c47e..ddac7dfb 100644 +--- a/qt5/src/poppler-qt5.h ++++ b/qt5/src/poppler-qt5.h +@@ -1102,6 +1102,8 @@ delete it; + + \param outputProfileA is a \c cmsHPROFILE of the LCMS library. + ++ \note This should be called before any rendering happens and only once during the lifetime of the current process. ++ + \since 0.12 + */ + void setColorDisplayProfile(void *outputProfileA); +@@ -1110,6 +1112,8 @@ delete it; + + \param name is the name of the display profile to set. + ++ \note This should be called before any rendering happens. ++ + \since 0.12 + */ + void setColorDisplayProfileName(const QString &name); +-- +2.20.1 + diff --git a/SOURCES/poppler-0.66.0-dummy-xref-entry.patch b/SOURCES/poppler-0.66.0-dummy-xref-entry.patch new file mode 100644 index 0000000..bc1f5a1 --- /dev/null +++ b/SOURCES/poppler-0.66.0-dummy-xref-entry.patch 
@@ -0,0 +1,63 @@
+From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Mon, 24 Dec 2018 15:40:38 +0100
+Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
+ pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
+
+---
+ poppler/XRef.cc | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 0ec66944..d042d1f4 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector *xrefStreamObjsNum)
+ }
+ }
+
++namespace {
++
++struct DummyXRefEntry : XRefEntry {
++ DummyXRefEntry() {
++ offset = 0;
++ gen = -1;
++ type = xrefEntryNone;
++ flags = 0;
++ }
++};
++
++DummyXRefEntry dummyXRefEntry;
++
++}
++
+ XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
+ {
+ if (i >= size || entries[i].type == xrefEntryNone) {
+
+ if ((!xRefStream) && mainXRefEntriesOffset) {
++ if (unlikely(i >= capacity)) {
++ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
++ return &dummyXRefEntry;
++ }
++
+ if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
+ error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
+ }
+@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ // We might have reconstructed the xref
+ // Check again i is in bounds
+ if (unlikely(i >= size)) {
+- static XRefEntry dummy;
+- dummy.offset = 0;
+- dummy.gen = -1;
+- dummy.type = xrefEntryNone;
+- dummy.flags = 0;
+- return &dummy;
++ return &dummyXRefEntry;
+ }
+
+ if (entries[i].type == xrefEntryNone) {
+--
+2.20.1
+
diff --git a/SOURCES/poppler-0.66.0-filespec.patch b/SOURCES/poppler-0.66.0-filespec.patch
new file mode 100644
index 0000000..bfaba8f
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-filespec.patch
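Review bot: `XRef::getEntry` now returns `&dummyXRefEntry`, one mutable file-scope object, through a non-const `XRefEntry *`, and unlike the removed `static XRefEntry dummy` its fields are set once in the constructor instead of being reset on every return. A caller that writes through the returned pointer would therefore change the sentinel for every later failed lookup in the process; whether any caller does so is not visible in this hunk. At minimum the object should carry a comment such as `// Shared sentinel for invalid indices; callers must treat the returned entry as read-only`, and re-initialising the fields before each return would restore the old behaviour. The function continues past the end of the hunk.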
@@ -0,0 +1,35 @@
+From de0c0b8324e776f0b851485e0fc9622fc35695b7 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Sat, 29 Dec 2018 01:25:17 +0100
+Subject: [PATCH] FileSpec: Move the fileSpec.dictLookup call inside
+ fileSpec.isDict if
+
+Fixes #704
+---
+ poppler/FileSpec.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/FileSpec.cc b/poppler/FileSpec.cc
+index 8a8b9e7e..7c12da63 100644
+--- a/poppler/FileSpec.cc
++++ b/poppler/FileSpec.cc
+@@ -133,11 +133,12 @@ FileSpec::FileSpec(const Object *fileSpecA)
+ return;
+ }
+ }
+- }
+
+- obj1 = fileSpec.dictLookup("Desc");
+- if (obj1.isString())
+- desc = obj1.getString()->copy();
++ obj1 = fileSpec.dictLookup("Desc");
++ if (obj1.isString()) {
++ desc = obj1.getString()->copy();
++ }
++ }
+ }
+
+ FileSpec::~FileSpec()
+--
+2.20.1
+
diff --git a/SOURCES/poppler-0.66.0-image-stream-getline.patch b/SOURCES/poppler-0.66.0-image-stream-getline.patch
new file mode 100644
index 0000000..ce20c07
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-image-stream-getline.patch
@@ -0,0 +1,27 @@
+From f4136a6353162db249f63ddb0f20611622ab61b4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 27 Feb 2019 19:43:22 +0100
+Subject: [PATCH] ImageStream::getLine: fix crash on broken files
+
+Fixes #728
+---
+ poppler/Stream.cc | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/poppler/Stream.cc b/poppler/Stream.cc
+index 33537b0e..a41435ab 100644
+--- a/poppler/Stream.cc
++++ b/poppler/Stream.cc
+@@ -496,6 +496,9 @@ unsigned char *ImageStream::getLine() {
+ }
+
+ int readChars = str->doGetChars(inputLineSize, inputLine);
++ if (unlikely(readChars == -1)) {
++ readChars = 0;
++ }
+ for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
+ if (nBits == 1) {
+ p = inputLine;
+--
+2.20.1
+
diff --git a/SOURCES/poppler-0.66.0-jpeg2000-component-size.patch b/SOURCES/poppler-0.66.0-jpeg2000-component-size.patch
new file mode 100644
index 0000000..2ad86a8
--- /dev/null
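Review bot: The guard added in `ImageStream::getLine` handles only `readChars == -1`; any other negative return from `doGetChars` would still reach the fill loop and write `inputLine[readChars]` before the start of the buffer. Whether `doGetChars` can return other negative values is not visible here, so the cheap fix is to make the guard cover them all: `if (unlikely(readChars < 0)) {`. The rest of `getLine` lies outside the hunk.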
+++ b/SOURCES/poppler-0.66.0-jpeg2000-component-size.patch
@@ -0,0 +1,41 @@
+From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Thu, 23 May 2019 00:54:29 +0200
+Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have
+ the same WxH
+
+I think this is just a mistake, or at least the only file we have with
+this scenario is a fuzzed one
+---
+ poppler/JPEG2000Stream.cc | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
+index 15bbcae4..0eea3a2d 100644
+--- a/poppler/JPEG2000Stream.cc
++++ b/poppler/JPEG2000Stream.cc
+@@ -4,7 +4,7 @@
+ //
+ // A JPX stream decoder using OpenJPEG
+ //
+-// Copyright 2008-2010, 2012, 2017, 2018 Albert Astals Cid
++// Copyright 2008-2010, 2012, 2017-2019 Albert Astals Cid
+ // Copyright 2011 Daniel Glöckner
+ // Copyright 2014, 2016 Thomas Freitag
+ // Copyright 2013, 2014 Adrian Johnson
+@@ -253,6 +253,12 @@ void JPXStream::init()
+ close();
+ break;
+ }
++ const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h;
++ if (componentPixels != priv->npixels) {
++ error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component);
++ close();
++ break;
++ }
+ unsigned char *cdata = (unsigned char *)priv->image->comps[component].data;
+ int adjust = 0;
+ int depth = priv->image->comps[component].prec;
+--
+2.21.0
+
diff --git a/SOURCES/poppler-0.66.0-negative-xref-indices.patch b/SOURCES/poppler-0.66.0-negative-xref-indices.patch
new file mode 100644
index 0000000..d0cf40d
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-negative-xref-indices.patch
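Review bot: The new check in `JPXStream::init` compares the product `w * h` of each component with `priv->npixels`, so a component whose dimensions differ but whose pixel count matches still passes, although the message reports a "different WxH". The product is also narrowed to `int`, where large dimensions could wrap; the declared types of `w` and `h` are outside the hunk, so that part is inferred. Comparing the dimensions themselves avoids both problems: `if (priv->image->comps[component].w != priv->image->comps[0].w || priv->image->comps[component].h != priv->image->comps[0].h) {`. The component loop starts and ends outside the hunk.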
@@ -0,0 +1,29 @@
+From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Fri, 1 Feb 2019 08:42:27 +0100
+Subject: [PATCH] Also defend against requests for negative XRef indices.
+ oss-fuzz/12797
+
+---
+ poppler/XRef.cc | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index d042d1f4..ac2cd0ce 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1565,6 +1565,11 @@ DummyXRefEntry dummyXRefEntry;
+
+ XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
+ {
++ if (unlikely(i < 0)) {
++ error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i);
++ return &dummyXRefEntry;
++ }
++
+ if (i >= size || entries[i].type == xrefEntryNone) {
+
+ if ((!xRefStream) && mainXRefEntriesOffset) {
+--
+2.20.1
+
diff --git a/SOURCES/poppler-0.66.0-rescale-filter.patch b/SOURCES/poppler-0.66.0-rescale-filter.patch
new file mode 100644
index 0000000..3dbad5c
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-rescale-filter.patch
@@ -0,0 +1,100 @@ +From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Thu, 21 Mar 2019 13:47:51 +0100 +Subject: [PATCH 2/2] cairo: Constrain number of cycles in rescale filter + +Pass address of the first byte after end of the source buffer +to downsample_row_box_filter() so that we can check +that we don't run out of it. + +Fixes issue #736 +--- + poppler/CairoRescaleBox.cc | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc +index d7615010..7fd07041 100644 +--- a/poppler/CairoRescaleBox.cc ++++ b/poppler/CairoRescaleBox.cc +@@ -62,7 +62,7 @@ + + static void downsample_row_box_filter ( + int start, int width, +- uint32_t *src, uint32_t *dest, ++ uint32_t *src, uint32_t *src_limit, uint32_t *dest, + int coverage[], int pixel_coverage) + { + /* we need an array of the pixel contribution of each destination pixel on the boundaries. +@@ -90,13 +90,13 @@ static void downsample_row_box_filter ( + /* skip to start */ + /* XXX: it might be possible to do this directly instead of iteratively, however + * the iterative solution is simple */ +- while (x < start) ++ while (x < start && src < src_limit) + { + int box = 1 << FIXED_SHIFT; + int start_coverage = coverage[x]; + box -= start_coverage; + src++; +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + src++; + box -= pixel_coverage; +@@ -104,7 +104,7 @@ static void downsample_row_box_filter ( + x++; + } + +- while (x < start + width) ++ while (x < start + width && src < src_limit) + { + uint32_t a = 0; + uint32_t r = 0; +@@ -121,7 +121,7 @@ static void downsample_row_box_filter ( + x++; + box -= start_coverage; + +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + a += ((*src >> 24) & 0xff) * pixel_coverage; + r += ((*src >> 16) & 0xff) * pixel_coverage; +@@ -135,7 +135,7 @@ static void 
downsample_row_box_filter ( + /* multiply by whatever is leftover + * this ensures that we don't bias down. + * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */ +- if (box > 0) ++ if (box > 0 && src < src_limit) + { + a += ((*src >> 24) & 0xff) * box; + r += ((*src >> 16) & 0xff) * box; +@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + int start_coverage_y = y_coverage[dest_y]; + + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= start_coverage_y; +@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + while (box >= pixel_coverage_y) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= pixel_coverage_y; +@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height, + if (box > 0) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + } + +-- +2.20.1 + diff --git a/SOURCES/poppler-0.66.0-rich-media-annotation.patch b/SOURCES/poppler-0.66.0-rich-media-annotation.patch new file mode 100644 index 0000000..3730e3e --- /dev/null +++ b/SOURCES/poppler-0.66.0-rich-media-annotation.patch 
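Review bot: The `src < src_limit` conditions added to `downsample_row_box_filter` stop the reads at the end of the scanline, but when the main `while (x < start + width && src < src_limit)` loop exits on the second condition the remaining destination pixels of the row are never written. The writes to `dest` are in context outside the hunk, so this is inferred; if `temp_buf` is not cleared beforehand, stale or uninitialised memory would flow into the scaled image. I would fill the unwritten tail of the row with zeros after the loop, or have the function report the short read so that `downScaleImage` can fail. The `scanline + orig_width` limit passed at the three call sites also deserves a comment stating that `scanline` holds `orig_width` pixels.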
@@ -0,0 +1,51 @@
+From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Thu, 27 Dec 2018 11:54:53 +0100
+Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
+ Closes #703
+
+---
+ poppler/Annot.cc | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git a/poppler/Annot.cc b/poppler/Annot.cc
+index 2e4770ab..1750dc70 100644
+--- a/poppler/Annot.cc
++++ b/poppler/Annot.cc
+@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) {
+ if (obj1.isDict()) {
+ Object obj2 = obj1.getDict()->lookup("Names");
+ if (obj2.isArray()) {
+- nAssets = obj2.arrayGetLength() / 2;
++ const int length = obj2.arrayGetLength() / 2;
+
+- assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
++ assets = (Asset **)gmallocn(length, sizeof(Asset *));
++ for (int i = 0; i < length; ++i) {
++ Object objKey = obj2.arrayGet(2 * i);
++ Object objVal = obj2.arrayGet(2 * i + 1);
+
+- int counter = 0;
+- for (int i = 0; i < nAssets; ++i) {
+- assets[counter] = new AnnotRichMedia::Asset;
+-
+- Object objKey = obj2.arrayGet(i * 2);
+- assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
+-
+- assets[counter]->name = new GooString( objKey.getString() );
+- ++counter;
++ if (!objKey.isString() || objVal.isNull()) {
++ error(errSyntaxError, -1, "Bad Annot Asset");
++ continue;
++ }
+
++ assets[nAssets] = new AnnotRichMedia::Asset;
++ assets[nAssets]->name = new GooString( objKey.getString() );
++ assets[nAssets]->fileSpec = std::move(objVal);
++ ++nAssets;
+ }
+ }
+ }
+--
+2.20.1
+
diff --git a/SOURCES/poppler-0.66.0-stack-overflow.patch b/SOURCES/poppler-0.66.0-stack-overflow.patch
new file mode 100644
index 0000000..1f6d53f
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-stack-overflow.patch
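Review bot: `assets[nAssets]` in `AnnotRichMedia::Content::Content` is now indexed by a counter that this hunk only increments, whereas the removed code assigned `nAssets` before using it. The write stays inside the `length`-element array only if `nAssets` is already zero when the constructor reaches this block, and that initialisation is not visible in the hunk. Setting it explicitly next to the allocation, `nAssets = 0;` just before the `gmallocn` call, would make the bound local and obvious. The constructor starts and ends outside the hunk.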
@@ -0,0 +1,20 @@
+From fada09a2ccc11a3a1d308e810f1336d8df6011fd Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Mon, 18 Mar 2019 00:50:00 +0100
+Subject: pdfunite: Fix stack overflow on broken file
+
+Fixes issue #741
+
+diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
+index 26842f84..ab4abcad 100644
+--- a/poppler/PDFDoc.cc
++++ b/poppler/PDFDoc.cc
+@@ -1703,7 +1703,7 @@ void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int n
+ array = obj->getArray();
+ for (int i=0; igetLength(); i++) {
+ Object obj1 = array->getNF(i);
+- markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum);
++ markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
+ }
+ break;
+ case objDict:
diff --git a/SOURCES/poppler-0.66.0-tiling-patterns.patch b/SOURCES/poppler-0.66.0-tiling-patterns.patch
new file mode 100644
index 0000000..ea17a49
--- /dev/null
+++ b/SOURCES/poppler-0.66.0-tiling-patterns.patch
@@ -0,0 +1,47 @@
+From 718d428984e3a84fda521c0f5e6d975c7390af2b Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Fri, 6 Apr 2018 15:06:46 +0200
+Subject: [PATCH] cairo: Fix tiling patterns when pattern cell is too far
+
+Rendering of tiling pattern which has pattern matrix moving pattern cell
+far away can fail on allocation of memory. This commit solves the issue by
+modifying of cairo pattern matrix so that its offset is closer to the path
+filled by the pattern.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=105905
+---
+ poppler/CairoOutputDev.cc | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/poppler/CairoOutputDev.cc b/poppler/CairoOutputDev.cc
+index 631ab27b..b2e730bf 100644
+--- a/poppler/CairoOutputDev.cc
++++ b/poppler/CairoOutputDev.cc
+@@ -915,6 +915,8 @@ GBool CairoOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
+ StrokePathClip *strokePathTmp;
+ GBool adjusted_stroke_width_tmp;
+ cairo_pattern_t *maskTmp;
++ double xoffset, yoffset;
++ double det;
+
+ width = bbox[2] - bbox[0];
+ height = bbox[3] - bbox[1];
+@@ -976,6 +978,15 @@ GBool CairoOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
+ if (cairo_pattern_status (pattern))
+ return gFalse;
+
++ det = pmat[0] * pmat[3] - pmat[1] * pmat[2];
++ if (fabs(det) < 0.000001)
++ return gFalse;
++
++ xoffset = round ((pmat[3] * pmat[4] - pmat[2] * pmat[5]) / (xStep * det));
++ yoffset = - round ((pmat[1] * pmat[4] - pmat[0] * pmat[5]) / (yStep * det));
++ pattern_matrix.x0 -= xoffset * pattern_matrix.xx * xStep + yoffset * pattern_matrix.xy * yStep;
++ pattern_matrix.y0 -= xoffset * pattern_matrix.yx * xStep + yoffset * pattern_matrix.yy * yStep;
++
+ state->getUserClipBBox(&xMin, &yMin, &xMax, &yMax);
+ cairo_rectangle (cairo, xMin, yMin, xMax - xMin, yMax - yMin);
+
+--
+2.14.3
+
diff --git a/SPECS/poppler.spec b/SPECS/poppler.spec
index b880b37..b34d750 100644
--- a/SPECS/poppler.spec
+++ b/SPECS/poppler.spec
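Review bot: The offset computation added to `CairoOutputDev::tilingPatternFill` divides by `xStep * det` and `yStep * det`, but only `det` is tested against zero. If a pattern reaches this point with a zero `xStep` or `yStep`, `round()` receives an infinity or NaN and the result is written into `pattern_matrix.x0` and `pattern_matrix.y0`; any earlier validation of the steps is outside the hunk. Extending the guard covers it: `if (fabs(det) < 0.000001 || xStep == 0 || yStep == 0) return gFalse;`. The new early return also comes after `pattern` has been created, so it is worth checking that the pattern is released on that path. The function begins and ends outside the hunk.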
@@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.66.0 -Release: 10%{?dist} +Release: 11%{?dist}.12 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -39,6 +39,46 @@ Patch8: poppler-0.66.0-valid-embedded-file.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1649450 Patch9: poppler-0.66.0-valid-embedded-file-name.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1644094 +Patch10: poppler-0.66.0-tiling-patterns.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1665259 +Patch11: poppler-0.66.0-rich-media-annotation.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1665273 +Patch12: poppler-0.66.0-check-catalog-is-dict.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1646546 +Patch13: poppler-0.66.0-display-profile.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1665266 +Patch14: poppler-0.66.0-dummy-xref-entry.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1672419 +Patch15: poppler-0.66.0-negative-xref-indices.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1665263 +Patch16: poppler-0.66.0-filespec.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1683632 +Patch17: poppler-0.66.0-image-stream-getline.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1686802 +Patch18: poppler-0.66.0-coverage-values.patch +Patch19: poppler-0.66.0-rescale-filter.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1691724 +Patch20: poppler-0.66.0-stack-overflow.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1713582 +Patch21: poppler-0.66.0-jpeg2000-component-size.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1696636 +Patch22: poppler-0.66.0-PSOutputDev-rgb.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=1732340 +Patch23: poppler-0.66.0-JPXStream-length.patch + BuildRequires: cmake BuildRequires: gettext-devel BuildRequires: pkgconfig(cairo) 
@@ -240,6 +280,62 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Wed Aug 14 2019 Marek Kasik - 0.66.0-11.el8_0.12 +- Ignore dict Length if it is broken +- Resolves: #1741146 + +* Wed Aug 14 2019 Marek Kasik - 0.66.0-11.el8_0.11 +- Check whether input is RGB in PSOutputDev::checkPageSlice() +- (also when using "-optimizecolorspace" flag) +- Resolves: #1741145 + +* Wed Aug 14 2019 Marek Kasik - 0.66.0-11.el8_0.10 +- Fail gracefully if not all components of JPEG2000Stream +- have the same size +- Resolves: #1740612 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.9 +- Fix stack overflow on broken file +- Resolves: #1717867 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.8 +- Constrain number of cycles in rescale filter +- Compute correct coverage values for box filter +- Resolves: #1717866 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.7 +- Fix possible crash on broken files in ImageStream::getLine() +- Resolves: #1717803 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.6 +- Move the fileSpec.dictLookup call inside fileSpec.isDict if +- Resolves: #1717788 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.5 +- Defend against requests for negative XRef indices +- Resolves: #1717779 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.4 +- Do not try to parse into unallocated XRef entry +- Resolves: #1717790 + +* Wed Jul 31 2019 Marek Kasik - 0.66.0-11.el8_0.3 +- Avoid global display profile state becoming an uncontrolled +- memory leak +- Resolves: #1717776 + +* Wed May 15 2019 Marek Kasik - 0.66.0-11.el8_0.2 +- Check Catalog from XRef for being a Dict +- Resolves: #1690480 + +* Wed May 15 2019 Marek Kasik - 0.66.0-11.el8_0.1 +- Do not try to construct invalid rich media annotation assets +- Resolves: #1690478 + +* Fri Dec 14 2018 Marek Kasik - 0.66.0-11 +- Fix tiling patterns when pattern cell is too far +- Resolves: #1644094 + * Fri Nov 16 2018 Marek Kasik - 0.66.0-10 - Check for valid file name of embedded 
file - Resolves: #1649453