--- poppler-0.5.1.orig/debian/libpoppler-qt-dev.dirs
+++ poppler-0.5.1/debian/libpoppler-qt-dev.dirs
@@ -0,0 +1,3 @@
+usr/include/poppler
+usr/lib
+usr/lib/pkgconfig
--- poppler-0.5.1.orig/debian/libpoppler-dev.dirs
+++ poppler-0.5.1/debian/libpoppler-dev.dirs
@@ -0,0 +1,3 @@
+usr/include/poppler
+usr/lib
+usr/lib/pkgconfig
--- poppler-0.5.1.orig/debian/patches/002_CVE-2006-0301.patch
+++ poppler-0.5.1/debian/patches/002_CVE-2006-0301.patch
@@ -0,0 +1,38 @@
+diff -Nur poppler-0.5.0/splash/Splash.cc poppler-0.5.0.new/splash/Splash.cc
+--- poppler-0.5.0/splash/Splash.cc 2005-11-20 21:40:28.000000000 +0000
++++ poppler-0.5.0.new/splash/Splash.cc 2006-02-03 18:13:19.000000000 +0000
+@@ -928,6 +928,10 @@
+ int alpha2, ialpha2;
+ Guchar t;
+
++ if ( (unsigned) x >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ if (noClip || state->clip->test(x, y)) {
+ if (alpha != 1 || softMask || state->blendFunc) {
+ blendFunc = state->blendFunc ? state->blendFunc : &blendNormal;
+@@ -1195,6 +1199,11 @@
+ updateModY(y);
+ }
+
++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ if (alpha != 1 || softMask || state->blendFunc) {
+ blendFunc = state->blendFunc ? state->blendFunc : &blendNormal;
+ if (softMask) {
+@@ -1825,6 +1834,11 @@
+ updateModY(y);
+ }
+
++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
++ (unsigned) y >= (unsigned) bitmap->getHeight())
++ return;
++
+ switch (bitmap->mode) {
+ case splashModeMono1:
+ p = &bitmap->data[y * bitmap->rowSize + (x0 >> 3)];
--- poppler-0.5.1.orig/debian/patches/102_embedded-font-fixes.patch
+++ poppler-0.5.1/debian/patches/102_embedded-font-fixes.patch
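Review bot: In the second and third Splash.cc hunks a span that lies only partly outside the bitmap is discarded whole, because the added test returns as soon as `x0` or `x1` is out of range. Clamping keeps the memory-safety property without dropping the visible part: `if (x0 < 0) x0 = 0;` and `if (x1 >= bitmap->getWidth()) x1 = bitmap->getWidth() - 1;`, then return only when `x0 > x1` or `y` is out of range. The `(unsigned)` casts fold the negative case into the upper-bound compare and deserve a comment such as `// unsigned compare also rejects negative coordinates`. The context lines show `updateModY(y)` running before the new check, so a rejected span may already have widened the modified region; the enclosing functions start and end outside the hunks.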
@@ -0,0 +1,148 @@
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/CairoFontEngine.cc poppler-0.5.1.new/poppler/CairoFontEngine.cc
+--- poppler-0.5.1/poppler/CairoFontEngine.cc 2005-12-21 09:21:24.000000000 -0800
++++ poppler-0.5.1.new/poppler/CairoFontEngine.cc 2008-04-15 13:22:32.000000000 -0700
+@@ -73,6 +73,12 @@
+ refObj.initRef(embRef.num, embRef.gen);
+ refObj.fetch(xref, &strObj);
+ refObj.free();
++ if (!strObj.isStream()) {
++ error(-1, "Embedded font object is wrong type");
++ strObj.free();
++ fclose(tmpFile);
++ goto err2;
++ }
+ strObj.streamReset();
+ while ((c = strObj.streamGetChar()) != EOF) {
+ fputc(c, tmpFile);
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/Object.h poppler-0.5.1.new/poppler/Object.h
+--- poppler-0.5.1/poppler/Object.h 2006-01-23 06:43:37.000000000 -0800
++++ poppler-0.5.1.new/poppler/Object.h 2008-04-15 13:24:37.000000000 -0700
+@@ -67,17 +67,18 @@
+ //------------------------------------------------------------------------
+
+ #ifdef DEBUG_MEM
+-#define initObj(t) ++numAlloc[type = t]
++#define initObj(t) zeroUnion(); ++numAlloc[type = t]
+ #else
+-#define initObj(t) type = t
++#define initObj(t) zeroUnion(); type = t
+ #endif
+
+ class Object {
+ public:
+-
++ // attempt to clear the anonymous union
++ void zeroUnion() { this->name = NULL; }
+ // Default constructor.
+ Object():
+- type(objNone) {}
++ type(objNone) { zeroUnion(); }
+
+ // Initialize an object.
+ Object *initBool(GBool boolnA)
+@@ -219,16 +220,16 @@
+ #include "Array.h"
+
+ inline int Object::arrayGetLength()
+- { return array->getLength(); }
++ { if (type != objArray) return 0; return array->getLength(); }
+
+ inline void Object::arrayAdd(Object *elem)
+- { array->add(elem); }
++ { if (type == objArray) array->add(elem); }
+
+ inline Object *Object::arrayGet(int i, Object *obj)
+- { return array->get(i, obj); }
++ { if (type != objArray) return obj->initNull(); return array->get(i, obj); }
+
+ inline Object *Object::arrayGetNF(int i, Object *obj)
+- { return array->getNF(i, obj); }
++ { if (type != objArray) return obj->initNull(); return array->getNF(i, obj); }
+
+ //------------------------------------------------------------------------
+ // Dict accessors.
+@@ -237,31 +238,31 @@
+ #include "Dict.h"
+
+ inline int Object::dictGetLength()
+- { return dict->getLength(); }
++ { if (type != objDict) return 0; return dict->getLength(); }
+
+ inline void Object::dictAdd(const UGooString &key, Object *val)
+- { dict->add(key, val); }
++ { if (type == objDict) dict->add(key, val); }
+
+ inline GBool Object::dictIs(char *dictType)
+- { return dict->is(dictType); }
++ { return (type == objDict) && dict->is(dictType); }
+
+ inline GBool Object::isDict(char *dictType)
+- { return type == objDict && dictIs(dictType); }
++ { return (type == objDict) && dictIs(dictType); }
+
+ inline Object *Object::dictLookup(const UGooString &key, Object *obj)
+- { return dict->lookup(key, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->lookup(key, obj); }
+
+ inline Object *Object::dictLookupNF(const UGooString &key, Object *obj)
+- { return dict->lookupNF(key, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->lookupNF(key, obj); }
+
+ inline UGooString *Object::dictGetKey(int i)
+- { return dict->getKey(i); }
++ { if (type != objDict) return NULL; return dict->getKey(i); }
+
+ inline Object *Object::dictGetVal(int i, Object *obj)
+- {
return dict->getVal(i, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->getVal(i, obj); }
+
+ inline Object *Object::dictGetValNF(int i, Object *obj)
+- { return dict->getValNF(i, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->getValNF(i, obj); }
+
+ //------------------------------------------------------------------------
+ // Stream accessors.
+@@ -270,33 +271,33 @@
+ #include "Stream.h"
+
+ inline GBool Object::streamIs(char *dictType)
+- { return stream->getDict()->is(dictType); }
++ { return (type == objStream) && stream->getDict()->is(dictType); }
+
+ inline GBool Object::isStream(char *dictType)
+- { return type == objStream && streamIs(dictType); }
++ { return (type == objStream) && streamIs(dictType); }
+
+ inline void Object::streamReset()
+- { stream->reset(); }
++ { if (type == objStream) stream->reset(); }
+
+ inline void Object::streamClose()
+- { stream->close(); }
++ { if (type == objStream) stream->close(); }
+
+ inline int Object::streamGetChar()
+- { return stream->getChar(); }
++ { if (type != objStream) return EOF; return stream->getChar(); }
+
+ inline int Object::streamLookChar()
+- { return stream->lookChar(); }
++ { if (type != objStream) return EOF; return stream->lookChar(); }
+
+ inline char *Object::streamGetLine(char *buf, int size)
+- { return stream->getLine(buf, size); }
++ { if (type != objStream) return NULL; return stream->getLine(buf, size); }
+
+ inline Guint Object::streamGetPos()
+- { return stream->getPos(); }
++ { if (type != objStream) return 0; return stream->getPos(); }
+
+ inline void Object::streamSetPos(Guint pos, int dir)
+- { stream->setPos(pos, dir); }
++ { if (type == objStream) stream->setPos(pos, dir); }
+
+ inline Dict *Object::streamGetDict()
+- { return stream->getDict(); }
++ { if (type != objStream) return NULL; return stream->getDict(); }
+
+ #endif
--- poppler-0.5.1.orig/debian/patches/106_security_CVE-2010-3702.patch
+++
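Review bot: The new `initObj(t)` in Object.h expands to two statements (`zeroUnion(); type = t`), so any use as the body of an unbraced `if` or `else` would make only `zeroUnion()` conditional and always assign the type. An expression form keeps it a single statement: `#define initObj(t) (zeroUnion(), type = (t))`, and `(zeroUnion(), ++numAlloc[type = (t)])` under DEBUG_MEM. `zeroUnion()` writes only the `name` member, which clears the whole union only if no member is wider than a pointer; the union's declaration is outside the hunk, so this should be confirmed or the widest member cleared instead. The type-guarded accessors return 0, NULL or a null object silently on a mismatch, so a malformed document is no longer distinguishable from an empty one; an `error(-1, ...)` call in the mismatch branch, as the CairoFontEngine.cc hunk does, would keep that visible.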
poppler-0.5.1/debian/patches/106_security_CVE-2010-3702.patch
@@ -0,0 +1,23 @@
+Description: fix possible arbitrary code execution via malformed PDF
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=e853106b58d6b4b0467dbd6436c9bb1cfbd372cf
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599165
+
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1//poppler/Gfx.cc poppler-0.5.1.new//poppler/Gfx.cc
+--- poppler-0.5.1//poppler/Gfx.cc 2010-10-13 16:42:13.000000000 -0400
++++ poppler-0.5.1.new//poppler/Gfx.cc 2010-10-13 16:42:28.000000000 -0400
+@@ -434,6 +434,7 @@
+ subPage = gFalse;
+ printCommands = globalParams->getPrintCommands();
+ profileCommands = globalParams->getProfileCommands();
++ parser = NULL;
+
+ // start the resource stack
+ res = new GfxResources(xref, resDict, NULL);
+@@ -476,6 +477,7 @@
+ xref = xrefA;
+ subPage = gTrue;
+ printCommands = globalParams->getPrintCommands();
++ parser = NULL;
+
+ // start the resource stack
+ res = new GfxResources(xref, resDict, NULL);
--- poppler-0.5.1.orig/debian/patches/105_security_CVE-2009-360x.patch
+++ poppler-0.5.1/debian/patches/105_security_CVE-2009-360x.patch
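Review bot: The second constructor hunk (`@@ -476,6 +477,7 @@`) shows `printCommands` being set and then `parser = NULL;`, but no `profileCommands` assignment like the one visible in the first constructor; unless it is assigned outside the hunk, that member is left uninitialised in the same way `parser` was. If so, `profileCommands = globalParams->getProfileCommands();` belongs next to the new line. Both `parser = NULL;` lines would also benefit from a comment saying why they are there, presumably something like `// no parser exists yet; later cleanup must not see an uninitialised pointer`. Both constructors start and end outside the hunks.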
@@ -0,0 +1,206 @@
+#
+# Description: fix multiple overflows
+# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671afd8ab91583dabc876304008acb021c
+#
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/Stream.cc poppler-0.5.1.new/poppler/Stream.cc
+--- poppler-0.5.1/poppler/Stream.cc 2009-10-19 11:27:11.000000000 -0400
++++ poppler-0.5.1.new/poppler/Stream.cc 2009-10-19 11:29:07.000000000 -0400
+@@ -333,6 +333,10 @@
+ } else {
+ imgLineSize = nVals;
+ }
++ if (width > INT_MAX / nComps) {
++ // force a call to gmallocn(-1,...), which will throw an exception
++ imgLineSize = -1;
++ }
+ imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/XRef.cc poppler-0.5.1.new/poppler/XRef.cc
+--- poppler-0.5.1/poppler/XRef.cc 2006-01-23 09:43:38.000000000 -0500
++++ poppler-0.5.1.new/poppler/XRef.cc 2009-10-19 11:31:20.000000000 -0400
+@@ -58,6 +58,8 @@
+ // generation 0.
+ ObjectStream(XRef *xref, int objStrNumA);
+
++ GBool isOk() { return ok; }
++
+ ~ObjectStream();
+
+ // Return the object number of this object stream.
+@@ -73,6 +75,7 @@
+ int nObjects; // number of objects in the stream
+ Object *objs; // the objects (length = nObjects)
+ int *objNums; // the object numbers (length = nObjects)
++ GBool ok;
+ };
+
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -86,6 +89,7 @@
+ nObjects = 0;
+ objs = NULL;
+ objNums = NULL;
++ ok = gFalse;
+
+ if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+ goto err1;
+@@ -111,8 +115,11 @@
+ goto err1;
+ }
+
+- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
+- error(-1, "Invalid 'nObjects'");
++ // this is an arbitrary limit to avoid integer overflow problems
++ // in the 'new Object[nObjects]' call (Acrobat apparently limits
++ // object streams to 100-200 objects)
++ if (nObjects > 1000000) {
++ error(-1, "Too many objects in an object stream");
+ goto err1;
+ }
+
+@@ -172,10 +179,10 @@
+ }
+
+ gfree(offsets);
++ ok = gTrue;
+
+ err1:
+ objStr.free();
+- return;
+ }
+
+ ObjectStream::~ObjectStream() {
+@@ -889,6 +896,11 @@
+ delete objStr;
+ }
+ objStr = new ObjectStream(this, e->offset);
++ if (!objStr->isOk()) {
++ delete objStr;
++ objStr = NULL;
++ goto err;
++ }
+ }
+ objStr->getObject(e->gen, num, obj);
+ break;
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/SplashBitmap.cc poppler-0.5.1.new/splash/SplashBitmap.cc
+--- poppler-0.5.1/splash/SplashBitmap.cc 2009-10-19 11:27:11.000000000 -0400
++++ poppler-0.5.1.new/splash/SplashBitmap.cc 2009-10-19 11:36:22.000000000 -0400
+@@ -11,6 +11,7 @@
+ #endif
+
+ #include
++#include
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -26,33 +27,59 @@
+ mode = modeA;
+ switch (mode) {
+ case splashModeMono1:
+- rowSize = (width + 7) >> 3;
++ if (width > 0) {
++ rowSize = (width + 7) >> 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeMono8:
+- rowSize = width;
++ if (width > 0) {
++ rowSize = width;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeAMono8:
+- rowSize = width * 2;
++ if (width > 0 &&
width <= INT_MAX / 2) {
++ rowSize = width * 2;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- rowSize = width * 3;
++ if (width > 0 && width <= INT_MAX / 3) {
++ rowSize = width * 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeARGB8:
+ case splashModeBGRA8:
+ #if SPLASH_CMYK
+ case splashModeCMYK8:
+ #endif
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #if SPLASH_CMYK
+ case splashModeACMYK8:
+- rowSize = width * 5;
++ if (width > 0 && width <= INT_MAX / 5) {
++ rowSize = width * 5;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #endif
+ }
+- rowSize += rowPad - 1;
+- rowSize -= rowSize % rowPad;
++ if (rowSize > 0) {
++ rowSize += rowPad - 1;
++ rowSize -= rowSize % rowPad;
++ }
+ data = (SplashColorPtr)gmallocn(rowSize, height);
+ if (!topDown) {
+ data += (height - 1) * rowSize;
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/Splash.cc poppler-0.5.1.new/splash/Splash.cc
+--- poppler-0.5.1/splash/Splash.cc 2009-10-19 11:27:12.000000000 -0400
++++ poppler-0.5.1.new/splash/Splash.cc 2009-10-19 11:32:55.000000000 -0400
+@@ -12,6 +12,7 @@
+
+ #include
+ #include
++#include
+ #include "goo/gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -2461,6 +2462,9 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
+ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);
+
+ // init y scale Bresenham
+@@ -2782,6 +2786,9 @@
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
+ pixBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
+
+ pixAcc0 = pixAcc1 = pixAcc2 = 0; // make gcc happy
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/SplashErrorCodes.h poppler-0.5.1.new/splash/SplashErrorCodes.h
+--- poppler-0.5.1/splash/SplashErrorCodes.h 2005-03-03 14:45:59.000000000
-0500
++++ poppler-0.5.1.new/splash/SplashErrorCodes.h 2009-10-19 11:36:54.000000000 -0400
+@@ -27,4 +27,8 @@
+
+ #define splashErrSingularMatrix 8 // matrix is singular
+
++#define splashErrBadArg 9 // bad argument
++
++#define splashErrZeroImage 254 // image of 0x0
++
+ #endif
--- poppler-0.5.1.orig/debian/patches/004_CVE-2007-0104.patch
+++ poppler-0.5.1/debian/patches/004_CVE-2007-0104.patch
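Review bot: In the SplashBitmap.cc hunk the `splashModeMono1` branch checks only `width > 0` before computing `(width + 7) >> 3`, so a width above `INT_MAX - 7` still overflows the signed addition; the guard should read `if (width > 0 && width <= INT_MAX - 7) {`. The padding step has the same gap: `rowSize += rowPad - 1` runs for any positive `rowSize`, and the per-mode limits (`INT_MAX / 2` to `INT_MAX / 5`) leave no headroom for it, so the condition should become `if (rowSize > 0 && rowSize <= INT_MAX - (rowPad - 1))` with `rowSize = -1` otherwise. Further down, `(height - 1) * rowSize` is still computed without a range check on `height`. In Stream.cc, `width > INT_MAX / nComps` divides by `nComps` without a visible check that it is positive. All of these paths rely on `gmallocn` rejecting a negative count, which is not shown in this patch.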
@@ -0,0 +1,63 @@
+diff -Nur poppler-0.5.4/poppler/Catalog.cc poppler-0.5.4.new/poppler/Catalog.cc
+--- poppler-0.5.4/poppler/Catalog.cc 2006-09-13 17:10:52.000000000 +0200
++++ poppler-0.5.4.new/poppler/Catalog.cc 2007-01-16 17:57:43.000000000 +0100
+@@ -26,6 +26,12 @@
+ #include "UGooString.h"
+ #include "Catalog.h"
+
++// This define is used to limit the depth of recursive readPageTree calls
++// This is needed because the page tree nodes can reference their parents
++// leaving us in an infinite loop
++// Most sane pdf documents don't have a call depth higher than 10
++#define MAX_CALL_DEPTH 1000
++
+ //------------------------------------------------------------------------
+ // Catalog
+ //------------------------------------------------------------------------
+@@ -75,7 +81,7 @@
+ pageRefs[i].num = -1;
+ pageRefs[i].gen = -1;
+ }
+- numPages = readPageTree(pagesDict.getDict(), NULL, 0);
++ numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0);
+ if (numPages != numPages0) {
+ error(-1, "Page count in top-level pages object is incorrect");
+ }
+@@ -217,7 +223,7 @@
+ return s;
+ }
+
+-int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) {
++int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) {
+ Object kids;
+ Object kid;
+ Object kidRef;
+@@ -262,9 +268,13 @@
+ // This should really be isDict("Pages"), but I've seen at least one
+ // PDF file where the /Type entry is missing.
+ } else if (kid.isDict()) {
+- if ((start = readPageTree(kid.getDict(), attrs1, start))
+- < 0)
+- goto err2;
++ if (callDepth > MAX_CALL_DEPTH) {
++ error(-1, "Limit of %d recursive calls reached while reading the page tree.
If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH);
++ } else {
++ if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1))
++ < 0)
++ goto err2;
++ }
+ } else {
+ error(-1, "Kid object (page %d) is wrong type (%s)",
+ start+1, kid.getTypeName());
+diff -Nur poppler-0.5.4/poppler/Catalog.h poppler-0.5.4.new/poppler/Catalog.h
+--- poppler-0.5.4/poppler/Catalog.h 2006-01-23 15:43:36.000000000 +0100
++++ poppler-0.5.4.new/poppler/Catalog.h 2007-01-16 17:58:09.000000000 +0100
+@@ -193,7 +193,7 @@
+ PageMode pageMode; // page mode
+ PageLayout pageLayout; // page layout
+
+- int readPageTree(Dict *pages, PageAttrs *attrs, int start);
++ int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth);
+ Object *findDestInTree(Object *tree, GooString *name, Object *obj);
+ };
+
--- poppler-0.5.1.orig/debian/patches/101_CVE-2007-5393.patch
+++ poppler-0.5.1/debian/patches/101_CVE-2007-5393.patch
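Review bot: `callDepth` in `readPageTree` bounds how deep the recursion goes but not how much work it does: a page tree whose nodes refer back to an ancestor from more than one kid still branches at every level, so the total number of calls can become enormous long before any single branch reaches `MAX_CALL_DEPTH`. Remembering the object references already on the current path (the `kidRef` object is in scope) and refusing to descend into one seen before would stop a cycle at its first repetition. The comment above the define says sane documents stay below a depth of 10, so a limit of 1000 is far from the stated rationale and also allows a thousand stack frames of `Object` locals. When the limit is hit the code logs and moves on to the next kid rather than taking `goto err2`; if that is deliberate it should be said in a comment. The function body continues outside the hunk.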
@@ -0,0 +1,583 @@
+diff -Nur poppler-0.5.1/poppler/Stream.cc poppler-0.5.1.new/poppler/Stream.cc
+--- poppler-0.5.1/poppler/Stream.cc 2007-11-13 10:07:24.000000000 -0500
++++ poppler-0.5.1.new/poppler/Stream.cc 2007-11-13 10:07:29.000000000 -0500
+@@ -1286,20 +1286,27 @@
+ columns = columnsA;
+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
+ columns = 1;
++ } else if (columns > INT_MAX - 2) {
++ columns = INT_MAX - 2;
+ }
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+- refLine = (short *)gmallocn(columns + 4, sizeof(short));
+- codingLine = (short *)gmallocn(columns + 3, sizeof(short));
++
++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
++ // ---> max codingLine size = columns + 1
++ // refLine has one extra guard entry at the end
++ // ---> max refLine size = columns + 2
++ refLine = (int *)gmallocn(columns + 2, sizeof(int));
++ codingLine = (int *)gmallocn(columns + 1, sizeof(int));
+
+ eof = gFalse;
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+- codingLine[0] = 0;
+- codingLine[1] = refLine[2] = columns;
+- a0 = 1;
++ codingLine[0] = columns;
++ a0i = 0;
++ outputBits = 0;
+
+ buf = EOF;
+ }
+@@ -1318,9 +1325,9 @@
+ row = 0;
+ nextLine2D = encoding < 0;
+ inputBits = 0;
+- codingLine[0] = 0;
+- codingLine[1] = refLine[2] = columns;
+- a0 = 1;
++ codingLine[0] = columns;
++ a0i = 0;
++ outputBits = 0;
+ buf = EOF;
+
+ // skip any initial zero bits and end-of-line marker, and get the 2D
+@@ -1337,165 +1344,230 @@
+ }
+ }
+
++inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
++ if (a1 > codingLine[a0i]) {
++ if (a1 > columns) {
++ error(getPos(), "CCITTFax row is wrong length (%d)",
a1);
++ err = gTrue;
++ a1 = columns;
++ }
++ if ((a0i & 1) ^ blackPixels) {
++ ++a0i;
++ }
++ codingLine[a0i] = a1;
++ }
++}
++
++inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
++ if (a1 > codingLine[a0i]) {
++ if (a1 > columns) {
++ error(getPos(), "CCITTFax row is wrong length (%d)", a1);
++ err = gTrue;
++ a1 = columns;
++ }
++ if ((a0i & 1) ^ blackPixels) {
++ ++a0i;
++ }
++ codingLine[a0i] = a1;
++ } else if (a1 < codingLine[a0i]) {
++ if (a1 < 0) {
++ error(getPos(), "Invalid CCITTFax code");
++ err = gTrue;
++ a1 = 0;
++ }
++ while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
++ --a0i;
++ }
++ codingLine[a0i] = a1;
++ }
++}
++
+ int CCITTFaxStream::lookChar() {
+ short code1, code2, code3;
+- int a0New;
+- GBool err, gotEOL;
+- int ret;
+- int bits, i;
+-
+- // if at eof just return EOF
+- if (eof && codingLine[a0] >= columns) {
+- return EOF;
++ int b1i, blackPixels, i, bits;
++ GBool gotEOL;
++
++ if (buf != EOF) {
++ return buf;
+ }
+
+ // read the next row
+- err = gFalse;
+- if (codingLine[a0] >= columns) {
++ if (outputBits == 0) {
++
++ // if at eof just return EOF
++ if (eof) {
++ return EOF;
++ }
++
++ err = gFalse;
+
+ // 2-D encoding
+ if (nextLine2D) {
+ for (i = 0; codingLine[i] < columns; ++i)
+ refLine[i] = codingLine[i];
+- refLine[i] = refLine[i + 1] = columns;
+- b1 = 1;
+- a0New = codingLine[a0 = 0] = 0;
+- do {
++
++ refLine[i++] = columns;
++ refLine[i] = columns;
++ codingLine[0] = 0;
++ a0i = 0;
++ b1i = 0;
++ blackPixels = 0;
++ // invariant:
++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
++ // <= columns
++ // exception at left edge:
++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
++ // exception at right edge:
++ // refLine[b1i] = refLine[b1i+1] = columns is possible
++ while (codingLine[a0i] < columns) {
+ code1 = getTwoDimCode();
+ switch (code1) {
+ case twoDimPass:
+- if (refLine[b1] < columns) {
+- a0New = refLine[b1 + 1];
+- b1 += 2;
++ addPixels(refLine[b1i + 1], blackPixels);
++ if (refLine[b1i + 1] < columns) {
++ b1i += 2;
+ }
+ break;
+ case twoDimHoriz:
+- if ((a0 & 1) == 0) {
+- code1 = code2 = 0;
++ code1 = code2 = 0;
++ if (blackPixels) {
+ do {
+- code1 += code3 = getWhiteCode();
++ code1 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ do {
+- code2 += code3
= getBlackCode();
++ code2 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ } else {
+- code1 = code2 = 0;
+ do {
+- code1 += code3 = getBlackCode();
++ code1 += code3 = getWhiteCode();
+ } while (code3 >= 64);
+ do {
+- code2 += code3 = getWhiteCode();
++ code2 += code3 = getBlackCode();
+ } while (code3 >= 64);
+ }
+- if (code1 > 0 || code2 > 0) {
+- codingLine[a0 + 1] = a0New + code1;
+- ++a0;
+- a0New = codingLine[a0 + 1] = codingLine[a0] + code2;
+- ++a0;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ addPixels(codingLine[a0i] + code1, blackPixels);
++ if (codingLine[a0i] < columns) {
++ addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
+ }
+ break;
+- case twoDimVert0:
+- a0New = codingLine[++a0] = refLine[b1];
+- if (refLine[b1] < columns) {
+- ++b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertR3:
++ addPixels(refLine[b1i] + 3, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertR1:
+- a0New = codingLine[++a0] = refLine[b1] + 1;
+- if (refLine[b1] < columns) {
+- ++b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertR2:
++ addPixels(refLine[b1i] + 2, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertL1:
+- if (a0 == 0 || refLine[b1] - 1 > a0New) {
+- a0New = codingLine[++a0] = refLine[b1] - 1;
+- --b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertR1:
++ addPixels(refLine[b1i] + 1, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <=
codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertR2:
+- a0New = codingLine[++a0] = refLine[b1] + 2;
+- if (refLine[b1] < columns) {
+- ++b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVert0:
++ addPixels(refLine[b1i], blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ ++b1i;
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertL2:
+- if (a0 == 0 || refLine[b1] - 2 > a0New) {
+- a0New = codingLine[++a0] = refLine[b1] - 2;
+- --b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertL3:
++ addPixelsNeg(refLine[b1i] - 3, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertR3:
+- a0New = codingLine[++a0] = refLine[b1] + 3;
+- if (refLine[b1] < columns) {
+- ++b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertL2:
++ addPixelsNeg(refLine[b1i] - 2, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+- case twoDimVertL3:
+- if (a0 == 0 || refLine[b1] - 3 > a0New) {
+- a0New = codingLine[++a0] = refLine[b1] - 3;
+- --b1;
+- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+- b1 += 2;
++ case twoDimVertL1:
++ addPixelsNeg(refLine[b1i] - 1, blackPixels);
++ blackPixels ^= 1;
++ if (codingLine[a0i] < columns) {
++ if (b1i > 0) {
++ --b1i;
++ } else {
++ ++b1i;
++ }
++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ b1i += 2;
++ }
+ }
+ break;
+ case EOF:
++ addPixels(columns, 0);
+ eof = gTrue;
+-
codingLine[a0 = 0] = columns;
+- return EOF;
++ break;
+ default:
+ error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
++ addPixels(columns, 0);
+ err = gTrue;
+ break;
+ }
+- } while (codingLine[a0] < columns);
++ }
+
+ // 1-D encoding
+ } else {
+- codingLine[a0 = 0] = 0;
+- while (1) {
++ codingLine[0] = 0;
++ a0i = 0;
++ blackPixels = 0;
++ while (codingLine[a0i] < columns) {
+ code1 = 0;
+- do {
+- code1 += code3 = getWhiteCode();
+- } while (code3 >= 64);
+- codingLine[a0+1] = codingLine[a0] + code1;
+- ++a0;
+- if (codingLine[a0] >= columns)
+- break;
+- code2 = 0;
+- do {
+- code2 += code3 = getBlackCode();
+- } while (code3 >= 64);
+- codingLine[a0+1] = codingLine[a0] + code2;
+- ++a0;
+- if (codingLine[a0] >= columns)
+- break;
++ if (blackPixels) {
++ do {
++ code1 += code3 = getBlackCode();
++ } while (code3 >= 64);
++ } else {
++ do {
++ code1 += code3 = getWhiteCode();
++ } while (code3 >= 64);
++ }
++ addPixels(codingLine[a0i] + code1, blackPixels);
++ blackPixels ^= 1;
+ }
+ }
+
+- if (codingLine[a0] != columns) {
+- error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]);
+- // force the row to be the correct length
+- while (codingLine[a0] > columns) {
+- --a0;
+- }
+- codingLine[++a0] = columns;
+- err = gTrue;
+- }
+-
+ // byte-align the row
+ if (byteAlign) {
+ inputBits &= ~7;
+@@ -1554,14 +1626,17 @@
+ // this if we know the stream contains end-of-line markers because
+ // the "just plow on" technique tends to work better otherwise
+ } else if (err && endOfLine) {
+- do {
++ while (1) {
++ code1 = lookBits(13);
+ if (code1 == EOF) {
+ eof = gTrue;
+ return EOF;
+ }
++ if ((code1 >> 1) == 0x001) {
++ break;
++ }
+ eatBits(1);
+- code1 = lookBits(13);
+- } while ((code1 >> 1) != 0x001);
++ }
+ eatBits(12);
+ if (encoding > 0) {
+ eatBits(1);
+@@ -1569,11 +1644,11 @@
+ }
+ }
+
+- a0 = 0;
+- outputBits = codingLine[1] - codingLine[0];
+- if (outputBits == 0) {
+- a0 = 1;
+- outputBits = codingLine[2] - codingLine[1];
++
// set up for output
++ if (codingLine[0] > 0) {
++ outputBits = codingLine[a0i = 0];
++ } else {
++ outputBits = codingLine[a0i = 1];
+ }
+
+ ++row;
+@@ -1581,39 +1656,43 @@
+
+ // get a byte
+ if (outputBits >= 8) {
+- ret = ((a0 & 1) == 0) ? 0xff : 0x00;
+- if ((outputBits -= 8) == 0) {
+- ++a0;
+- if (codingLine[a0] < columns) {
+- outputBits = codingLine[a0 + 1] - codingLine[a0];
+- }
++ buf = (a0i & 1) ? 0x00 : 0xff;
++ outputBits -= 8;
++ if (outputBits == 0 && codingLine[a0i] < columns) {
++ ++a0i;
++ outputBits = codingLine[a0i] - codingLine[a0i - 1];
+ }
+ } else {
+ bits = 8;
+- ret = 0;
++ buf = 0;
+ do {
+ if (outputBits > bits) {
+- i = bits;
+- bits = 0;
+- if ((a0 & 1) == 0) {
+- ret |= 0xff >> (8 - i);
++ buf <<= bits;
++ if (!(a0i & 1)) {
++ buf |= 0xff >> (8 - bits);
+ }
+- outputBits -= i;
++ outputBits -= bits;
++ bits = 0;
+ } else {
+- i = outputBits;
+- bits -= outputBits;
+- if ((a0 & 1) == 0) {
+- ret |= (0xff >> (8 - i)) << bits;
++ buf <<= outputBits;
++ if (!(a0i & 1)) {
++ buf |= 0xff >> (8 - outputBits);
+ }
++ bits -= outputBits;
+ outputBits = 0;
+- ++a0;
+- if (codingLine[a0] < columns) {
+- outputBits = codingLine[a0 + 1] - codingLine[a0];
++ if (codingLine[a0i] < columns) {
++ ++a0i;
++ outputBits = codingLine[a0i] - codingLine[a0i - 1];
++ } else if (bits > 0) {
++ buf <<= bits;
++ bits = 0;
+ }
+ }
+- } while (bits > 0 && codingLine[a0] < columns);
++ } while (bits);
++ }
++ if (black) {
++ buf ^= 0xff;
+ }
+- buf = black ?
(ret ^ 0xff) : ret;
+ return buf;
+ }
+
+@@ -1655,6 +1734,9 @@
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(12);
++ if (code == EOF) {
++ return 1;
++ }
+ if ((code >> 5) == 0) {
+ p = &whiteTab1[code];
+ } else {
+@@ -1667,6 +1749,9 @@
+ } else {
+ for (n = 1; n <= 9; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 9) {
+ code <<= 9 - n;
+ }
+@@ -1678,6 +1763,9 @@
+ }
+ for (n = 11; n <= 12; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+@@ -1703,9 +1791,12 @@
+ code = 0; // make gcc happy
+ if (endOfBlock) {
+ code = lookBits(13);
++ if (code == EOF) {
++ return 1;
++ }
+ if ((code >> 7) == 0) {
+ p = &blackTab1[code];
+- } else if ((code >> 9) == 0) {
++ } else if ((code >> 9) == 0 && (code >> 7) != 0) {
+ p = &blackTab2[(code >> 1) - 64];
+ } else {
+ p = &blackTab3[code >> 7];
+@@ -1717,6 +1808,9 @@
+ } else {
+ for (n = 2; n <= 6; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 6) {
+ code <<= 6 - n;
+ }
+@@ -1728,6 +1822,9 @@
+ }
+ for (n = 7; n <= 12; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 12) {
+ code <<= 12 - n;
+ }
+@@ -1741,6 +1838,9 @@
+ }
+ for (n = 10; n <= 13; ++n) {
+ code = lookBits(n);
++ if (code == EOF) {
++ return 1;
++ }
+ if (n < 13) {
+ code <<= 13 - n;
+ }
+diff -Nur poppler-0.5.1/poppler/Stream.h poppler-0.5.1.new/poppler/Stream.h
+--- poppler-0.5.1/poppler/Stream.h 2006-02-28 14:34:46.000000000 -0500
++++ poppler-0.5.1.new/poppler/Stream.h 2007-11-13 10:07:29.000000000 -0500
+@@ -517,13 +517,15 @@
+ int row; // current row
+ int inputBuf; // input buffer
+ int inputBits; // number of bits in input buffer
+- short *refLine; // reference line changing elements
+- int b1; // index into refLine
+- short *codingLine; // coding line changing elements
+- int a0; // index into codingLine
++ int *codingLine; // coding line changing elements
++ int *refLine; //
reference line changing elements
++ int a0i; // index into codingLine
++ GBool err; // error on current line
+ int outputBits; // remaining ouput bits
+ int buf; // character buffer
+
++ void addPixels(int a1, int black);
++ void addPixelsNeg(int a1, int black);
+ short getTwoDimCode();
+ short getWhiteCode();
+ short getBlackCode();
--- poppler-0.5.1.orig/debian/patches/107_security_CVE-2010-3704.patch
+++ poppler-0.5.1/debian/patches/107_security_CVE-2010-3704.patch
@@ -0,0 +1,17 @@
+Description: fix possible arbitrary code execution via malformed PDF
+Origin: backport, http://cgit.freedesktop.org/poppler/poppler/commit/?id=39d140bfc0b8239bdd96d6a55842034ae5c05473
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599165
+
+diff -Nur -x '*.orig' -x '*~' poppler-0.5.1//fofi/FoFiType1.cc poppler-0.5.1.new//fofi/FoFiType1.cc
+--- poppler-0.5.1//fofi/FoFiType1.cc 2005-10-05 11:47:16.000000000 -0400
++++ poppler-0.5.1.new//fofi/FoFiType1.cc 2010-10-13 16:44:25.000000000 -0400
+@@ -178,7 +178,8 @@
+ if (*p2) {
+ c = *p2;
+ *p2 = '\0';
+- if ((code = atoi(p)) < 256) {
++ code = atoi(p);
++ if (code < 256 && code >= 0) {
+ *p2 = c;
+ for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
+ if (*p == '/') {
--- poppler-0.5.1.orig/debian/patches/000_splash_build_fix.patch
+++ poppler-0.5.1/debian/patches/000_splash_build_fix.patch
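Review bot: The CCITTFaxStream constructor hunk keeps `columns + 3 < 1 || columns + 4 < 1` as the first test, and those additions overflow a signed int for exactly the values the new `else if (columns > INT_MAX - 2)` branch is meant to catch. Signed overflow is undefined, so the compiler may drop the first test, or the clamp may never be reached. Testing the range without arithmetic avoids both: `if (columns < 1) { columns = 1; } else if (columns > INT_MAX - 2) { columns = INT_MAX - 2; }`. Separately, `getWhiteCode` and `getBlackCode` now `return 1;` on EOF with no comment; a line such as `// EOF: return a run length of 1 so decoding still advances` would explain the value (that reading is inferred from how `addPixels` uses the result, not stated in the patch). `addPixels` also repeats the first branch of `addPixelsNeg` verbatim and could share it.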
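Review bot: `atoi(p)` in the FoFiType1.cc hunk cannot report failure: a token with no digits yields 0, which passes the new `code >= 0` test and is accepted as code 0, and a value that does not fit in an int has undefined behaviour. `strtol` with an end pointer makes both cases detectable, e.g. `long v = strtol(p, &end, 10);` followed by `if (end != p && v >= 0 && v < 256) {` with `code = (int)v;` inside, where `end` is a new `char *` local. The enclosing loop starts and ends outside the hunk.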
@@ -0,0 +1,19 @@
+diff -Nur poppler-0.5.1/glib/Makefile.in poppler-0.5.1.new/glib/Makefile.in
+--- poppler-0.5.1/glib/Makefile.in 2006-02-28 22:51:30.000000000 +0000
++++ poppler-0.5.1.new/glib/Makefile.in 2006-03-06 19:06:55.000000000 +0000
+@@ -66,7 +66,6 @@
+ @BUILD_CAIRO_OUTPUT_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
+ libpoppler_glib_la_DEPENDENCIES = \
+ $(top_builddir)/poppler/libpoppler.la \
+- $(top_builddir)/poppler/libpoppler-cairo.la \
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_2)
+ am__objects_1 = poppler-enums.lo
+@@ -307,7 +306,6 @@
+
+ libpoppler_glib_la_LIBADD = \
+ $(top_builddir)/poppler/libpoppler.la \
+- $(top_builddir)/poppler/libpoppler-cairo.la \
+ $(POPPLER_GLIB_LIBS) \
+ $(FREETYPE_LIBS) \
+ $(cairo_libs)
--- poppler-0.5.1.orig/debian/patches/101_CVE-2007-5392.patch
+++ poppler-0.5.1/debian/patches/101_CVE-2007-5392.patch
@@ -0,0 +1,16 @@
+diff -Nur poppler-0.5.1/poppler/Stream.cc poppler-0.5.1.new/poppler/Stream.cc
+--- poppler-0.5.1/poppler/Stream.cc 2007-11-13 10:07:04.000000000 -0500
++++ poppler-0.5.1.new/poppler/Stream.cc 2007-11-13 10:07:16.000000000 -0500
+@@ -1965,6 +1965,12 @@
+ // allocate a buffer for the whole image
+ bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
+ bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
++ if (bufWidth <= 0 || bufHeight <= 0 ||
++ bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
++ error(getPos(), "Invalid image size in DCT stream");
++ y = height;
++ return;
++ }
+ for (i = 0; i < numComps; ++i) {
+ frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
+ memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));
--- poppler-0.5.1.orig/debian/patches/000_incorrect_define_fix.patch
+++ poppler-0.5.1/debian/patches/000_incorrect_define_fix.patch
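Review bot: The overflow test in the DCT stream hunk divides by `bufWidth` twice, so `bufHeight` never takes part in it: `bufWidth > INT_MAX / bufWidth / (int)sizeof(int)` bounds only the square of the width, and a narrow but very tall image still overflows `bufWidth * bufHeight` in the `gmallocn` and `memset` calls just below. The second line of the condition should be `bufWidth > INT_MAX / bufHeight / (int)sizeof(int)) {`. The rounding expressions above it, `width + mcuWidth - 1` and `height + mcuHeight - 1`, are evaluated before any check and can themselves overflow for dimensions near `INT_MAX`; the `<= 0` tests catch that only if the overflow happens to wrap negative. The function body starts and ends outside the hunk.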
@@ -0,0 +1,24 @@
+===================================================================
+RCS file: /srv/anoncvs.freedesktop.org/cvs/poppler/poppler/poppler/Page.cc,v
+rcsdiff: /srv/anoncvs.freedesktop.org/cvs/poppler/poppler/poppler/Page.cc,v: warning: Unknown phrases like `commitid ...;' are present.
+retrieving revision 1.11
+retrieving revision 1.12
+diff -u -r1.11 -r1.12
+--- Page.cc 2006/01/18 22:32:13 1.11
++++ poppler/Page.cc 2006/03/16 22:04:56 1.12
+@@ -391,7 +391,6 @@
+ // draw non-link annotations
+ annotList = new Annots(xref, catalog, annots.fetch(xref, &obj));
+ obj.free();
+-#ifdef USE_ANNOTS_VIEW
+ if (annotList->getNumAnnots() > 0) {
+ if (globalParams->getPrintCommands()) {
+ printf("***** Annotations\n");
+@@ -405,7 +404,6 @@
+ }
+ out->dump();
+ }
+-#endif
+ delete annotList;
+
+ delete gfx;
--- poppler-0.5.1.orig/debian/patches/001_jpxstream_int_crash.patch
+++ poppler-0.5.1/debian/patches/001_jpxstream_int_crash.patch
@@ -0,0 +1,12 @@
+diff -Nur poppler-0.5.0/poppler/JPXStream.h poppler-0.5.0.new/poppler/JPXStream.h
+--- poppler-0.5.0/poppler/JPXStream.h 2005-09-07 04:34:40.000000000 +0200
++++ poppler-0.5.0.new/poppler/JPXStream.h 2006-01-19 23:22:00.000000000 +0100
+@@ -211,7 +211,7 @@
+
+ //----- computed
+ Guint x0, y0, x1, y1; // bounds of the tile-comp, in ref coords
+- Guint cbW; // code-block width
++ int cbW; // code-block width
+ Guint cbH; // code-block height
+
+ //----- image data
--- poppler-0.5.1.orig/debian/patches/003_refcount.patch
+++ poppler-0.5.1/debian/patches/003_refcount.patch
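Review bot: In the JPXStream.h hunk only cbW becomes `int`; cbH on the next line and the x0/y0/x1/y1 bounds above stay `Guint`, and the comment does not say why the width alone must be signed. Any expression that mixes cbW with those unsigned fields is still evaluated as unsigned under the usual arithmetic conversions, so the change may not cover every use (the uses are outside this hunk). I would either change cbH the same way or record the reason on the declaration, e.g. `int cbW; // code-block width (signed: <reason>)`.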
@@ -0,0 +1,139 @@ +diff -Nur poppler-0.5.1/glib/poppler-page.cc poppler-0.5.1.new/glib/poppler-page.cc +--- poppler-0.5.1/glib/poppler-page.cc 2006-02-28 18:54:58.000000000 +0100 ++++ poppler-0.5.1.new/glib/poppler-page.cc 2006-04-28 16:13:11.000000000 +0200 +@@ -277,7 +277,7 @@ + dst += pixbuf_n_channels; + } + } +- delete pixel; ++ delete [] pixel; + } + + #endif +diff -Nur poppler-0.5.1/poppler/Gfx.cc poppler-0.5.1.new/poppler/Gfx.cc +--- poppler-0.5.1/poppler/Gfx.cc 2006-02-25 21:53:34.000000000 +0100 ++++ poppler-0.5.1.new/poppler/Gfx.cc 2006-04-28 16:13:11.000000000 +0200 +@@ -2523,6 +2523,8 @@ + args[1].getNum()); + fflush(stdout); + } ++ ++ font->incRefCnt(); + state->setFont(font, args[1].getNum()); + fontChanged = gTrue; + } +diff -Nur poppler-0.5.1/poppler/GfxFont.cc poppler-0.5.1.new/poppler/GfxFont.cc +--- poppler-0.5.1/poppler/GfxFont.cc 2006-02-25 21:53:34.000000000 +0100 ++++ poppler-0.5.1.new/poppler/GfxFont.cc 2006-04-28 16:13:11.000000000 +0200 +@@ -148,6 +148,7 @@ + family = NULL; + stretch = StretchNotDefined; + weight = WeightNotDefined; ++ refCnt = 1; + } + + GfxFont::~GfxFont() { +@@ -167,6 +168,15 @@ + } + } + ++void GfxFont::incRefCnt() { ++ refCnt++; ++} ++ ++void GfxFont::decRefCnt() { ++ if (--refCnt == 0) ++ delete this; ++} ++ + void GfxFont::readFontDescriptor(XRef *xref, Dict *fontDict) { + Object obj1, obj2, obj3, obj4; + double t; +@@ -457,6 +467,7 @@ + Object obj1, obj2, obj3; + int n, i, a, b, m; + ++ refCnt = 1; + type = typeA; + ctu = NULL; + +@@ -1108,6 +1119,7 @@ + int c1, c2; + int excepsSize, i, j, k, n; + ++ refCnt = 1; + ascent = 0.95; + descent = -0.35; + fontBBox[0] = fontBBox[1] = fontBBox[2] = fontBBox[3] = 0; +@@ -1620,7 +1632,7 @@ + + for (i = 0; i < numFonts; ++i) { + if (fonts[i]) { +- delete fonts[i]; ++ fonts[i]->decRefCnt(); + } + } + gfree(fonts); +diff -Nur poppler-0.5.1/poppler/GfxFont.h poppler-0.5.1.new/poppler/GfxFont.h +--- poppler-0.5.1/poppler/GfxFont.h 2006-02-25 21:53:34.000000000 +0100 ++++ 
poppler-0.5.1.new/poppler/GfxFont.h 2006-04-28 16:13:11.000000000 +0200 +@@ -115,6 +115,9 @@ + + GBool isOk() { return ok; } + ++ void incRefCnt(); ++ void decRefCnt(); ++ + // Get font tag. + GooString *getTag() { return tag; } + +@@ -215,6 +218,7 @@ + double missingWidth; // "default" width + double ascent; // max height above baseline + double descent; // max depth below baseline ++ int refCnt; + GBool ok; + }; + +diff -Nur poppler-0.5.1/poppler/GfxState.cc poppler-0.5.1.new/poppler/GfxState.cc +--- poppler-0.5.1/poppler/GfxState.cc 2006-02-25 21:53:34.000000000 +0100 ++++ poppler-0.5.1.new/poppler/GfxState.cc 2006-04-28 16:13:11.000000000 +0200 +@@ -21,6 +21,7 @@ + #include "Array.h" + #include "Page.h" + #include "GfxState.h" ++#include "GfxFont.h" + #include "UGooString.h" + + //------------------------------------------------------------------------ +@@ -3849,6 +3850,9 @@ + if (saved) { + delete saved; + } ++ if (font) { ++ font->decRefCnt(); ++ } + } + + // Used for copy(); +@@ -3870,6 +3874,9 @@ + lineDash = (double *)gmallocn(lineDashLength, sizeof(double)); + memcpy(lineDash, state->lineDash, lineDashLength * sizeof(double)); + } ++ if (font) ++ font->incRefCnt(); ++ + saved = NULL; + } + +diff -Nur poppler-0.5.1/poppler/TextOutputDev.cc poppler-0.5.1.new/poppler/TextOutputDev.cc +--- poppler-0.5.1/poppler/TextOutputDev.cc 2005-12-21 23:23:41.000000000 +0100 ++++ poppler-0.5.1.new/poppler/TextOutputDev.cc 2006-04-28 16:13:11.000000000 +0200 +@@ -3359,6 +3359,7 @@ + + state->setFillColor(glyph_color); + out->updateFillColor(state); ++ word->font->gfxFont->incRefCnt(); + state->setFont(word->font->gfxFont, word->fontSize); + out->updateFont(state); + --- poppler-0.5.1.orig/debian/patches/104_security_CVE-2009-3605.patch +++ poppler-0.5.1/debian/patches/104_security_CVE-2009-3605.patch 
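Review bot: Both setFont call sites (Gfx.cc and TextOutputDev.cc) have to call `incRefCnt()` by hand just before `state->setFont(...)`, so the ownership rule lives in the callers, and any call site this patch missed hands GfxState a reference it does not own, which ~GfxState then releases. GfxState::setFont itself is outside the patch; if it does not call decRefCnt() on the font it replaces, every font change leaks a reference. Taking the reference inside setFont, next to the release of the previous font, would keep the pairing in one place. ~GfxFont also appears to stay publicly callable, so a remaining `delete` on a font elsewhere would bypass the count; a protected destructor would turn that into a compile error. At minimum the new GfxFont.h declarations need a comment such as `// Reference counting: a new font starts at 1; decRefCnt() deletes it at 0.`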
@@ -0,0 +1,381 @@ +# +# Description: fix unsafe malloc usage +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb22f812b31858e519411f57747d39bd8 +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=0131f0a01cba8691d10a18de1137a4744988b346 +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=7b2d314a61fd0e12f47c62996cb49ec0d1ba747a +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=284a92899602daa4a7f429e61849e794569310b5 +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=5d328282da4713356fbe4283bd992ac2fc9010a2 +# +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/glib/poppler-page.cc poppler-0.5.1.new/glib/poppler-page.cc +--- poppler-0.5.1/glib/poppler-page.cc 2009-10-22 10:30:20.000000000 -0400 ++++ poppler-0.5.1.new/glib/poppler-page.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -154,7 +154,7 @@ + + output_dev = page->document->output_dev; + cairo_rowstride = cairo_width * 4; +- cairo_data = (guchar *) gmalloc (cairo_height * cairo_rowstride); ++ cairo_data = (guchar *) gmallocn (cairo_height, cairo_rowstride); + if (transparent) + memset (cairo_data, 0x00, cairo_height * cairo_rowstride); + else +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/goo/gmem.c poppler-0.5.1.new/goo/gmem.c +--- poppler-0.5.1/goo/gmem.c 2006-02-28 14:34:46.000000000 -0500 ++++ poppler-0.5.1.new/goo/gmem.c 2009-10-22 10:32:57.000000000 -0400 +@@ -55,7 +55,7 @@ + + #endif /* DEBUG_MEM */ + +-void *gmalloc(size_t size) { ++void *gmalloc(int size) { + #ifdef DEBUG_MEM + size_t size1; + char *mem; +@@ -97,7 +97,7 @@ + #endif + } + +-void *grealloc(void *p, size_t size) { ++void *grealloc(void *p, int size) { + #ifdef DEBUG_MEM + GMemHdr *hdr; + void *q; +@@ -141,19 +141,51 @@ + void *gmallocn(int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ return NULL; ++ } + n = nObjs * objSize; +- if (objSize == 0 || n / objSize != nObjs) { ++ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus 
memory allocation size\n"); + exit(1); + } + return gmalloc(n); + } + ++void *gmallocn_checkoverflow(int nObjs, int objSize) { ++ int n; ++ ++ if (nObjs == 0) { ++ return NULL; ++ } ++ n = nObjs * objSize; ++ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ return NULL; ++ } ++ return gmalloc(n); ++} ++ ++void *gmallocn3(int a, int b, int c) { ++ int n = a * b; ++ if (b <= 0 || a < 0 || a >= INT_MAX / b) { ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ exit(1); ++ } ++ return gmallocn(n, c); ++} ++ + void *greallocn(void *p, int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ if (p) { ++ gfree(p); ++ } ++ return NULL; ++ } + n = nObjs * objSize; +- if (objSize == 0 || n / objSize != nObjs) { ++ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/goo/gmem.h poppler-0.5.1.new/goo/gmem.h +--- poppler-0.5.1/goo/gmem.h 2005-08-29 11:24:00.000000000 -0400 ++++ poppler-0.5.1.new/goo/gmem.h 2009-10-22 10:33:19.000000000 -0400 +@@ -19,13 +19,13 @@ + * Same as malloc, but prints error message and exits if malloc() + * returns NULL. + */ +-extern void *gmalloc(size_t size); ++extern void *gmalloc(int size); + + /* + * Same as realloc, but prints error message and exits if realloc() + * returns NULL. If
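Review bot: In gmallocn, gmallocn_checkoverflow, gmallocn3 and greallocn the product (`n = nObjs * objSize;`, `int n = a * b;`) is computed before the range test that is meant to reject it, and signed int overflow is undefined behaviour, so a compiler may assume it never happens. The new test no longer depends on n, so the multiplication can move below it: run `if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize)` first and assign `n = nObjs * objSize;` only after it passes. The new early `return NULL` for nObjs == 0 also changes the contract: callers in this same patch that index the result unconditionally, for example `data[h * line] = 0;` in JBIG2Stream.cc, would write through NULL when the count is zero unless an earlier check outside the hunk rules that out. INT_MAX needs <limits.h>, which the hunk does not show being included.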

is NULL, calls malloc instead of realloc(). + */ +-extern void *grealloc(void *p, size_t size); ++extern void *grealloc(void *p, int size); + + /* + * These are similar to gmalloc and grealloc, but take an object count +@@ -34,6 +34,8 @@ + * doesn't overflow an int. + */ + extern void *gmallocn(int nObjs, int objSize); ++extern void *gmallocn_checkoverflow(int nObjs, int objSize); ++extern void *gmallocn3(int a, int b, int c); + extern void *greallocn(void *p, int nObjs, int objSize); + + /* +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/ArthurOutputDev.cc poppler-0.5.1.new/poppler/ArthurOutputDev.cc +--- poppler-0.5.1/poppler/ArthurOutputDev.cc 2006-02-25 15:53:34.000000000 -0500 ++++ poppler-0.5.1.new/poppler/ArthurOutputDev.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -682,7 +682,7 @@ + QMatrix matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? 
*/ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/CairoOutputDev.cc poppler-0.5.1.new/poppler/CairoOutputDev.cc +--- poppler-0.5.1/poppler/CairoOutputDev.cc 2009-10-22 10:30:20.000000000 -0400 ++++ poppler-0.5.1.new/poppler/CairoOutputDev.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -366,7 +366,7 @@ + if (needFontUpdate) + updateFont(state); + +- glyphs = (cairo_glyph_t *) gmalloc (len * sizeof (cairo_glyph_t)); ++ glyphs = (cairo_glyph_t *) gmallocn (len, sizeof (cairo_glyph_t)); + glyphCount = 0; + } + +@@ -502,7 +502,7 @@ + } + + row_stride = (width + 3) & ~3; +- buffer = (unsigned char *) malloc (height * row_stride); ++ buffer = (unsigned char *) gmallocn (height, row_stride); + if (buffer == NULL) { + error(-1, "Unable to allocate memory for image."); + return; +@@ -567,7 +567,7 @@ + + int row_stride = (maskWidth + 3) & ~3; + unsigned char *maskBuffer; +- maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight); ++ maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight); + unsigned char *maskDest; + cairo_surface_t *maskImage; + cairo_pattern_t *maskPattern; +@@ -596,7 +596,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +@@ -671,7 +671,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmallocn (width, height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? 
*/ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/GfxState.cc poppler-0.5.1.new/poppler/GfxState.cc +--- poppler-0.5.1/poppler/GfxState.cc 2009-10-22 10:30:20.000000000 -0400 ++++ poppler-0.5.1.new/poppler/GfxState.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -1124,7 +1124,7 @@ + int i, j, n; + + n = base->getNComps(); +- line = (Guchar *) gmalloc (length * n); ++ line = (Guchar *) gmallocn (length, n); + for (i = 0; i < length; i++) + for (j = 0; j < n; j++) + line[i * n + j] = lookup[in[i] * n + j]; +@@ -3312,7 +3312,7 @@ + nComps2 = colorSpace2->getNComps(); + lookup2 = indexedCS->getLookup(); + colorSpace2->getDefaultRanges(x, y, indexHigh); +- byte_lookup = (Guchar *)gmalloc ((maxPixel + 1) * nComps2); ++ byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps2); + for (k = 0; k < nComps2; ++k) { + lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1, + sizeof(GfxColorComp)); +@@ -3462,7 +3462,7 @@ + switch (colorSpace->getMode()) { + case csIndexed: + case csSeparation: +- tmp_line = (Guchar *) gmalloc (length * nComps2); ++ tmp_line = (Guchar *) gmallocn (length, nComps2); + for (i = 0; i < length; i++) { + for (j = 0; j < nComps2; j++) { + tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j]; +@@ -3495,7 +3495,7 @@ + switch (colorSpace->getMode()) { + case csIndexed: + case csSeparation: +- tmp_line = (Guchar *) gmalloc (length * nComps2); ++ tmp_line = (Guchar *) gmallocn (length, nComps2); + for (i = 0; i < length; i++) { + for (j = 0; j < nComps2; j++) { + tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j]; +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/JBIG2Stream.cc poppler-0.5.1.new/poppler/JBIG2Stream.cc +--- poppler-0.5.1/poppler/JBIG2Stream.cc 2009-10-22 10:30:20.000000000 -0400 ++++ poppler-0.5.1.new/poppler/JBIG2Stream.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -693,7 +693,7 @@ + return; + } + // need to allocate one extra guard byte for use in combine() +- data = (Guchar 
*)gmalloc(h * line + 1); ++ data = (Guchar *)gmallocn(h, line + 1); + data[h * line] = 0; + } + +@@ -710,7 +710,7 @@ + return; + } + // need to allocate one extra guard byte for use in combine() +- data = (Guchar *)gmalloc(h * line + 1); ++ data = (Guchar *)gmallocn(h, line + 1); + memcpy(data, bitmap->data, h * line); + data[h * line] = 0; + } +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/PSOutputDev.cc poppler-0.5.1.new/poppler/PSOutputDev.cc +--- poppler-0.5.1/poppler/PSOutputDev.cc 2006-02-28 13:20:37.000000000 -0500 ++++ poppler-0.5.1.new/poppler/PSOutputDev.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -2111,7 +2111,7 @@ + if ((ffTT = FoFiTrueType::load(fileName->getCString(), faceIndex))) { + int n = ((GfxCIDFont *)font)->getCIDToGIDLen(); + if (n) { +- codeToGID = (Gushort *)gmalloc(n * sizeof(Gushort)); ++ codeToGID = (Gushort *)gmallocn(n, sizeof(Gushort)); + memcpy(codeToGID, ((GfxCIDFont *)font)->getCIDToGID(), n * sizeof(Gushort)); + } else { + codeToGID = ((GfxCIDFont *)font)->getCodeToGIDMap(ffTT, &n); +@@ -3630,7 +3630,7 @@ + width, -height, height); + + // allocate a line buffer +- lineBuf = (Guchar *)gmalloc(4 * width); ++ lineBuf = (Guchar *)gmallocn(width, 4); + + // set up to process the data stream + imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/SplashOutputDev.cc poppler-0.5.1.new/poppler/SplashOutputDev.cc +--- poppler-0.5.1/poppler/SplashOutputDev.cc 2006-02-25 15:53:35.000000000 -0500 ++++ poppler-0.5.1.new/poppler/SplashOutputDev.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -1929,7 +1929,7 @@ + } + break; + case splashModeRGB8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -1939,7 +1939,7 @@ + } + break; + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 
3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -1950,7 +1950,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +@@ -2207,7 +2207,7 @@ + } + break; + case splashModeRGB8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2217,7 +2217,7 @@ + } + break; + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2228,7 +2228,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +@@ -2365,7 +2365,7 @@ + } + break; + case splashModeRGB8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2375,7 +2375,7 @@ + } + break; + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2386,7 +2386,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/Splash.cc poppler-0.5.1.new/splash/Splash.cc +--- poppler-0.5.1/splash/Splash.cc 2009-10-22 10:30:20.000000000 -0400 
++++ poppler-0.5.1.new/splash/Splash.cc 2009-10-22 10:30:39.000000000 -0400 +@@ -2461,7 +2461,7 @@ + xq = w % scaledWidth; + + // allocate pixel buffer +- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w); ++ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w); + + // init y scale Bresenham + yt = 0; +@@ -2782,7 +2782,7 @@ + xq = w % scaledWidth; + + // allocate pixel buffer +- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps); ++ pixBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps); + + pixAcc0 = pixAcc1 = pixAcc2 = 0; // make gcc happy + #if SPLASH_CMYK +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/SplashFTFont.cc poppler-0.5.1.new/splash/SplashFTFont.cc +--- poppler-0.5.1/splash/SplashFTFont.cc 2006-01-23 09:42:27.000000000 -0500 ++++ poppler-0.5.1.new/splash/SplashFTFont.cc 2009-10-22 10:32:02.000000000 -0400 +@@ -207,7 +207,7 @@ + } else { + rowSize = (bitmap->w + 7) >> 3; + } +- bitmap->data = (Guchar *)gmalloc(rowSize * bitmap->h); ++ bitmap->data = (Guchar *)gmallocn_checkoverflow(rowSize, bitmap->h); + bitmap->freeData = gTrue; + for (i = 0, p = bitmap->data, q = slot->bitmap.buffer; + i < bitmap->h; --- poppler-0.5.1.orig/debian/patches/101_CVE-2007-4352.patch +++ poppler-0.5.1/debian/patches/101_CVE-2007-4352.patch 
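Review bot: `gmallocn_checkoverflow` returns NULL on a rejected size (and for a zero count), but the SplashFTFont.cc hunk stores the result in `bitmap->data` and goes straight into the row-copy loop with `p = bitmap->data`. For an oversized glyph that turns the former integer overflow into a write through NULL rather than a clean failure. An `if (bitmap->data == NULL)` check with an early failure return is needed before `bitmap->freeData = gTrue;`. The function's signature is outside the hunk, so the value to return has to be taken from there.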
@@ -0,0 +1,15 @@
+diff -Nur poppler-0.5.1/poppler/Stream.cc poppler-0.5.1.new/poppler/Stream.cc
+--- poppler-0.5.1/poppler/Stream.cc 2007-11-13 10:06:36.000000000 -0500
++++ poppler-0.5.1.new/poppler/Stream.cc 2007-11-13 10:06:50.000000000 -0500
+@@ -3021,6 +3021,11 @@
+ }
+ scanInfo.firstCoeff = str->getChar();
+ scanInfo.lastCoeff = str->getChar();
++ if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
++ scanInfo.firstCoeff > scanInfo.lastCoeff) {
++ error(getPos(), "Bad DCT coefficient numbers in scan info block");
++ return gFalse;
++ }
+ c = str->getChar();
+ scanInfo.ah = (c >> 4) & 0x0f;
+ scanInfo.al = c & 0x0f;
--- poppler-0.5.1.orig/debian/patches/103_security_jbig2.patch
+++ poppler-0.5.1/debian/patches/103_security_jbig2.patch
@@ -0,0 +1,1145 @@ +# +# Description: fix denial of service and possible code execution from +# multiple integer and buffer overflows, and other issues with +# JBIG2 decoding. +# Patch: Based on Albert Astals Cid's poppler patch +# +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/CairoOutputDev.cc poppler-0.5.1.new/poppler/CairoOutputDev.cc +--- poppler-0.5.1/poppler/CairoOutputDev.cc 2006-02-25 15:53:34.000000000 -0500 ++++ poppler-0.5.1.new/poppler/CairoOutputDev.cc 2009-04-09 20:10:43.000000000 -0400 +@@ -671,7 +671,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn (width, height * 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/JBIG2Stream.cc poppler-0.5.1.new/poppler/JBIG2Stream.cc +--- poppler-0.5.1/poppler/JBIG2Stream.cc 2006-02-28 14:34:46.000000000 -0500 ++++ poppler-0.5.1.new/poppler/JBIG2Stream.cc 2009-04-09 20:12:37.000000000 -0400 +@@ -422,12 +422,14 @@ + table[i] = table[len]; + + // assign prefixes +- i = 0; +- prefix = 0; +- table[i++].prefix = prefix++; +- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { +- prefix <<= table[i].prefixLen - table[i-1].prefixLen; +- table[i].prefix = prefix++; ++ if (table[0].rangeLen != jbig2HuffmanEOT) { ++ i = 0; ++ prefix = 0; ++ table[i++].prefix = prefix++; ++ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { ++ prefix <<= table[i].prefixLen - table[i-1].prefixLen; ++ table[i].prefix = prefix++; ++ } + } + } + +@@ -491,7 +493,7 @@ + } + if (p->bits < 0) { + error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); +- return 0; ++ return EOF; + } + bufLen -= p->bits; + return p->n; +@@ -507,7 +509,7 @@ + ++nBytesRead; + } + while (1) { +- if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { ++ if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { + if (bufLen <= 12) { + code = buf << (12 - 
bufLen); + } else { +@@ -550,14 +552,15 @@ + ++nBytesRead; + } + while (1) { +- if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { ++ if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { + if (bufLen <= 13) { + code = buf << (13 - bufLen); + } else { + code = buf >> (bufLen - 13); + } + p = &blackTab1[code & 0x7f]; +- } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) { ++ } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 && ++ ((buf >> (bufLen - 6)) & 0x03) != 0) { + if (bufLen <= 12) { + code = buf << (12 - bufLen); + } else { +@@ -667,6 +670,7 @@ + void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp); + Guchar *getDataPtr() { return data; } + int getDataSize() { return h * line; } ++ GBool isOk() { return data != NULL; } + + private: + +@@ -761,6 +765,8 @@ + inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { + if (y < 0 || y >= h || x >= w) { + ptr->p = NULL; ++ ptr->shift = 0; // make gcc happy ++ ptr->x = 0; // make gcc happy + } else if (x < 0) { + ptr->p = &data[y * line]; + ptr->shift = 7; +@@ -805,6 +811,10 @@ + Guint src0, src1, src, dest, s1, s2, m1, m2, m3; + GBool oneByte; + ++ // check for the pathological case where y = -2^31 ++ if (y < -0x7fffffff) { ++ return; ++ } + if (y < 0) { + y0 = -y; + } else { +@@ -1229,6 +1239,7 @@ + Guint segNum, segFlags, segType, page, segLength; + Guint refFlags, nRefSegs; + Guint *refSegs; ++ int segDataPos; + int c1, c2, c3; + Guint i; + +@@ -1296,6 +1307,16 @@ + goto eofError2; + } + ++ // keep track of the start of the segment data ++ segDataPos = getPos(); ++ ++ // check for missing page information segment ++ if (!pageBitmap && ((segType >= 4 && segType <= 7) || ++ (segType >= 20 && segType <= 43))) { ++ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); ++ goto syntaxError; ++ } ++ + // read the segment data + switch (segType) { + case 0: +@@ -1373,6 +1394,45 @@ + break; + } + ++ // Make sure the 
segment handler read all of the bytes in the ++ // segment data, unless this segment is marked as having an ++ // unknown length (section 7.2.7 of the JBIG2 Final Committee Draft) ++ ++ if (segLength != 0xffffffff) { ++ ++ int segExtraBytes = segDataPos + segLength - getPos(); ++ if (segExtraBytes > 0) { ++ ++ // If we didn't read all of the bytes in the segment data, ++ // indicate an error, and throw away the rest of the data. ++ ++ // v.3.1.01.13 of the LuraTech PDF Compressor Server will ++ // sometimes generate an extraneous NULL byte at the end of ++ // arithmetic-coded symbol dictionary segments when numNewSyms ++ // == 0. Segments like this often occur for blank pages. ++ ++ error(getPos(), "%d extraneous byte%s after segment", ++ segExtraBytes, (segExtraBytes > 1) ? "s" : ""); ++ ++ // Burn through the remaining bytes -- inefficient, but ++ // hopefully we're not doing this much ++ ++ int trash; ++ for (int i = segExtraBytes; i > 0; i--) { ++ readByte(&trash); ++ } ++ ++ } else if (segExtraBytes < 0) { ++ ++ // If we read more bytes than we should have, according to the ++ // segment length field, note an error. 
++ ++ error(getPos(), "Previous segment handler read too many bytes"); ++ ++ } ++ ++ } ++ + gfree(refSegs); + } + +@@ -1411,6 +1471,8 @@ + Guint i, j, k; + Guchar *p; + ++ symWidths = NULL; ++ + // symbol dictionary flags + if (!readUWord(&flags)) { + goto eofError; +@@ -1466,20 +1528,38 @@ + codeTables = new GooList(); + numInputSyms = 0; + for (i = 0; i < nRefSegs; ++i) { +- seg = findSegment(refSegs[i]); +- if (seg->getType() == jbig2SegSymbolDict) { +- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); +- } else if (seg->getType() == jbig2SegCodeTable) { +- codeTables->append(seg); ++ // This is need by bug 12014, returning gFalse makes it not crash ++ // but we end up with a empty page while acroread is able to render ++ // part of it ++ if ((seg = findSegment(refSegs[i]))) { ++ if (seg->getType() == jbig2SegSymbolDict) { ++ j = ((JBIG2SymbolDict *)seg)->getSize(); ++ if (numInputSyms > UINT_MAX - j) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } ++ numInputSyms += j; ++ } else if (seg->getType() == jbig2SegCodeTable) { ++ codeTables->append(seg); ++ } ++ } else { ++ delete codeTables; ++ return gFalse; + } + } ++ if (numInputSyms > UINT_MAX - numNewSyms) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } + + // compute symbol code length +- symCodeLen = 0; +- i = 1; +- while (i < numInputSyms + numNewSyms) { ++ symCodeLen = 1; ++ i = (numInputSyms + numNewSyms) >> 1; ++ while (i) { + ++symCodeLen; +- i <<= 1; ++ i >>= 1; + } + + // get the input symbol bitmaps +@@ -1492,7 +1572,7 @@ + inputSymbolDict = NULL; + for (i = 0; i < nRefSegs; ++i) { + seg = findSegment(refSegs[i]); +- if (seg->getType() == jbig2SegSymbolDict) { ++ if (seg != NULL && seg->getType() == jbig2SegSymbolDict) { + inputSymbolDict = (JBIG2SymbolDict *)seg; + for (j = 0; j < inputSymbolDict->getSize(); ++j) { + bitmaps[k++] = 
inputSymbolDict->getBitmap(j); +@@ -1510,6 +1590,9 @@ + } else if (huffDH == 1) { + huffDHTable = huffTableE; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDW == 0) { +@@ -1517,17 +1600,26 @@ + } else if (huffDW == 1) { + huffDWTable = huffTableC; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffBMSize == 0) { + huffBMSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffBMSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffAggInst == 0) { + huffAggInstTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffAggInstTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -1560,7 +1652,6 @@ + } + + // allocate symbol widths storage +- symWidths = NULL; + if (huff && !refAgg) { + symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); + } +@@ -1602,6 +1693,10 @@ + goto syntaxError; + } + symWidth += dw; ++ if (i >= numNewSyms) { ++ error(getPos(), "Too many symbols in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + + // using a collective bitmap, so don't read a bitmap here + if (huff && !refAgg) { +@@ -1638,6 +1733,10 @@ + arithDecoder->decodeInt(&refDX, iardxStats); + arithDecoder->decodeInt(&refDY, iardyStats); + } ++ if (symID >= numInputSyms + i) { ++ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + refBitmap = bitmaps[symID]; + bitmaps[numInputSyms + i] = + readGenericRefinementRegion(symWidth, symHeight, +@@ -1704,6 +1803,13 @@ + } else { + arithDecoder->decodeInt(&run, iaexStats); + } ++ if (i + run > numInputSyms + numNewSyms || ++ (ex && j + run > numExSyms)) { ++ error(getPos(), "Too many 
exported symbols in JBIG2 symbol dictionary"); ++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL); ++ delete symbolDict; ++ goto syntaxError; ++ } + if (ex) { + for (cnt = 0; cnt < run; ++cnt) { + symbolDict->setBitmap(j++, bitmaps[i++]->copy()); +@@ -1713,6 +1819,12 @@ + } + ex = !ex; + } ++ if (j != numExSyms) { ++ error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); ++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL); ++ delete symbolDict; ++ goto syntaxError; ++ } + + for (i = 0; i < numNewSyms; ++i) { + delete bitmaps[numInputSyms + i]; +@@ -1735,6 +1847,10 @@ + + return gTrue; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 symbol dictionary"); ++ delete codeTables; ++ + syntaxError: + for (i = 0; i < numNewSyms; ++i) { + if (bitmaps[numInputSyms + i]) { +@@ -1837,6 +1953,8 @@ + } + } else { + error(getPos(), "Invalid segment reference in JBIG2 text region"); ++ delete codeTables; ++ return; + } + } + symCodeLen = 0; +@@ -1871,6 +1989,9 @@ + } else if (huffFS == 1) { + huffFSTable = huffTableG; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDS == 0) { +@@ -1880,6 +2001,9 @@ + } else if (huffDS == 2) { + huffDSTable = huffTableJ; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDT == 0) { +@@ -1889,6 +2013,9 @@ + } else if (huffDT == 2) { + huffDTTable = huffTableM; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDW == 0) { +@@ -1896,6 +2023,9 @@ + } else if (huffRDW == 1) { + huffRDWTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDWTable = ((JBIG2CodeTable 
*)codeTables->get(i++))->getHuffTable(); + } + if (huffRDH == 0) { +@@ -1903,6 +2033,9 @@ + } else if (huffRDH == 1) { + huffRDHTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDX == 0) { +@@ -1910,6 +2043,9 @@ + } else if (huffRDX == 1) { + huffRDXTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDY == 0) { +@@ -1917,11 +2053,17 @@ + } else if (huffRDY == 1) { + huffRDYTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRSize == 0) { + huffRSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -1995,18 +2137,20 @@ + + gfree(syms); + +- // combine the region bitmap into the page bitmap +- if (imm) { +- if (pageH == 0xffffffff && y + h > curPageH) { +- pageBitmap->expand(y + h, pageDefPixel); +- } +- pageBitmap->combine(bitmap, x, y, extCombOp); +- delete bitmap; ++ if (bitmap) { ++ // combine the region bitmap into the page bitmap ++ if (imm) { ++ if (pageH == 0xffffffff && y + h > curPageH) { ++ pageBitmap->expand(y + h, pageDefPixel); ++ } ++ pageBitmap->combine(bitmap, x, y, extCombOp); ++ delete bitmap; + +- // store the region bitmap +- } else { +- bitmap->setSegNum(segNum); +- segments->append(bitmap); ++ // store the region bitmap ++ } else { ++ bitmap->setSegNum(segNum); ++ segments->append(bitmap); ++ } + } + + // clean up the Huffman decoder +@@ -2016,8 +2160,15 @@ + + return; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 text region"); ++ gfree(codeTables); ++ 
delete syms; ++ return; ++ + eofError: + error(getPos(), "Unexpected EOF in JBIG2 stream"); ++ return; + } + + JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, +@@ -2052,6 +2203,10 @@ + + // allocate the bitmap + bitmap = new JBIG2Bitmap(0, w, h); ++ if (!bitmap->isOk()) { ++ delete bitmap; ++ return NULL; ++ } + if (defPixel) { + bitmap->clearToOne(); + } else { +@@ -2128,73 +2283,84 @@ + ri = 0; + } + if (ri) { ++ GBool decodeSuccess; + if (huff) { +- huffDecoder->decodeInt(&rdw, huffRDWTable); +- huffDecoder->decodeInt(&rdh, huffRDHTable); +- huffDecoder->decodeInt(&rdx, huffRDXTable); +- huffDecoder->decodeInt(&rdy, huffRDYTable); +- huffDecoder->decodeInt(&bmSize, huffRSizeTable); ++ decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable); ++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable); ++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable); ++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable); ++ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable); + huffDecoder->reset(); + arithDecoder->start(); + } else { +- arithDecoder->decodeInt(&rdw, iardwStats); +- arithDecoder->decodeInt(&rdh, iardhStats); +- arithDecoder->decodeInt(&rdx, iardxStats); +- arithDecoder->decodeInt(&rdy, iardyStats); ++ decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats); ++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats); ++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats); ++ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats); ++ } ++ ++ if (decodeSuccess && syms[symID]) ++ { ++ refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; ++ refDY = ((rdh >= 0) ? 
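Review bot: The `codeTableError:` block added in hunk `@@ -2016,8 +2160,15 @@` releases the two objects with each other's deallocator: it calls `gfree(codeTables)` and `delete syms`, while the rest of this patch uses `delete codeTables` (hunk `@@ -1837,6 +1953,8 @@`) and the normal exit path uses `gfree(syms)` (hunk `@@ -1995,18 +2137,20 @@`). The label is reached only when the stream references a code table that is missing, so the mismatch is undefined behaviour on a path that malformed input selects, and it can corrupt the heap. The block should read `delete codeTables;` and `gfree(syms);`. The function body starts outside this hunk, so how the two objects are allocated is inferred from those other call sites.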
rdh : rdh - 1) / 2 + rdy; ++ ++ symbolBitmap = ++ readGenericRefinementRegion(rdw + syms[symID]->getWidth(), ++ rdh + syms[symID]->getHeight(), ++ templ, gFalse, syms[symID], ++ refDX, refDY, atx, aty); + } +- refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; +- refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy; +- +- symbolBitmap = +- readGenericRefinementRegion(rdw + syms[symID]->getWidth(), +- rdh + syms[symID]->getHeight(), +- templ, gFalse, syms[symID], +- refDX, refDY, atx, aty); + //~ do we need to use the bmSize value here (in Huffman mode)? + } else { + symbolBitmap = syms[symID]; + } + +- // combine the symbol bitmap into the region bitmap +- //~ something is wrong here - refCorner shouldn't degenerate into +- //~ two cases +- bw = symbolBitmap->getWidth() - 1; +- bh = symbolBitmap->getHeight() - 1; +- if (transposed) { +- switch (refCorner) { +- case 0: // bottom left +- bitmap->combine(symbolBitmap, tt, s, combOp); +- break; +- case 1: // top left +- bitmap->combine(symbolBitmap, tt, s, combOp); +- break; +- case 2: // bottom right +- bitmap->combine(symbolBitmap, tt - bw, s, combOp); +- break; +- case 3: // top right +- bitmap->combine(symbolBitmap, tt - bw, s, combOp); +- break; ++ if (symbolBitmap) { ++ // combine the symbol bitmap into the region bitmap ++ //~ something is wrong here - refCorner shouldn't degenerate into ++ //~ two cases ++ bw = symbolBitmap->getWidth() - 1; ++ bh = symbolBitmap->getHeight() - 1; ++ if (transposed) { ++ switch (refCorner) { ++ case 0: // bottom left ++ bitmap->combine(symbolBitmap, tt, s, combOp); ++ break; ++ case 1: // top left ++ bitmap->combine(symbolBitmap, tt, s, combOp); ++ break; ++ case 2: // bottom right ++ bitmap->combine(symbolBitmap, tt - bw, s, combOp); ++ break; ++ case 3: // top right ++ bitmap->combine(symbolBitmap, tt - bw, s, combOp); ++ break; ++ } ++ s += bh; ++ } else { ++ switch (refCorner) { ++ case 0: // bottom left ++ bitmap->combine(symbolBitmap, s, tt - bh, combOp); ++ break; ++ case 1: // top 
left ++ bitmap->combine(symbolBitmap, s, tt, combOp); ++ break; ++ case 2: // bottom right ++ bitmap->combine(symbolBitmap, s, tt - bh, combOp); ++ break; ++ case 3: // top right ++ bitmap->combine(symbolBitmap, s, tt, combOp); ++ break; ++ } ++ s += bw; + } +- s += bh; +- } else { +- switch (refCorner) { +- case 0: // bottom left +- bitmap->combine(symbolBitmap, s, tt - bh, combOp); +- break; +- case 1: // top left +- bitmap->combine(symbolBitmap, s, tt, combOp); +- break; +- case 2: // bottom right +- bitmap->combine(symbolBitmap, s, tt - bh, combOp); +- break; +- case 3: // top right +- bitmap->combine(symbolBitmap, s, tt, combOp); +- break; ++ if (ri) { ++ delete symbolBitmap; + } +- s += bw; +- } +- if (ri) { +- delete symbolBitmap; ++ } else { ++ // NULL symbolBitmap only happens on error ++ delete bitmap; ++ return NULL; + } + } + +@@ -2325,7 +2491,7 @@ + return; + } + seg = findSegment(refSegs[0]); +- if (seg->getType() != jbig2SegPatternDict) { ++ if (seg == NULL || seg->getType() != jbig2SegPatternDict) { + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } +@@ -2368,9 +2534,9 @@ + skipBitmap = new JBIG2Bitmap(0, gridW, gridH); + skipBitmap->clearToZero(); + for (m = 0; m < gridH; ++m) { +- xx = gridX + m * stepY; +- yy = gridY + m * stepX; + for (n = 0; n < gridW; ++n) { ++ xx = gridX + m * stepY + n * stepX; ++ yy = gridY + m * stepX - n * stepY; + if (((xx + (int)patW) >> 8) <= 0 || (xx >> 8) >= (int)w || + ((yy + (int)patH) >> 8) <= 0 || (yy >> 8) >= (int)h) { + skipBitmap->setPixel(n, m); +@@ -2417,6 +2583,9 @@ + } + + gfree(grayImg); ++ if (skipBitmap) { ++ delete skipBitmap; ++ } + + // combine the region bitmap into the page bitmap + if (imm) { +@@ -2489,7 +2658,9 @@ + + // read the bitmap + bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, +- NULL, atx, aty, mmr ? 0 : length - 18); ++ NULL, atx, aty, mmr ? 
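Review bot: In hunk `@@ -2128,73 +2283,84 @@`, when `decodeSuccess` is false or `syms[symID]` is NULL the `if (ri)` branch no longer assigns `symbolBitmap`, so the new `if (symbolBitmap)` test is only meaningful if the variable is reset to NULL on every loop iteration. That reset is not visible in the hunk; if it is missing, the test would see the pointer left over from the previous symbol, which the `if (ri) { delete symbolBitmap; }` at the end of the loop body may already have freed. Adding `symbolBitmap = NULL;` right after the `GBool decodeSuccess;` declaration makes the error path independent of code outside the hunk.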
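Review bot: The `skipBitmap` allocated in the context lines of hunk `@@ -2368,9 +2534,9 @@` is used straight away (`skipBitmap->clearToZero()`, then `setPixel(n, m)` in the loop this hunk rewrites) without the `isOk()` test that this patch adds after its other `new JBIG2Bitmap(...)` calls. `gridW` and `gridH` presumably come from the segment header, so a bitmap that failed its size check here would still be written through. A guard of the same shape, `if (!skipBitmap->isOk()) { delete skipBitmap; return; }`, placed before `clearToZero()` would close that gap. The enclosing function starts outside the hunk, so any other cleanup it needs on that path has to be added with it.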
length - 18 : 0); ++ if (!bitmap) ++ return; + + // combine the region bitmap into the page bitmap + if (imm) { +@@ -2511,6 +2682,43 @@ + error(getPos(), "Unexpected EOF in JBIG2 stream"); + } + ++inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ ++inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } else if (a1 < codingLine[*a0i]) { ++ if (a1 < 0) { ++ error(getPos(), "Invalid JBIG2 MMR code"); ++ a1 = 0; ++ } ++ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) { ++ --*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ + JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, +@@ -2519,13 +2727,17 @@ + JBIG2Bitmap *bitmap; + GBool ltp; + Guint ltpCX, cx, cx0, cx1, cx2; +- JBIG2BitmapPtr cxPtr0, cxPtr1; +- JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3; ++ JBIG2BitmapPtr cxPtr0 = {0}, cxPtr1 = {0}; ++ JBIG2BitmapPtr atPtr0 = {0}, atPtr1 = {0}, atPtr2 = {0}, atPtr3 = {0}; + int *refLine, *codingLine; + int code1, code2, code3; +- int x, y, a0, pix, i, refI, codingI; ++ int x, y, a0i, b1i, blackPixels, pix, i; + + bitmap = new JBIG2Bitmap(0, w, h); ++ if (!bitmap->isOk()) { ++ delete bitmap; ++ return NULL; ++ } + bitmap->clearToZero(); + + //----- MMR decode +@@ -2533,9 +2745,18 @@ + if (mmr) { + + mmrDecoder->reset(); ++ if (w > INT_MAX - 2) { ++ error(getPos(), "Bad width in JBIG2 generic bitmap"); ++ // force a call to gmalloc(-1), which will throw an exception ++ w = 
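Review bot: `length - 18` in hunk `@@ -2489,7 +2658,9 @@` is evaluated on a `Guint` (the header hunk declares `readGenericRegionSeg(..., Guint length)`, presumably the function this hunk sits in), so a segment whose declared length is below 18 wraps to a very large MMR data length instead of being rejected. The hunk shows no lower-bound test, and how `readGenericBitmap` consumes the value is outside it, so this may be caught elsewhere. If it is not, a check such as `if (mmr && length < 18) { error(getPos(), "Bad segment length in JBIG2 generic region"); return; }` before the call would keep malformed lengths out of the decoder.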
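Review bot: The `error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1)` calls in the two helpers added by hunk `@@ -2511,6 +2682,43 @@` use a `{0:d}` placeholder, while every other `error()` call visible in this patch passes a plain string, so it is not clear that `error()` in this tree understands that syntax. If `error()` is printf-style here, the braces are printed literally and `a1` is dropped from the diagnostic; `"JBIG2 MMR row is wrong length (%d)"` would be the matching form. Both helpers would also benefit from a one-line comment stating that `codingLine` must have room for index `*a0i + 1`, since each can increment `*a0i` before writing.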
-3; ++ } ++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w ++ // ---> max codingLine size = w + 1 ++ // refLine has one extra guard entry at the end ++ // ---> max refLine size = w + 2 ++ codingLine = (int *)gmallocn(w + 1, sizeof(int)); + refLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine[0] = codingLine[1] = w; ++ codingLine[0] = w; + + for (y = 0; y < h; ++y) { + +@@ -2543,128 +2764,157 @@ + for (i = 0; codingLine[i] < w; ++i) { + refLine[i] = codingLine[i]; + } +- refLine[i] = refLine[i + 1] = w; ++ refLine[i++] = w; ++ refLine[i] = w; + + // decode a line +- refI = 0; // b1 = refLine[refI] +- codingI = 0; // a1 = codingLine[codingI] +- a0 = 0; +- do { ++ codingLine[0] = 0; ++ a0i = 0; ++ b1i = 0; ++ blackPixels = 0; ++ // invariant: ++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w ++ // exception at left edge: ++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible ++ // exception at right edge: ++ // refLine[b1i] = refLine[b1i+1] = w is possible ++ while (codingLine[a0i] < w) { + code1 = mmrDecoder->get2DCode(); + switch (code1) { + case twoDimPass: +- if (refLine[refI] < w) { +- a0 = refLine[refI + 1]; +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w); ++ if (refLine[b1i + 1] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimHoriz: +- if (codingI & 1) { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- } else { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- } +- if (code1 > 0 || code2 > 0) { +- a0 = codingLine[codingI++] = a0 + code1; +- a0 = codingLine[codingI++] = a0 + code2; +- while (refLine[refI] <= a0 && 
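Review bot: The overflow guard in hunk `@@ -2533,9 +2745,18 @@` handles `w > INT_MAX - 2` by setting `w = -3` so that the following `gmallocn(w + 1, sizeof(int))` fails, which turns a malformed width into whatever the allocator does with a negative count rather than a controlled error return, and leaves `bitmap` unreleased. The comment also says `gmalloc(-1)` although the first allocation would receive `-2`. The `isOk()` check added a few lines earlier in the same function (hunk `@@ -2519,13 +2727,17 @@`) already has the right shape: replace `w = -3;` with `delete bitmap;` and `return NULL;`, a result the caller now tests for (`if (!bitmap) return;` in hunk `@@ -2489,7 +2658,9 @@`).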
refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVert0: +- a0 = codingLine[codingI++] = refLine[refI]; +- if (refLine[refI] < w) { +- ++refI; +- } +- break; +- case twoDimVertR1: +- a0 = codingLine[codingI++] = refLine[refI] + 1; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertR2: +- a0 = codingLine[codingI++] = refLine[refI] + 2; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; ++ code1 = code2 = 0; ++ if (blackPixels) { ++ do { ++ code1 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ } else { ++ do { ++ code1 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ } ++ mmrAddPixels(codingLine[a0i] + code1, blackPixels, ++ codingLine, &a0i, w); ++ if (codingLine[a0i] < w) { ++ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1, ++ codingLine, &a0i, w); ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimVertR3: +- a0 = codingLine[codingI++] = refLine[refI] + 3; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertL1: +- a0 = codingLine[codingI++] = refLine[refI] - 1; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; +- case twoDimVertL2: +- a0 = codingLine[codingI++] = refLine[refI] - 2; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < 
w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR2: ++ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR1: ++ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVert0: ++ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; + case twoDimVertL3: +- a0 = codingLine[codingI++] = refLine[refI] - 3; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL2: ++ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL1: ++ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case EOF: ++ mmrAddPixels(w, 0, codingLine, &a0i, w); 
++ break; + default: + error(getPos(), "Illegal code in JBIG2 MMR bitmap data"); ++ mmrAddPixels(w, 0, codingLine, &a0i, w); + break; + } +- } while (a0 < w); +- codingLine[codingI++] = w; ++ } + + // convert the run lengths to a bitmap line + i = 0; +- while (codingLine[i] < w) { ++ while (1) { + for (x = codingLine[i]; x < codingLine[i+1]; ++x) { + bitmap->setPixel(x, y); + } ++ if (codingLine[i+1] >= w || codingLine[i+2] >= w) { ++ break; ++ } + i += 2; + } + } +@@ -2712,7 +2962,9 @@ + ltp = !ltp; + } + if (ltp) { +- bitmap->duplicateRow(y, y-1); ++ if (y > 0) { ++ bitmap->duplicateRow(y, y-1); ++ } + continue; + } + } +@@ -2916,7 +3168,7 @@ + } + if (nRefSegs == 1) { + seg = findSegment(refSegs[0]); +- if (seg->getType() != jbig2SegBitmap) { ++ if (seg == NULL || seg->getType() != jbig2SegBitmap) { + error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); + return; + } +@@ -2965,8 +3217,16 @@ + JBIG2Bitmap *bitmap; + GBool ltp; + Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2; +- JBIG2BitmapPtr cxPtr0, cxPtr1, cxPtr2, cxPtr3, cxPtr4, cxPtr5, cxPtr6; +- JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; ++ JBIG2BitmapPtr cxPtr0 = {0}; ++ JBIG2BitmapPtr cxPtr1 = {0}; ++ JBIG2BitmapPtr cxPtr2 = {0}; ++ JBIG2BitmapPtr cxPtr3 = {0}; ++ JBIG2BitmapPtr cxPtr4 = {0}; ++ JBIG2BitmapPtr cxPtr5 = {0}; ++ JBIG2BitmapPtr cxPtr6 = {0}; ++ JBIG2BitmapPtr tpgrCXPtr0 = {0}; ++ JBIG2BitmapPtr tpgrCXPtr1 = {0}; ++ JBIG2BitmapPtr tpgrCXPtr2 = {0}; + int x, y, pix; + + if (w < 0 || h <= 0 || w >= INT_MAX / h) { +@@ -2975,6 +3235,11 @@ + } + + bitmap = new JBIG2Bitmap(0, w, h); ++ if (!bitmap->isOk()) ++ { ++ delete bitmap; ++ return NULL; ++ } + bitmap->clearToZero(); + + // set up the typical row context +@@ -3015,6 +3280,10 @@ + tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); ++ } else { ++ tpgrCXPtr0.p = tpgrCXPtr1.p = 
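Review bot: The rewritten run-length conversion loop at the end of hunk `@@ -2543,128 +2764,157 @@` reads `codingLine[i+1]` before testing whether `codingLine[i]` has already reached `w`. For a row with no black run the decode loop stops with `codingLine[0] == w` and writes nothing past index 0, so `codingLine[1]` is either left over from the previous row or, on the first row, never initialised (the allocation in hunk `@@ -2533,9 +2745,18 @@` sets only `codingLine[0]`); the `for` loop then calls `bitmap->setPixel(x, y)` for `x` from `w` up to that value. Whether `setPixel` bounds-checks is outside the hunk. Adding `if (codingLine[i] >= w) { break; }` as the first statement of the `while (1)` body keeps the loop on entries written for the current row.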
tpgrCXPtr2.p = NULL; // make gcc happy ++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; ++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; + } + + for (x = 0; x < w; ++x) { +@@ -3086,6 +3355,10 @@ + tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); ++ } else { ++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy ++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; ++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; + } + + for (x = 0; x < w; ++x) { +@@ -3151,6 +3424,12 @@ + } + pageBitmap = new JBIG2Bitmap(0, pageW, curPageH); + ++ if (!pageBitmap->isOk()) { ++ delete pageBitmap; ++ pageBitmap = NULL; ++ return; ++ } ++ + // default pixel value + if (pageDefPixel) { + pageBitmap->clearToOne(); +@@ -3352,7 +3631,7 @@ + iardwStats->reset(); + iardhStats->reset(); + iariStats->reset(); +- if (iaidStats->getContextSize() == symCodeLen + 1) { ++ if (iaidStats->getContextSize() == 1 << (symCodeLen + 1)) { + iaidStats->reset(); + } else { + delete iaidStats; +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/poppler/JBIG2Stream.h poppler-0.5.1.new/poppler/JBIG2Stream.h +--- poppler-0.5.1/poppler/JBIG2Stream.h 2005-09-06 22:34:39.000000000 -0400 ++++ poppler-0.5.1.new/poppler/JBIG2Stream.h 2009-04-09 20:10:43.000000000 -0400 +@@ -75,6 +75,10 @@ + Guint *refSegs, Guint nRefSegs); + void readGenericRegionSeg(Guint segNum, GBool imm, + GBool lossless, Guint length); ++ void mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); ++ void mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); + JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, +diff -Nur -x '*.orig' -x '*~' poppler-0.5.1/splash/SplashBitmap.cc poppler-0.5.1.new/splash/SplashBitmap.cc +--- poppler-0.5.1/splash/SplashBitmap.cc 2005-11-20 
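Review bot: The new failure path in hunk `@@ -3151,6 +3424,12 @@` leaves `pageBitmap` set to NULL and returns, but region code elsewhere in this patch still dereferences it unconditionally, for example `pageBitmap->expand(y + h, pageDefPixel)` and `pageBitmap->combine(bitmap, x, y, extCombOp)` in the `if (imm)` branch of hunk `@@ -1995,18 +2137,20 @@`. Unless segment processing stops after a failed page-information segment (not visible here), a later immediate region segment in the same stream would dereference the null pointer. Either the consumers need a `pageBitmap` NULL test before the `if (imm)` branch, or this path needs to mark the stream as failed so that no further segments are decoded.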
16:40:28.000000000 -0500 ++++ poppler-0.5.1.new/splash/SplashBitmap.cc 2009-04-09 20:10:43.000000000 -0400 +@@ -53,7 +53,7 @@ + } + rowSize += rowPad - 1; + rowSize -= rowSize % rowPad; +- data = (SplashColorPtr)gmalloc(rowSize * height); ++ data = (SplashColorPtr)gmallocn(rowSize, height); + if (!topDown) { + data += (height - 1) * rowSize; + rowSize = -rowSize; --- poppler-0.5.1.orig/debian/patches/100_streampredictor_overflow.patch +++ poppler-0.5.1/debian/patches/100_streampredictor_overflow.patch @@ -0,0 +1,33 @@ +diff -Nur poppler-0.5.1/poppler/Stream.cc poppler-0.5.1.new/poppler/Stream.cc +--- poppler-0.5.1/poppler/Stream.cc 2006-02-28 11:38:21.000000000 -0800 ++++ poppler-0.5.1.new/poppler/Stream.cc 2007-08-07 12:11:09.032013147 -0700 +@@ -421,22 +421,15 @@ + predLine = NULL; + ok = gFalse; + +- if (width <= 0 || nComps <= 0 || nBits <= 0 || +- nComps >= INT_MAX/nBits || +- width >= INT_MAX/nComps/nBits || +- nVals * nBits + 7 < 0) { +- return; +- } + nVals = width * nComps; +- totalBits = nVals * nBits; +- if (totalBits == 0 || +- (totalBits / nBits) / nComps != width || +- totalBits + 7 < 0) { +- return; +- } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((totalBits + 7) >> 3) + pixBytes; +- if (rowBytes < 0) { ++ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps > gfxColorMaxComps || ++ nBits > 16 || ++ nVals <= 0 || ++ nVals * nBits + 7 <= 0 || ++ rowBytes <= 0) { + return; + } + predLine = (Guchar *)gmalloc(rowBytes); --- poppler-0.5.1.orig/debian/libpoppler-glib-dev.install +++ poppler-0.5.1/debian/libpoppler-glib-dev.install @@ -0,0 +1,5 @@ +debian/tmp/usr/include/poppler/glib/ +debian/tmp/usr/lib/libpoppler-glib.la +debian/tmp/usr/lib/libpoppler-glib.a +debian/tmp/usr/lib/libpoppler-glib.so +debian/tmp/usr/lib/pkgconfig/poppler-glib.pc --- poppler-0.5.1.orig/debian/docs +++ poppler-0.5.1/debian/docs 
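Review bot: The rewritten validation in the `Stream.cc` hunk of `100_streampredictor_overflow.patch` computes `nVals = width * nComps` and `rowBytes` first and then looks for overflow by testing the results for `<= 0`, which misses products that wrap to a positive value and depends on signed overflow, undefined behaviour in C++, having produced a negative number. The removed lines bounded the operands by division before multiplying; the new `nComps > gfxColorMaxComps` and `nBits > 16` limits are useful but do not bound `width`. Replacing `nVals <= 0 ||` and `nVals * nBits + 7 <= 0 ||` with `width >= INT_MAX / nComps ||` and `nVals >= (INT_MAX - 7) / nBits ||` keeps the test exact, and the earlier `nComps <= 0 || nBits <= 0` terms already protect the divisions. The constructor's body continues outside the hunk, so how `nVals` and `rowBytes` are used afterwards is not visible.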
@@ -0,0 +1,5 @@
+AUTHORS
+NEWS
+README
+README-XPDF
+TODO
--- poppler-0.5.1.orig/debian/rules
+++ poppler-0.5.1/debian/rules
@@ -0,0 +1,27 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE = 1
+
+include /usr/share/cdbs/1/rules/debhelper.mk
+include /usr/share/cdbs/1/rules/simple-patchsys.mk
+include /usr/share/cdbs/1/class/autotools.mk
+
+include /usr/share/gnome-pkg-tools/1/rules/uploaders.mk
+
+# a trick to fix xpdfrc location without modifying autotools stuff
+DEB_CONFIGURE_SYSCONFDIR = /etc/xpdf
+
+# disable gtk stuff to minimize Build-Depends
+DEB_CONFIGURE_EXTRA_FLAGS = \
+ --enable-libjpeg \
+ --enable-splash-output \
+ --disable-cairo-output \
+ --enable-poppler-glib \
+ --enable-poppler-qt \
+ --enable-a4-paper \
+ --disable-gtk-test
+
+SHLIB_VERSION=0.5.1
+DEB_DH_MAKESHLIBS_ARGS_libpoppler1 := -V"libpoppler1 (>= $(SHLIB_VERSION))"
+DEB_DH_MAKESHLIBS_ARGS_libpoppler1-glib := -V"libpoppler1-glib (>= $(SHLIB_VERSION))"
+DEB_DH_MAKESHLIBS_ARGS_libpoppler1-qt := -V"libpoppler1-qt (>= $(SHLIB_VERSION))"
--- poppler-0.5.1.orig/debian/libpoppler1-qt.install
+++ poppler-0.5.1/debian/libpoppler1-qt.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/libpoppler-qt.so.*
--- poppler-0.5.1.orig/debian/poppler-utils.install
+++ poppler-0.5.1/debian/poppler-utils.install
@@ -0,0 +1,2 @@
+debian/tmp/usr/bin/*
+debian/tmp/usr/share/man/man1/*
--- poppler-0.5.1.orig/debian/libpoppler1-qt.dirs
+++ poppler-0.5.1/debian/libpoppler1-qt.dirs
@@ -0,0 +1 @@
+usr/lib
--- poppler-0.5.1.orig/debian/libpoppler1.dirs
+++ poppler-0.5.1/debian/libpoppler1.dirs
@@ -0,0 +1 @@
+usr/lib
--- poppler-0.5.1.orig/debian/libpoppler-dev.install
+++ poppler-0.5.1/debian/libpoppler-dev.install
@@ -0,0 +1,8 @@
+./poppler/*.h usr/include/poppler/
+./goo/*.h usr/include/poppler/goo/
+./splash/*.h usr/include/poppler/splash/
+debian/tmp/usr/lib/libpoppler.la
+debian/tmp/usr/lib/libpoppler.a
+debian/tmp/usr/lib/libpoppler.so
+debian/tmp/usr/lib/pkgconfig/poppler.pc
+debian/tmp/usr/lib/pkgconfig/poppler-splash.pc
--- poppler-0.5.1.orig/debian/libpoppler1-glib.dirs
+++ poppler-0.5.1/debian/libpoppler1-glib.dirs
@@ -0,0 +1 @@
+usr/lib
--- poppler-0.5.1.orig/debian/libpoppler1.install
+++ poppler-0.5.1/debian/libpoppler1.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/libpoppler.so.*
--- poppler-0.5.1.orig/debian/libpoppler-qt-dev.install
+++ poppler-0.5.1/debian/libpoppler-qt-dev.install
@@ -0,0 +1,6 @@
+debian/tmp/usr/include/poppler/poppler-qt.h
+debian/tmp/usr/include/poppler/poppler-page-transition.h
+debian/tmp/usr/lib/libpoppler-qt.la
+debian/tmp/usr/lib/libpoppler-qt.a
+debian/tmp/usr/lib/libpoppler-qt.so
+debian/tmp/usr/lib/pkgconfig/poppler-qt.pc
--- poppler-0.5.1.orig/debian/changelog
+++ poppler-0.5.1/debian/changelog
@@ -0,0 +1,397 @@ +poppler (0.5.1-0ubuntu7.8) dapper-security; urgency=low + + * SECURITY UPDATE: possible arbitrary code execution via malformed PDF + - debian/patches/106_security_CVE-2010-3702.patch: properly initialize + parser in poppler/Gfx.cc. + - CVE-2010-3702 + * SECURITY UPDATE: possible arbitrary code execution via malformed PDF + - debian/patches/107_security_CVE-2010-3704.patch: make sure code isn't + < 0 in fofi/FoFiType1.cc. + - CVE-2010-3704 + + -- Marc Deslauriers Wed, 13 Oct 2010 16:45:03 -0400 + +poppler (0.5.1-0ubuntu7.7) dapper-security; urgency=low + + * SECURITY UPDATE: regression in poppler security update (LP: #457985) + - debian/patches/104_security_CVE-2009-3605.patch: update patch to + introduce gmallocn_checkoverflow in goo/gmem.{c,h} and use it in + splash/SplashFTFont.cc, as bitmap->h can be 0 and this could cause a + regression with certain applications. + - CVE-2009-3605 + + -- Marc Deslauriers Thu, 22 Oct 2009 10:33:57 -0400 + +poppler (0.5.1-0ubuntu7.6) dapper-security; urgency=low + + * SECURITY UPDATE: unsafe malloc usage + - debian/patches/104_security_CVE-2009-3605.patch: introduce gmallocn3 + and add additional allocation size checks in goo/gmem.{c,h}, replace + malloc calls with safe versions in glib/poppler-page.cc, + poppler/{ArthurOutputDev,CairoOutputDev,GfxState,JBIG2Stream, + PSOutputDev,SplashOutputDev}.cc, splash/{Splash,SplashFTFont}.cc. + - CVE-2009-3605 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in rowSize computation + - debian/patches/105_security_CVE-2009-360x.patch: make sure width + value is sane in splash/SplashBitmap.cc. + - CVE-2009-3603 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in pixel buffer size calculation + - debian/patches/105_security_CVE-2009-360x.patch: make sure yp value + is sane in splash/Splash.cc, splash/SplashErrorCodes.h. 
+ - CVE-2009-3604 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in object stream handling + - debian/patches/105_security_CVE-2009-360x.patch: limit number of + nObjects in poppler/XRef.cc. + - CVE-2009-3608 + * SECURITY UPDATE: denial of service or arbitrary code execution via + integer overflow in ImageStream::ImageStream + - debian/patches/105_security_CVE-2009-360x.patch: check size of width + and nComps in poppler/Stream.cc. + - CVE-2009-3609 + + -- Marc Deslauriers Mon, 19 Oct 2009 19:27:20 -0400 + +poppler (0.5.1-0ubuntu7.5) dapper-security; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution from + multiple integer overflows, buffer overflows, and other issues with + JBIG2 decoding. + - debian/patches/103_security_jbig2.patch: prevent integer overflow in + poppler/CairoOutputDev.cc and splash/SplashBitmap.cc, add overflow + checking, improve error handling, and fix other issues in + poppler/JBIG2Stream.*. + - CVE-2009-0146 + - CVE-2009-0147 + - CVE-2009-0166 + - CVE-2009-0799 + - CVE-2009-0800 + - CVE-2009-1179 + - CVE-2009-1180 + - CVE-2009-1181 + - CVE-2009-1182 + - CVE-2009-1183 + + -- Marc Deslauriers Thu, 09 Apr 2009 13:31:40 -0400 + +poppler (0.5.1-0ubuntu7.4) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via malicious embedded fonts. + * debian/patches/102_embedded-font-fixes.patch: upstream fix and stronger + type-checking added. 
+ * References + CVE-2008-1693 + + -- Kees Cook Tue, 15 Apr 2008 13:04:21 -0700 + +poppler (0.5.1-0ubuntu7.3) dapper-security; urgency=low + + * SECURITY UPDATE: out of bounds array access causes memory corruption via + a crafted PDF file + * fix for DCTStream::readScanInfo() in Stream.cc to properly check + boundaries + * SECURITY UPDATE: integer overflow resulting in heap-based overflow and + potential arbitrary code execution via crafted PDF file + * fix for DCTStream::reset() in Stream.cc to properly check width and height + * SECURITY UPDATE: boundary error in lookChar() resulting in heap-based + overflow and potential arbitrary code execution via crafted PDF file + * fixes for CCITTFaxStream::CCITTFaxStream and CCITTFaxStream::lookChar() in + Stream.cc to properly check boundary conditions. This also includes + upstream refactoring for easier maintenance. + * References + CVE-2007-4352 + CVE-2007-5392 + CVE-2007-5393 + + -- Jamie Strandboge Tue, 13 Nov 2007 10:07:37 -0500 + +poppler (0.5.1-0ubuntu7.2) dapper-security; urgency=low + + * SECURITY UPDATE: arbitrary code execution via crafted PDFs + * Add debian/patches/100_streampredictor_overflow.patch: upstream fixes. + * References + CVE-2007-3387 + + -- Kees Cook Tue, 07 Aug 2007 09:27:27 -0700 + +poppler (0.5.1-0ubuntu7.1) dapper-security; urgency=low + + * SECURITY UPDATE: Denial of Service. + * Add debian/patches/004_CVE-2007-0104.patch: + - Limit recursion depth of the parsing tree to 100 to avoid infinite loop + with crafted documents. + - Patch taken from koffice security update (which has a copy of xpdf + sources). + + -- Martin Pitt Tue, 16 Jan 2007 17:02:41 +0000 + +poppler (0.5.1-0ubuntu7) dapper; urgency=low + + * Add debian/patches/003_refcount.patch: Fix reference counting. Thanks to + Gary Coady for the patch! 
Closes: LP#24970 + + -- Martin Pitt Fri, 28 Apr 2006 16:13:29 +0200 + +poppler (0.5.1-0ubuntu6) dapper; urgency=low + + * Install poppler-page-transition into libpoppler-qt-dev (not + libpoppler-dev), since it comes from the Qt bindings. Closes: LP#32179 + + -- Martin Pitt Mon, 10 Apr 2006 12:20:46 +0200 + +poppler (0.5.1-0ubuntu5) dapper; urgency=low + + * debian/patches/000_incorrect_define_fix.patch: + - patch from the CVS, fix an incorrect boxes rendering (Ubuntu: #33239) + + -- Sebastien Bacher Thu, 23 Mar 2006 12:33:17 +0100 + +poppler (0.5.1-0ubuntu4) dapper; urgency=low + + * debian/control.in: libpoppler-dev needs to depend on libfontconfig1-dev, + because we directly include in GlobalParams.h + + -- Adam Conrad Thu, 16 Mar 2006 11:23:00 +1100 + +poppler (0.5.1-0ubuntu3) dapper; urgency=low + + * debian/control.in: Have poppler-utils Replace: xpdf-reader, since both + contain pdftoppm.1.gz. + + -- Martin Pitt Mon, 13 Mar 2006 09:10:12 +0100 + +poppler (0.5.1-0ubuntu2) dapper; urgency=low + + * debian/control.in: + - fix the libpoppler1 package description + + -- Sebastien Bacher Thu, 9 Mar 2006 09:43:15 +0000 + +poppler (0.5.1-0ubuntu1) dapper; urgency=low + + * New upstream version: + - Support for embedded files. + - Handle 0-width lines correctly. + - Avoid external file use when opening fonts. + - Only use vector fonts returned from fontconfig (#5758). + - Fix scaled 1x1 pixmaps use for drawing lines (#3387). + - drawSoftMaskedImage support in cairo backend. + - Misc bug fixes: #5922, #5946, #5749, #5952, #4030, #5420. 
+ * debian/control.in, debian/libpoppler0c2.dirs, + debian/libpoppler0c2-glib.dirs, debian/libpoppler0c2-glib.install, + debian/libpoppler0c2.install, debian/libpoppler0c2-qt.dirs, + debian/libpoppler0c2-qt.install, debian/rules: + - updated for the soname change + * debian/patches/000_splash_build_fix.patch: + - fix build when using splash + * debian/patches/001_fixes_for_fonts_selection.patch: + - fix with the new version + + -- Sebastien Bacher Mon, 6 Mar 2006 18:42:44 +0000 + +poppler (0.5.0-0ubuntu5) dapper; urgency=low + + * debian/control.in, debian/rules: + - build without libcairo + + -- Sebastien Bacher Sun, 26 Feb 2006 20:05:10 +0100 + +poppler (0.5.0-0ubuntu4) dapper; urgency=low + + * debian/patches/001_fixes_for_fonts_selection.patch: + - change from the CVS, fix some renderings issues and fonts selection + + -- Sebastien Bacher Tue, 7 Feb 2006 13:38:04 +0100 + +poppler (0.5.0-0ubuntu3) dapper; urgency=low + + * SECURITY UPDATE: Buffer overflow. + * Add debian/patches/002_CVE-2006-0301.patch: + - splash/Splash.cc, Splash::drawPixel(), Splash::drawSpan(), + Splash::xorSpan(): Check coordinates for integer overflow. + * CVE-2006-0301 + + -- Martin Pitt Fri, 3 Feb 2006 18:13:30 +0000 + +poppler (0.5.0-0ubuntu2) dapper; urgency=low + + * debian/rules: Bump shlibs version to 0.5.0. + + -- Martin Pitt Fri, 20 Jan 2006 16:56:40 +0100 + +poppler (0.5.0-0ubuntu1) dapper; urgency=low + + * New upstream release 0.5.0, required for new evince 0.5. + * Merge with Debian. + * Remove patches adopted upstream: + - debian/patches/000_add-poppler-utils.patch + - debian/patches/002-selection-crash-bug.patch + * debian/libpoppler-dev.install: + - Install poppler-page-transition.h. + - Do not install poppler-config.h, it doesn't exist any more. + - Upstream doesn't install legacy xpdf includes any more, fix path to + install them into libpoppler-dev. + * Add debian/patches/001_jpxstream_int_crash.patch: + - poppler/JPXStream.h: Fix declaration of cbW to be signed. 
+ JPXStream.cc, readCodeBlockData() negates the value, which results in an + invalid value on 64 bit platforms if using unsigned types. + - Thanks to Vladimir Nadvornik for pointing at this. + + -- Martin Pitt Thu, 19 Jan 2006 23:49:52 +0100 + +poppler (0.4.4-1) unstable; urgency=high + + * New upstream security release + - fixes CVE-2005-3624, CVE-2005-3625, CVE-2005-3627 + * Remove debian/patches/003-CVE-2005-3624_5_7.patch: + - Merged upstream + * Remove debian/patches/004-fix-CVE-2005-3192.patch: + - Merged upstream + * Remove debian/patches/001-relibtoolize.patch + - Upstream uses recent libtool + + -- Ondřej Surý Thu, 12 Jan 2006 20:40:27 +0100 + +poppler (0.4.3-3) unstable; urgency=low + + * Fix missing libcairo2-dev dependency (Closes: #346277) + + -- Ondřej Surý Fri, 6 Jan 2006 21:37:10 +0100 + +poppler (0.4.3-2) unstable; urgency=high + + [ Martin Pitt ] + * SECURITY UPDATE: Multiple integer/buffer overflows. + * Add debian/patches/003-CVE-2005-3624_5_7.patch: + - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream(): + + Check columns for negative or large values. + + CVE-2005-3624 + - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch: + + Reset numComps to 0 since it's a global variable that is used later. + + CVE-2005-3627 + - poppler/Stream.cc, DCTStream::readHuffmanTables(): + + Fix out of bounds array access in Huffman tables. + + CVE-2005-3627 + - poppler/Stream.cc, DCTStream::readMarker(): + + Check for EOF in while loop to prevent endless loops. + + CVE-2005-3625 + - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(), + JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg(): + + Check user supplied width and height against invalid values. + + Allocate one extra byte to prevent out of bounds access in combine(). + * Add debian/patches/004-fix-CVE-2005-3192.patch: + - Fix nVals int overflow check in StreamPredictor::StreamPredictor(). + - Forwarded upstream to https://bugs.freedesktop.org/show_bug.cgi?id=5514. 
+ + [ Ondřej Surý ] + * Merge changes from Ubuntu (Closes: #346076). + * Enable Cairo output again. + + -- Ondřej Surý Thu, 5 Jan 2006 14:54:44 +0100 + +poppler (0.4.3-1) unstable; urgency=high + + * New upstream release. + * New maintainer (Closes: #344738) + * CVE-2005-3191 and CAN-2005-2097 fixes merged upstream. + * Fixed some rendering bugs and disabled Cairo output + (Closes: #314556, #322964, #328211) + * Acknowledge NMU (Closes: #342288) + * Add 001-selection-crash-bug.patch (Closes: #330544) + * Add poppler-utils (merge patch from Ubuntu) + + -- Ondřej Surý Fri, 30 Dec 2005 11:34:07 +0100 + +poppler (0.4.2-1.1) unstable; urgency=high + + * SECURITY UPDATE: Multiple integer/buffer overflows. + + * NMU to fix RC security bug (closes: #342288) + * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu, + thanks to Martin Pitt: + * poppler/Stream.cc, DCTStream::readBaselineSOF(), + DCTStream::readProgressiveSOF(), DCTStream::readScanInfo(): + - Check numComps for invalid values. + - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities + - CVE-2005-3191 + * poppler/Stream.cc, StreamPredictor::StreamPredictor(): + - Check rowBytes for invalid values. + - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities + - CVE-2005-3192 + * poppler/JPXStream.cc, JPXStream::readCodestream(): + - Check img.nXTiles * img.nYTiles for integer overflow. + - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities + - CVE-2005-3193 + + -- Frank Küster Fri, 23 Dec 2005 16:36:30 +0100 + +poppler (0.4.2-1) unstable; urgency=low + + * GNOME Team upload. + * New upstream version. + * debian/control.in: + - updated the Build-Depends on libqt (Closes: #326130). + * debian/rules: + - updated the shlibs. + + -- Sebastien Bacher Wed, 7 Sep 2005 12:41:48 +0200 + +poppler (0.4.0-1) unstable; urgency=low + + * GNOME Team Upload. + * Rebuild for the CPP transition. 
+ * New upstream version (Closes: #311133): + - fix some crashers (Closes: #315590, #312261, #309410). + - fix some rendering defaults (Closes: #314441, #315383, #309697, #308785). + * debian/control.in, debian/rules: + - build with the current cairo version (Closes: #321368, #318293). + - update for the renamed the packages. + * debian/patches/01_CAN-2005-2097.patch: + - Patch from Ubuntu, thanks Martin Pitt. + - Check sanity of the TrueType "loca" table. Specially crafted broken + tables caused disk space exhaustion due to very large generated glyph + descriptions when attempting to fix the table. + - Upstream patch scheduled for xpdf 3.01. + - CAN-2005-2097 + * debian/watch: + - fixed, patch by Jerome Warnier (Closes: #310996). + + -- Sebastien Bacher Wed, 17 Aug 2005 21:54:07 +0200 + +poppler (0.3.1-1) unstable; urgency=low + + * New upstream release + * Upstream fixed the Qt build bug, so now I can enable Qt + build. (Closes:#307340) It leads two new binary packages + libpoppler0-qt and libpoppler-qt-dev. + * Excluded DEB_CONFIGURE_SYSCONFDIR setting, which is obsolete by the + upstream removal of xpdfrc config. + + -- Changwoo Ryu Wed, 4 May 2005 00:19:35 +0900 + +poppler (0.3.0-2) unstable; urgency=high + + * Added shlib version info for libpoppler0-glib. + * Corrected dependencies of libpoppler0-glib and libpoppler-glib-dev. + (Closes: #306897) + * Build-Depends on libgtk2.0-dev for -glib packages. (Closes: #306885) + * Corrected descriptions of -glib packages. + + -- Changwoo Ryu Thu, 28 Apr 2005 02:41:25 +0900 + +poppler (0.3.0-1) unstable; urgency=low + + * New upstream release (Closes: #306573) + * Added new binary packages libpoppler0-glib and libpoppler-glib-dev, + which are GLib-based interfaces. Qt interface build is termporarily + disabled, because of an upstream FTBFS. 
+
+ -- Changwoo Ryu Thu, 28 Apr 2005 02:07:23 +0900
+
+poppler (0.1.2-1) unstable; urgency=low
+
+ * Initial Release (Closes: #299518)
+
+ -- Changwoo Ryu Tue, 15 Mar 2005 02:08:00 +0900
--- poppler-0.5.1.orig/debian/compat
+++ poppler-0.5.1/debian/compat
@@ -0,0 +1 @@
+4
--- poppler-0.5.1.orig/debian/control.in
+++ poppler-0.5.1/debian/control.in
@@ -0,0 +1,77 @@
+Source: poppler
+Section: devel
+Priority: optional
+Maintainer: Ondřej Surý
+Uploaders: @GNOME_TEAM@
+Build-Depends: cdbs, debhelper, gnome-pkg-tools, libgtk2.0-dev, libqt3-mt-dev (>= 3:3.3.4-4)
+Standards-Version: 3.6.1.1
+
+Package: libpoppler1
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: PDF rendering library
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package contains the shared library.
+
+Package: libpoppler-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1 (= ${Source-Version}), libfontconfig1-dev
+Description: PDF rendering library -- development files
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package contains the headers and development libraries needed to
+ build applications using Poppler.
+
+Package: libpoppler1-glib
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, libpoppler1 (= ${Source-Version}), ${misc:Depends}
+Description: PDF rendering library (GLib-based shared library)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides the GLib-based shared library for applications
+ using the GLib interface to Poppler.
+
+Package: libpoppler-glib-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1-glib (= ${Source-Version}), libpoppler-dev (= ${Source-Version}), libglib2.0-dev
+Description: PDF rendering library -- development files (GLib interface)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides a GLib-style interface to Poppler.
+
+Package: libpoppler1-qt
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, libpoppler1 (= ${Source-Version}), ${misc:Depends}
+Description: PDF rendering library (Qt-based shared library)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides the Qt-based shared library for applications
+ using the Qt interface to Poppler.
+
+Package: libpoppler-qt-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1-qt (= ${Source-Version}), libpoppler-dev (=${Source-Version}), libqt3-mt-dev
+Description: PDF rendering library -- development files (Qt interface)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides a Qt-style interface to Poppler.
+
+Package: poppler-utils
+Architecture: any
+Section: utils
+Depends: ${shlibs:Depends}
+Conflicts: xpdf-utils, pdftohtml
+Replaces: xpdf-utils, pdftohtml, xpdf-reader
+Provides: xpdf-utils, pdftohtml
+Description: PDF utilitites (based on libpoppler)
+ This package contains pdftops (PDF to PostScript converter),
+ pdfinfo (PDF document information extractor), pdfimages
+ (PDF image extractor), pdftotext (PDF to text converter), and
+ pdffonts (PDF font analyzer).
--- poppler-0.5.1.orig/debian/copyright
+++ poppler-0.5.1/debian/copyright
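Review bot: The `poppler-utils` stanza at the end of the debian/control.in hunk declares only `Depends: ${shlibs:Depends}`, whereas the three shared-library stanzas in the same file pair it with `${misc:Depends}`. For consistency, and so that any debhelper-generated dependencies are not silently dropped, it should read `Depends: ${shlibs:Depends}, ${misc:Depends}`. The same stanza's short description contains a typo, `PDF utilitites`, which should be `PDF utilities`. In the `libpoppler-qt-dev` stanza `(=${Source-Version})` lacks the space used in every other versioned relation, `(= ${Source-Version})`. The debian/control hunk further down repeats all three lines, so the fix belongs in control.in and the generated file should be refreshed from it.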
@@ -0,0 +1,29 @@
+This package was debianized by Changwoo Ryu .
+
+It was downloaded from http://poppler.freedesktop.org
+
+Copyright:
+
+ Copyright (C) 1996-2003 Glyph & Cog, LLC
+
+Upstream Author:
+ Kristian Høgsberg
+
+License:
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+On Debian systems, the complete text of the GNU General
+Public License can be found in `/usr/share/common-licenses/GPL'.
--- poppler-0.5.1.orig/debian/watch
+++ poppler-0.5.1/debian/watch
@@ -0,0 +1,2 @@
+version=2
+http://poppler.freedesktop.org/ poppler-(.*)\.tar\.gz debian uupdate
--- poppler-0.5.1.orig/debian/control
+++ poppler-0.5.1/debian/control
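Review bot: The debian/watch hunk has uscan look for new upstream tarballs at `http://poppler.freedesktop.org/` and hand the result to `uupdate`, so the next upstream import travels over cleartext HTTP with no integrity check visible in this packaging. If the host serves TLS, the line should use the https form, `https://poppler.freedesktop.org/ poppler-(.*)\.tar\.gz debian uupdate`. Signature checking through uscan's `pgpsigurlmangle` option needs a newer watch format than `version=2`, and the page does not show whether upstream publishes detached signatures, so that part needs confirming before it is adopted. Until then the downloaded tarball should be compared against an upstream-published checksum before it is imported, which matters for a PDF parser whose changelog in this same diff lists several memory-safety CVEs.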
@@ -0,0 +1,77 @@
+Source: poppler
+Section: devel
+Priority: optional
+Maintainer: Ondřej Surý
+Uploaders: Debian GNOME Maintainers , Akira TAGOH , Andreas Rottmann , Andrew Lau , Carlos Perelló Marín , Clément Stenac , Ed Boraas , Edd Dumbill , Emil Soleyman-Zomalan , Guilherme de S. Pastore , Gustavo Noronha Silva , J.H.M. Dassen (Ray) , Joe Drew , Johannes Rohr , Jordi Mallach , Jose Carlos Garcia Sogo , Josselin Mouette , Loic Minier , Marc 'HE' Brockschmidt , Rob Bradford , Robert McQueen , Ross Burton , Sebastien Bacher , Sjoerd Simons , Takuo KITAME
+Build-Depends: cdbs, debhelper, gnome-pkg-tools, libgtk2.0-dev, libqt3-mt-dev (>= 3:3.3.4-4)
+Standards-Version: 3.6.1.1
+
+Package: libpoppler1
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: PDF rendering library
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package contains the shared library.
+
+Package: libpoppler-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1 (= ${Source-Version}), libfontconfig1-dev
+Description: PDF rendering library -- development files
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package contains the headers and development libraries needed to
+ build applications using Poppler.
+
+Package: libpoppler1-glib
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, libpoppler1 (= ${Source-Version}), ${misc:Depends}
+Description: PDF rendering library (GLib-based shared library)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides the GLib-based shared library for applications
+ using the GLib interface to Poppler.
+
+Package: libpoppler-glib-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1-glib (= ${Source-Version}), libpoppler-dev (= ${Source-Version}), libglib2.0-dev
+Description: PDF rendering library -- development files (GLib interface)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides a GLib-style interface to Poppler.
+
+Package: libpoppler1-qt
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, libpoppler1 (= ${Source-Version}), ${misc:Depends}
+Description: PDF rendering library (Qt-based shared library)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides the Qt-based shared library for applications
+ using the Qt interface to Poppler.
+
+Package: libpoppler-qt-dev
+Architecture: any
+Section: libdevel
+Depends: libpoppler1-qt (= ${Source-Version}), libpoppler-dev (=${Source-Version}), libqt3-mt-dev
+Description: PDF rendering library -- development files (Qt interface)
+ Poppler is a PDF rendering library based on xpdf PDF viewer.
+ .
+ This package provides a Qt-style interface to Poppler.
+
+Package: poppler-utils
+Architecture: any
+Section: utils
+Depends: ${shlibs:Depends}
+Conflicts: xpdf-utils, pdftohtml
+Replaces: xpdf-utils, pdftohtml, xpdf-reader
+Provides: xpdf-utils, pdftohtml
+Description: PDF utilitites (based on libpoppler)
+ This package contains pdftops (PDF to PostScript converter),
+ pdfinfo (PDF document information extractor), pdfimages
+ (PDF image extractor), pdftotext (PDF to text converter), and
+ pdffonts (PDF font analyzer).
--- poppler-0.5.1.orig/debian/libpoppler-glib-dev.dirs
+++ poppler-0.5.1/debian/libpoppler-glib-dev.dirs
@@ -0,0 +1,3 @@
+usr/include/poppler
+usr/lib
+usr/lib/pkgconfig
--- poppler-0.5.1.orig/debian/libpoppler1-glib.install
+++ poppler-0.5.1/debian/libpoppler1-glib.install
@@ -0,0 +1 @@
+debian/tmp/usr/lib/libpoppler-glib.so.*