From 6c932f5d20ef760754a0fb8a5504eafcb970f6b5 Mon Sep 17 00:00:00 2001
From: kili
Date: Thu, 15 Oct 2009 20:43:40 +0000
Subject: [PATCH] Merge security fixes from xpdf. ok jasper@
---
 print/poppler/Makefile | 4 +-
 print/poppler/patches/patch-poppler_Stream_cc | 14 ++++
 print/poppler/patches/patch-poppler_XRef_cc | 71 +++++++++++++++++--
 .../patches/patch-splash_SplashBitmap_cc | 62 ++++++++++++++++
 .../patches/patch-splash_SplashErrorCodes_h | 10 +++
 print/poppler/patches/patch-splash_Splash_cc | 31 ++++++++
 6 files changed, 186 insertions(+), 6 deletions(-)
 create mode 100644 print/poppler/patches/patch-poppler_Stream_cc
 create mode 100644 print/poppler/patches/patch-splash_SplashBitmap_cc
 create mode 100644 print/poppler/patches/patch-splash_SplashErrorCodes_h
 create mode 100644 print/poppler/patches/patch-splash_Splash_cc
diff --git a/print/poppler/Makefile b/print/poppler/Makefile
index 0851e6e2906..9ccd8105931 100644
--- a/print/poppler/Makefile
+++ b/print/poppler/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.27 2009/10/13 16:20:34 kili Exp $
+# $OpenBSD: Makefile,v 1.28 2009/10/15 20:43:40 kili Exp $
 COMMENT-main= PDF rendering library
 COMMENT-qt= qt interface to PDF rendering library
@@ -7,7 +7,7 @@ COMMENT-qt4= qt4 interface to PDF rendering library
 V= 0.12.0
 DISTNAME= poppler-$V
 CATEGORIES= print
-PKGNAME-main= poppler-$V
+PKGNAME-main= poppler-$Vp0
 FULLPKGNAME-qt= poppler-qt-$V
 FULLPKGNAME-qt4=poppler-qt4-$V
diff --git a/print/poppler/patches/patch-poppler_Stream_cc b/print/poppler/patches/patch-poppler_Stream_cc
new file mode 100644
index 00000000000..5fcd7a47b2f
--- /dev/null
+++ b/print/poppler/patches/patch-poppler_Stream_cc
@@ -0,0 +1,14 @@
+$OpenBSD: patch-poppler_Stream_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- poppler/Stream.cc.orig Wed Sep 2 20:48:16 2009
++++ poppler/Stream.cc Thu Oct 15 20:18:53 2009
+@@ -404,6 +404,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int
+ } else {
+ imgLineSize = nVals;
+ }
++ if (width > INT_MAX / nComps) {
++ // force a call to gmallocn(-1,...), which will throw an exception
++ imgLineSize = -1;
++ }
+ imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
diff --git a/print/poppler/patches/patch-poppler_XRef_cc b/print/poppler/patches/patch-poppler_XRef_cc
index 30dd5adf269..2e11744c633 100644
--- a/print/poppler/patches/patch-poppler_XRef_cc
+++ b/print/poppler/patches/patch-poppler_XRef_cc
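Review bot: The added guard `width > INT_MAX / nComps` in ImageStream::ImageStream divides by nComps without first rejecting a zero or negative value, and it runs after imgLineSize has already been taken from nVals, which is computed above the hunk (presumably as width * nComps, in which case the signed overflow has already happened by the time the guard is evaluated). Doing the range check before the product is formed, with a condition such as `if (nComps <= 0 || width > INT_MAX / nComps) {`, would cover both cases. The fix also relies entirely on gmallocn() refusing a negative count, as the comment says, so that behaviour is part of the security boundary here. The constructor starts and ends outside the hunk.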
@@ -1,7 +1,58 @@
-$OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
---- poppler/XRef.cc.orig Sun Sep 14 22:35:48 2008
-+++ poppler/XRef.cc Sun Oct 26 12:45:54 2008
-@@ -850,45 +850,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
+$OpenBSD: patch-poppler_XRef_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- poppler/XRef.cc.orig Wed Sep 2 20:48:16 2009
++++ poppler/XRef.cc Thu Oct 15 20:32:12 2009
+@@ -76,6 +76,8 @@ class ObjectStream { (public)
+ // generation 0.
+ ObjectStream(XRef *xref, int objStrNumA);
+
++ GBool isOk() { return ok; }
++
+ ~ObjectStream();
+
+ // Return the object number of this object stream.
+@@ -91,6 +93,7 @@ class ObjectStream { (public)
+ int nObjects; // number of objects in the stream
+ Object *objs; // the objects (length = nObjects)
+ int *objNums; // the object numbers (length = nObjects)
++ GBool ok;
+ };
+
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+ nObjects = 0;
+ objs = NULL;
+ objNums = NULL;
++ ok = gFalse;
+
+ if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+ goto err1;
+@@ -134,6 +138,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+ goto err1;
+ }
+
++ // this is an arbitrary limit to avoid integer overflow problems
++ // in the 'new Object[nObjects]' call (Acrobat apparently limits
++ // object streams to 100-200 objects)
++ if (nObjects > 1000000) {
++ error(-1, "Too many objects in an object stream");
++ goto err1;
++ }
+ objs = new Object[nObjects];
+ objNums = (int *)gmallocn(nObjects, sizeof(int));
+ offsets = (int *)gmallocn(nObjects, sizeof(int));
+@@ -190,10 +201,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
+ }
+
+ gfree(offsets);
++ ok = gTrue;
+
+ err1:
+ objStr.free();
+- return;
+ }
+
+ ObjectStream::~ObjectStream() {
+@@ -850,45 +861,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
 }
 GBool XRef::okToPrint(GBool ignoreOwnerPW) {
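Review bot: The cap `nObjects > 1000000` in ObjectStream::ObjectStream is a bare literal, and the error it raises does not say what count was rejected, which makes a report from a malformed PDF harder to triage. A named constant next to the class and a message such as `error(-1, "Too many objects in an object stream (%d)", nObjects);` would cover both. The check bounds the count only from above; a lower bound, if there is one, lies outside the visible lines. `GBool isOk()` only reads `ok` and could be declared `const`.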
@@ -55,3 +106,15 @@ $OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
 }
 Object *XRef::fetch(int num, int gen, Object *obj) {
+@@ -970,6 +974,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) {
+ delete objStr;
+ }
+ objStr = new ObjectStream(this, e->offset);
++ if (!objStr->isOk()) {
++ delete objStr;
++ objStr = NULL;
++ goto err;
++ }
+ }
+ objStr->getObject(e->gen, num, obj);
+ break;
diff --git a/print/poppler/patches/patch-splash_SplashBitmap_cc b/print/poppler/patches/patch-splash_SplashBitmap_cc
new file mode 100644
index 00000000000..18974b99407
--- /dev/null
+++ b/print/poppler/patches/patch-splash_SplashBitmap_cc
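Review bot: The failure branch added to XRef::fetch frees the ObjectStream and jumps to `err` with no comment on why the cached pointer is reset, and nothing records that this stream was bad, so each later fetch of an object in the same stream appears to construct and parse it again. A comment above `delete objStr;` such as `// drop the failed stream so objStr never points at a half-built ObjectStream` would record the intent. The `err` label and the start of the function are outside the hunk, so what the caller receives on this path cannot be checked from here.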
@@ -0,0 +1,62 @@
+$OpenBSD: patch-splash_SplashBitmap_cc,v 1.1 2009/10/15 20:43:40 kili Exp $
+--- splash/SplashBitmap.cc.orig Wed Sep 2 20:48:16 2009
++++ splash/SplashBitmap.cc Thu Oct 15 20:29:09 2009
+@@ -28,6 +28,7 @@
+
+ #include
+ #include
++#include
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -46,26 +47,44 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, in
+ mode = modeA;
+ switch (mode) {
+ case splashModeMono1:
+- rowSize = (width + 7) >> 3;
++ if (width > 0) {
++ rowSize = (width + 7) >> 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeMono8:
+- rowSize = width;
++ if (width > 0) {
++ rowSize = width;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- rowSize = width * 3;
++ if (width > 0 && width <= INT_MAX / 3) {
++ rowSize = width * 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeXBGR8:
+ rowSize = width * 4;
+ break;
+ #if SPLASH_CMYK
+ case splashModeCMYK8:
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #endif
+ }
+- rowSize += rowPad - 1;
+- rowSize -= rowSize % rowPad;
++ if (rowSize > 0) {
++ rowSize += rowPad - 1;
++ rowSize -= rowSize % rowPad;
++ }
+ data = (SplashColorPtr)gmallocn(rowSize, height);
+ if (!topDown) {
+ data += (height - 1) * rowSize;
diff --git a/print/poppler/patches/patch-splash_SplashErrorCodes_h b/print/poppler/patches/patch-splash_SplashErrorCodes_h
new file mode 100644
index 00000000000..5ac56f45e85
--- /dev/null
+++ b/print/poppler/patches/patch-splash_SplashErrorCodes_h
@@ -0,0 +1,10 @@
+$OpenBSD: patch-splash_SplashErrorCodes_h,v 1.1 2009/10/15 20:43:40 kili Exp $
+--- splash/SplashErrorCodes.h.orig Wed Sep 2 20:48:16 2009
++++ splash/SplashErrorCodes.h Thu Oct 15 20:24:43 2009
+@@ -45,4 +45,6 @@
+
+ #define splashErrGeneric 255
+
++#define splashErrBadArg 9 // bad argument
++
+ #endif
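Review bot: The `splashModeXBGR8` case in SplashBitmap::SplashBitmap still computes `rowSize = width * 4;` with no range check, while every other mode in this switch now has one, so a very large or non-positive width is unguarded on that path. It should use the same guard as the CMYK8 case: `if (width > 0 && width <= INT_MAX / 4) { rowSize = width * 4; } else { rowSize = -1; }`. The padding step `rowSize += rowPad - 1` can still exceed INT_MAX for a width just under the limit, and height reaches gmallocn() and `(height - 1) * rowSize` without a check of its own in the visible lines. The constructor begins and ends outside the hunk.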
diff --git a/print/poppler/patches/patch-splash_Splash_cc b/print/poppler/patches/patch-splash_Splash_cc
new file mode 100644
index 00000000000..734181c7cdd
--- /dev/null
+++ b/print/poppler/patches/patch-splash_Splash_cc
@@ -0,0 +1,31 @@
+$OpenBSD: patch-splash_Splash_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
+--- splash/Splash.cc.orig Wed Sep 2 20:48:16 2009
++++ splash/Splash.cc Thu Oct 15 20:24:10 2009
+@@ -27,6 +27,7 @@
+
+ #include
+ #include
++#include
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(SplashImageMaskSourc
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
+ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
+
+ // initialize the pixel pipe
+@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImageSource src, v
+ xq = w % scaledWidth;
+
+ // allocate pixel buffers
++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
++ return splashErrBadArg;
++ }
+ colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
+ if (srcAlpha) {
+ alphaBuf = (Guchar *)gmallocn((yp + 1), w);
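Review bot: Both new guards in Splash.cc validate yp but leave w only partly checked: fillImageMask does not test w at all before `gmallocn((yp + 1), w)`, and drawImage tests `w > INT_MAX / nComps` but not a negative w. Unless w is validated above the visible lines, adding it to the conditions keeps the argument checks in one place, for example `if (w < 0 || yp < 0 || yp > INT_MAX - 1) {` in fillImageMask and the same extra term in drawImage. The full product (yp + 1) * w is still left to gmallocn() and gmallocn3() to bound, which deserves a short comment next to the guards. Both functions start and end outside the visible lines.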