diff -Nru poppler-0.41.0/debian/changelog poppler-0.41.0/debian/changelog
--- poppler-0.41.0/debian/changelog 2019-02-28 12:29:11.000000000 +0000
+++ poppler-0.41.0/debian/changelog 2019-06-26 14:20:33.000000000 +0000
@@ -1,3 +1,51 @@
+poppler (0.41.0-0ubuntu1.14) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: DoS in GfxImageColorMap::getGray
+ - debian/patches/CVE-2017-9865.patch: clear buffers in
+ utils/HtmlOutputDev.cc, utils/ImageOutputDev.cc.
+ - CVE-2017-9865
+ * SECURITY UPDATE: memory leak in GfxColorSpace::setDisplayProfile
+ - debian/patches/CVE-2018-18897.patch: enforcing single initialization
+ in poppler/GfxState.cc, qt5/src/poppler-qt5.h.
+ - CVE-2018-18897
+ * SECURITY UPDATE: DoS via crafted PDF file
+ - debian/patches/CVE-2018-20662.patch: check XRef's Catalog for being a
+ Dict in utils/pdfunite.cc.
+ - CVE-2018-20662
+ * SECURITY UPDATE: buffer over-read in downsample_row_box_filter
+ - debian/patches/CVE-2019-9631-1.patch: compute correct coverage values
+ for box filter in poppler/CairoRescaleBox.cc.
+ - debian/patches/CVE-2019-9631-2.patch: constrain number of cycles in
+ rescale filter in poppler/CairoRescaleBox.cc.
+ - CVE-2019-9631
+ * SECURITY UPDATE: dict marking mishandling
+ - debian/patches/CVE-2019-9903.patch: fix stack overflow on broken file
+ in poppler/PDFDoc.cc.
+ - CVE-2019-9903
+ * SECURITY UPDATE: DoS via FPE
+ - debian/patches/CVE-2019-10018-10023.patch: check for zero in
+ poppler/Function.cc.
+ - CVE-2019-10018
+ - CVE-2019-10023
+ * SECURITY UPDATE: DoS via FPE
+ - debian/patches/CVE-2019-10019.patch: check nStripes in
+ poppler/PSOutputDev.cc.
+ - CVE-2019-10019
+ * SECURITY UPDATE: DoS via FPE
+ - debian/patches/CVE-2019-10021.patch: check nBits in
+ poppler/Stream.cc.
+ - CVE-2019-10021
+ * SECURITY UPDATE: heap-based buffer over-read
+ - debian/patches/CVE-2019-10872.patch: restrict filling of overlapping
+ boxes in splash/Splash.cc.
+ - CVE-2019-10872
+ * SECURITY UPDATE: buffer over-read in JPXStream::init
+ - debian/patches/CVE-2019-12293.patch: fail gracefully if not all
+ components have the same WxH in poppler/JPEG2000Stream.cc.
+ - CVE-2019-12293 + + -- Marc Deslauriers Wed, 26 Jun 2019 10:14:59 -0400 + poppler (0.41.0-0ubuntu1.13) xenial-security; urgency=medium * SECURITY UPDATE: Denial of service diff -Nru poppler-0.41.0/debian/patches/CVE-2017-9865.patch poppler-0.41.0/debian/patches/CVE-2017-9865.patch --- poppler-0.41.0/debian/patches/CVE-2017-9865.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2017-9865.patch 2019-06-26 14:08:31.000000000 +0000 
@@ -0,0 +1,54 @@ +From 75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= +Date: Wed, 12 Jul 2017 14:12:46 +0100 +Subject: CVE-2017-9865 (fdo#100774) avoid stack buffer overflow + +in GfxImageColorMap:getGray + +by passing first arg to getGray of maximum possibly required size + +and similar in HtmlOutputDev::drawPngImage +--- + utils/HtmlOutputDev.cc | 6 ++++-- + utils/ImageOutputDev.cc | 6 ++++-- + 2 files changed, 8 insertions(+), 4 deletions(-) + +Index: poppler-0.41.0/utils/HtmlOutputDev.cc +=================================================================== +--- poppler-0.41.0.orig/utils/HtmlOutputDev.cc 2019-06-26 10:08:28.097428870 -0400 ++++ poppler-0.41.0/utils/HtmlOutputDev.cc 2019-06-26 10:08:28.085428769 -0400 +@@ -1423,8 +1423,9 @@ void HtmlOutputDev::drawPngImage(GfxStat + int invert_bits = 0xff; + if (colorMap) { + GfxGray gray; +- Guchar zero = 0; +- colorMap->getGray(&zero, &gray); ++ Guchar zero[gfxColorMaxComps]; ++ memset(zero, 0, sizeof(zero)); ++ colorMap->getGray(zero, &gray); + if (colToByte(gray) == 0) + invert_bits = 0x00; + } +Index: poppler-0.41.0/utils/ImageOutputDev.cc +=================================================================== +--- poppler-0.41.0.orig/utils/ImageOutputDev.cc 2019-06-26 10:08:28.097428870 -0400 ++++ poppler-0.41.0/utils/ImageOutputDev.cc 2019-06-26 10:08:28.085428769 -0400 +@@ -324,7 +324,7 @@ void ImageOutputDev::writeImageFile(ImgW + GfxRGB rgb; + GfxCMYK cmyk; + GfxGray gray; +- Guchar zero = 0; ++ Guchar zero[gfxColorMaxComps]; + int invert_bits; + + setFilename(ext); +@@ -357,7 +357,8 @@ void ImageOutputDev::writeImageFile(ImgW + // the mask we leave the data unchanged. 
+ invert_bits = 0xff; + if (colorMap) { +- colorMap->getGray(&zero, &gray); ++ memset(zero, 0, sizeof(zero)); ++ colorMap->getGray(zero, &gray); + if (colToByte(gray) == 0) + invert_bits = 0x00; + } diff -Nru poppler-0.41.0/debian/patches/CVE-2018-18897.patch poppler-0.41.0/debian/patches/CVE-2018-18897.patch --- poppler-0.41.0/debian/patches/CVE-2018-18897.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2018-18897.patch 2019-06-26 14:39:31.000000000 +0000 
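Review bot: The new `Guchar zero[gfxColorMaxComps]` buffers in HtmlOutputDev::drawPngImage and ImageOutputDev::writeImageFile carry no comment explaining why that size, which is the whole point of the fix; I would put `// getGray() reads one byte per colour component of the map; gfxColorMaxComps bounds that (CVE-2017-9865)` above each declaration. In HtmlOutputDev the array is declared and used inside the same `if (colorMap)` branch, so the separate `memset` can be folded into the declaration as `Guchar zero[gfxColorMaxComps] = { 0 };`, whereas ImageOutputDev's function-scope declaration rightly keeps the memset next to the use. Both enclosing functions start and end outside the hunk.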
@@ -0,0 +1,62 @@ +Backport of: + +From e07c8b4784234383cb5ddcf1133ea91a772506e2 Mon Sep 17 00:00:00 2001 +From: Adam Reichold +Date: Tue, 1 Jan 2019 10:54:40 +0100 +Subject: [PATCH] Avoid global display profile state becoming an uncontrolled + memory leak by enforcing single initialization. Closes #654 + +--- + poppler/GfxState.cc | 9 +++++++++ + qt5/src/poppler-qt5.h | 4 ++++ + 2 files changed, 13 insertions(+) + +Index: poppler-0.41.0/poppler/GfxState.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/GfxState.cc 2019-06-26 10:09:08.753763503 -0400 ++++ poppler-0.41.0/poppler/GfxState.cc 2019-06-26 10:09:08.741763406 -0400 +@@ -252,6 +252,10 @@ static unsigned int getCMSNChannels(cmsC + static cmsHPROFILE loadColorProfile(const char *fileName); + + void GfxColorSpace::setDisplayProfile(void *displayProfileA) { ++ if (displayProfile != NULL) { ++ error(errInternal, -1, "The display color profile can only be set once before any rendering is done."); ++ return; ++ } + displayProfile = displayProfileA; + if (displayProfile != NULL) { + cmsHTRANSFORM transform; +@@ -275,6 +279,11 @@ void GfxColorSpace::setDisplayProfile(vo + } + + void GfxColorSpace::setDisplayProfileName(GooString *name) { ++ if (displayProfile != NULL) { ++ error(errInternal, -1, "The display color profile can only be set before any rendering is done."); ++ return; ++ } ++ delete displayProfileName; + displayProfileName = name->copy(); + } + +Index: poppler-0.41.0/qt5/src/poppler-qt5.h +=================================================================== +--- poppler-0.41.0.orig/qt5/src/poppler-qt5.h 2019-06-26 10:09:08.753763503 -0400 ++++ poppler-0.41.0/qt5/src/poppler-qt5.h 2019-06-26 10:09:08.745763439 -0400 +@@ -912,6 +912,8 @@ delete it; + + \param outputProfileA is a \c cmsHPROFILE of the LCMS library. + ++ \note This should be called before any rendering happens and only once during the lifetime of the current process. 
++ + \since 0.12 + */ + void setColorDisplayProfile(void *outputProfileA); +@@ -920,6 +922,8 @@ delete it; + + \param name is the name of the display profile to set. + ++ \note This should be called before any rendering happens. ++ + \since 0.12 + */ + void setColorDisplayProfileName(const QString &name); diff -Nru poppler-0.41.0/debian/patches/CVE-2018-20662.patch poppler-0.41.0/debian/patches/CVE-2018-20662.patch --- poppler-0.41.0/debian/patches/CVE-2018-20662.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2018-20662.patch 2019-06-26 17:18:40.000000000 +0000 
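Review bot: The rejection in GfxColorSpace::setDisplayProfile and setDisplayProfileName is invisible to the API caller: both return void, so a second call is only reported through error(), and the new poppler-qt5.h notes say when to call but not that later calls are dropped. I would extend both header notes with `\note Subsequent calls are ignored; the profile in effect stays the first one set.` so Qt users do not assume the last profile wins. The two error strings also differ ("can only be set once before" vs "can only be set before") for the same condition; aligning them helps anyone grepping logs. Note that setDisplayProfileName guards on displayProfile rather than displayProfileName, so the name can still be replaced (now without leaking, thanks to the added `delete`) until a profile handle has been materialised — presumably intended, since rendering is what loads the handle, but a one-line comment saying so would stop the next reader from "fixing" it.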
@@ -0,0 +1,52 @@ +Backport of: + +From 7b4e372deeb716eb3fe3a54b31ed41af759224f9 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Mon, 4 Mar 2019 12:55:12 +0100 +Subject: [PATCH] pdfunite: Check XRef's Catalog for being a Dict + +Check whether Catalog from XRef is Dict for each document +passed to pdfunite and return error if not. + +https://gitlab.freedesktop.org/poppler/poppler/issues/706 +--- + utils/pdfunite.cc | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +Index: poppler-0.41.0/utils/pdfunite.cc +=================================================================== +--- poppler-0.41.0.orig/utils/pdfunite.cc 2019-06-26 13:17:33.437287946 -0400 ++++ poppler-0.41.0/utils/pdfunite.cc 2019-06-26 13:18:33.269517860 -0400 +@@ -206,7 +206,10 @@ int main (int argc, char *argv[]) + for (i = 1; i < argc - 1; i++) { + GooString *gfileName = new GooString(argv[i]); + PDFDoc *doc = new PDFDoc(gfileName, NULL, NULL, NULL); +- if (doc->isOk() && !doc->isEncrypted()) { ++ Object tempCatObj; ++ doc->getXRef()->getCatalog(&tempCatObj); ++ if (doc->isOk() && !doc->isEncrypted() && ++ tempCatObj.isDict()) { + docs.push_back(doc); + if (doc->getPDFMajorVersion() > majorVersion) { + majorVersion = doc->getPDFMajorVersion(); +@@ -217,12 +220,18 @@ int main (int argc, char *argv[]) + } + } + } else if (doc->isOk()) { +- error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]); +- return -1; ++ if (doc->isEncrypted()) { ++ error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]); ++ return -1; ++ } else if (!tempCatObj.isDict()) { ++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]); ++ return -1; ++ } + } else { + error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]); + return -1; + } ++ tempCatObj.free(); + } + + if (!(f = fopen(fileName, "wb"))) { diff -Nru poppler-0.41.0/debian/patches/CVE-2019-10018-10023.patch 
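Review bot: In the pdfunite loop `doc->getXRef()->getCatalog(&tempCatObj)` now runs before `doc->isOk()` is tested, whereas the upstream condition short-circuits on isOk() first; if a PDFDoc that failed to open has no XRef yet (as far as I can tell the constructor returns before setup() when the file cannot be opened), a missing or unparsable input now dereferences a null XRef instead of reaching the "Could not merge damaged documents" branch. Fetching the catalog only for a usable document keeps the original diagnostics: `Object tempCatObj;` / `if (doc->isOk()) doc->getXRef()->getCatalog(&tempCatObj);` — a default-constructed Object is not a dict, so the later `isDict()` is false and `free()` stays safe. The three early `return -1` paths also leave tempCatObj unfreed, harmless at process exit but worth a `tempCatObj.free();` for consistency with the normal path. The loop body continues outside the hunk.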
poppler-0.41.0/debian/patches/CVE-2019-10018-10023.patch --- poppler-0.41.0/debian/patches/CVE-2019-10018-10023.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-10018-10023.patch 2019-06-26 14:11:19.000000000 +0000 @@ -0,0 +1,41 @@ +From e2ab2fa9d8c41e0115b2c276a2594cd2f7c217e6 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Mon, 19 Jun 2017 23:18:51 +0200 +Subject: Fix crash on malformed files + +Bug #101500 +--- + poppler/Function.cc | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +(limited to 'poppler/Function.cc') + +diff --git a/poppler/Function.cc b/poppler/Function.cc +index 7f359b8..785933d 100644 +--- a/poppler/Function.cc ++++ b/poppler/Function.cc +@@ -1623,7 +1623,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) { + case psOpIdiv: + i2 = stack->popInt(); + i1 = stack->popInt(); +- stack->pushInt(i1 / i2); ++ if (likely(i2 != 0)) { ++ stack->pushInt(i1 / i2); ++ } + break; + case psOpIndex: + stack->index(stack->popInt()); +@@ -1659,7 +1661,9 @@ void PostScriptFunction::exec(PSStack *stack, int codePtr) { + case psOpMod: + i2 = stack->popInt(); + i1 = stack->popInt(); +- stack->pushInt(i1 % i2); ++ if (likely(i2 != 0)) { ++ stack->pushInt(i1 % i2); ++ } + break; + case psOpMul: + if (stack->topTwoAreInts()) { +-- +cgit v1.1 + diff -Nru poppler-0.41.0/debian/patches/CVE-2019-10019.patch poppler-0.41.0/debian/patches/CVE-2019-10019.patch --- poppler-0.41.0/debian/patches/CVE-2019-10019.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-10019.patch 2019-06-26 14:11:29.000000000 +0000 
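Review bot: The `i2 != 0` guards on psOpIdiv and psOpMod do not cover the other trapping case of two's-complement integer division: assuming i1 and i2 are plain int (popInt/pushInt suggest so), `INT_MIN / -1` and `INT_MIN % -1` overflow, which is undefined behaviour in C++ and raises SIGFPE on x86, so a PostScript function with those operands still produces exactly the "DoS via FPE" this update is meant to close. Extend both conditions, e.g. `if (likely(i2 != 0) && !(i2 == -1 && i1 == INT_MIN))`, with INT_MIN coming from <climits> if Function.cc does not already include it. When the guard rejects, nothing is pushed and the operand stack ends up one element short of what the program expects; that is upstream's choice, but a `// divide by zero: push nothing rather than a bogus value` comment would make it explicit. PostScriptFunction::exec continues outside the hunk.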
@@ -0,0 +1,25 @@ +From 4552af28684e18c6153ce5598b121a73477af4d6 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Sun, 4 Sep 2016 15:24:14 +0200 +Subject: Do not crash on invalid files where nStripes is 0 + +Bug #85276 +--- + poppler/PSOutputDev.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +Index: poppler-0.41.0/poppler/PSOutputDev.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/PSOutputDev.cc 2019-06-26 10:11:27.458824272 -0400 ++++ poppler-0.41.0/poppler/PSOutputDev.cc 2019-06-26 10:11:27.454824243 -0400 +@@ -3321,6 +3321,10 @@ GBool PSOutputDev::checkPageSlice(Page * + } + nStripes = (int)ceil((double)(sliceW * sliceH) / + (double)rasterizationSliceSize); ++ if (unlikely(nStripes == 0)) { ++ delete splashOut; ++ return gFalse; ++ } + stripeH = (sliceH + nStripes - 1) / nStripes; + + // render the stripes diff -Nru poppler-0.41.0/debian/patches/CVE-2019-10021.patch poppler-0.41.0/debian/patches/CVE-2019-10021.patch --- poppler-0.41.0/debian/patches/CVE-2019-10021.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-10021.patch 2019-06-26 14:11:37.000000000 +0000 
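Review bot: The new guard tests `nStripes == 0` only, but nStripes is `(int)ceil((double)(sliceW * sliceH) / (double)rasterizationSliceSize)`, so a negative product (if sliceW or sliceH can be negative here — their validation is outside the hunk) or a quotient that does not fit an int yields a negative nStripes, and the following `(sliceH + nStripes - 1) / nStripes` would happily use it. `if (unlikely(nStripes <= 0))` costs nothing and closes that path as well. A short comment such as `// empty or invalid slice: nothing to rasterize (bug #85276)` would explain why the early `return gFalse` is correct. PSOutputDev::checkPageSlice continues outside the hunk.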
@@ -0,0 +1,23 @@ +From 5266fa426d73c5dbdb3dd903d50885097833acc6 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 20 Jun 2017 23:58:26 +0200 +Subject: Fix crash in malformed document + +Bug #101526 +--- + poppler/Stream.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: poppler-0.41.0/poppler/Stream.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/Stream.cc 2019-06-26 10:11:35.910885334 -0400 ++++ poppler-0.41.0/poppler/Stream.cc 2019-06-26 10:11:35.910885334 -0400 +@@ -458,7 +458,7 @@ ImageStream::ImageStream(Stream *strA, i + + nVals = width * nComps; + inputLineSize = (nVals * nBits + 7) >> 3; +- if (nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) { ++ if (nComps <= 0 || nBits <= 0 || nVals > INT_MAX / nBits - 7 || width > INT_MAX / nComps) { + inputLineSize = -1; + } + inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char)); diff -Nru poppler-0.41.0/debian/patches/CVE-2019-10872.patch poppler-0.41.0/debian/patches/CVE-2019-10872.patch --- poppler-0.41.0/debian/patches/CVE-2019-10872.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-10872.patch 2019-06-26 14:13:55.000000000 +0000 
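Review bot: The `nComps <= 0` test is added to a condition that runs only after `nVals = width * nComps` and `inputLineSize = (nVals * nBits + 7) >> 3` have already been evaluated, so with hostile nComps/nBits the signed multiplications overflow (undefined behaviour) before the check meant to catch them, and the `width > INT_MAX / nComps` term is then validating a product that has already wrapped. Validating the operands first and multiplying only on the valid path keeps the same -1 sentinel for gmallocn_checkoverflow; on the invalid path nVals is left at 0 below, which assumes the rest of the constructor and getLine treat a null inputLine as unusable — confirm against the code outside the hunk. The ImageStream constructor continues outside the hunk.
```cpp
  // validate before multiplying: width * nComps and nVals * nBits must fit in int
  const bool validShape = nComps > 0 && nBits > 0 &&
                          width <= INT_MAX / nComps &&
                          width * nComps <= INT_MAX / nBits - 7;
  nVals = validShape ? width * nComps : 0;
  inputLineSize = validShape ? (nVals * nBits + 7) >> 3 : -1;
  inputLine = (Guchar *)gmallocn_checkoverflow(inputLineSize, sizeof(char));
```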
@@ -0,0 +1,140 @@ +Backport of: + +From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Mon, 13 May 2019 15:08:38 +0200 +Subject: [PATCH] Splash: Restrict filling of overlapping boxes + +Check whether area to fill in Splash::blitTransparent() +does not run out of allocated memory for source and for destination +and shrink it if needed. + +Fixes #750 +--- + splash/Splash.cc | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +Index: poppler-0.41.0/splash/Splash.cc +=================================================================== +--- poppler-0.41.0.orig/splash/Splash.cc 2019-06-26 10:13:53.083828643 -0400 ++++ poppler-0.41.0/splash/Splash.cc 2019-06-26 10:13:53.083828643 -0400 +@@ -5805,7 +5805,7 @@ SplashError Splash::blitTransparent(Spla + int xDest, int yDest, int w, int h) { + SplashColorPtr p, sp; + Guchar *q; +- int x, y, mask, srcMask; ++ int x, y, mask, srcMask, width = w, height = h; + + if (src->mode != bitmap->mode) { + return splashErrModeMismatch; +@@ -5815,14 +5815,32 @@ SplashError Splash::blitTransparent(Spla + return splashErrZeroImage; + } + ++ if (src->getWidth() - xSrc < width) ++ width = src->getWidth() - xSrc; ++ ++ if (src->getHeight() - ySrc < height) ++ height = src->getHeight() - ySrc; ++ ++ if (bitmap->getWidth() - xDest < width) ++ width = bitmap->getWidth() - xDest; ++ ++ if (bitmap->getHeight() - yDest < height) ++ height = bitmap->getHeight() - yDest; ++ ++ if (width < 0) ++ width = 0; ++ ++ if (height < 0) ++ height = 0; ++ + switch (bitmap->mode) { + case splashModeMono1: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)]; + mask = 0x80 >> (xDest & 7); + sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)]; + srcMask = 0x80 >> (xSrc & 7); +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + if (*sp & srcMask) { + *p |= mask; + } else { +@@ 
-5840,20 +5858,20 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeMono8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest]; + sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + } + } + break; + case splashModeRGB8: + case splashModeBGR8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5861,10 +5879,10 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeXBGR8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5875,10 +5893,10 @@ SplashError Splash::blitTransparent(Spla + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + *p++ = *sp++; + *p++ = *sp++; + *p++ = *sp++; +@@ -5887,10 +5905,10 @@ SplashError Splash::blitTransparent(Spla + } + break; + case splashModeDeviceN8: +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest]; + sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc]; +- for (x = 0; x < w; ++x) { ++ for (x = 0; x < width; ++x) { + for (int cp=0; cp < SPOT_NCOMPS+4; cp++) + *p++ = *sp++; + } +@@ -5900,9 +5918,9 @@ SplashError 
Splash::blitTransparent(Spla + } + + if (bitmap->alpha) { +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest]; +- memset(q, 0x00, w); ++ memset(q, 0x00, width); + } + } + diff -Nru poppler-0.41.0/debian/patches/CVE-2019-12293.patch poppler-0.41.0/debian/patches/CVE-2019-12293.patch --- poppler-0.41.0/debian/patches/CVE-2019-12293.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-12293.patch 2019-06-26 14:14:28.000000000 +0000 
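Review bot: The new clamps in Splash::blitTransparent only shrink width/height against the far edges; a negative xSrc, ySrc, xDest or yDest makes `src->getWidth() - xSrc` larger, not smaller, so the row addresses `&src->data[(ySrc + y) * src->rowSize + ...]` can still point before the buffers if any caller passes a negative origin (the call sites are not visible here). Rejecting them up front, `if (xSrc < 0 || ySrc < 0 || xDest < 0 || yDest < 0) return splashErrBadArg;` (or whichever bad-argument code SplashErrorCodes.h provides), completes the bounds check. Separately, the untouched splashModeMono8 case computes its source row as `sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc]` with the destination's stride, where every other mode uses `src->rowSize`; now that the two bitmaps are explicitly allowed to differ in size, that stride mismatch is itself an over-read when the destination is wider, so it should read `sp = &src->data[(ySrc + y) * src->rowSize + xSrc];`. A comment above the clamps, e.g. `// clip the blit to what both bitmaps actually hold (issue #750)`, would help the next reader.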
@@ -0,0 +1,29 @@ +From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Thu, 23 May 2019 00:54:29 +0200 +Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have + the same WxH + +I think this is just a mistake, or at least the only file we have with +this scenario is a fuzzed one +--- + poppler/JPEG2000Stream.cc | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +Index: poppler-0.41.0/poppler/JPEG2000Stream.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/JPEG2000Stream.cc 2019-06-26 10:14:26.100043735 -0400 ++++ poppler-0.41.0/poppler/JPEG2000Stream.cc 2019-06-26 10:14:26.096043709 -0400 +@@ -186,6 +186,12 @@ void JPXStream::init() + close(); + break; + } ++ const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h; ++ if (componentPixels != priv->npixels) { ++ error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component); ++ close(); ++ break; ++ } + unsigned char *cdata = (unsigned char *)priv->image->comps[component].data; + int adjust = 0; + if (priv->image->comps[component].prec > 8) diff -Nru poppler-0.41.0/debian/patches/CVE-2019-9631-1.patch poppler-0.41.0/debian/patches/CVE-2019-9631-1.patch --- poppler-0.41.0/debian/patches/CVE-2019-9631-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-9631-1.patch 2019-06-26 14:09:45.000000000 +0000 
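Review bot: The check compares the product `comps[component].w * comps[component].h` against `priv->npixels` although the message and the subject talk about differing WxH; two components with swapped dimensions (say 64x32 and 32x64) pass the test while having a different layout, and the int multiplication can itself overflow for hostile component sizes before the comparison happens. Comparing the dimensions directly sidesteps both: `if (priv->image->comps[component].w != priv->image->comps[0].w ||` / `    priv->image->comps[component].h != priv->image->comps[0].h) {` — this assumes npixels was derived from component 0, which the error text implies but the hunk does not show. JPXStream::init continues outside the hunk.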
@@ -0,0 +1,32 @@ +From d716e636231c8d636bf2139896d817b66fe6d510 Mon Sep 17 00:00:00 2001 +From: Marek Kasik +Date: Thu, 21 Mar 2019 13:15:37 +0100 +Subject: [PATCH] cairo: Compute correct coverage values for box filter + +Use double precision for computation of coverage +of the left most pixel in the box filter. + +Issue #736 +--- + poppler/CairoRescaleBox.cc | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +Index: poppler-0.41.0/poppler/CairoRescaleBox.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/CairoRescaleBox.cc 2019-06-26 10:09:43.994044279 -0400 ++++ poppler-0.41.0/poppler/CairoRescaleBox.cc 2019-06-26 10:09:43.986044215 -0400 +@@ -226,10 +226,10 @@ static int compute_coverage (int coverag + /* I have a proof of this, which this margin is too narrow to contain */ + for (i=0; i +Date: Thu, 21 Mar 2019 13:47:51 +0100 +Subject: [PATCH] cairo: Constrain number of cycles in rescale filter + +Pass address of the first byte after end of the source buffer +to downsample_row_box_filter() so that we can check +that we don't run out of it. + +Fixes issue #736 +--- + poppler/CairoRescaleBox.cc | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +Index: poppler-0.41.0/poppler/CairoRescaleBox.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/CairoRescaleBox.cc 2019-06-26 10:09:49.766089488 -0400 ++++ poppler-0.41.0/poppler/CairoRescaleBox.cc 2019-06-26 10:09:49.762089456 -0400 +@@ -61,7 +61,7 @@ + + static void downsample_row_box_filter ( + int start, int width, +- uint32_t *src, uint32_t *dest, ++ uint32_t *src, uint32_t *src_limit, uint32_t *dest, + int coverage[], int pixel_coverage) + { + /* we need an array of the pixel contribution of each destination pixel on the boundaries. 
+@@ -89,13 +89,13 @@ static void downsample_row_box_filter ( + /* skip to start */ + /* XXX: it might be possible to do this directly instead of iteratively, however + * the iterative solution is simple */ +- while (x < start) ++ while (x < start && src < src_limit) + { + int box = 1 << FIXED_SHIFT; + int start_coverage = coverage[x]; + box -= start_coverage; + src++; +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + src++; + box -= pixel_coverage; +@@ -103,7 +103,7 @@ static void downsample_row_box_filter ( + x++; + } + +- while (x < start + width) ++ while (x < start + width && src < src_limit) + { + uint32_t a = 0; + uint32_t r = 0; +@@ -120,7 +120,7 @@ static void downsample_row_box_filter ( + x++; + box -= start_coverage; + +- while (box >= pixel_coverage) ++ while (box >= pixel_coverage && src < src_limit) + { + a += ((*src >> 24) & 0xff) * pixel_coverage; + r += ((*src >> 16) & 0xff) * pixel_coverage; +@@ -134,7 +134,7 @@ static void downsample_row_box_filter ( + /* multiply by whatever is leftover + * this ensures that we don't bias down. + * i.e. 
start_coverage + n*pixel_coverage + box == 1 << 24 */ +- if (box > 0) ++ if (box > 0 && src < src_limit) + { + a += ((*src >> 24) & 0xff) * box; + r += ((*src >> 16) & 0xff) * box; +@@ -336,7 +336,7 @@ GBool CairoRescaleBox::downScaleImage(un + int start_coverage_y = y_coverage[dest_y]; + + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= start_coverage_y; +@@ -344,7 +344,7 @@ GBool CairoRescaleBox::downScaleImage(un + while (box >= pixel_coverage_y) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + src_y++; + box -= pixel_coverage_y; +@@ -354,7 +354,7 @@ GBool CairoRescaleBox::downScaleImage(un + if (box > 0) + { + getRow(src_y, scanline); +- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x); ++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x); + columns++; + } + diff -Nru poppler-0.41.0/debian/patches/CVE-2019-9903.patch poppler-0.41.0/debian/patches/CVE-2019-9903.patch --- poppler-0.41.0/debian/patches/CVE-2019-9903.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2019-9903.patch 2019-06-26 14:10:49.000000000 +0000 
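Review bot: The `src < src_limit` guards stop the over-read, but when they trigger the accumulated a/r/g/b for that destination pixel lack the coverage of the pixels that were skipped, so the comment just above ("this ensures that we don't bias down") no longer holds at the truncated edge and the output silently darkens instead of the caller hearing about the inconsistency; the outer loops likewise exit with `x` short of `start + width`, so the trailing destination pixels of that row are presumably left unwritten (the store into dest is outside the hunk). I would at least document this at the new parameter: `/* src_limit: one past the last readable source pixel; reaching it means the coverage tables disagree with orig_width, and the rest of the row is left as-is rather than read out of bounds (issue #736) */`. Declaring it `const uint32_t *src_limit` would also make clear it is never written through. downsample_row_box_filter and downScaleImage both continue outside the hunk.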
@@ -0,0 +1,25 @@ +Backport of: + +From fada09a2ccc11a3a1d308e810f1336d8df6011fd Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Mon, 18 Mar 2019 00:50:00 +0100 +Subject: [PATCH] pdfunite: Fix stack overflow on broken file + +Fixes issue #741 +--- + poppler/PDFDoc.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: poppler-0.41.0/poppler/PDFDoc.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/PDFDoc.cc 2019-06-26 10:10:01.686182182 -0400 ++++ poppler-0.41.0/poppler/PDFDoc.cc 2019-06-26 10:10:37.258453619 -0400 +@@ -1498,7 +1498,7 @@ void PDFDoc::markObject (Object* obj, XR + case objArray: + array = obj->getArray(); + for (int i=0; igetLength(); i++) { +- markObject(array->getNF(i, &obj1), xRef, countRef, numOffset, oldRefNum, newRefNum); ++ markObject(array->getNF(i, &obj1), xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts); + obj1.free(); + } + break; diff -Nru poppler-0.41.0/debian/patches/series poppler-0.41.0/debian/patches/series --- poppler-0.41.0/debian/patches/series 2019-02-28 12:25:25.000000000 +0000 +++ poppler-0.41.0/debian/patches/series 2019-06-26 14:14:24.000000000 +0000 @@ -36,3 +36,14 @@ CVE-2018-20551.patch CVE-2019-7310.patch CVE-2019-9200.patch +CVE-2017-9865.patch +CVE-2018-18897.patch +CVE-2018-20662.patch +CVE-2019-9631-1.patch +CVE-2019-9631-2.patch +CVE-2019-9903.patch +CVE-2019-10018-10023.patch +CVE-2019-10019.patch +CVE-2019-10021.patch +CVE-2019-10872.patch +CVE-2019-12293.patch
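Review bot: Passing `alreadyMarkedDicts` into the array branch of PDFDoc::markObject stops the array→dict→array cycle, but a set of already-seen dictionaries does nothing for a broken file whose objects are merely nested very deeply without repeating, so markObject can still recurse once per level until the stack is exhausted. A depth counter alongside the set — a defaulted trailing parameter such as `int depth = 0` so existing callers keep compiling, incremented on each recursive call and checked against a generous constant at the top of the function — would close that remaining path; the dict and stream branches are outside the hunk and should get the same treatment wherever they recurse. A comment on the changed line, `// pass the visited set down so a reference back to an enclosing dict terminates (issue #741)`, would record why the extra argument matters. markObject starts and ends outside the hunk.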