diff -Nru poppler-0.41.0/debian/changelog poppler-0.41.0/debian/changelog
--- poppler-0.41.0/debian/changelog 2017-09-29 15:30:37.000000000 +0000
+++ poppler-0.41.0/debian/changelog 2017-10-04 15:13:13.000000000 +0000
@@ -1,3 +1,44 @@
+poppler (0.41.0-0ubuntu1.4) xenial-security; urgency=medium
+
+ * SECURITY UPDATE: Floating point exception
+ - debian/patches/CVE-2017-14518.patch: Fix divide by 0 on broken
+ documents in splash/Splash.cc.
+ - CVE-2017-14518
+ * SECURITY UPDATE: Floating point exception
+ - debian/patches/CVE-2017-14520.patch: don't try to scale if srcHeight or
+ srcWidth is less than 1 in splash/Splash.cc.
+ - CVE-2017-14520
+ * SECURITY UPDATE: Floating point exception in ImageStream
+ - debian/patches/CVE-2017-14617.patch: Fix crash in broken files in
+ poppler/Stream.cc.
+ - CVE-2017-14617
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2017-14926.patch: Fix crash on broken files
+ in poppler/Annot.cc.
+ - CVE-2017-14926
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2017-14928.patch: Fix crash broken files
+ in poppler/Annot.cc.
+ - CVE-2017-14928
+ * SECURITY UPDATE: Memory corruption
+ - debian/patches/CVE-2017-14929.patch: Fix infinite recursion
+ in poppler/Gfx.cc, poppler/GfxState.cc, poppler/GfxState.h.
+ - CVE-2017-14929
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2017-14975.patch: fix crash in convertToType0 in
+ fofi/FoFiType1C.cc.
+ - CVE-2017-14975
+ * SECURITY UPDATE: NULL pointer dereference
+ - debian/patches/CVE-2017-14977.patch: fix NULL deference pointer in
+ fofi/FoFiTrueType.cc.
+ - CVE-2017-14977
+ * SECURITY UPDATE: Integer overflow and heap overflow
+ - debian/patches/CVE-2017-9776.patch: fix malformed documents
+ in poppler/JBIG2Stream.cc.
+ - CVE-2017-9776
+
+ -- Leonidas S. 
Barbosa Wed, 04 Oct 2017 12:12:46 -0300
+
 poppler (0.41.0-0ubuntu1.3) xenial-security; urgency=medium
 
 * SECURITY UPDATE: Memory corruption - infinite loop
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14518.patch poppler-0.41.0/debian/patches/CVE-2017-14518.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14518.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14518.patch 2017-10-04 15:10:20.000000000 +0000
@@ -0,0 +1,20 @@
+From 80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 13 Sep 2017 23:09:45 +0200
+Subject: isImageInterpolationRequired: Fix divide by 0 on broken documents
+
+Bug #102688
+
+Index: poppler-0.41.0/splash/Splash.cc
+===================================================================
+--- poppler-0.41.0.orig/splash/Splash.cc
++++ poppler-0.41.0/splash/Splash.cc
+@@ -4136,7 +4136,7 @@ SplashError Splash::arbitraryTransformIm
+ static GBool isImageInterpolationRequired(int srcWidth, int srcHeight,
+ int scaledWidth, int scaledHeight,
+ GBool interpolate) {
+- if (interpolate)
++ if (interpolate || srcWidth == 0 || srcHeight == 0)
+ return gTrue;
+
+ /* When scale factor is >= 400% we don't interpolate. See bugs #25268, #9860 */
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14520.patch poppler-0.41.0/debian/patches/CVE-2017-14520.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14520.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14520.patch 2017-10-04 15:10:32.000000000 +0000
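Review bot: The new guard in isImageInterpolationRequired tests only `srcWidth == 0 || srcHeight == 0`, so a negative source dimension from a broken document still falls through to the scale-factor comparison that follows. The CVE-2017-14520 patch on this page rejects every source size below 1 in Splash::scaleImage, and the two checks are easier to reason about when they agree: `if (interpolate || srcWidth <= 0 || srcHeight <= 0)`. A short comment such as `// degenerate source size: skip the ratio test below, which divides by the source dimensions` would record why gTrue is returned. The rest of the function body is outside the hunk, so the exact division is inferred from the patch subject.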
@@ -0,0 +1,21 @@
+From 504b3590182175390f474657a372e78fb1508262 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Thu, 14 Sep 2017 19:14:23 +0200
+Subject: Splash::scaleImage: Do not try to scale if srcHeight or srcWidth are
+ < 1
+
+Bug #102719
+
+Index: poppler-0.41.0/splash/Splash.cc
+===================================================================
+--- poppler-0.41.0.orig/splash/Splash.cc
++++ poppler-0.41.0/splash/Splash.cc
+@@ -4154,7 +4154,7 @@ SplashBitmap *Splash::scaleImage(SplashI
+ SplashBitmap *dest;
+
+ dest = new SplashBitmap(scaledWidth, scaledHeight, 1, srcMode, srcAlpha, gTrue, bitmap->getSeparationList());
+- if (dest->getDataPtr() != NULL) {
++ if (dest->getDataPtr() != NULL && srcHeight > 0 && srcWidth > 0) {
+ if (scaledHeight < srcHeight) {
+ if (scaledWidth < srcWidth) {
+ scaleImageYdXd(src, srcData, srcMode, nComps, srcAlpha,
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14617.patch poppler-0.41.0/debian/patches/CVE-2017-14617.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14617.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14617.patch 2017-10-04 15:10:44.000000000 +0000
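Review bot: The `srcHeight > 0 && srcWidth > 0` test is evaluated only after `new SplashBitmap(scaledWidth, scaledHeight, ...)` has allocated the destination, so a degenerate source still costs a full-size allocation before it is rejected. Testing the source dimensions before the allocation would avoid that and keep the input validation in one place. The failure branch of this `if` is outside the hunk; it presumably releases `dest`, and it should be confirmed that callers treat this new rejection path the same way as a failed allocation. scaledWidth and scaledHeight are not validated in the visible lines.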
@@ -0,0 +1,25 @@
+From 939465c40902d72e0c05d4f3a27ee67e4a007ed7 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Tue, 19 Sep 2017 21:19:03 +0200
+Subject: Fix crash in broken files
+
+Bug #102854
+
+Index: poppler-0.48.0/poppler/Stream.cc
+===================================================================
+--- poppler-0.48.0.orig/poppler/Stream.cc
++++ poppler-0.48.0/poppler/Stream.cc
+@@ -470,11 +470,10 @@ ImageStream::ImageStream(Stream *strA, i
+ } else {
+ imgLineSize = nVals;
+ }
+- if (width > INT_MAX / nComps) {
+- // force a call to gmallocn(-1,...), which will throw an exception
++ if (nComps <= 0 || width > INT_MAX / nComps) {
+ imgLineSize = -1;
+ }
+- imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
++ imgLine = (Guchar *)gmallocn_checkoverflow(imgLineSize, sizeof(Guchar));
+ }
+ imgIdx = nVals;
+ }
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14926.patch poppler-0.41.0/debian/patches/CVE-2017-14926.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14926.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14926.patch 2017-10-04 15:11:07.000000000 +0000
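Review bot: The result of `gmallocn_checkoverflow(imgLineSize, sizeof(Guchar))` is stored in imgLine with no check in the visible lines, and the comment that explained the `-1` sentinel was removed without a replacement. If the checked allocator signals failure by returning NULL instead of aborting, every later read through imgLine needs a null test, otherwise the floating point exception is traded for a null dereference; the constructor and the readers are outside the hunk, so this could not be confirmed here. I would restore a comment, for example `// invalid nComps/width: request -1 so the checked allocator fails instead of under-allocating`. The Index and ---/+++ paths of this patch name poppler-0.48.0 while the package is 0.41.0, and the header has no `Backport of:` line like the neighbouring patches, so the provenance deserves a line in the patch header.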
@@ -0,0 +1,30 @@
+Backport of:
+
+From 2532df6060092e9fab7f041ae9598aff9cdd94bb Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Fri, 8 Sep 2017 18:28:15 +0200
+Subject: Annot: Fix crash on broken files
+
+Bug #102601
+
+Index: poppler-0.41.0/poppler/Annot.cc
+===================================================================
+--- poppler-0.41.0.orig/poppler/Annot.cc
++++ poppler-0.41.0/poppler/Annot.cc
+@@ -6862,13 +6862,13 @@ AnnotRichMedia::Content::Content(Dict *d
+ assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
+
+ int counter = 0;
+- for (int i = 0; i < obj2.arrayGetLength(); i += 2) {
++ for (int i = 0; i < nAssets; ++i) {
+ Object objKey;
+
+ assets[counter] = new AnnotRichMedia::Asset;
+
+- obj2.arrayGet(i, &objKey);
+- obj2.arrayGet(i + 1, &assets[counter]->fileSpec);
++ obj2.arrayGet(i * 2, &objKey);
++ obj2.arrayGet(i * 2 + 1, &assets[counter]->fileSpec);
+
+ assets[counter]->name = new GooString( objKey.getString() );
+ ++counter;
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14928.patch poppler-0.41.0/debian/patches/CVE-2017-14928.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14928.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14928.patch 2017-10-04 15:11:19.000000000 +0000
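Review bot: `objKey.getString()` is still called without checking that the fetched key is a string, so a broken document whose key slot holds another object type reaches `new GooString(...)` with an invalid value. The index fix bounds the loop by nAssets, but the type of the element read by `obj2.arrayGet(i * 2, &objKey)` is not validated in the visible lines; a guard on `objKey.isString()` with a defined fallback for `assets[counter]->name` would close that. With `i` now running from 0 to nAssets, `counter` always equals `i` and could be dropped. nAssets is computed above the hunk and the loop body may continue below it.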
@@ -0,0 +1,61 @@
+From 1316c7a41f4dd7276f404f775ebb5fef2d24ab1c Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Fri, 8 Sep 2017 18:29:42 +0200
+Subject: Annot: Fix crash on broken files
+
+Bug #102607
+
+Index: poppler-0.41.0/poppler/Annot.cc
+===================================================================
+--- poppler-0.41.0.orig/poppler/Annot.cc
++++ poppler-0.41.0/poppler/Annot.cc
+@@ -6982,26 +6982,30 @@ AnnotRichMedia::Configuration::Configura
+ } else if (!strcmp(name, "Video")) {
+ type = typeVideo;
+ } else {
+- // determine from first instance
++ // determine from first non null instance
++ type = typeFlash; // default in case all instances are null
+ if (instances && nInstances > 0) {
+- AnnotRichMedia::Instance *instance = instances[0];
+- switch (instance->getType()) {
+- case AnnotRichMedia::Instance::type3D:
+- type = type3D;
+- break;
+- case AnnotRichMedia::Instance::typeFlash:
+- type = typeFlash;
+- break;
+- case AnnotRichMedia::Instance::typeSound:
+- type = typeSound;
+- break;
+- case AnnotRichMedia::Instance::typeVideo:
+- type = typeVideo;
+- break;
+- default:
+- type = typeFlash;
+- break;
+- }
++ for (int i = 0; i < nInstances; ++i) {
++ AnnotRichMedia::Instance *instance = instances[i];
++ if (instance) {
++ switch (instance->getType()) {
++ case AnnotRichMedia::Instance::type3D:
++ type = type3D;
++ break;
++ case AnnotRichMedia::Instance::typeFlash:
++ type = typeFlash;
++ break;
++ case AnnotRichMedia::Instance::typeSound:
++ type = typeSound;
++ break;
++ case AnnotRichMedia::Instance::typeVideo:
++ type = typeVideo;
++ break;
++ }
++ // break the loop since we found the first non null instance
++ break;
++ }
++ }
+ }
+ }
+ }
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14929.patch poppler-0.41.0/debian/patches/CVE-2017-14929.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14929.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14929.patch 2017-10-04 15:11:25.000000000 +0000
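Review bot: The loop skips NULL entries when it picks the type, but those entries stay in `instances` and are still counted by `nInstances`, so any other code that walks the array has to repeat the null test. The code that fills `instances` is outside the hunk; compacting the array there, or documenting on the member that entries may be NULL, would make the invariant explicit. The removed `default:` label leaves the switch without a fallback, which is correct only because of the `type = typeFlash;` assignment above it, so a comment on the switch such as `// unknown instance types keep the typeFlash default set above` would keep that from being undone later.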
@@ -0,0 +1,250 @@ +Backport of: + +From 2c92c7b6a828c9db8a38f079ea7a3d51c12a481d Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Mon, 25 Sep 2017 19:33:44 +0200 +Subject: Fix infinite recursion on broken files + +Bug #102969 +Index: poppler-0.41.0/poppler/Gfx.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/Gfx.cc ++++ poppler-0.41.0/poppler/Gfx.cc +@@ -465,11 +465,19 @@ GfxPattern *GfxResources::lookupPattern( + GfxResources *resPtr; + GfxPattern *pattern; + Object obj; ++ Object obj2; + + for (resPtr = this; resPtr; resPtr = resPtr->next) { + if (resPtr->patternDict.isDict()) { +- if (!resPtr->patternDict.dictLookup(name, &obj)->isNull()) { +- pattern = GfxPattern::parse(resPtr, &obj, out, state); ++ if (!resPtr->patternDict.dictLookupNF(name, &obj)->isNull()) { ++ Ref patternRef = { -1, -1 }; ++ if (obj.isRef()) { ++ patternRef = obj.getRef(); ++ obj.fetch(resPtr->patternDict.getDict()->getXRef(), &obj2); ++ } ++ ++ pattern = GfxPattern::parse(resPtr, &obj2, out, state, patternRef.num); ++ obj2.free(); + obj.free(); + return pattern; + } +@@ -2283,18 +2291,34 @@ void Gfx::doTilingPatternFill(GfxTilingP + xi0, yi0, xi1, yi1, xstep, ystep)) { + goto restore; + } else { +- out->updatePatternOpacity(state); +- for (yi = yi0; yi < yi1; ++yi) { +- for (xi = xi0; xi < xi1; ++xi) { +- x = xi * xstep; +- y = yi * ystep; +- m1[4] = x * m[0] + y * m[2] + m[4]; +- m1[5] = x * m[1] + y * m[3] + m[5]; +- drawForm(tPat->getContentStream(), tPat->getResDict(), +- m1, tPat->getBBox()); ++ bool shouldDrawForm = gTrue; ++ std::set::iterator patternRefIt; ++ const int patternRefNum = tPat->getPatternRefNum(); ++ if (patternRefNum != -1) { ++ if (formsDrawing.find(patternRefNum) == formsDrawing.end()) { ++ patternRefIt = formsDrawing.insert(patternRefNum).first; ++ } else { ++ shouldDrawForm = gFalse; ++ } ++ } ++ ++ if (shouldDrawForm) { ++ out->updatePatternOpacity(state); ++ for (yi = yi0; yi < yi1; ++yi) { ++ for 
(xi = xi0; xi < xi1; ++xi) { ++ x = xi * xstep; ++ y = yi * ystep; ++ m1[4] = x * m[0] + y * m[2] + m[4]; ++ m1[5] = x * m[1] + y * m[3] + m[5]; ++ drawForm(tPat->getContentStream(), tPat->getResDict(), ++ m1, tPat->getBBox()); ++ } ++ } ++ out->clearPatternOpacity(state); ++ if (patternRefNum != -1) { ++ formsDrawing.erase(patternRefIt); + } + } +- out->clearPatternOpacity(state); + } + + // restore graphics state +Index: poppler-0.41.0/poppler/GfxState.cc +=================================================================== +--- poppler-0.41.0.orig/poppler/GfxState.cc ++++ poppler-0.41.0/poppler/GfxState.cc +@@ -3429,14 +3429,17 @@ void GfxPatternColorSpace::getDefaultCol + // Pattern + //------------------------------------------------------------------------ + +-GfxPattern::GfxPattern(int typeA) { +- type = typeA; ++GfxPattern::GfxPattern(int typeA, int patternRefNumA) ++ : type(typeA) ++ , patternRefNum(patternRefNumA) ++{ ++ + } + + GfxPattern::~GfxPattern() { + } + +-GfxPattern *GfxPattern::parse(GfxResources *res, Object *obj, OutputDev *out, GfxState *state) { ++GfxPattern *GfxPattern::parse(GfxResources *res, Object *obj, OutputDev *out, GfxState *state, int patternRefNum) { + GfxPattern *pattern; + Object obj1; + +@@ -3449,9 +3452,9 @@ GfxPattern *GfxPattern::parse(GfxResourc + } + pattern = NULL; + if (obj1.isInt() && obj1.getInt() == 1) { +- pattern = GfxTilingPattern::parse(obj); ++ pattern = GfxTilingPattern::parse(obj, patternRefNum); + } else if (obj1.isInt() && obj1.getInt() == 2) { +- pattern = GfxShadingPattern::parse(res, obj, out, state); ++ pattern = GfxShadingPattern::parse(res, obj, out, state, patternRefNum); + } + obj1.free(); + return pattern; +@@ -3461,7 +3464,7 @@ GfxPattern *GfxPattern::parse(GfxResourc + // GfxTilingPattern + //------------------------------------------------------------------------ + +-GfxTilingPattern *GfxTilingPattern::parse(Object *patObj) { ++GfxTilingPattern *GfxTilingPattern::parse(Object *patObj, int 
patternRefNum) { + GfxTilingPattern *pat; + Dict *dict; + int paintTypeA, tilingTypeA; +@@ -3538,7 +3541,7 @@ GfxTilingPattern *GfxTilingPattern::pars + obj1.free(); + + pat = new GfxTilingPattern(paintTypeA, tilingTypeA, bboxA, xStepA, yStepA, +- &resDictA, matrixA, patObj); ++ &resDictA, matrixA, patObj, patternRefNum); + resDictA.free(); + return pat; + } +@@ -3546,8 +3549,8 @@ GfxTilingPattern *GfxTilingPattern::pars + GfxTilingPattern::GfxTilingPattern(int paintTypeA, int tilingTypeA, + double *bboxA, double xStepA, double yStepA, + Object *resDictA, double *matrixA, +- Object *contentStreamA): +- GfxPattern(1) ++ Object *contentStreamA, int patternRefNumA) : ++ GfxPattern(1, patternRefNumA) + { + int i; + +@@ -3572,14 +3575,14 @@ GfxTilingPattern::~GfxTilingPattern() { + + GfxPattern *GfxTilingPattern::copy() { + return new GfxTilingPattern(paintType, tilingType, bbox, xStep, yStep, +- &resDict, matrix, &contentStream); ++ &resDict, matrix, &contentStream, getPatternRefNum()); + } + + //------------------------------------------------------------------------ + // GfxShadingPattern + //------------------------------------------------------------------------ + +-GfxShadingPattern *GfxShadingPattern::parse(GfxResources *res, Object *patObj, OutputDev *out, GfxState *state) { ++GfxShadingPattern *GfxShadingPattern::parse(GfxResources *res, Object *patObj, OutputDev *out, GfxState *state, int patternRefNum) { + Dict *dict; + GfxShading *shadingA; + double matrixA[6]; +@@ -3612,11 +3615,11 @@ GfxShadingPattern *GfxShadingPattern::pa + } + obj1.free(); + +- return new GfxShadingPattern(shadingA, matrixA); ++ return new GfxShadingPattern(shadingA, matrixA, patternRefNum); + } + +-GfxShadingPattern::GfxShadingPattern(GfxShading *shadingA, double *matrixA): +- GfxPattern(2) ++GfxShadingPattern::GfxShadingPattern(GfxShading *shadingA, double *matrixA, int patternRefNumA): ++ GfxPattern(2, patternRefNumA) + { + int i; + +@@ -3631,7 +3634,7 @@ 
GfxShadingPattern::~GfxShadingPattern() + } + + GfxPattern *GfxShadingPattern::copy() { +- return new GfxShadingPattern(shading->copy(), matrix); ++ return new GfxShadingPattern(shading->copy(), matrix, getPatternRefNum()); + } + + //------------------------------------------------------------------------ +Index: poppler-0.41.0/poppler/GfxState.h +=================================================================== +--- poppler-0.41.0.orig/poppler/GfxState.h ++++ poppler-0.41.0/poppler/GfxState.h +@@ -758,18 +758,21 @@ private: + class GfxPattern { + public: + +- GfxPattern(int typeA); ++ GfxPattern(int typeA, int patternRefNumA); + virtual ~GfxPattern(); + +- static GfxPattern *parse(GfxResources *res, Object *obj, OutputDev *out, GfxState *state); ++ static GfxPattern *parse(GfxResources *res, Object *obj, OutputDev *out, GfxState *state, int patternRefNum); + + virtual GfxPattern *copy() = 0; + + int getType() { return type; } + ++ int getPatternRefNum() const { return patternRefNum; } ++ + private: + + int type; ++ int patternRefNum; + }; + + //------------------------------------------------------------------------ +@@ -779,7 +782,7 @@ private: + class GfxTilingPattern: public GfxPattern { + public: + +- static GfxTilingPattern *parse(Object *patObj); ++ static GfxTilingPattern *parse(Object *patObj, int patternRefNum); + virtual ~GfxTilingPattern(); + + virtual GfxPattern *copy(); +@@ -799,7 +802,7 @@ private: + GfxTilingPattern(int paintTypeA, int tilingTypeA, + double *bboxA, double xStepA, double yStepA, + Object *resDictA, double *matrixA, +- Object *contentStreamA); ++ Object *contentStreamA, int patternRefNumA); + + int paintType; + int tilingType; +@@ -817,7 +820,7 @@ private: + class GfxShadingPattern: public GfxPattern { + public: + +- static GfxShadingPattern *parse(GfxResources *res, Object *patObj, OutputDev *out, GfxState *state); ++ static GfxShadingPattern *parse(GfxResources *res, Object *patObj, OutputDev *out, GfxState *state, int 
patternRefNum); + virtual ~GfxShadingPattern(); + + virtual GfxPattern *copy(); +@@ -827,7 +830,7 @@ public: + + private: + +- GfxShadingPattern(GfxShading *shadingA, double *matrixA); ++ GfxShadingPattern(GfxShading *shadingA, double *matrixA, int patternRefNumA); + + GfxShading *shading; + double matrix[6]; diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14975.patch poppler-0.41.0/debian/patches/CVE-2017-14975.patch --- poppler-0.41.0/debian/patches/CVE-2017-14975.patch 1970-01-01 00:00:00.000000000 +0000 +++ poppler-0.41.0/debian/patches/CVE-2017-14975.patch 2017-10-04 15:11:35.000000000 +0000 
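Review bot: In GfxResources::lookupPattern, `obj2` is filled only inside `if (obj.isRef())`, yet `&obj2` is what is passed to `GfxPattern::parse`, so a pattern stored directly in the resource dictionary is now parsed from an unset Object. Before this change `dictLookup` resolved both the direct and the referenced case into `obj`. Passing the object that actually holds the pattern keeps direct entries working: `pattern = GfxPattern::parse(resPtr, obj.isRef() ? &obj2 : &obj, out, state, patternRef.num);`. In Gfx::doTilingPatternFill the recursion guard is keyed on the reference number alone and is skipped when it is `-1`, which deserves a comment stating that patterns without a reference are not covered by it.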
@@ -0,0 +1,503 @@ +From a5e5649ecf16fa05770620dbbd4985935dc2bbff Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Mon, 11 Sep 2017 12:35:16 +0200 +Subject: Fix crash in FoFiType1C::convertToType0 in broken files + +Bug #102653 + +diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc +index c4595a3..7a82785 100644 +--- a/fofi/FoFiType1C.cc ++++ b/fofi/FoFiType1C.cc +@@ -13,7 +13,7 @@ + // All changes made under the Poppler project to this file are licensed + // under GPL version 2 or later + // +-// Copyright (C) 2009, 2010 Albert Astals Cid ++// Copyright (C) 2009, 2010, 2017 Albert Astals Cid + // Copyright (C) 2012 Thomas Freitag + // + // To see a description of the changes please see the Changelog file that +@@ -33,6 +33,7 @@ + #include "goo/gmem.h" + #include "goo/gstrtod.h" + #include "goo/GooString.h" ++#include "poppler/Error.h" + #include "FoFiEncodings.h" + #include "FoFiType1C.h" + +@@ -879,253 +880,257 @@ void FoFiType1C::convertToType0(char *psName, int *codeMap, int nCodes, + } + } + ++ if (privateDicts) { + // write the descendant Type 1 fonts +- for (i = 0; i < nCIDs; i += 256) { +- +- //~ this assumes that all CIDs in this block have the same FD -- +- //~ to handle multiple FDs correctly, need to somehow divide the +- //~ font up by FD; as a kludge we ignore CID 0, which is .notdef +- fd = 0; +- // if fdSelect is NULL, we have an 8-bit font, so just leave fd=0 +- if (fdSelect) { +- for (j = i==0 ? 1 : 0; j < 256 && i+j < nCIDs; ++j) { +- if (cidMap[i+j] >= 0) { +- fd = fdSelect[cidMap[i+j]]; +- break; +- } ++ for (i = 0; i < nCIDs; i += 256) { ++ ++ //~ this assumes that all CIDs in this block have the same FD -- ++ //~ to handle multiple FDs correctly, need to somehow divide the ++ //~ font up by FD; as a kludge we ignore CID 0, which is .notdef ++ fd = 0; ++ // if fdSelect is NULL, we have an 8-bit font, so just leave fd=0 ++ if (fdSelect) { ++ for (j = i==0 ? 
1 : 0; j < 256 && i+j < nCIDs; ++j) { ++ if (cidMap[i+j] >= 0) { ++ fd = fdSelect[cidMap[i+j]]; ++ break; ++ } ++ } + } +- } + +- // font dictionary (unencrypted section) +- (*outputFunc)(outputStream, "16 dict begin\n", 14); +- (*outputFunc)(outputStream, "/FontName /", 11); +- (*outputFunc)(outputStream, psName, strlen(psName)); +- buf = GooString::format("_{0:02x} def\n", i >> 8); +- (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); +- delete buf; +- (*outputFunc)(outputStream, "/FontType 1 def\n", 16); +- if (privateDicts[fd].hasFontMatrix) { +- buf = GooString::format("/FontMatrix [{0:.8g} {1:.8g} {2:.8g} {3:.8g} {4:.8g} {5:.8g}] def\n", +- privateDicts[fd].fontMatrix[0], +- privateDicts[fd].fontMatrix[1], +- privateDicts[fd].fontMatrix[2], +- privateDicts[fd].fontMatrix[3], +- privateDicts[fd].fontMatrix[4], +- privateDicts[fd].fontMatrix[5]); ++ // font dictionary (unencrypted section) ++ (*outputFunc)(outputStream, "16 dict begin\n", 14); ++ (*outputFunc)(outputStream, "/FontName /", 11); ++ (*outputFunc)(outputStream, psName, strlen(psName)); ++ buf = GooString::format("_{0:02x} def\n", i >> 8); + (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); + delete buf; +- } else if (topDict.hasFontMatrix) { +- (*outputFunc)(outputStream, "/FontMatrix [1 0 0 1 0 0] def\n", 30); +- } else { +- (*outputFunc)(outputStream, +- "/FontMatrix [0.001 0 0 0.001 0 0] def\n", 38); +- } +- buf = GooString::format("/FontBBox [{0:.4g} {1:.4g} {2:.4g} {3:.4g}] def\n", +- topDict.fontBBox[0], topDict.fontBBox[1], +- topDict.fontBBox[2], topDict.fontBBox[3]); +- (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); +- delete buf; +- buf = GooString::format("/PaintType {0:d} def\n", topDict.paintType); +- (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); +- delete buf; +- if (topDict.paintType != 0) { +- buf = GooString::format("/StrokeWidth {0:.4g} def\n", topDict.strokeWidth); +- (*outputFunc)(outputStream, 
buf->getCString(), buf->getLength()); +- delete buf; +- } +- (*outputFunc)(outputStream, "/Encoding 256 array\n", 20); +- for (j = 0; j < 256 && i+j < nCIDs; ++j) { +- buf = GooString::format("dup {0:d} /c{1:02x} put\n", j, j); ++ (*outputFunc)(outputStream, "/FontType 1 def\n", 16); ++ if (privateDicts[fd].hasFontMatrix) { ++ buf = GooString::format("/FontMatrix [{0:.8g} {1:.8g} {2:.8g} {3:.8g} {4:.8g} {5:.8g}] def\n", ++ privateDicts[fd].fontMatrix[0], ++ privateDicts[fd].fontMatrix[1], ++ privateDicts[fd].fontMatrix[2], ++ privateDicts[fd].fontMatrix[3], ++ privateDicts[fd].fontMatrix[4], ++ privateDicts[fd].fontMatrix[5]); ++ (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); ++ delete buf; ++ } else if (topDict.hasFontMatrix) { ++ (*outputFunc)(outputStream, "/FontMatrix [1 0 0 1 0 0] def\n", 30); ++ } else { ++ (*outputFunc)(outputStream, ++ "/FontMatrix [0.001 0 0 0.001 0 0] def\n", 38); ++ } ++ buf = GooString::format("/FontBBox [{0:.4g} {1:.4g} {2:.4g} {3:.4g}] def\n", ++ topDict.fontBBox[0], topDict.fontBBox[1], ++ topDict.fontBBox[2], topDict.fontBBox[3]); + (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); + delete buf; +- } +- if (j < 256) { +- buf = GooString::format("{0:d} 1 255 {{ 1 index exch /.notdef put }} for\n", +- j); ++ buf = GooString::format("/PaintType {0:d} def\n", topDict.paintType); + (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); + delete buf; +- } +- (*outputFunc)(outputStream, "readonly def\n", 13); +- (*outputFunc)(outputStream, "currentdict end\n", 16); +- +- // start the binary section +- (*outputFunc)(outputStream, "currentfile eexec\n", 18); +- eb.outputFunc = outputFunc; +- eb.outputStream = outputStream; +- eb.ascii = gTrue; +- eb.r1 = 55665; +- eb.line = 0; +- +- // start the private dictionary +- eexecWrite(&eb, "\x83\xca\x73\xd5"); +- eexecWrite(&eb, "dup /Private 32 dict dup begin\n"); +- eexecWrite(&eb, "/RD {string currentfile exch readstring pop}" +- " executeonly 
def\n"); +- eexecWrite(&eb, "/ND {noaccess def} executeonly def\n"); +- eexecWrite(&eb, "/NP {noaccess put} executeonly def\n"); +- eexecWrite(&eb, "/MinFeature {16 16} def\n"); +- eexecWrite(&eb, "/password 5839 def\n"); +- if (privateDicts[fd].nBlueValues) { +- eexecWrite(&eb, "/BlueValues ["); +- for (k = 0; k < privateDicts[fd].nBlueValues; ++k) { +- buf = GooString::format("{0:s}{1:d}", +- k > 0 ? " " : "", +- privateDicts[fd].blueValues[k]); ++ if (topDict.paintType != 0) { ++ buf = GooString::format("/StrokeWidth {0:.4g} def\n", topDict.strokeWidth); ++ (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); ++ delete buf; ++ } ++ (*outputFunc)(outputStream, "/Encoding 256 array\n", 20); ++ for (j = 0; j < 256 && i+j < nCIDs; ++j) { ++ buf = GooString::format("dup {0:d} /c{1:02x} put\n", j, j); ++ (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); ++ delete buf; ++ } ++ if (j < 256) { ++ buf = GooString::format("{0:d} 1 255 {{ 1 index exch /.notdef put }} for\n", ++ j); ++ (*outputFunc)(outputStream, buf->getCString(), buf->getLength()); ++ delete buf; ++ } ++ (*outputFunc)(outputStream, "readonly def\n", 13); ++ (*outputFunc)(outputStream, "currentdict end\n", 16); ++ ++ // start the binary section ++ (*outputFunc)(outputStream, "currentfile eexec\n", 18); ++ eb.outputFunc = outputFunc; ++ eb.outputStream = outputStream; ++ eb.ascii = gTrue; ++ eb.r1 = 55665; ++ eb.line = 0; ++ ++ // start the private dictionary ++ eexecWrite(&eb, "\x83\xca\x73\xd5"); ++ eexecWrite(&eb, "dup /Private 32 dict dup begin\n"); ++ eexecWrite(&eb, "/RD {string currentfile exch readstring pop}" ++ " executeonly def\n"); ++ eexecWrite(&eb, "/ND {noaccess def} executeonly def\n"); ++ eexecWrite(&eb, "/NP {noaccess put} executeonly def\n"); ++ eexecWrite(&eb, "/MinFeature {16 16} def\n"); ++ eexecWrite(&eb, "/password 5839 def\n"); ++ if (privateDicts[fd].nBlueValues) { ++ eexecWrite(&eb, "/BlueValues ["); ++ for (k = 0; k < privateDicts[fd].nBlueValues; ++k) 
{ ++ buf = GooString::format("{0:s}{1:d}", ++ k > 0 ? " " : "", ++ privateDicts[fd].blueValues[k]); ++ eexecWrite(&eb, buf->getCString()); ++ delete buf; ++ } ++ eexecWrite(&eb, "] def\n"); ++ } ++ if (privateDicts[fd].nOtherBlues) { ++ eexecWrite(&eb, "/OtherBlues ["); ++ for (k = 0; k < privateDicts[fd].nOtherBlues; ++k) { ++ buf = GooString::format("{0:s}{1:d}", ++ k > 0 ? " " : "", ++ privateDicts[fd].otherBlues[k]); ++ eexecWrite(&eb, buf->getCString()); ++ delete buf; ++ } ++ eexecWrite(&eb, "] def\n"); ++ } ++ if (privateDicts[fd].nFamilyBlues) { ++ eexecWrite(&eb, "/FamilyBlues ["); ++ for (k = 0; k < privateDicts[fd].nFamilyBlues; ++k) { ++ buf = GooString::format("{0:s}{1:d}", k > 0 ? " " : "", ++ privateDicts[fd].familyBlues[k]); ++ eexecWrite(&eb, buf->getCString()); ++ delete buf; ++ } ++ eexecWrite(&eb, "] def\n"); ++ } ++ if (privateDicts[fd].nFamilyOtherBlues) { ++ eexecWrite(&eb, "/FamilyOtherBlues ["); ++ for (k = 0; k < privateDicts[fd].nFamilyOtherBlues; ++k) { ++ buf = GooString::format("{0:s}{1:d}", k > 0 ? " " : "", ++ privateDicts[fd].familyOtherBlues[k]); ++ eexecWrite(&eb, buf->getCString()); ++ delete buf; ++ } ++ eexecWrite(&eb, "] def\n"); ++ } ++ if (privateDicts[fd].blueScale != 0.039625) { ++ buf = GooString::format("/BlueScale {0:.4g} def\n", ++ privateDicts[fd].blueScale); + eexecWrite(&eb, buf->getCString()); + delete buf; + } +- eexecWrite(&eb, "] def\n"); +- } +- if (privateDicts[fd].nOtherBlues) { +- eexecWrite(&eb, "/OtherBlues ["); +- for (k = 0; k < privateDicts[fd].nOtherBlues; ++k) { +- buf = GooString::format("{0:s}{1:d}", +- k > 0 ? 
" " : "", +- privateDicts[fd].otherBlues[k]); ++ if (privateDicts[fd].blueShift != 7) { ++ buf = GooString::format("/BlueShift {0:d} def\n", ++ privateDicts[fd].blueShift); + eexecWrite(&eb, buf->getCString()); + delete buf; + } +- eexecWrite(&eb, "] def\n"); +- } +- if (privateDicts[fd].nFamilyBlues) { +- eexecWrite(&eb, "/FamilyBlues ["); +- for (k = 0; k < privateDicts[fd].nFamilyBlues; ++k) { +- buf = GooString::format("{0:s}{1:d}", k > 0 ? " " : "", +- privateDicts[fd].familyBlues[k]); ++ if (privateDicts[fd].blueFuzz != 1) { ++ buf = GooString::format("/BlueFuzz {0:d} def\n", ++ privateDicts[fd].blueFuzz); + eexecWrite(&eb, buf->getCString()); + delete buf; + } +- eexecWrite(&eb, "] def\n"); +- } +- if (privateDicts[fd].nFamilyOtherBlues) { +- eexecWrite(&eb, "/FamilyOtherBlues ["); +- for (k = 0; k < privateDicts[fd].nFamilyOtherBlues; ++k) { +- buf = GooString::format("{0:s}{1:d}", k > 0 ? " " : "", +- privateDicts[fd].familyOtherBlues[k]); ++ if (privateDicts[fd].hasStdHW) { ++ buf = GooString::format("/StdHW [{0:.4g}] def\n", privateDicts[fd].stdHW); + eexecWrite(&eb, buf->getCString()); + delete buf; + } +- eexecWrite(&eb, "] def\n"); +- } +- if (privateDicts[fd].blueScale != 0.039625) { +- buf = GooString::format("/BlueScale {0:.4g} def\n", +- privateDicts[fd].blueScale); +- eexecWrite(&eb, buf->getCString()); +- delete buf; +- } +- if (privateDicts[fd].blueShift != 7) { +- buf = GooString::format("/BlueShift {0:d} def\n", +- privateDicts[fd].blueShift); +- eexecWrite(&eb, buf->getCString()); +- delete buf; +- } +- if (privateDicts[fd].blueFuzz != 1) { +- buf = GooString::format("/BlueFuzz {0:d} def\n", +- privateDicts[fd].blueFuzz); +- eexecWrite(&eb, buf->getCString()); +- delete buf; +- } +- if (privateDicts[fd].hasStdHW) { +- buf = GooString::format("/StdHW [{0:.4g}] def\n", privateDicts[fd].stdHW); +- eexecWrite(&eb, buf->getCString()); +- delete buf; +- } +- if (privateDicts[fd].hasStdVW) { +- buf = GooString::format("/StdVW [{0:.4g}] def\n", 
privateDicts[fd].stdVW);
+- eexecWrite(&eb, buf->getCString());
+- delete buf;
+- }
+- if (privateDicts[fd].nStemSnapH) {
+- eexecWrite(&eb, "/StemSnapH [");
+- for (k = 0; k < privateDicts[fd].nStemSnapH; ++k) {
+- buf = GooString::format("{0:s}{1:.4g}",
+- k > 0 ? " " : "", privateDicts[fd].stemSnapH[k]);
++ if (privateDicts[fd].hasStdVW) {
++ buf = GooString::format("/StdVW [{0:.4g}] def\n", privateDicts[fd].stdVW);
+ eexecWrite(&eb, buf->getCString());
+ delete buf;
+ }
+- eexecWrite(&eb, "] def\n");
+- }
+- if (privateDicts[fd].nStemSnapV) {
+- eexecWrite(&eb, "/StemSnapV [");
+- for (k = 0; k < privateDicts[fd].nStemSnapV; ++k) {
+- buf = GooString::format("{0:s}{1:.4g}",
+- k > 0 ? " " : "", privateDicts[fd].stemSnapV[k]);
++ if (privateDicts[fd].nStemSnapH) {
++ eexecWrite(&eb, "/StemSnapH [");
++ for (k = 0; k < privateDicts[fd].nStemSnapH; ++k) {
++ buf = GooString::format("{0:s}{1:.4g}",
++ k > 0 ? " " : "", privateDicts[fd].stemSnapH[k]);
++ eexecWrite(&eb, buf->getCString());
++ delete buf;
++ }
++ eexecWrite(&eb, "] def\n");
++ }
++ if (privateDicts[fd].nStemSnapV) {
++ eexecWrite(&eb, "/StemSnapV [");
++ for (k = 0; k < privateDicts[fd].nStemSnapV; ++k) {
++ buf = GooString::format("{0:s}{1:.4g}",
++ k > 0 ? " " : "", privateDicts[fd].stemSnapV[k]);
++ eexecWrite(&eb, buf->getCString());
++ delete buf;
++ }
++ eexecWrite(&eb, "] def\n");
++ }
++ if (privateDicts[fd].hasForceBold) {
++ buf = GooString::format("/ForceBold {0:s} def\n",
++ privateDicts[fd].forceBold ? "true" : "false");
++ eexecWrite(&eb, buf->getCString());
++ delete buf;
++ }
++ if (privateDicts[fd].forceBoldThreshold != 0) {
++ buf = GooString::format("/ForceBoldThreshold {0:.4g} def\n",
++ privateDicts[fd].forceBoldThreshold);
++ eexecWrite(&eb, buf->getCString());
++ delete buf;
++ }
++ if (privateDicts[fd].languageGroup != 0) {
++ buf = GooString::format("/LanguageGroup {0:d} def\n",
++ privateDicts[fd].languageGroup);
++ eexecWrite(&eb, buf->getCString());
++ delete buf;
++ }
++ if (privateDicts[fd].expansionFactor != 0.06) {
++ buf = GooString::format("/ExpansionFactor {0:.4g} def\n",
++ privateDicts[fd].expansionFactor);
+ eexecWrite(&eb, buf->getCString());
+ delete buf;
+ }
+- eexecWrite(&eb, "] def\n");
+- }
+- if (privateDicts[fd].hasForceBold) {
+- buf = GooString::format("/ForceBold {0:s} def\n",
+- privateDicts[fd].forceBold ? "true" : "false");
+- eexecWrite(&eb, buf->getCString());
+- delete buf;
+- }
+- if (privateDicts[fd].forceBoldThreshold != 0) {
+- buf = GooString::format("/ForceBoldThreshold {0:.4g} def\n",
+- privateDicts[fd].forceBoldThreshold);
+- eexecWrite(&eb, buf->getCString());
+- delete buf;
+- }
+- if (privateDicts[fd].languageGroup != 0) {
+- buf = GooString::format("/LanguageGroup {0:d} def\n",
+- privateDicts[fd].languageGroup);
+- eexecWrite(&eb, buf->getCString());
+- delete buf;
+- }
+- if (privateDicts[fd].expansionFactor != 0.06) {
+- buf = GooString::format("/ExpansionFactor {0:.4g} def\n",
+- privateDicts[fd].expansionFactor);
+- eexecWrite(&eb, buf->getCString());
+- delete buf;
+- }
+
+- // set up the subroutines
+- ok = gTrue;
+- getIndex(privateDicts[fd].subrsOffset, &subrIdx, &ok);
+- if (!ok) {
+- subrIdx.pos = -1;
+- }
++ // set up the subroutines
++ ok = gTrue;
++ getIndex(privateDicts[fd].subrsOffset, &subrIdx, &ok);
++ if (!ok) {
++ subrIdx.pos = -1;
++ }
+
+- // start the CharStrings
+- eexecWrite(&eb, "2 index /CharStrings 256 dict dup begin\n");
++ // start the CharStrings
++ eexecWrite(&eb, "2 index /CharStrings 256 dict dup begin\n");
+
+- // write the .notdef CharString
+- ok = gTrue;
+- getIndexVal(&charStringsIdx, 0, &val, &ok);
+- if (ok) {
+- eexecCvtGlyph(&eb, ".notdef", val.pos, val.len,
+- &subrIdx, &privateDicts[fd]);
+- }
+-
+- // write the CharStrings
+- for (j = 0; j < 256 && i+j < nCIDs; ++j) {
+- if (cidMap[i+j] >= 0) {
+- ok = gTrue;
+- getIndexVal(&charStringsIdx, cidMap[i+j], &val, &ok);
+- if (ok) {
+- buf = GooString::format("c{0:02x}", j);
+- eexecCvtGlyph(&eb, buf->getCString(), val.pos, val.len,
+- &subrIdx, &privateDicts[fd]);
+- delete buf;
+- }
++ // write the .notdef CharString
++ ok = gTrue;
++ getIndexVal(&charStringsIdx, 0, &val, &ok);
++ if (ok) {
++ eexecCvtGlyph(&eb, ".notdef", val.pos, val.len,
++ &subrIdx, &privateDicts[fd]);
+ }
+- }
+- eexecWrite(&eb, "end\n");
+- eexecWrite(&eb, "end\n");
+- eexecWrite(&eb, "readonly put\n");
+- eexecWrite(&eb, "noaccess put\n");
+- eexecWrite(&eb, "dup /FontName get exch definefont pop\n");
+- eexecWrite(&eb, "mark currentfile closefile\n");
+
+- // trailer
+- if (eb.line > 0) {
+- (*outputFunc)(outputStream, "\n", 1);
+- }
+- for (j = 0; j < 8; ++j) {
+- (*outputFunc)(outputStream, "0000000000000000000000000000000000000000000000000000000000000000\n", 65);
++ // write the CharStrings
++ for (j = 0; j < 256 && i+j < nCIDs; ++j) {
++ if (cidMap[i+j] >= 0) {
++ ok = gTrue;
++ getIndexVal(&charStringsIdx, cidMap[i+j], &val, &ok);
++ if (ok) {
++ buf = GooString::format("c{0:02x}", j);
++ eexecCvtGlyph(&eb, buf->getCString(), val.pos, val.len,
++ &subrIdx, &privateDicts[fd]);
++ delete buf;
++ }
++ }
++ }
++ eexecWrite(&eb, "end\n");
++ eexecWrite(&eb, "end\n");
++ eexecWrite(&eb, "readonly put\n");
++ eexecWrite(&eb, "noaccess put\n");
++ eexecWrite(&eb, "dup /FontName get exch definefont pop\n");
++ eexecWrite(&eb, "mark currentfile closefile\n");
++
++ // trailer
++ if (eb.line > 0) {
++ (*outputFunc)(outputStream, "\n", 1);
++ }
++ for (j = 0; j < 8; ++j) {
++ (*outputFunc)(outputStream, "0000000000000000000000000000000000000000000000000000000000000000\n", 65);
++ }
++ (*outputFunc)(outputStream, "cleartomark\n", 12);
+ }
+- (*outputFunc)(outputStream, "cleartomark\n", 12);
++ } else {
++ error(errSyntaxError, -1, "FoFiType1C::convertToType0 without privateDicts");
+ }
+
+ // write the Type 0 parent font
+--
+cgit v0.10.2
+
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-14977.patch poppler-0.41.0/debian/patches/CVE-2017-14977.patch
--- poppler-0.41.0/debian/patches/CVE-2017-14977.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-14977.patch 2017-10-04 15:11:45.000000000 +0000
@@ -0,0 +1,23 @@
+From 19eedc6fb693a62f305e13079501e3105f869f3c Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Sat, 30 Sep 2017 11:12:31 +0200
+Subject: Fix crash in broken files
+
+Bug #103045
+
+diff --git a/fofi/FoFiTrueType.cc b/fofi/FoFiTrueType.cc
+index 58f604a..4495cb3 100644
+--- a/fofi/FoFiTrueType.cc
++++ b/fofi/FoFiTrueType.cc
+@@ -451,7 +451,7 @@ int FoFiTrueType::mapNameToGID(char *name) {
+ GBool FoFiTrueType::getCFFBlock(char **start, int *length) {
+ int i;
+
+- if (!openTypeCFF) {
++ if (!openTypeCFF || !tables) {
+ return gFalse;
+ }
+ i = seekTable("CFF ");
+--
+cgit v0.10.2
+
diff -Nru poppler-0.41.0/debian/patches/CVE-2017-9776.patch poppler-0.41.0/debian/patches/CVE-2017-9776.patch
--- poppler-0.41.0/debian/patches/CVE-2017-9776.patch 1970-01-01 00:00:00.000000000 +0000
+++ poppler-0.41.0/debian/patches/CVE-2017-9776.patch 2017-10-04 15:11:58.000000000 +0000
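Review bot: The result of `i = seekTable("CFF ");` in `FoFiTrueType::getCFFBlock` is not range-checked anywhere in this hunk, so the new `!tables` guard only covers the case where no table array exists at all. If `seekTable` reports a missing tag with a negative index (its body is not shown here) and the code after the hunk indexes `tables[i]`, a font that sets `openTypeCFF` but carries no `CFF ` table would still be read out of bounds; adding `if (i < 0) return gFalse;` right after the call would close that path. A short comment on the new condition, for example `// tables may be NULL for a broken font (bug #103045)`, would record why it is needed. The function body continues past the end of the hunk.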
@@ -0,0 +1,21 @@
+Backported of:
+
+From a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Wed, 21 Jun 2017 00:55:20 +0200
+Subject: Fix crash in malformed documents
+
+
+diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
+index a20c220..9e3a0a6 100644
+--- a/poppler/JBIG2Stream.cc
++++ b/poppler/JBIG2Stream.cc
+@@ -892,6 +892,8 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y,
+ oneByte = x0 == ((x1 - 1) & ~7);
+
+ for (yy = y0; yy < y1; ++yy) {
++ if (unlikely((y + yy >= h) || (y + yy < 0)))
++ continue;
+
+ // one byte per line -- need to mask both left and right side
+ if (oneByte) {
diff -Nru poppler-0.41.0/debian/patches/series poppler-0.41.0/debian/patches/series
--- poppler-0.41.0/debian/patches/series 2017-09-29 15:30:54.000000000 +0000
+++ poppler-0.41.0/debian/patches/series 2017-10-04 15:11:58.000000000 +0000
@@ -9,3 +9,12 @@
 CVE-2017-9775.patch
 CVE-2017-2820.patch
 CVE-2017-14519.patch
+CVE-2017-14518.patch
+CVE-2017-14520.patch
+CVE-2017-14617.patch
+CVE-2017-14926.patch
+CVE-2017-14928.patch
+CVE-2017-14929.patch
+CVE-2017-14975.patch
+CVE-2017-14977.patch
+CVE-2017-9776.patch
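Review bot: The new row guard in `JBIG2Bitmap::combine` computes `y + yy` as a plain `int` sum, so if `y` reaches this function from the document without a range check (its origin is outside the hunk) the addition can overflow before the comparison runs, and signed overflow is undefined. Doing the sum in a wider type keeps the test meaningful: `const long long row = (long long)y + yy;` followed by `if (unlikely(row < 0 || row >= h)) continue;`. The guard also covers rows only; `x0` and `x1` are computed above the hunk, so the column bounds cannot be confirmed from here. A comment stating why out-of-range rows are skipped inside the loop rather than `y0`/`y1` being clamped before it would help the next reader. The loop body continues past the end of the hunk.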