rpms/poppler
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#1459067 CVE-2017-7515 CVE-2017-9775 CVE-2017-9776 CVE-2017-9865

Browse Source
This commit is contained in:
Caolán McNamara 2017-07-12 15:03:07 +01:00
parent 977eab5a70
commit 97a4a6a2eb
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
CVE-2017-9865.patch Normal file
View File

@ -0,0 +1,57 @@
From 559c95f3bf073eafff9b69219b3e8a12cb6b0d57 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm@redhat.com>
Date: Wed, 12 Jul 2017 14:12:46 +0100
Subject: [PATCH] CVE-2017-9865 (fdo#100774) avoid stack buffer overflow
in GfxImageColorMap:getGray
by passing first arg to getGray of maximum possibly required size
and similar in HtmlOutputDev::drawPngImage
---
utils/HtmlOutputDev.cc | 5 +++--
utils/ImageOutputDev.cc | 5 +++--
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/utils/HtmlOutputDev.cc b/utils/HtmlOutputDev.cc
index 5f5dc9f..f418b3d 100644
--- a/utils/HtmlOutputDev.cc
+++ b/utils/HtmlOutputDev.cc
@@ -1433,8 +1433,9 @@ void HtmlOutputDev::drawPngImage(GfxState *state, Stream *str, int width, int he
int invert_bits = 0xff;
if (colorMap) {
GfxGray gray;
- Guchar zero = 0;
- colorMap->getGray(&zero, &gray);
+ Guchar zero[gfxColorMaxComps];
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
if (colToByte(gray) == 0)
invert_bits = 0x00;
}
diff --git a/utils/ImageOutputDev.cc b/utils/ImageOutputDev.cc
index 069d821..bc34543 100644
--- a/utils/ImageOutputDev.cc
+++ b/utils/ImageOutputDev.cc
@@ -344,7 +344,7 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
GfxRGB rgb;
GfxCMYK cmyk;
GfxGray gray;
- Guchar zero = 0;
+ Guchar zero[gfxColorMaxComps];
int invert_bits;
if (writer) {
@@ -383,7 +383,8 @@ void ImageOutputDev::writeImageFile(ImgWriter *writer, ImageFormat format, const
// the mask we leave the data unchanged.
invert_bits = 0xff;
if (colorMap) {
- colorMap->getGray(&zero, &gray);
+ memset(zero, 0, sizeof(zero));
+ colorMap->getGray(zero, &gray);
if (colToByte(gray) == 0)
invert_bits = 0x00;
}
--
2.9.3

6
poppler.spec
View File

@ -4,7 +4,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.56.0
Release: 1%{?dist}
Release: 2%{?dist}
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/
Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -13,6 +13,7 @@ Source1: %{name}-test-%{test_date}_%{test_sha}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1185007
Patch0: poppler-0.30.0-rotated-words-selection.patch
Patch1: CVE-2017-9865.patch
BuildRequires: gettext-devel
BuildRequires: pkgconfig(cairo)
@ -277,6 +278,9 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%{_bindir}/poppler-glib-demo
%changelog
* Wed Jul 12 2017 Caolán McNamara <caolanm@redhat.com> - 0.56.0-2
- Resolves: rhbz#1459067 CVE-2017-7515 CVE-2017-9775 CVE-2017-9776 CVE-2017-9865
* Fri Jun 23 2017 David Tardon <dtardon@redhat.com> - 0.56.0-1
- new upstream release