From 117c19cf2fb4f58442e72c4f13c9678f9dd90f05 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Mon, 1 Apr 2019 13:28:03 +0200
Subject: [PATCH] Constrain number of cycles in rescale filter and compute correct coverage values for box filter.
Resolves: #1686803
---
 poppler-0.73.0-coverage-values.patch | 35 ++++++++++
 poppler-0.73.0-rescale-filter.patch | 100 +++++++++++++++++++++++++++
 poppler.spec | 11 ++-
 3 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 poppler-0.73.0-coverage-values.patch
 create mode 100644 poppler-0.73.0-rescale-filter.patch
diff --git a/poppler-0.73.0-coverage-values.patch b/poppler-0.73.0-coverage-values.patch
new file mode 100644
index 0000000..74cb731
--- /dev/null
+++ b/poppler-0.73.0-coverage-values.patch
@@ -0,0 +1,35 @@
+From d716e636231c8d636bf2139896d817b66fe6d510 Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Thu, 21 Mar 2019 13:15:37 +0100
+Subject: [PATCH 1/2] cairo: Compute correct coverage values for box filter
+
+Use double precision for computation of coverage
+of the left most pixel in the box filter.
+
+Issue #736
+---
+ poppler/CairoRescaleBox.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
+index b8371a5b..d7615010 100644
+--- a/poppler/CairoRescaleBox.cc
++++ b/poppler/CairoRescaleBox.cc
+@@ -226,10 +227,10 @@ static int compute_coverage (int coverage[], int src_length, int dest_length)
+ /* I have a proof of this, which this margin is too narrow to contain */
+ for (i=0; i
+Date: Thu, 21 Mar 2019 13:47:51 +0100
+Subject: [PATCH 2/2] cairo: Constrain number of cycles in rescale filter
+
+Pass address of the first byte after end of the source buffer
+to downsample_row_box_filter() so that we can check
+that we don't run out of it.
+
+Fixes issue #736
+---
+ poppler/CairoRescaleBox.cc | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
+index d7615010..7fd07041 100644
+--- a/poppler/CairoRescaleBox.cc
++++ b/poppler/CairoRescaleBox.cc
+@@ -62,7 +62,7 @@
+
+ static void downsample_row_box_filter (
+ int start, int width,
+- uint32_t *src, uint32_t *dest,
++ uint32_t *src, uint32_t *src_limit, uint32_t *dest,
+ int coverage[], int pixel_coverage)
+ {
+ /* we need an array of the pixel contribution of each destination pixel on the boundaries.
+@@ -90,13 +90,13 @@ static void downsample_row_box_filter (
+ /* skip to start */
+ /* XXX: it might be possible to do this directly instead of iteratively, however
+ * the iterative solution is simple */
+- while (x < start)
++ while (x < start && src < src_limit)
+ {
+ int box = 1 << FIXED_SHIFT;
+ int start_coverage = coverage[x];
+ box -= start_coverage;
+ src++;
+- while (box >= pixel_coverage)
++ while (box >= pixel_coverage && src < src_limit)
+ {
+ src++;
+ box -= pixel_coverage;
+@@ -104,7 +104,7 @@ static void downsample_row_box_filter (
+ x++;
+ }
+
+- while (x < start + width)
++ while (x < start + width && src < src_limit)
+ {
+ uint32_t a = 0;
+ uint32_t r = 0;
+@@ -121,7 +121,7 @@ static void downsample_row_box_filter (
+ x++;
+ box -= start_coverage;
+
+- while (box >= pixel_coverage)
++ while (box >= pixel_coverage && src < src_limit)
+ {
+ a += ((*src >> 24) & 0xff) * pixel_coverage;
+ r += ((*src >> 16) & 0xff) * pixel_coverage;
+@@ -135,7 +135,7 @@ static void downsample_row_box_filter (
+ /* multiply by whatever is leftover
+ * this ensures that we don't bias down.
+ * i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */
+- if (box > 0)
++ if (box > 0 && src < src_limit)
+ {
+ a += ((*src >> 24) & 0xff) * box;
+ r += ((*src >> 16) & 0xff) * box;
+@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ int start_coverage_y = y_coverage[dest_y];
+
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ src_y++;
+ box -= start_coverage_y;
+@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ while (box >= pixel_coverage_y)
+ {
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ src_y++;
+ box -= pixel_coverage_y;
+@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
+ if (box > 0)
+ {
+ getRow(src_y, scanline);
+- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
++ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ columns++;
+ }
+
+--
+2.20.1
+
diff --git a/poppler.spec b/poppler.spec
index 22478b6..c9b7c53 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -4,7 +4,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.73.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL: http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
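Review bot: When `src < src_limit` ends the main `while (x < start + width && src < src_limit)` loop of downsample_row_box_filter() early (poppler-0.73.0-rescale-filter.patch), the destination pixels for the remaining columns are never written, and since the function still returns void, downScaleImage() cannot tell that the row was truncated. The allocation of temp_buf lies outside the hunks, so it cannot be confirmed here that the memory is zeroed; if it is not, a malformed image trades the out-of-bounds read for stale heap contents blended into the rendered output. Filling the tail after the loop, e.g. `for (; x < start + width; x++) *dest++ = 0;`, would keep the result deterministic, assuming dest is advanced once per written pixel in the part of the body that the hunks do not show. The limit `scanline + orig_width` is only correct if scanline holds at least orig_width pixels, which is also allocated outside the visible lines, and a comment on the new parameter such as `/* src_limit: one past the last readable pixel of src */` would document that contract.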
@@ -34,6 +34,10 @@ Patch10: poppler-0.73.0-image-stream-getline.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1691724
 Patch11: poppler-0.73.0-stack-overflow.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1686802
+Patch12: poppler-0.73.0-coverage-values.patch
+Patch13: poppler-0.73.0-rescale-filter.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: gettext-devel
@@ -264,6 +268,11 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*
 %changelog
+* Mon Apr 1 2019 Marek Kasik - 0.73.0-8
+- Constrain number of cycles in rescale filter
+- Compute correct coverage values for box filter
+- Resolves: #1686803
+
 * Mon Apr 1 2019 Marek Kasik - 0.73.0-7
 - Fix stack overflow on broken file
 - Resolves: #1691725