Fix crash when Object has negative number

This fixes CVE-2018-13988.

Resolves: #1607461

poppler-0.63.0-negative-object-number.patch

@@ -0,0 +1,25 @@
+From 004e3c10df0abda214f0c293f9e269fdd979c5ee Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Wed, 18 Jul 2018 20:31:27 +0200
+Subject: Fix crash when Object has negative number
+
+Spec says object number has to be > 0 and gen has to be >= 0
+
+Reported by email
+
+diff --git a/poppler/Parser.cc b/poppler/Parser.cc
+index 39c9a967..8b0093e3 100644
+--- a/poppler/Parser.cc
++++ b/poppler/Parser.cc
+@@ -154,6 +154,11 @@ Object Parser::getObj(GBool simpleOnly,
+       const int gen = buf1.getInt();
+       shift();
+       shift();
++
++      if (unlikely(num <= 0 || gen < 0)) {
++          return Object();
++      }
++
+       return Object(num, gen);
+     } else {
+       return Object(num);

poppler.spec

@@ -4,7 +4,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 0.63.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@@ -20,6 +20,9 @@ Patch3:  CVE-2017-18267.patch
 
 Patch4:  poppler-0.63.0-python3.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1602838
+Patch5:  poppler-0.63.0-negative-object-number.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: gettext-devel
@@ -250,6 +253,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Thu Jul 26 2018 Marek Kasik <mkasik@redhat.com> - 0.63.0-5
+- Fix crash when Object has negative number (CVE-2018-13988)
+- Resolves: #1607461
+
 * Mon Jul 23 2018 Marek Kasik <mkasik@redhat.com> - 0.63.0-4
 - Use /usr/bin/python3 explicitly
 - https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3#Transition_Steps