diff --git a/0001-pdfunite-Fix-crash-with-broken-documents.patch b/0001-pdfunite-Fix-crash-with-broken-documents.patch new file mode 100644 index 0000000..8dafa2c --- /dev/null +++ b/0001-pdfunite-Fix-crash-with-broken-documents.patch @@ -0,0 +1,60 @@ +From 5c9b08a875b07853be6c44e43ff5f7f059df666a Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Sat, 27 May 2017 00:09:17 +0200 +Subject: [PATCH] pdfunite: Fix crash with broken documents + +Sometimes we can't parse pages so check before accessing them + +Thanks to Jiaqi Peng for the report + +Fixes bugs #101153 and #101149 +--- + utils/pdfunite.cc | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc +index dfe48bf..c32e201 100644 +--- a/utils/pdfunite.cc ++++ b/utils/pdfunite.cc +@@ -7,7 +7,7 @@ + // Copyright (C) 2011-2015, 2017 Thomas Freitag + // Copyright (C) 2012 Arseny Solokha + // Copyright (C) 2012 Fabio D'Urso +-// Copyright (C) 2012, 2014 Albert Astals Cid ++// Copyright (C) 2012, 2014, 2017 Albert Astals Cid + // Copyright (C) 2013 Adrian Johnson + // Copyright (C) 2013 Hib Eris + // Copyright (C) 2015 Arthur Stavisky +@@ -268,15 +268,15 @@ int main (int argc, char *argv[]) + catDict->lookup("OutputIntents", &intents); + catDict->lookupNF("AcroForm", &afObj); + Ref *refPage = docs[0]->getCatalog()->getPageRef(1); +- if (!afObj.isNull()) { ++ if (!afObj.isNull() && refPage) { + docs[0]->markAcroForm(&afObj, yRef, countRef, 0, refPage->num, refPage->num); + } + catDict->lookupNF("OCProperties", &ocObj); +- if (!ocObj.isNull() && ocObj.isDict()) { ++ if (!ocObj.isNull() && ocObj.isDict() && refPage) { + docs[0]->markPageObjects(ocObj.getDict(), yRef, countRef, 0, refPage->num, refPage->num); + } + catDict->lookup("Names", &names); +- if (!names.isNull() && names.isDict()) { ++ if (!names.isNull() && names.isDict() && refPage) { + docs[0]->markPageObjects(names.getDict(), yRef, countRef, 0, refPage->num, refPage->num); + } + if (intents.isArray() && intents.arrayGetLength() > 0) { +@@ -353,6 +353,10 @@ int main (int argc, char *argv[]) + + for (i = 0; i < (int) docs.size(); i++) { + for (j = 1; j <= docs[i]->getNumPages(); j++) { ++ if (!docs[i]->getCatalog()->getPage(j)) { ++ continue; ++ } ++ + PDFRectangle *cropBox = NULL; + if (docs[i]->getCatalog()->getPage(j)->isCropped()) + cropBox = docs[i]->getCatalog()->getPage(j)->getCropBox(); +-- +2.9.3 + diff --git a/poppler.spec b/poppler.spec index 799cd5d..9f9fd8d 100644 --- a/poppler.spec +++ b/poppler.spec @@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.55.0 -Release: 1%{?dist} +Release: 2%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -13,6 +13,7 @@ Source1: %{name}-test-%{test_date}_%{test_sha}.tar.xz # https://bugzilla.redhat.com/show_bug.cgi?id=1185007 Patch0: poppler-0.30.0-rotated-words-selection.patch +Patch1: 0001-pdfunite-Fix-crash-with-broken-documents.patch BuildRequires: gettext-devel BuildRequires: pkgconfig(cairo) @@ -277,6 +278,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_bindir}/poppler-glib-demo %changelog +* Tue May 30 2017 Caolán McNamara - 0.51.0-2 +- Resolves: rhbz#1456828 CVE-2017-7511 Null pointer deference + * Tue May 23 2017 David Tardon - 0.55.0-1 - new upstream release