Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
poppler.31743
poppler-CVE-2022-37052.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File poppler-CVE-2022-37052.patch of Package poppler.31743
Index: poppler-0.24.4/poppler/PDFDoc.cc =================================================================== --- poppler-0.24.4.orig/poppler/PDFDoc.cc +++ poppler-0.24.4/poppler/PDFDoc.cc @@ -693,7 +693,14 @@ int PDFDoc::savePageAs(GooString *name, pagesDict->lookup("Resources", &resourcesObj); if (resourcesObj.isDict()) markPageObjects(resourcesObj.getDict(), yRef, countRef, 0); - markPageObjects(catDict, yRef, countRef, 0); + if (!markPageObjects(catDict, yRef, countRef, 0)) { + fclose(f); + delete yRef; + delete countRef; + delete outStr; + error(errSyntaxError, -1, "markPageObjects failed"); + return errDamaged; + } Dict *pageDict = page.getDict(); markPageObjects(pageDict, yRef, countRef, 0); @@ -1415,16 +1422,21 @@ void PDFDoc::writeHeader(OutStream *outS outStr->printf("%%\xE2\xE3\xCF\xD3\n"); } -void PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, Guint numOffset) +bool PDFDoc::markDictionnary (Dict* dict, XRef * xRef, XRef *countRef, Guint numOffset) { Object obj1; for (int i=0; i<dict->getLength(); i++) { - markObject(dict->getValNF(i, &obj1), xRef, countRef, numOffset); + static bool success = markObject(dict->getValNF(i, &obj1), xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } obj1.free(); } + + return true; } -void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, Guint numOffset) +bool PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, Guint numOffset) { Array *array; Object obj1; @@ -1433,26 +1445,40 @@ void PDFDoc::markObject (Object* obj, XR case objArray: array = obj->getArray(); for (int i=0; i<array->getLength(); i++) { - markObject(array->getNF(i, &obj1), xRef, countRef, numOffset); + const bool success = markObject(array->getNF(i, &obj1), xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } obj1.free(); } break; case objDict: - markDictionnary (obj->getDict(), xRef, countRef, numOffset); + { + int success = markDictionnary (obj->getDict(), xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } + } break; case objStream: { Stream *stream = obj->getStream(); - markDictionnary (stream->getDict(), xRef, countRef, numOffset); + const bool success = markDictionnary (stream->getDict(), xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } } break; case objRef: { if (obj->getRef().num + (int) numOffset >= xRef->getNumObjects() || xRef->getEntry(obj->getRef().num + numOffset)->type == xrefEntryFree) { if (getXRef()->getEntry(obj->getRef().num)->type == xrefEntryFree) { - return; // already marked as free => should be replaced + return true; // already marked as free => should be replaced + } + const bool success = xRef->add(obj->getRef().num + numOffset, obj->getRef().gen, 0, gTrue); + if (unlikely(!success)) { + return false; } - xRef->add(obj->getRef().num + numOffset, obj->getRef().gen, 0, gTrue); if (getXRef()->getEntry(obj->getRef().num)->type == xrefEntryCompressed) { xRef->getEntry(obj->getRef().num + numOffset)->type = xrefEntryCompressed; } @@ -1469,13 +1495,18 @@ void PDFDoc::markObject (Object* obj, XR } Object obj1; getXRef()->fetch(obj->getRef().num, obj->getRef().gen, &obj1); - markObject(&obj1, xRef, countRef, numOffset); + const bool success = markObject(&obj1, xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } obj1.free(); } break; default: break; } + + return true; } void PDFDoc::replacePageDict(int pageNo, int rotate, @@ -1559,7 +1590,7 @@ void PDFDoc::replacePageDict(int pageNo, page.free(); } -void PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, Guint numOffset) +bool PDFDoc::markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, Guint numOffset) { pageDict->remove("Names"); pageDict->remove("OpenAction"); @@ -1572,10 +1603,14 @@ void PDFDoc::markPageObjects(Dict *pageD if (strcmp(key, "Parent") != 0 && strcmp(key, "Pages") != 0 && strcmp(key, "Root") != 0) { - markObject(&value, xRef, countRef, numOffset); + const bool success = markObject(&value, xRef, countRef, numOffset); + if (unlikely(!success)) { + return false; + } } value.free(); } + return true; } Guint PDFDoc::writePageObjects(OutStream *outStr, XRef *xRef, Guint numOffset, GBool combine) Index: poppler-0.24.4/poppler/PDFDoc.h =================================================================== --- poppler-0.24.4.orig/poppler/PDFDoc.h +++ poppler-0.24.4/poppler/PDFDoc.h @@ -246,7 +246,7 @@ public: // rewrite pageDict with MediaBox, CropBox and new page CTM void replacePageDict(int pageNo, int rotate, PDFRectangle *mediaBox, PDFRectangle *cropBox, Object *pageCTM); - void markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, Guint numOffset); + bool markPageObjects(Dict *pageDict, XRef *xRef, XRef *countRef, Guint numOffset); // write all objects used by pageDict to outStr Guint writePageObjects(OutStream *outStr, XRef *xRef, Guint numOffset, GBool combine = gFalse); static void writeObject (Object *obj, OutStream* outStr, XRef *xref, Guint numOffset, Guchar *fileKey, @@ -263,8 +263,8 @@ public: private: // insert referenced objects in XRef - void markDictionnary (Dict* dict, XRef *xRef, XRef *countRef, Guint numOffset); - void markObject (Object *obj, XRef *xRef, XRef *countRef, Guint numOffset); + bool markDictionnary (Dict* dict, XRef *xRef, XRef *countRef, Guint numOffset); + bool markObject (Object *obj, XRef *xRef, XRef *countRef, Guint numOffset); static void writeDictionnary (Dict* dict, OutStream* outStr, XRef *xRef, Guint numOffset, Guchar *fileKey, CryptAlgorithm encAlgorithm, int keyLength, int objNum, int objGen); Index: poppler-0.24.4/poppler/XRef.cc =================================================================== --- poppler-0.24.4.orig/poppler/XRef.cc +++ poppler-0.24.4/poppler/XRef.cc @@ -1325,11 +1325,16 @@ int XRef::getNumEntry(Goffset offset) else return -1; } -void XRef::add(int num, int gen, Goffset offs, GBool used) { +bool XRef::add(int num, int gen, Goffset offs, GBool used) { xrefLocker(); if (num >= size) { if (num >= capacity) { - entries = (XRefEntry *)greallocn(entries, num + 1, sizeof(XRefEntry)); + entries = (XRefEntry *)greallocn_checkoverflow(entries, num + 1, sizeof(XRefEntry)); + if (unlikely(entries == nullptr)) { + size = 0; + capacity = 0; + return false; + } capacity = num + 1; } for (int i = size; i < num + 1; ++i) { @@ -1352,6 +1357,7 @@ void XRef::add(int num, int gen, Goffset e->type = xrefEntryFree; e->offset = 0; } + return true; } void XRef::setModifiedObject (Object* o, Ref r) { Index: poppler-0.24.4/poppler/XRef.h =================================================================== --- poppler-0.24.4.orig/poppler/XRef.h +++ poppler-0.24.4/poppler/XRef.h @@ -180,7 +180,7 @@ public: void setModifiedObject(Object* o, Ref r); Ref addIndirectObject (Object* o); void removeIndirectObject(Ref r); - void add(int num, int gen, Goffset offs, GBool used); + bool add(int num, int gen, Goffset offs, GBool used); // Output XRef table to stream void writeTableToFile(OutStream* outStr, GBool writeAllEntries);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
