Fix infinite recursion (CVE-2017-18267)

Resolves: #1578780
2018-05-28 15:33:06 +02:00 · 2018-05-28 15:33:06 +02:00 · 08a23d586e
commit 08a23d586e
parent e69944d799
2 changed files with 60 additions and 1 deletions
--- a/CVE-2017-18267.patch
+++ b/CVE-2017-18267.patch
@ -0,0 +1,52 @@
+From 60b4fe65bc9dc9b82bbadf0be2e3781be796a13d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 1 May 2018 02:46:17 +0200
+Subject: FoFiType1C::cvtGlyph: Fix infinite recursion on malformed documents
+
+Bugs #104942, #103238
+---
+ fofi/FoFiType1C.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
+index 03e7799..b14561f 100644
+--- a/fofi/FoFiType1C.cc
+++ b/fofi/FoFiType1C.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2009, 2010, 2017 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2009, 2010, 2017, 2018 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2012 Thomas Freitag <Thomas.Freitag@alfa.de>
+ //
+ // To see a description of the changes please see the Changelog file that
+@@ -32,6 +32,7 @@
+ #include <math.h>
+ #include "goo/gmem.h"
+ #include "goo/gstrtod.h"
+#include "goo/GooLikely.h"
+ #include "goo/GooString.h"
+ #include "poppler/Error.h"
+ #include "FoFiEncodings.h"
+@@ -1361,7 +1362,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ 	  --nOps;
+ 	  ok = gTrue;
+ 	  getIndexVal(subrIdx, k, &val, &ok);
+-	  if (ok) {
+	  if (likely(ok && val.pos != offset)) {
+ 	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ 	  }
+ 	} else {
+@@ -1596,7 +1597,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ 	  --nOps;
+ 	  ok = gTrue;
+ 	  getIndexVal(&gsubrIdx, k, &val, &ok);
+-	  if (ok) {
+	  if (likely(ok && val.pos != offset)) {
+ 	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ 	  }
+ 	} else {
+-- 
+cgit v1.1
+
--- a/poppler.spec
+++ b/poppler.spec
@ -4,7 +4,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 0.63.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -15,6 +15,9 @@ Source1: %{name}-test-%{test_date}_%{test_sha}.tar.xz
 Patch0:  poppler-0.30.0-rotated-words-selection.patch
 Patch1:  0001-Revert-Remove-the-Qt4-frontend.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=1578780
+Patch3:  CVE-2017-18267.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: gettext-devel
@ -245,6 +248,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*

 %changelog
+* Mon May 28 2018 Marek Kasik <mkasik@redhat.com> - 0.63.0-2
+- Fix infinite recursion (CVE-2017-18267)
+- Resolves: #1578780
+
 * Fri Mar 23 2018 Marek Kasik <mkasik@redhat.com> - 0.63.0-1
 - Update to 0.63.0
 - Resolves: #1558001