From 08a23d586ef25cd1a3235f1233c77a1e9b21917e Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Mon, 28 May 2018 15:33:06 +0200
Subject: [PATCH] Fix infinite recursion (CVE-2017-18267)

Resolves: #1578780
---
CVE-2017-18267.patch | 52 ++++++++++++++++++++++++++++++++++++++++++++
poppler.spec | 9 +++++++-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 CVE-2017-18267.patch

diff --git a/CVE-2017-18267.patch b/CVE-2017-18267.patch
new file mode 100644
index 0000000..75a9105
--- /dev/null
+++ b/CVE-2017-18267.patch
@@ -0,0 +1,52 @@
+From 60b4fe65bc9dc9b82bbadf0be2e3781be796a13d Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Tue, 1 May 2018 02:46:17 +0200
+Subject: FoFiType1C::cvtGlyph: Fix infinite recursion on malformed documents
+
+Bugs #104942, #103238
+---
+ fofi/FoFiType1C.cc | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc
+index 03e7799..b14561f 100644
+--- a/fofi/FoFiType1C.cc
++++ b/fofi/FoFiType1C.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2009, 2010, 2017 Albert Astals Cid
++// Copyright (C) 2009, 2010, 2017, 2018 Albert Astals Cid
+ // Copyright (C) 2012 Thomas Freitag
+ //
+ // To see a description of the changes please see the Changelog file that
+@@ -32,6 +32,7 @@
+ #include
+ #include "goo/gmem.h"
+ #include "goo/gstrtod.h"
++#include "goo/GooLikely.h"
+ #include "goo/GooString.h"
+ #include "poppler/Error.h"
+ #include "FoFiEncodings.h"
+@@ -1361,7 +1362,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ --nOps;
+ ok = gTrue;
+ getIndexVal(subrIdx, k, &val, &ok);
+- if (ok) {
++ if (likely(ok && val.pos != offset)) {
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ }
+ } else {
+@@ -1596,7 +1597,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
+ --nOps;
+ ok = gTrue;
+ getIndexVal(&gsubrIdx, k, &val, &ok);
+- if (ok) {
++ if (likely(ok && val.pos != offset)) {
+ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+ }
+ } else {
+--
+cgit v1.1
+
diff --git a/poppler.spec b/poppler.spec
index caccc89..788a713 100644
--- a/poppler.spec
+++ b/poppler.spec
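Review bot: The added guard `val.pos != offset` in both cvtGlyph hunks of fofi/FoFiType1C.cc (the subrIdx call near line 1362 and the gsubrIdx call near line 1597) only rejects a subroutine whose index entry points back at the offset currently being converted; a cycle that passes through two or more subroutines, or simply very deep nesting, is not bounded by this comparison. Because the charstring data comes from a font embedded in the document, a recursion limit would be more robust: carry a depth counter (or the set of offsets currently in progress) through the recursive cvtGlyph call and report an error once it is exceeded, with a condition of the form `ok && val.pos != offset && depth < maxDepth` (names illustrative, not from the file). Wrapping the check in `likely()` is only a branch hint and does not change the outcome. The body of cvtGlyph lies outside these hunks, so whether another bound already exists elsewhere cannot be confirmed from here.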
@@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.63.0 -Release: 1%{?dist} +Release: 2%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -15,6 +15,9 @@ Source1: %{name}-test-%{test_date}_%{test_sha}.tar.xz Patch0: poppler-0.30.0-rotated-words-selection.patch Patch1: 0001-Revert-Remove-the-Qt4-frontend.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1578780 +Patch3: CVE-2017-18267.patch + BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: gettext-devel @@ -245,6 +248,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Mon May 28 2018 Marek Kasik - 0.63.0-2 +- Fix infinite recursion (CVE-2017-18267) +- Resolves: #1578780 + * Fri Mar 23 2018 Marek Kasik - 0.63.0-1 - Update to 0.63.0 - Resolves: #1558001
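Review bot: Patch3 is declared in the second poppler.spec hunk, but none of the three hunks adds a matching `%patch3 -p1` line in %prep, and the diffstat for this file (8 insertions, 1 deletion) is fully accounted for by the Release, Patch3 and %changelog lines. If %prep uses `%autosetup`, the patch is applied automatically; if it lists patches explicitly, the CVE-2017-18267 fix would ship in the source package without ever being applied to the build. The %prep section is outside these hunks, so this should be confirmed against the full spec, ideally with a build log showing CVE-2017-18267.patch being applied.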