diff --git a/SOURCES/poppler-20.11.0-XRef-check-isDict.patch b/SOURCES/poppler-20.11.0-XRef-check-isDict.patch new file mode 100644 index 0000000..0f0cca5 --- /dev/null +++ b/SOURCES/poppler-20.11.0-XRef-check-isDict.patch @@ -0,0 +1,21 @@ +From dcd5bd8238ea448addd102ff045badd0aca1b990 Mon Sep 17 00:00:00 2001 +From: crt +Date: Wed, 27 Jul 2022 08:40:02 +0000 +Subject: pdfseparate: Check XRef's Catalog for being a Dict + + +diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc +index 351140af..c26a41c4 100644 +--- a/poppler/PDFDoc.cc ++++ b/poppler/PDFDoc.cc +@@ -886,6 +886,10 @@ int PDFDoc::savePageAs(const GooString &name, int pageNo) + + // get and mark output intents etc. + Object catObj = getXRef()->getCatalog(); ++ if (!catObj.isDict()) { ++ error(errSyntaxError, -1, "XRef's Catelog is not a dictionary"); ++ return errOpenFile; ++ } + Dict *catDict = catObj.getDict(); + Object pagesObj = catDict->lookup("Pages"); + Object afObj = catDict->lookupNF("AcroForm").copy(); diff --git a/SOURCES/poppler-20.11.0-check-isDict.patch b/SOURCES/poppler-20.11.0-check-isDict.patch new file mode 100644 index 0000000..22c4090 --- /dev/null +++ b/SOURCES/poppler-20.11.0-check-isDict.patch @@ -0,0 +1,34 @@ +--- a/poppler/PDFDoc.cc ++++ b/poppler/PDFDoc.cc +@@ -1757,6 +1757,9 @@ void PDFDoc::replacePageDict(int pageNo, + { + Ref *refPage = getCatalog()->getPageRef(pageNo); + Object page = getXRef()->fetch(*refPage); ++ if (!page.isDict()) { ++ return; ++ } + Dict *pageDict = page.getDict(); + pageDict->remove("MediaBoxssdf"); + pageDict->remove("MediaBox"); +--- a/utils/pdfunite.cc ++++ b/utils/pdfunite.cc +@@ -293,9 +293,18 @@ int main(int argc, char *argv[]) + const PDFRectangle *cropBox = nullptr; + if (docs[i]->getCatalog()->getPage(j)->isCropped()) + cropBox = docs[i]->getCatalog()->getPage(j)->getCropBox(); +- docs[i]->replacePageDict(j, docs[i]->getCatalog()->getPage(j)->getRotate(), docs[i]->getCatalog()->getPage(j)->getMediaBox(), cropBox); + Ref *refPage = docs[i]->getCatalog()->getPageRef(j); + Object page = docs[i]->getXRef()->fetch(*refPage); ++ if (!page.isDict()) { ++ fclose(f); ++ delete yRef; ++ delete countRef; ++ delete outStr; ++ error(errSyntaxError, -1, "PDFDoc::replacePageDict failed."); ++ return -1; ++ } else { ++ docs[i]->replacePageDict(j, docs[i]->getCatalog()->getPage(j)->getRotate(), docs[i]->getCatalog()->getPage(j)->getMediaBox(), cropBox); ++ } + Dict *pageDict = page.getDict(); + Object *resDict = docs[i]->getCatalog()->getPage(j)->getResourceDictObject(); + if (resDict->isDict()) { diff --git a/SOURCES/poppler-20.11.0-pdfunite-broken-document.patch b/SOURCES/poppler-20.11.0-pdfunite-broken-document.patch new file mode 100644 index 0000000..11e4004 --- /dev/null +++ b/SOURCES/poppler-20.11.0-pdfunite-broken-document.patch @@ -0,0 +1,48 @@ +From efb68686784f0c58668b7ced990fd173e09346db Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Thu, 18 Aug 2022 23:41:24 +0200 +Subject: pdfunite: Don't crash in broken documents + + +diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc +index 86e75555..a154f40d 100644 +--- a/utils/pdfunite.cc ++++ b/utils/pdfunite.cc +@@ -106,16 +106,21 @@ static void doMergeNameDict(PDFDoc *doc, XRef *srcXRef, XRef *countRef, int oldR + } + } + +-static void doMergeFormDict(Dict *srcFormDict, Dict *mergeFormDict, int numOffset) ++static bool doMergeFormDict(Dict *srcFormDict, Dict *mergeFormDict, int numOffset) + { + Object srcFields = srcFormDict->lookup("Fields"); + Object mergeFields = mergeFormDict->lookup("Fields"); + if (srcFields.isArray() && mergeFields.isArray()) { + for (int i = 0; i < mergeFields.arrayGetLength(); i++) { + const Object &value = mergeFields.arrayGetNF(i); ++ if (!value.isRef()) { ++ error(errSyntaxError, -1, "Fields object is not a Ref."); ++ return false; ++ } + srcFields.arrayAdd(Object({ value.getRef().num + numOffset, value.getRef().gen })); + } + } ++ return true; + } + + /////////////////////////////////////////////////////////////////////////// +@@ -332,7 +337,13 @@ int main(int argc, char *argv[]) + if (afObj.isNull()) { + afObj = pageCatDict->lookupNF("AcroForm").copy(); + } else if (afObj.isDict()) { +- doMergeFormDict(afObj.getDict(), pageForm.getDict(), numOffset); ++ if (!doMergeFormDict(afObj.getDict(), pageForm.getDict(), numOffset)) { ++ fclose(f); ++ delete yRef; ++ delete countRef; ++ delete outStr; ++ return -1; ++ } + } + } + objectsCount += docs[i]->writePageObjects(outStr, yRef, numOffset, true); diff --git a/SOURCES/poppler-20.11.0-pdfunite-check-isDict.patch b/SOURCES/poppler-20.11.0-pdfunite-check-isDict.patch new file mode 100644 index 0000000..2ffdf72 --- /dev/null +++ b/SOURCES/poppler-20.11.0-pdfunite-check-isDict.patch @@ -0,0 +1,41 @@ +From 4631115647c1e4f0482ffe0491c2f38d2231337b Mon Sep 17 00:00:00 2001 +From: crt +Date: Fri, 29 Jul 2022 20:51:11 +0000 +Subject: Check isDict before calling getDict + +Issue #1276 + +diff --git a/utils/pdfunite.cc b/utils/pdfunite.cc +index b96b0378..050927d3 100644 +--- a/utils/pdfunite.cc ++++ b/utils/pdfunite.cc +@@ -197,6 +197,14 @@ int main(int argc, char *argv[]) + Object ocObj; + if (docs.size() >= 1) { + Object catObj = docs[0]->getXRef()->getCatalog(); ++ if(!catObj.isDict()){ ++ fclose(f); ++ delete yRef; ++ delete countRef; ++ delete outStr; ++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary."); ++ return -1; ++ } + Dict *catDict = catObj.getDict(); + intents = catDict->lookup("OutputIntents"); + afObj = catDict->lookupNF("AcroForm").copy(); +@@ -295,6 +303,14 @@ int main(int argc, char *argv[]) + } + } + Object pageCatObj = docs[i]->getXRef()->getCatalog(); ++ if(!pageCatObj.isDict()){ ++ fclose(f); ++ delete yRef; ++ delete countRef; ++ delete outStr; ++ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary."); ++ return -1; ++ } + Dict *pageCatDict = pageCatObj.getDict(); + Object pageNames = pageCatDict->lookup("Names"); + if (!pageNames.isNull() && pageNames.isDict()) { diff --git a/SPECS/poppler.spec b/SPECS/poppler.spec index f371dcc..599a92a 100644 --- a/SPECS/poppler.spec +++ b/SPECS/poppler.spec @@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 20.11.0 -Release: 6%{?dist} +Release: 10%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -33,6 +33,18 @@ Patch24: poppler-20.11.0-hints.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2124527 Patch25: poppler-20.11.0-jbig-symbol-overflow.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2189815 +Patch26: poppler-20.11.0-pdfunite-broken-document.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=2189811 +Patch27: poppler-20.11.0-pdfunite-check-isDict.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=2189814 +Patch28: poppler-20.11.0-check-isDict.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=2189810 +Patch29: poppler-20.11.0-XRef-check-isDict.patch + BuildRequires: cmake BuildRequires: gettext-devel BuildRequires: pkgconfig(cairo) @@ -237,6 +249,22 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Fri Jun 9 2023 Marek Kasik - 21.01.0-10 +- Check XRef's Catalog for being a Dict +- Resolves: #2189816 + +* Fri Jun 9 2023 Marek Kasik - 20.11.0-9 +- Check isDict before calling getDict 2 +- Resolves: #2189837 + +* Fri Jun 9 2023 Marek Kasik - 20.11.0-8 +- Check isDict before calling getDict +- Resolves: #2189823 + +* Fri Jun 9 2023 Marek Kasik - 20.11.0-7 +- Don't crash in broken documents +- Resolves: #2189844 + * Tue Sep 20 2022 Marek Kasik - 20.11.0-6 - Check for overflow when computing number of symbols - in JBIG2 text region