diff options
Diffstat (limited to 'app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch')
-rw-r--r-- | app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch new file mode 100644 index 000000000000..bd84e96fba3b --- /dev/null +++ b/app-text/poppler/files/poppler-0.57.0-CVE-2017-14519.patch @@ -0,0 +1,100 @@ +From 778180c0c09002f6adfc272eba6b0d0e4401c4cc Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Wed, 13 Sep 2017 23:01:03 +0200 +Subject: [PATCH 3/4] Gfx::doShowText: Fix infinite recursion on broken files + +Bug #102701 +--- + poppler/Gfx.cc | 25 +++++++++++++++++++++++-- + poppler/Gfx.h | 1 + + poppler/GfxFont.cc | 9 +++++++++ + poppler/GfxFont.h | 1 + + 4 files changed, 34 insertions(+), 2 deletions(-) + +diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc +index 37220280..9feac54c 100644 +--- a/poppler/Gfx.cc ++++ b/poppler/Gfx.cc +@@ -4031,12 +4031,33 @@ void Gfx::doShowText(GooString *s) { + state->transformDelta(dx, dy, &ddx, &ddy); + if (!out->beginType3Char(state, curX + riseX, curY + riseY, ddx, ddy, + code, u, uLen)) { +- ((Gfx8BitFont *)font)->getCharProc(code, &charProc); ++ ((Gfx8BitFont *)font)->getCharProcNF(code, &charProc); ++ int refNum = -1; ++ if (charProc.isRef()) { ++ refNum = charProc.getRef().num; ++ charProc.fetch(((Gfx8BitFont *)font)->getCharProcs()->getXRef(), &charProc); ++ } + if ((resDict = ((Gfx8BitFont *)font)->getResources())) { + pushResources(resDict); + } + if (charProc.isStream()) { +- display(&charProc, gFalse); ++ std::set<int>::iterator charProcDrawingIt; ++ bool displayCharProc = true; ++ if (refNum != -1) { ++ if (charProcDrawing.find(refNum) == charProcDrawing.end()) { ++ charProcDrawingIt = charProcDrawing.insert(refNum).first; ++ } else { ++ displayCharProc = false; ++ error(errSyntaxError, -1, "CharProc wants to draw a CharProc that is already beign drawn"); ++ } ++ } ++ if (displayCharProc) { ++ display(&charProc, gFalse); ++ ++ if (refNum != -1) { ++ charProcDrawing.erase(charProcDrawingIt); ++ } ++ } + } else { + error(errSyntaxError, getPos(), "Missing or bad Type3 CharProc entry"); + } +diff --git a/poppler/Gfx.h b/poppler/Gfx.h +index a82f9f4a..44adaed5 100644 +--- a/poppler/Gfx.h ++++ b/poppler/Gfx.h +@@ -228,6 +228,7 @@ private: + Parser *parser; // parser for page content stream(s) + + std::set<int> formsDrawing; // the forms that are being drawn ++ std::set<int> charProcDrawing; // the charProc that are being drawn + + GBool // callback to check for an abort + (*abortCheckCbk)(void *data); +diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc +index b59ec06c..bb87c5a0 100644 +--- a/poppler/GfxFont.cc ++++ b/poppler/GfxFont.cc +@@ -1818,6 +1818,15 @@ Object *Gfx8BitFont::getCharProc(int code, Object *proc) { + return proc; + } + ++Object *Gfx8BitFont::getCharProcNF(int code, Object *proc) { ++ if (enc[code] && charProcs.isDict()) { ++ charProcs.dictLookupNF(enc[code], proc); ++ } else { ++ proc->initNull(); ++ } ++ return proc; ++} ++ + Dict *Gfx8BitFont::getResources() { + return resources.isDict() ? resources.getDict() : (Dict *)NULL; + } +diff --git a/poppler/GfxFont.h b/poppler/GfxFont.h +index de7a7464..89a0ca0d 100644 +--- a/poppler/GfxFont.h ++++ b/poppler/GfxFont.h +@@ -353,6 +353,7 @@ public: + + // Return the Type 3 CharProc for the character associated with <code>. + Object *getCharProc(int code, Object *proc); ++ Object *getCharProcNF(int code, Object *proc); + + // Return the Type 3 Resources dictionary, or NULL if none. + Dict *getResources(); +-- +2.14.1 + |