File CVE-2019-10872.patch of Package poppler.27867

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-10872.patch of Package poppler.27867

From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Mon, 13 May 2019 15:08:38 +0200
Subject: [PATCH] Splash: Restrict filling of overlapping boxes

Check whether area to fill in Splash::blitTransparent()
does not run out of allocated memory for source and for destination
and shrink it if needed.

Fixes #750
---
 splash/Splash.cc | 48 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 33 insertions(+), 15 deletions(-)

Index: poppler-0.24.4/splash/Splash.cc
===================================================================
--- poppler-0.24.4.orig/splash/Splash.cc
+++ poppler-0.24.4/splash/Splash.cc
@@ -5714,20 +5714,42 @@ SplashError Splash::blitTransparent(Spla
 				    int xDest, int yDest, int w, int h) {
   SplashColorPtr p, sp;
   Guchar *q;
-  int x, y, mask, srcMask;
+  int x, y, mask, srcMask, width = w, height = h;
 
   if (src->mode != bitmap->mode) {
     return splashErrModeMismatch;
   }
 
+  if (unlikely(!bitmap->data)) {
+    return splashErrZeroImage;
+  }
+
+  if (src->getWidth() - xSrc < width)
+    width = src->getWidth() - xSrc;
+
+  if (src->getHeight() - ySrc < height)
+    height = src->getHeight() - ySrc;
+
+  if (bitmap->getWidth() - xDest < width)
+    width = bitmap->getWidth() - xDest;
+
+  if (bitmap->getHeight() - yDest < height)
+    height = bitmap->getHeight() - yDest;
+
+  if (width < 0)
+    width = 0;
+
+  if (height < 0)
+    height = 0;
+
   switch (bitmap->mode) {
   case splashModeMono1:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)];
       mask = 0x80 >> (xDest & 7);
       sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
       srcMask = 0x80 >> (xSrc & 7);
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
 	if (*sp & srcMask) {
 	  *p |= mask;
 	} else {
@@ -5745,20 +5767,20 @@ SplashError Splash::blitTransparent(Spla
     }
     break;
   case splashModeMono8:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
       sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
 	*p++ = *sp++;
       }
     }
     break;
   case splashModeRGB8:
   case splashModeBGR8:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest];
       sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc];
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
 	*p++ = *sp++;
 	*p++ = *sp++;
 	*p++ = *sp++;
@@ -5766,10 +5788,10 @@ SplashError Splash::blitTransparent(Spla
     }
     break;
   case splashModeXBGR8:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
 	*p++ = *sp++;
 	*p++ = *sp++;
 	*p++ = *sp++;
@@ -5780,10 +5802,10 @@ SplashError Splash::blitTransparent(Spla
     break;
 #if SPLASH_CMYK
   case splashModeCMYK8:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
 	*p++ = *sp++;
 	*p++ = *sp++;
 	*p++ = *sp++;
@@ -5792,10 +5814,10 @@ SplashError Splash::blitTransparent(Spla
     }
     break;
   case splashModeDeviceN8:
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest];
       sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc];
-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
         for (int cp=0; cp < SPOT_NCOMPS+4; cp++)
           *p++ = *sp++;
       }
@@ -5805,9 +5827,9 @@ SplashError Splash::blitTransparent(Spla
   }
 
   if (bitmap->alpha) {
-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
       q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest];
-      memset(q, 0x00, w);
+      memset(q, 0x00, width);
     }
   }

Places

File CVE-2019-10872.patch of Package poppler.27867

Places