SECURITY:

CVE-2006-0301 (fixed upstream in 0.4 but not merged into
0.5 before the "unstable" 0.5.9 got the xpdf 3.02 merge).

CVE-2007-0104 (fixed in CVS and in development version by merging
xpdf 3.02, but not in the "stable" version).

CVE-2007-3387 (from xpdf patch).

While here, remove quotes from COMMENT-* and fix WANTLIB-*.

ok naddy@

print/poppler/Makefile

@@ -1,15 +1,15 @@
-# $OpenBSD: Makefile,v 1.11 2007/03/26 07:36:46 kili Exp $
+# $OpenBSD: Makefile,v 1.12 2007/07/31 22:22:01 kili Exp $
 
-COMMENT-main=	"PDF rendering library"
-COMMENT-qt=	"qt interface to PDF rendering library"
-COMMENT-qt4=	"qt4 interface to PDF rendering library"
+COMMENT-main=	PDF rendering library
+COMMENT-qt=	qt interface to PDF rendering library
+COMMENT-qt4=	qt4 interface to PDF rendering library
 
 V=		0.5.4
 DISTNAME=	poppler-$V
 CATEGORIES=	print
-PKGNAME-main=	poppler-$Vp0
-FULLPKGNAME-qt=	poppler-qt-$Vp0
-FULLPKGNAME-qt4=poppler-qt4-$V
+PKGNAME-main=	poppler-$Vp1
+FULLPKGNAME-qt=	poppler-qt-$Vp1
+FULLPKGNAME-qt4=poppler-qt4-$Vp0
 
 SHARED_LIBS +=	poppler              2.0      # .1.0
 SHARED_LIBS +=	poppler-glib         2.0      # .1.0
@@ -57,7 +57,7 @@ MAKE_FLAGS+=	POPPLER_QT4_CXXFLAGS='-pthread -I${X11BASE}/include -I${MODQT4_INCD
 MODULES+=	x11/qt4
 .endif
 
-WANTLIB=	ICE SM X11 Xext Xrender cairo freetype fontconfig \
+WANTLIB=	X11 Xau Xdmcp Xrender cairo expat freetype fontconfig \
 		glitz m png z
 
 LIB_DEPENDS-qt=	${MODQT3_LIB_DEPENDS} poppler::print/poppler
@@ -67,8 +67,9 @@ MODULES+=	devel/gettext
 
 LIB_DEPENDS-main=${MODGETTEXT_LIB_DEPENDS} \
 		gdk-x11-2.0,gdk_pixbuf-2.0::x11/gtk+2 
-WANTLIB-main=	${WANTLIB} glib-2.0 gmodule-2.0 gobject-2.0 \
-		pango-1.0 pangocairo-1.0 pangoft2-1.0
+WANTLIB-main=	${WANTLIB} Xcursor Xext Xfixes Xi Xinerama Xrandr \
+		glib-2.0 gmodule-2.0 gobject-2.0 pango-1.0 pangocairo-1.0 \
+		pangoft2-1.0 
 
 CONFIGURE_STYLE=gnu
 CONFIGURE_ARGS= --enable-xpdf-headers \

print/poppler/patches/patch-poppler_Catalog_cc

@@ -0,0 +1,55 @@
+$OpenBSD: patch-poppler_Catalog_cc,v 1.1 2007/07/31 22:22:01 kili Exp $
+
+Fix CVE-2007-0104. From poppler CVS, but with a smaller value for
+MAX_CALL_DEPTH to avoid crashes.
+
+--- poppler/Catalog.cc.orig	Wed Sep 13 17:10:52 2006
++++ poppler/Catalog.cc	Wed Jul 25 21:00:04 2007
+@@ -26,6 +26,12 @@
+ #include "UGooString.h"
+ #include "Catalog.h"
+ 
++// This define is used to limit the depth of recursive readPageTree calls
++// This is needed because the page tree nodes can reference their parents
++// leaving us in an infinite loop
++// Most sane pdf documents don't have a call depth higher than 10
++#define MAX_CALL_DEPTH 250
++
+ //------------------------------------------------------------------------
+ // Catalog
+ //------------------------------------------------------------------------
+@@ -75,7 +81,7 @@ Catalog::Catalog(XRef *xrefA) {
+     pageRefs[i].num = -1;
+     pageRefs[i].gen = -1;
+   }
+-  numPages = readPageTree(pagesDict.getDict(), NULL, 0);
++  numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
+   if (numPages != numPages0) {
+     error(-1, "Page count in top-level pages object is incorrect");
+   }
+@@ -217,7 +223,7 @@ GooString *Catalog::readMetadata() {
+   return s;
+ }
+ 
+-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
+   Object kids;
+   Object kid;
+   Object kidRef;
+@@ -262,9 +268,13 @@ int Catalog::readPageTree(Dict *pagesDict, PageAttrs *
+     // This should really be isDict("Pages"), but I've seen at least one
+     // PDF file where the /Type entry is missing.
+     } else if (kid.isDict()) {
+-      if ((start = readPageTree(kid.getDict(), attrs1, start))
+-	  < 0)
+-	goto err2;
++      if (callDepth > MAX_CALL_DEPTH) {
++        error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
++      } else {
++        if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
++	    < 0)
++	  goto err2;
++      }
+     } else {
+       error(-1, "Kid object (page %d) is wrong type (%s)",
+ 	    start+1, kid.getTypeName());

print/poppler/patches/patch-poppler_Catalog_h

@@ -0,0 +1,15 @@
+$OpenBSD: patch-poppler_Catalog_h,v 1.1 2007/07/31 22:22:01 kili Exp $
+
+Fix CVE-2007-0104. From poppler CVS.
+
+--- poppler/Catalog.h.orig	Mon Jan 23 15:43:36 2006
++++ poppler/Catalog.h	Wed Jul 25 21:00:04 2007
+@@ -193,7 +193,7 @@ class Catalog { (private)
+   PageMode pageMode;		// page mode
+   PageLayout pageLayout;	// page layout
+ 
+-  int readPageTree(Dict *pages, PageAttrs *attrs, int start);
++  int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
+   Object *findDestInTree(Object *tree, GooString *name, Object *obj);
+ };
+ 

print/poppler/patches/patch-poppler_Stream_cc

@@ -0,0 +1,34 @@
+$OpenBSD: patch-poppler_Stream_cc,v 1.1 2007/07/31 22:22:01 kili Exp $
+
+Fix for CVE-2007-3387.
+
+--- poppler/Stream.cc.orig	Fri Jul 28 20:07:41 2006
++++ poppler/Stream.cc	Tue Jul 31 21:39:35 2007
+@@ -422,21 +422,13 @@ StreamPredictor::StreamPredictor(Stream *strA, int pre
+   ok = gFalse;
+ 
+   nVals = width * nComps;
+-  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX/nBits ||
+-      width >= INT_MAX/nComps/nBits ||
+-      nVals * nBits + 7 < 0) {
+-    return;
+-  }
+-  totalBits = nVals * nBits;
+-  if (totalBits == 0 ||
+-      (totalBits / nBits) / nComps != width ||
+-      totalBits + 7 < 0) {
+-    return;
+-  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+-  if (rowBytes < 0) {
++  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps > gfxColorMaxComps ||
++      nBits > 16 ||
++      width >= INT_MAX / nComps ||      // check for overflow in nVals
++      nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+     return;
+   }
+   predLine = (Guchar *)gmalloc(rowBytes);

print/poppler/patches/patch-qt4_Makefile_in

@@ -1,7 +1,7 @@
-$OpenBSD: patch-qt4_Makefile_in,v 1.1 2007/03/24 13:21:26 espie Exp $
---- qt4/Makefile.in.orig	Fri Mar 23 16:27:09 2007
-+++ qt4/Makefile.in	Fri Mar 23 16:27:22 2007
-@@ -215,7 +215,7 @@ sbindir = @sbindir@
+$OpenBSD: patch-qt4_Makefile_in,v 1.2 2007/07/31 22:22:01 kili Exp $
+--- qt4/Makefile.in.orig	Fri Sep 22 02:54:24 2006
++++ qt4/Makefile.in	Wed Jul 25 20:59:03 2007
+@@ -216,7 +216,7 @@ sbindir = @sbindir@
  sharedstatedir = @sharedstatedir@
  sysconfdir = @sysconfdir@
  target_alias = @target_alias@

print/poppler/patches/patch-splash_Splash_cc

@@ -0,0 +1,43 @@
+$OpenBSD: patch-splash_Splash_cc,v 1.1 2007/07/31 22:22:01 kili Exp $
+
+Fix CVE-2006-0301. From poppler mailinglist archives (also in the
+POPPLER_0_4_X branch, but not merged into 0.5 until the xpdf 3.02
+merge in the "unstable" 0.5.9 release).
+
+--- splash/Splash.cc.orig	Mon Jul 24 21:04:51 2006
++++ splash/Splash.cc	Wed Jul 25 22:48:11 2007
+@@ -950,6 +950,10 @@ void Splash::drawPixel(int x, int y, SplashColorPtr co
+   int alpha2, ialpha2;
+   Guchar t;
+ 
++  if ( (unsigned) x >= (unsigned) bitmap->getWidth() ||
++       (unsigned) y >= (unsigned) bitmap->getHeight())
++    return;
++
+   if (noClip || state->clip->test(x, y)) {
+     if (alpha != 1 || softMask || state->blendFunc) {
+       blendFunc = state->blendFunc ? state->blendFunc : &blendNormal;
+@@ -1243,6 +1247,11 @@ void Splash::drawSpan(int x0, int x1, int y, SplashPat
+     updateModY(y);
+   }
+ 
++  if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++      (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++      (unsigned) y >= (unsigned) bitmap->getHeight())
++    return;
++
+   if (alpha != 1 || softMask || state->blendFunc) {
+     blendFunc = state->blendFunc ? state->blendFunc : &blendNormal;
+     if (softMask) {
+@@ -1950,6 +1959,11 @@ void Splash::xorSpan(int x0, int x1, int y, SplashPatt
+     updateModX(x1);
+     updateModY(y);
+   }
++
++  if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++      (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++      (unsigned) y >= (unsigned) bitmap->getHeight())
++    return;
+ 
+   switch (bitmap->mode) {
+   case splashModeMono1: