File CVE-2017-9865.patch of Package poppler-qt

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2017-9865.patch of Package poppler-qt

From 75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 12 Jul 2017 14:12:46 +0100
Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow

in GfxImageColorMap:getGray

by passing first arg to getGray of maximum possibly required size

and similar in HtmlOutputDev::drawPngImage
---
 utils/HtmlOutputDev.cc  | 6 ++++--
 utils/ImageOutputDev.cc | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

Index: poppler-0.43.0/utils/HtmlOutputDev.cc
===================================================================
--- poppler-0.43.0.orig/utils/HtmlOutputDev.cc	2017-10-09 11:51:31.704415863 +0000
+++ poppler-0.43.0/utils/HtmlOutputDev.cc	2017-10-09 11:51:57.621090649 +0000
@@ -38,6 +38,7 @@
 // Copyright (C) 2013 Julien Nabet <serval2412@yahoo.fr>
 // Copyright (C) 2013 Johannes Brandstätter <jbrandstaetter@gmail.com>
 // Copyright (C) 2014 Fabio D'Urso <fabiodurso@hotmail.it>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1423,8 +1424,9 @@ void HtmlOutputDev::drawPngImage(GfxStat
     int invert_bits = 0xff;
     if (colorMap) {
       GfxGray gray;
-      Guchar zero = 0;
-      colorMap->getGray(&zero, &gray);
+      Guchar zero[gfxColorMaxComps];
+      memset(zero, 0, sizeof(zero));
+      colorMap->getGray(zero, &gray);
       if (colToByte(gray) == 0)
         invert_bits = 0x00;
     }
Index: poppler-0.43.0/utils/ImageOutputDev.cc
===================================================================
--- poppler-0.43.0.orig/utils/ImageOutputDev.cc	2017-10-09 11:51:31.704415863 +0000
+++ poppler-0.43.0/utils/ImageOutputDev.cc	2017-10-09 11:51:37.434344335 +0000
@@ -23,6 +23,7 @@
 // Copyright (C) 2012, 2013 Adrian Johnson <ajohnson@redneon.com>
 // Copyright (C) 2013 Thomas Fischer <fischer@unix-ag.uni-kl.de>
 // Copyright (C) 2013 Hib Eris <hib@hiberis.nl>
+// Copyright (C) 2017 Caolán McNamara <caolanm@redhat.com>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -324,7 +325,7 @@ void ImageOutputDev::writeImageFile(ImgW
   GfxRGB rgb;
   GfxCMYK cmyk;
   GfxGray gray;
-  Guchar zero = 0;
+  Guchar zero[gfxColorMaxComps];
   int invert_bits;
 
   setFilename(ext);
@@ -357,7 +358,8 @@ void ImageOutputDev::writeImageFile(ImgW
   // the mask we leave the data unchanged.
   invert_bits = 0xff;
   if (colorMap) {
-    colorMap->getGray(&zero, &gray);
+    memset(zero, 0, sizeof(zero));
+    colorMap->getGray(zero, &gray);
     if (colToByte(gray) == 0)
       invert_bits = 0x00;
   }

Places

File CVE-2017-9865.patch of Package poppler-qt

Places