Merge security fixes from xpdf.

ok jasper@
2009-10-15 20:43:40 +00:00 · 2009-10-15 20:43:40 +00:00 · 6c932f5d20
commit 6c932f5d20
parent 9444e4badd
6 changed files with 186 additions and 6 deletions
--- a/print/poppler/Makefile
+++ b/print/poppler/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.27 2009/10/13 16:20:34 kili Exp $
+# $OpenBSD: Makefile,v 1.28 2009/10/15 20:43:40 kili Exp $
 COMMENT-main=	PDF rendering library
 COMMENT-qt=	qt interface to PDF rendering library
@ -7,7 +7,7 @@ COMMENT-qt4=	qt4 interface to PDF rendering library
 V=		0.12.0
 DISTNAME=	poppler-$V
 CATEGORIES=	print
-PKGNAME-main=	poppler-$V
+PKGNAME-main=	poppler-$Vp0
 FULLPKGNAME-qt=	poppler-qt-$V
 FULLPKGNAME-qt4=poppler-qt4-$V
--- a/print/poppler/patches/patch-poppler_Stream_cc
+++ b/print/poppler/patches/patch-poppler_Stream_cc
@ -0,0 +1,14 @@
 $OpenBSD: patch-poppler_Stream_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
 --- poppler/Stream.cc.orig	Wed Sep  2 20:48:16 2009
 +++ poppler/Stream.cc	Thu Oct 15 20:18:53 2009
@@ -404,6 +404,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int
   } else {
     imgLineSize = nVals;
   }
 +  if (width > INT_MAX / nComps) {
 +    // force a call to gmallocn(-1,...), which will throw an exception
 +    imgLineSize = -1;
 +  }
   imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
   imgIdx = nVals;
 }
--- a/print/poppler/patches/patch-poppler_XRef_cc
+++ b/print/poppler/patches/patch-poppler_XRef_cc
@ -1,7 +1,58 @@
-$OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
+$OpenBSD: patch-poppler_XRef_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
--- poppler/XRef.cc.orig	Sun Sep 14 22:35:48 2008
+--- poppler/XRef.cc.orig	Wed Sep  2 20:48:16 2009
-+++ poppler/XRef.cc	Sun Oct 26 12:45:54 2008
+++ poppler/XRef.cc	Thu Oct 15 20:32:12 2009
-@@ -850,45 +850,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
+@@ -76,6 +76,8 @@ class ObjectStream { (public)
   // generation 0.
   ObjectStream(XRef *xref, int objStrNumA);
 +  GBool isOk() { return ok; }
 +
   ~ObjectStream();
   // Return the object number of this object stream.
@@ -91,6 +93,7 @@ class ObjectStream { (public)
   int nObjects;			// number of objects in the stream
   Object *objs;			// the objects (length = nObjects)
   int *objNums;			// the object numbers (length = nObjects)
 +  GBool ok;
 };
 ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
   nObjects = 0;
   objs = NULL;
   objNums = NULL;
 +  ok = gFalse;
   if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
     goto err1;
@@ -134,6 +138,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
     goto err1;
   }
 +  // this is an arbitrary limit to avoid integer overflow problems
 +  // in the 'new Object[nObjects]' call (Acrobat apparently limits
 +  // object streams to 100-200 objects)
 +  if (nObjects > 1000000) {
 +    error(-1, "Too many objects in an object stream");
 +    goto err1;
 +  }
   objs = new Object[nObjects];
   objNums = (int *)gmallocn(nObjects, sizeof(int));
   offsets = (int *)gmallocn(nObjects, sizeof(int));
@@ -190,10 +201,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA)
   }
   gfree(offsets);
 +  ok = gTrue;
  err1:
   objStr.free();
 -  return;
 }
 ObjectStream::~ObjectStream() {
@@ -850,45 +861,38 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa
 }
 GBool XRef::okToPrint(GBool ignoreOwnerPW) {
@ -55,3 +106,15 @@ $OpenBSD: patch-poppler_XRef_cc,v 1.2 2008/10/28 12:59:55 kili Exp $
 }
 Object *XRef::fetch(int num, int gen, Object *obj) {
@@ -970,6 +974,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) {
 	delete objStr;
       }
       objStr = new ObjectStream(this, e->offset);
 +      if (!objStr->isOk()) {
 +	delete objStr;
 +	objStr = NULL;
 +	goto err;
 +      }
     }
     objStr->getObject(e->gen, num, obj);
     break;
--- a/print/poppler/patches/patch-splash_SplashBitmap_cc
+++ b/print/poppler/patches/patch-splash_SplashBitmap_cc
@ -0,0 +1,62 @@
 $OpenBSD: patch-splash_SplashBitmap_cc,v 1.1 2009/10/15 20:43:40 kili Exp $
 --- splash/SplashBitmap.cc.orig	Wed Sep  2 20:48:16 2009
 +++ splash/SplashBitmap.cc	Thu Oct 15 20:29:09 2009
@@ -28,6 +28,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 +#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashBitmap.h"
@@ -46,26 +47,44 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, in
   mode = modeA;
   switch (mode) {
   case splashModeMono1:
 -    rowSize = (width + 7) >> 3;
 +    if (width > 0) {
 +      rowSize = (width + 7) >> 3;
 +    } else {
 +      rowSize = -1;
 +    }
     break;
   case splashModeMono8:
 -    rowSize = width;
 +    if (width > 0) {
 +      rowSize = width;
 +    } else {
 +      rowSize = -1;
 +    }
     break;
   case splashModeRGB8:
   case splashModeBGR8:
 -    rowSize = width * 3;
 +    if (width > 0 && width <= INT_MAX / 3) {
 +      rowSize = width * 3;
 +    } else {
 +      rowSize = -1;
 +    }
     break;
   case splashModeXBGR8:
     rowSize = width * 4;
     break;
 #if SPLASH_CMYK
   case splashModeCMYK8:
 -    rowSize = width * 4;
 +    if (width > 0 && width <= INT_MAX / 4) {
 +      rowSize = width * 4;
 +    } else {
 +      rowSize = -1;
 +    }
     break;
 #endif
   }
 -  rowSize += rowPad - 1;
 -  rowSize -= rowSize % rowPad;
 +  if (rowSize > 0) {
 +    rowSize += rowPad - 1;
 +    rowSize -= rowSize % rowPad;
 +  }
   data = (SplashColorPtr)gmallocn(rowSize, height);
   if (!topDown) {
     data += (height - 1) * rowSize;
--- a/print/poppler/patches/patch-splash_SplashErrorCodes_h
+++ b/print/poppler/patches/patch-splash_SplashErrorCodes_h
@ -0,0 +1,10 @@
 $OpenBSD: patch-splash_SplashErrorCodes_h,v 1.1 2009/10/15 20:43:40 kili Exp $
 --- splash/SplashErrorCodes.h.orig	Wed Sep  2 20:48:16 2009
 +++ splash/SplashErrorCodes.h	Thu Oct 15 20:24:43 2009
@@ -45,4 +45,6 @@
 #define splashErrGeneric       255
 +#define splashErrBadArg          9	// bad argument
 +
 #endif
--- a/print/poppler/patches/patch-splash_Splash_cc
+++ b/print/poppler/patches/patch-splash_Splash_cc
@ -0,0 +1,31 @@
 $OpenBSD: patch-splash_Splash_cc,v 1.3 2009/10/15 20:43:40 kili Exp $
 --- splash/Splash.cc.orig	Wed Sep  2 20:48:16 2009
 +++ splash/Splash.cc	Thu Oct 15 20:24:10 2009
@@ -27,6 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
 +#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashMath.h"
@@ -2001,6 +2002,9 @@ SplashError Splash::fillImageMask(SplashImageMaskSourc
   xq = w % scaledWidth;
   // allocate pixel buffer
 +  if (yp < 0 || yp > INT_MAX - 1) {
 +    return splashErrBadArg;
 +  }
   pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
   // initialize the pixel pipe
@@ -2301,6 +2305,9 @@ SplashError Splash::drawImage(SplashImageSource src, v
   xq = w % scaledWidth;
   // allocate pixel buffers
 +  if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
 +    return splashErrBadArg;
 +  }
   colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
   if (srcAlpha) {
     alphaBuf = (Guchar *)gmallocn((yp + 1), w);