File CVE-2019-7310.patch of Package poppler.27867

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2019-7310.patch of Package poppler.27867

From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Fri, 1 Feb 2019 08:42:27 +0100
Subject: [PATCH] Also defend against requests for negative XRef indices.
 oss-fuzz/12797

---
 poppler/XRef.cc | 5 +++++
 1 file changed, 5 insertions(+)

Index: poppler-0.24.4/poppler/XRef.cc
===================================================================
--- poppler-0.24.4.orig/poppler/XRef.cc
+++ poppler-0.24.4/poppler/XRef.cc
@@ -1608,13 +1608,32 @@ void XRef::readXRefUntil(int untilEntryN
   }
 }
 
+namespace {
+  struct DummyXRefEntry : XRefEntry {
+    DummyXRefEntry() {
+      offset = 0;
+      gen = -1;
+      type = xrefEntryNone;
+      flags = 0;
+    }
+  };
+
+  DummyXRefEntry dummyXRefEntry;
+}
+
 XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
 {
+  if (unlikely(i < 0)) {
+    error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i);
+    return &dummyXRefEntry;
+  }
+
   if (entries[i].type == xrefEntryNone) {
 
     if ((!xRefStream) && mainXRefEntriesOffset) {
       if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
         error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
+        return &dummyXRefEntry;
       }
     } else {
       // Read XRef tables until the entry we're looking for is found
@@ -1623,12 +1642,7 @@ XRefEntry *XRef::getEntry(int i, GBool c
       // We might have reconstructed the xref
       // Check again i is in bounds
       if (unlikely(i >= size)) {
-        static XRefEntry dummy;
-        dummy.offset = 0;
-        dummy.gen = -1;
-        dummy.type = xrefEntryNone;
-        dummy.flags = 0;
-        return &dummy;
+        return &dummyXRefEntry;
       }
 
       if (entries[i].type == xrefEntryNone) {

Places

File CVE-2019-7310.patch of Package poppler.27867

Places