From 7d52843d6ecaab0bf7fccf6a2d7e35916845079d Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Tue, 22 Jan 2019 10:46:15 +0100
Subject: [PATCH] Do not try to parse into unallocated XRef entry

Resolves: #1665268
---
 poppler-0.67.0-dummy-xref-entry.patch | 63 +++++++++++++++++++++++++++
 poppler.spec | 9 +++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 poppler-0.67.0-dummy-xref-entry.patch

diff --git a/poppler-0.67.0-dummy-xref-entry.patch b/poppler-0.67.0-dummy-xref-entry.patch
new file mode 100644
index 0000000..bc1f5a1
--- /dev/null
+++ b/poppler-0.67.0-dummy-xref-entry.patch
@@ -0,0 +1,63 @@
+From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Mon, 24 Dec 2018 15:40:38 +0100
+Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
+ pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
+
+---
+ poppler/XRef.cc | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/poppler/XRef.cc b/poppler/XRef.cc
+index 0ec66944..d042d1f4 100644
+--- a/poppler/XRef.cc
++++ b/poppler/XRef.cc
+@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector *xrefStreamObjsNum)
+ }
+ }
+ 
++namespace {
++
++struct DummyXRefEntry : XRefEntry {
++ DummyXRefEntry() {
++ offset = 0;
++ gen = -1;
++ type = xrefEntryNone;
++ flags = 0;
++ }
++};
++
++DummyXRefEntry dummyXRefEntry;
++
++}
++
+ XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
+ {
+ if (i >= size || entries[i].type == xrefEntryNone) {
+ 
+ if ((!xRefStream) && mainXRefEntriesOffset) {
++ if (unlikely(i >= capacity)) {
++ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
++ return &dummyXRefEntry;
++ }
++
+ if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
+ error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
+ }
+@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
+ // We might have reconstructed the xref
+ // Check again i is in bounds
+ if (unlikely(i >= size)) {
+- static XRefEntry dummy;
+- dummy.offset = 0;
+- dummy.gen = -1;
+- dummy.type = xrefEntryNone;
+- dummy.flags = 0;
+- return &dummy;
++ return &dummyXRefEntry;
+ }
+ 
+ if (entries[i].type == xrefEntryNone) {
+-- 
+2.20.1
+
diff --git a/poppler.spec b/poppler.spec
index c50444f..50d1ef7 100644
--- a/poppler.spec
+++ b/poppler.spec
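Review bot: `dummyXRefEntry` in the new anonymous namespace is a mutable global initialised once by its constructor, and `getEntry` hands out a non-const pointer to it at both new return sites; the code it replaces re-zeroed its `static XRefEntry dummy` on every call, so if any caller writes through the returned entry (for instance sets `flags`) the change now persists into every later out-of-bounds lookup and, because the object is shared by every XRef instance in the process, from one document into the next. Restoring the per-call reset keeps the point of the patch (no `parseEntry` into `entries[i]` at or beyond `capacity`) without that shared-state leak; a sketch follows. The `i >= capacity` branch reports `errInternal`, but an out-of-range object number ordinarily comes from a malformed file, so `errSyntaxError` would match the neighbouring `parseEntry` failure message. `getEntry`'s body continues past the second inner hunk, so any further use of the dummy there is not visible here.

```cpp
namespace {

// Stand-in for an entry that does not exist. Reset on every call so that a
// write through a previously returned pointer cannot leak into the next lookup.
XRefEntry *dummyXRefEntry()
{
    static XRefEntry dummy;
    dummy.offset = 0;
    dummy.gen = -1;
    dummy.type = xrefEntryNone;
    dummy.flags = 0;
    return &dummy;
}

}

// … unchanged: getEntry signature and the xRefStream / mainXRefEntriesOffset test …
            if (unlikely(i >= capacity)) {
                // … unchanged: error() report …
                return dummyXRefEntry();
            }
// … unchanged: parseEntry call and the post-reconstruction size re-check …
            return dummyXRefEntry();
```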
@@ -4,7 +4,7 @@ Summary: PDF rendering library
 Name: poppler
 Version: 0.67.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL: http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@@ -43,6 +43,9 @@ Patch13: poppler-0.67.0-rich-media-annotation.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1665263
 Patch14: poppler-0.67.0-filespec.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1665266
+Patch15: poppler-0.67.0-dummy-xref-entry.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: gettext-devel
@@ -273,6 +276,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*
 
 %changelog
+* Mon Jan 21 2019 Marek Kasik - 0.67.0-9
+- Do not try to parse into unallocated XRef entry
+- Resolves: #1665268
+
 * Mon Jan 21 2019 Marek Kasik - 0.67.0-8
 - Move the fileSpec.dictLookup call inside fileSpec.isDict if
 - Resolves: #1665264