File CVE-2018-20481.patch of Package poppler-qt.30207

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-20481.patch of Package poppler-qt.30207

From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Mon, 24 Dec 2018 15:40:38 +0100
Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
 pointer to dummy entry instead. Closes #692 and oss-fuzz/12330

---
 poppler/XRef.cc | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

Index: poppler-0.24.4/poppler/XRef.cc
===================================================================
--- poppler-0.24.4.orig/poppler/XRef.cc
+++ poppler-0.24.4/poppler/XRef.cc
@@ -1608,11 +1608,31 @@ void XRef::readXRefUntil(int untilEntryN
   }
 }
 
+namespace {
+
+struct DummyXRefEntry : XRefEntry {
+  DummyXRefEntry() {
+    offset = 0;
+    gen = -1;
+    type = xrefEntryNone;
+    flags = 0;
+  }
+};
+
+DummyXRefEntry dummyXRefEntry;
+
+}
+
 XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
 {
   if (entries[i].type == xrefEntryNone) {
 
     if ((!xRefStream) && mainXRefEntriesOffset) {
+      if (unlikely(i >= capacity)) {
+	error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
+	return &dummyXRefEntry;
+      }
+
       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
         error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
       }
@@ -1623,12 +1643,7 @@ XRefEntry *XRef::getEntry(int i, GBool c
       // We might have reconstructed the xref
       // Check again i is in bounds
       if (unlikely(i >= size)) {
-        static XRefEntry dummy;
-        dummy.offset = 0;
-        dummy.gen = -1;
-        dummy.type = xrefEntryNone;
-        dummy.flags = 0;
-        return &dummy;
+	return &dummyXRefEntry;
       }
 
       if (entries[i].type == xrefEntryNone) {

Places

File CVE-2018-20481.patch of Package poppler-qt.30207

Places