Diffstat (limited to 'patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff')
-rw-r--r-- | patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff b/patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff
new file mode 100644
index 00000000..ac9eda9c
--- /dev/null
+++ b/patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff
@@ -0,0 +1,213 @@
+--- ./splash/SplashErrorCodes.h.orig 2009-05-02 07:14:56.000000000 -0500
++++ ./splash/SplashErrorCodes.h 2009-10-28 16:42:00.000000000 -0500
+@@ -41,6 +41,8 @@
+
+ #define splashErrSingularMatrix 8 // matrix is singular
+
++#define splashErrBadArg 9 // bad argument
++
+ #define splashErrZeroImage 9 // image of 0x0
+
+ #endif
+--- ./splash/SplashBitmap.cc.orig 2009-05-02 07:14:57.000000000 -0500
++++ ./splash/SplashBitmap.cc 2009-10-28 16:44:24.000000000 -0500
+@@ -26,6 +26,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <limits.h>
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -42,33 +43,55 @@
+ mode = modeA;
+ switch (mode) {
+ case splashModeMono1:
+- rowSize = (width + 7) >> 3;
++ if (width > 0) {
++ rowSize = (width + 7) >> 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeMono8:
+- rowSize = width;
++ if (width > 0) {
++ rowSize = width;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- rowSize = width * 3;
++ if (width > 0 && width <= INT_MAX / 3) {
++ rowSize = width * 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeXBGR8:
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #if SPLASH_CMYK
+ case splashModeCMYK8:
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #endif
+ }
+- rowSize += rowPad - 1;
+- rowSize -= rowSize % rowPad;
+- data = (SplashColorPtr)gmallocn(rowSize, height);
++ if (rowSize > 0) {
++ rowSize += rowPad - 1;
++ rowSize -= rowSize % rowPad;
++ }
++ data = (SplashColorPtr)gmallocn(height, rowSize);
+ if (!topDown) {
+ data += (height - 1) * rowSize;
+ rowSize = -rowSize;
+ }
+ if (alphaA) {
+- alpha = (Guchar *)gmalloc(width * height);
++ alpha = (Guchar *)gmallocn(width, height);
+ } else {
+ alpha = NULL;
+ }
+--- ./splash/Splash.cc.orig 2009-05-02 07:14:57.000000000 -0500
++++ ./splash/Splash.cc 2009-10-28 16:42:00.000000000 -0500
+@@ -27,6 +27,7 @@
+
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -2001,7 +2002,10 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
+- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
++ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
+
+ // initialize the pixel pipe
+ pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
+@@ -2301,9 +2305,12 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffers
+- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
++ return splashErrBadArg;
++ }
++ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
+ if (srcAlpha) {
+- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
++ alphaBuf = (Guchar *)gmallocn(yp + 1, w);
+ } else {
+ alphaBuf = NULL;
+ }
+--- ./poppler/XRef.cc.orig 2009-05-02 07:14:57.000000000 -0500
++++ ./poppler/XRef.cc 2009-10-28 16:42:00.000000000 -0500
+@@ -76,6 +76,8 @@
+ // generation 0.
+ ObjectStream(XRef *xref, int objStrNumA);
+
++ GBool isOk() { return ok; }
++
+ ~ObjectStream();
+
+ // Return the object number of this object stream.
+@@ -91,6 +93,7 @@
+ int nObjects; // number of objects in the stream
+ Object *objs; // the objects (length = nObjects)
+ int *objNums; // the object numbers (length = nObjects)
++ GBool ok;
+ };
+
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -104,6 +107,7 @@
+ nObjects = 0;
+ objs = NULL;
+ objNums = NULL;
++ ok = gFalse;
+
+ if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+ goto err1;
+@@ -134,6 +138,13 @@
+ goto err1;
+ }
+
++ // this is an arbitrary limit to avoid integer overflow problems
++ // in the 'new Object[nObjects]' call (Acrobat apparently limits
++ // object streams to 100-200 objects)
++ if (nObjects > 1000000) {
++ error(-1, "Too many objects in an object stream");
++ goto err1;
++ }
+ objs = new Object[nObjects];
+ objNums = (int *)gmallocn(nObjects, sizeof(int));
+ offsets = (int *)gmallocn(nObjects, sizeof(int));
+@@ -190,10 +201,10 @@
+ }
+
+ gfree(offsets);
++ ok = gTrue;
+
+ err1:
+ objStr.free();
+- return;
+ }
+
+ ObjectStream::~ObjectStream() {
+@@ -970,6 +981,11 @@
+ delete objStr;
+ }
+ objStr = new ObjectStream(this, e->offset);
++ if (!objStr->isOk()) {
++ delete objStr;
++ objStr = NULL;
++ goto err;
++ }
+ }
+ objStr->getObject(e->gen, num, obj);
+ break;
+--- ./poppler/PSOutputDev.cc.orig 2009-05-02 07:14:57.000000000 -0500
++++ ./poppler/PSOutputDev.cc 2009-10-28 16:42:00.000000000 -0500
+@@ -4502,7 +4502,8 @@
+ width, -height, height);
+
+ // allocate a line buffer
+- lineBuf = (Guchar *)gmalloc(4 * width);
++ lineBuf = (Guchar *)gmallocn(width, 4);
++
+
+ // set up to process the data stream
+ imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
+--- ./poppler/Stream.cc.orig 2009-05-16 10:27:41.000000000 -0500
++++ ./poppler/Stream.cc 2009-10-28 16:42:00.000000000 -0500
+@@ -403,6 +403,10 @@
+ } else {
+ imgLineSize = nVals;
+ }
++ if (width > INT_MAX / nComps) {
++ // force a call to gmallocn(-1,...), which will throw an exception
++ imgLineSize = -1;
++ }
+ imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
|
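Review bot: The embedded SplashErrorCodes.h hunk adds `splashErrBadArg` with the value 9, which the very next context line already assigns to `splashErrZeroImage`, so a caller that inspects the code cannot tell a rejected `yp`/`w` in Splash.cc from a 0x0 image; one of the two should be renumbered, for example `#define splashErrZeroImage 10 // image of 0x0`. In the Stream.cc hunk the new test `width > INT_MAX / nComps` sits after `imgLineSize = nVals`, so if `nVals` is computed as `width * nComps` above the hunk (not visible here) the overflowing multiplication has already run, and the division has no visible guard against `nComps <= 0`; `if (nComps <= 0 || width > INT_MAX / nComps)` placed ahead of that multiplication would close both gaps, and the same divisor concern applies to `w > INT_MAX / nComps` in the second Splash.cc hunk. The SplashBitmap.cc and Stream.cc paths rely on gmallocn() failing for a size of -1, which the Stream.cc comment states but the SplashBitmap.cc call does not; a comment there such as `// rowSize == -1 makes gmallocn() fail on purpose` would keep a later refactor from removing the sentinel. The enclosing functions of every embedded hunk start and end outside the visible lines.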