diff --git a/SOURCES/poppler-0.26.5-parser-integer-overflow.patch b/SOURCES/poppler-0.26.5-parser-integer-overflow.patch
new file mode 100644
index 0000000..059a467
--- /dev/null
+++ b/SOURCES/poppler-0.26.5-parser-integer-overflow.patch
@@ -0,0 +1,23 @@
+--- poppler-0.26.5/poppler/Parser.cc
++++ poppler-0.26.5/poppler/Parser.cc
+@@ -19,6 +19,7 @@
+ // Copyright (C) 2012 Hib Eris
+ // Copyright (C) 2013 Adrian Johnson
+ // Copyright (C) 2013 Thomas Freitag
++// Copyright (C) 2018 Albert Astals Cid
+ //
+ // To see a description of the changes please see the Changelog file that
+ // came with your tarball or type make ChangeLog if you are building from git
+@@ -257,6 +258,12 @@ Stream *Parser::makeStream(Object *dict,
+ pos = pos - 1;
+ lexer->lookCharLastValueCached = Lexer::LOOK_VALUE_NOT_CACHED;
+ }
++ if (unlikely(length < 0)) {
++ return NULL;
++ }
++ if (unlikely(pos > LONG_LONG_MAX - length)) {
++ return NULL;
++ }
+ lexer->setPos(pos + length);
+
+ // refill token buffers and check for 'endstream'
diff --git a/SOURCES/poppler-0.26.5-tilingpatternfill-crash.patch b/SOURCES/poppler-0.26.5-tilingpatternfill-crash.patch
new file mode 100644
index 0000000..b85bcfe
--- /dev/null
+++ b/SOURCES/poppler-0.26.5-tilingpatternfill-crash.patch
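Review bot: In the Parser.cc patch carried by poppler-0.26.5-parser-integer-overflow.patch, the second added guard in Parser::makeStream uses `LONG_LONG_MAX`, a GNU spelling rather than the standard `LLONG_MAX` from `<climits>`, and the patch adds no include for either, so it compiles only if Parser.cc already gets the macro indirectly (not visible here). Writing the test as `if (unlikely(pos > LLONG_MAX - length)) {` keeps the bound on a standard name; this assumes `pos` and `length` are both `long long`-sized offsets, which the hunk does not show. Both new branches return NULL without a diagnostic, so a one-line comment such as `// Length comes from the file: reject negative values and pos + length overflow before setPos()` would record why they exist. makeStream begins and ends outside the hunk, so how callers treat the NULL return on this path cannot be confirmed from these lines.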
@@ -0,0 +1,28 @@
+From b224e2f5739fe61de9fa69955d016725b2a4b78d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Mon, 15 Jul 2019 22:11:09 +0200
+Subject: [PATCH] SplashOutputDev::tilingPatternFill: Fix crash on broken file
+
+Issue #802
+---
+ poppler/SplashOutputDev.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/poppler/SplashOutputDev.cc b/poppler/SplashOutputDev.cc
+index 544f132d..3d2befc2 100644
+--- a/poppler/SplashOutputDev.cc
++++ b/poppler/SplashOutputDev.cc
+@@ -4581,6 +4581,10 @@ bool SplashOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
+ surface_width = (int) ceil (fabs(kx));
+ surface_height = (int) ceil (fabs(ky));
+ // adjust repeat values to completely fill region
++ if (unlikely(surface_width == 0 || surface_height == 0)) {
++ state->setCTM(savedCTM[0], savedCTM[1], savedCTM[2], savedCTM[3], savedCTM[4], savedCTM[5]);
++ return gFalse;
++ }
+ repeatX = result_width / surface_width;
+ repeatY = result_height / surface_height;
+ if (surface_width * repeatX < result_width)
+--
+2.24.1
+
diff --git a/SPECS/poppler.spec b/SPECS/poppler.spec
index 5027042..52700b7 100644
--- a/SPECS/poppler.spec
+++ b/SPECS/poppler.spec
@@ -1,7 +1,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.26.5
-Release: 41%{?dist}
+Release: 43%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 Group: Development/Libraries
 URL: http://poppler.freedesktop.org/
@@ -126,6 +126,12 @@ Patch43: poppler-0.26.5-jpeg2000-component-size.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1732340
 Patch44: poppler-0.26.5-JPXStream-length.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1753850
+Patch45: poppler-0.26.5-parser-integer-overflow.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1797453
+Patch46: poppler-0.26.5-tilingpatternfill-crash.patch
+
 Requires: poppler-data >= 0.4.0
 BuildRequires: automake libtool
 BuildRequires: gettext-devel
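Review bot: In the SplashOutputDev.cc patch carried by poppler-0.26.5-tilingpatternfill-crash.patch, the new guard in tilingPatternFill rejects only an exact zero, but `surface_width` and `surface_height` come from `(int) ceil (fabs(kx))` and `(int) ceil (fabs(ky))`, and a non-finite or larger-than-INT_MAX value makes that conversion undefined before the guard runs. If `kx` and `ky` are not bounded earlier in the function (outside the hunk), a range check belongs ahead of the casts, e.g. `if (unlikely(!(fabs(kx) <= INT_MAX) || !(fabs(ky) <= INT_MAX))) {` with the same setCTM-and-return body; the negated `<=` form also rejects NaN. The early return restores the saved CTM; whether anything else set up earlier in tilingPatternFill needs undoing on this path is not visible from the hunk.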
@@ -286,6 +292,8 @@ Requires: %{name}%{?_isa} = %{version}-%{release}
 %patch42 -p1 -b .psoutputdev-rgb
 %patch43 -p1 -b .jpeg2000-component-size
 %patch44 -p1 -b .jpxstream-length
+%patch45 -p1 -b .parser-integer-overflow
+%patch46 -p1 -b .divide-by-zero
 # hammer to nuke rpaths, recheck on new releases
 autoreconf -i -f
@@ -407,6 +415,14 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %changelog
+* Wed Apr 15 2020 Marek Kasik - 0.26.5-43
+- Fix crash on broken file in tilingPatternFill()
+- Resolves: #1801340
+
+* Fri Nov 15 2019 Marek Kasik - 0.26.5-42
+- Fix potential integer overflow and check length for negative values
+- Resolves: #1757283
+
 * Tue Aug 13 2019 Marek Kasik - 0.26.5-41
 - Ignore dict Length if it is broken
 - Resolves: #1733026
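Review bot: The backup suffix on `%patch46 -p1 -b .divide-by-zero` in the first spec hunk above does not follow the patch file name, whereas the %patch43, %patch44 and %patch45 lines around it each reuse their patch's name as the suffix. Using `%patch46 -p1 -b .tilingpatternfill-crash` keeps the backup files left in the prepared source tree traceable to Patch46 when someone audits which security fix touched which file.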