Merge security fixes from xpdf.

ok jasper@
2009-10-15 20:43:40 +00:00 · 2009-10-15 20:43:40 +00:00 · 6c932f5d20
commit 6c932f5d20
parent 9444e4badd
6 changed files with 186 additions and 6 deletions
--- a/print/poppler/Makefile
+++ b/print/poppler/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.27 2009/10/13 16:20:34 kili Exp $
+# $OpenBSD: Makefile,v 1.28 2009/10/15 20:43:40 kili Exp $

 COMMENT-main=	PDF rendering library
 COMMENT-qt=	qt interface to PDF rendering library
@ -7,7 +7,7 @@ COMMENT-qt4=	qt4 interface to PDF rendering library
 V=		0.12.0
 DISTNAME=	poppler-$V
 CATEGORIES=	print
-PKGNAME-main=	poppler-$V
+PKGNAME-main=	poppler-$Vp0
 FULLPKGNAME-qt=	poppler-qt-$V
 FULLPKGNAME-qt4=poppler-qt4-$V

--- a/print/poppler/patches/patch-poppler_Stream_cc
+++ b/print/poppler/patches/patch-poppler_Stream_cc
@ -0,0 +1,14 @@
+$OpenBSD: patch-poppler_Stream_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- poppler/Stream.cc.orig	Wed Sep  2 20:48:16 2009
+++ poppler/Stream.cc	Thu Oct 15 20:18:53 2009
+@@ -404,6 +404,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int
+   } else {
+     imgLineSize = nVals;
+   }
+  if (width > INT_MAX / nComps) {
+    // force a call to gmallocn(-1,...), which will throw an exception
+    imgLineSize = -1;
+  }
+   imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+   imgIdx = nVals;
+ }
--- a/print/poppler/patches/patch-poppler_XRef_cc
+++ b/print/poppler/patches/patch-poppler_XRef_cc
@ -1,7 +1,58 @@
-$OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
--- poppler/XRef.cc.orig	Sun Sep 14 22:35:48 2008
-+++ poppler/XRef.cc	Sun Oct 26 12:45:54 2008
-@@ -850,45 +850,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
+$OpenBSD: patch-poppler_XRef_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- poppler/XRef.cc.orig	Wed Sep  2 20:48:16 2009
+++ poppler/XRef.cc	Thu Oct 15 20:32:12 2009
+@@ -76,6 +76,8 @@ class ObjectStream { (public)
+   // generation 0.
+   ObjectStream(XRef *xref, int objStrNumA);
+ 
+  GBool isOk() { return ok; }
+
+   ~ObjectStream();
+ 
+   // Return the object number of this object stream.
+@@ -91,6 +93,7 @@ class ObjectStream { (public)
+   int nObjects;			// number of objects in the stream
+   Object *objs;			// the objects (length = nObjects)
+   int *objNums;			// the object numbers (length = nObjects)
+  GBool ok;
+ };
+ 
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+   nObjects = 0;
+   objs = NULL;
+   objNums = NULL;
+  ok = gFalse;
+ 
+   if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+     goto err1;
+@@ -134,6 +138,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+     goto err1;
+   }
+  
+  // this is an arbitrary limit to avoid integer overflow problems
+  // in the 'new Object[nObjects]' call (Acrobat apparently limits
+  // object streams to 100-200 objects)
+  if (nObjects > 1000000) {
+    error(-1, "Too many objects in an object stream");
+    goto err1;
+  }
+   objs = new Object[nObjects];
+   objNums = (int *)gmallocn(nObjects, sizeof(int));
+   offsets = (int *)gmallocn(nObjects, sizeof(int));
+@@ -190,10 +201,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+   }
+ 
+   gfree(offsets);
+  ok = gTrue;
+ 
+  err1:
+   objStr.free();
+-  return;
+ }
+ 
+ ObjectStream::~ObjectStream() {
+@@ -850,45 +861,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
 }
 
 GBool XRef::okToPrint(GBool ignoreOwnerPW) {
@ -55,3 +106,15 @@ $OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
 }
 
 Object *XRef::fetch(int num, int gen, Object *obj) {
+@@ -970,6 +974,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) {
+ 	delete objStr;
+       }
+       objStr = new ObjectStream(this, e->offset);
+      if (!objStr->isOk()) {
+	delete objStr;
+	objStr = NULL;
+	goto err;
+      }
+     }
+     objStr->getObject(e->gen, num, obj);
+     break;
--- a/print/poppler/patches/patch-splash_SplashBitmap_cc
+++ b/print/poppler/patches/patch-splash_SplashBitmap_cc
@ -0,0 +1,62 @@
+$OpenBSD: patch-splash_SplashBitmap_cc,v 1.1 2009/10/15 20:43:40 kili Exp $
+--- splash/SplashBitmap.cc.orig	Wed Sep  2 20:48:16 2009
+++ splash/SplashBitmap.cc	Thu Oct 15 20:29:09 2009
+@@ -28,6 +28,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
+#include <limits.h>
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -46,26 +47,44 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, in
+   mode = modeA;
+   switch (mode) {
+   case splashModeMono1:
+-    rowSize = (width + 7) >> 3;
+    if (width > 0) {
+      rowSize = (width + 7) >> 3;
+    } else {
+      rowSize = -1;
+    }
+     break;
+   case splashModeMono8:
+-    rowSize = width;
+    if (width > 0) {
+      rowSize = width;
+    } else {
+      rowSize = -1;
+    }
+     break;
+   case splashModeRGB8:
+   case splashModeBGR8:
+-    rowSize = width * 3;
+    if (width > 0 && width <= INT_MAX / 3) {
+      rowSize = width * 3;
+    } else {
+      rowSize = -1;
+    }
+     break;
+   case splashModeXBGR8:
+     rowSize = width * 4;
+     break;
+ #if SPLASH_CMYK
+   case splashModeCMYK8:
+-    rowSize = width * 4;
+    if (width > 0 && width <= INT_MAX / 4) {
+      rowSize = width * 4;
+    } else {
+      rowSize = -1;
+    }
+     break;
+ #endif
+   }
+-  rowSize += rowPad - 1;
+-  rowSize -= rowSize % rowPad;
+  if (rowSize > 0) {
+    rowSize += rowPad - 1;
+    rowSize -= rowSize % rowPad;
+  }
+   data = (SplashColorPtr)gmallocn(rowSize, height);
+   if (!topDown) {
+     data += (height - 1) * rowSize;
--- a/print/poppler/patches/patch-splash_SplashErrorCodes_h
+++ b/print/poppler/patches/patch-splash_SplashErrorCodes_h
@ -0,0 +1,10 @@
+$OpenBSD: patch-splash_SplashErrorCodes_h,v 1.1 2009/10/15 20:43:40 kili Exp $
+--- splash/SplashErrorCodes.h.orig	Wed Sep  2 20:48:16 2009
+++ splash/SplashErrorCodes.h	Thu Oct 15 20:24:43 2009
+@@ -45,4 +45,6 @@
+ 
+ #define splashErrGeneric       255
+ 
+#define splashErrBadArg          9	// bad argument
+
+ #endif
--- a/print/poppler/patches/patch-splash_Splash_cc
+++ b/print/poppler/patches/patch-splash_Splash_cc
@ -0,0 +1,31 @@
+$OpenBSD: patch-splash_Splash_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- splash/Splash.cc.orig	Wed Sep  2 20:48:16 2009
+++ splash/Splash.cc	Thu Oct 15 20:24:10 2009
+@@ -27,6 +27,7 @@
+ 
+ #include <stdlib.h>
+ #include <string.h>
+#include <limits.h>
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(SplashImageMaskSourc
+   xq = w % scaledWidth;
+ 
+   // allocate pixel buffer
+  if (yp < 0 || yp > INT_MAX - 1) {
+    return splashErrBadArg;
+  }
+   pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
+ 
+   // initialize the pixel pipe
+@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImageSource src, v
+   xq = w % scaledWidth;
+ 
+   // allocate pixel buffers
+  if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
+    return splashErrBadArg;
+  }
+   colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
+   if (srcAlpha) {
+     alphaBuf = (Guchar *)gmallocn((yp + 1), w);