Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP5:GA
poppler-qt5.34110
poppler-CVE-2019-14292.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File poppler-CVE-2019-14292.patch of Package poppler-qt5.34110
From aa03a71c3a1127cffd19bb0f596c4b361a7f2269 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <aacid@kde.org> Date: Sun, 21 May 2017 22:37:23 +0200 Subject: [PATCH] Fix abort in files with broken Decode arrays Fixes KDE bug #379835 --- poppler/GfxState.cc | 18 ++++++++++++------ poppler/Object.h | 7 +++++++ 2 files changed, 19 insertions(+), 6 deletions(-) Index: poppler-0.43.0/poppler/GfxState.cc =================================================================== --- poppler-0.43.0.orig/poppler/GfxState.cc +++ poppler-0.43.0/poppler/GfxState.cc @@ -5316,24 +5316,30 @@ GfxPatchMeshShading *GfxPatchMeshShading obj1.free(); if (dict->lookup("Decode", &obj1)->isArray() && obj1.arrayGetLength() >= 6) { - xMin = obj1.arrayGet(0, &obj2)->getNum(); + bool decodeOk = true; + xMin = obj1.arrayGet(0, &obj2)->getNum(&decodeOk); obj2.free(); - xMax = obj1.arrayGet(1, &obj2)->getNum(); + xMax = obj1.arrayGet(1, &obj2)->getNum(&decodeOk); obj2.free(); xMul = (xMax - xMin) / (pow(2.0, coordBits) - 1); - yMin = obj1.arrayGet(2, &obj2)->getNum(); + yMin = obj1.arrayGet(2, &obj2)->getNum(&decodeOk); obj2.free(); - yMax = obj1.arrayGet(3, &obj2)->getNum(); + yMax = obj1.arrayGet(3, &obj2)->getNum(&decodeOk); obj2.free(); yMul = (yMax - yMin) / (pow(2.0, coordBits) - 1); for (i = 0; 5 + 2*i < obj1.arrayGetLength() && i < gfxColorMaxComps; ++i) { - cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum(); + cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum(&decodeOk); obj2.free(); - cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum(); + cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum(&decodeOk); obj2.free(); cMul[i] = (cMax[i] - cMin[i]) / (double)((1 << compBits) - 1); } nComps = i; + + if (!decodeOk) { + error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary"); + goto err2; + } } else { error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary"); goto err2; Index: poppler-0.43.0/poppler/Object.h =================================================================== --- poppler-0.43.0.orig/poppler/Object.h +++ poppler-0.43.0/poppler/Object.h @@ -207,6 +207,13 @@ public: // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64(). double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal); return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; } + double getNum(bool *ok) { + if (unlikely(type != objInt && type != objInt64 && type != objReal)) { + *ok = false; + return 0.; + } + return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; + } GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; } // After takeString() the only method that should be called for the object is free() // because the object it's not expected to have a NULL string.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor