rpms
/
poppler
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import poppler-0.66.0-11.el8_0.12

This commit is contained in:
CentOS Sources 2019-09-10 06:40:26 -04:00 committed by Andrew Lukoshko
parent 4b7ced872a
commit 9c037f21e6
15 changed files with 1035 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
SOURCES/poppler-0.66.0-JPXStream-length.patch Normal file
View File

@ -0,0 +1,26 @@
From 68ef84e5968a4249c2162b839ca6d7975048a557 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Mon, 15 Jul 2019 23:24:22 +0200
Subject: [PATCH] JPXStream::init: ignore dict Length if clearly broken
Fixes issue #805
---
poppler/JPEG2000Stream.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
index 0eea3a2d..8e6902f4 100644
--- a/poppler/JPEG2000Stream.cc
+++ b/poppler/JPEG2000Stream.cc
@@ -219,7 +219,7 @@ void JPXStream::init()
}
int bufSize = BUFFER_INITIAL_SIZE;
- if (oLen.isInt()) bufSize = oLen.getInt();
+ if (oLen.isInt() && oLen.getInt() > 0) bufSize = oLen.getInt();
GBool indexed = gFalse;
if (cspace.isArray() && cspace.arrayGetLength() > 0) {
--
2.21.0

372
SOURCES/poppler-0.66.0-PSOutputDev-rgb.patch Normal file
View File

@ -0,0 +1,372 @@
From 64aa150a92ccb082db6a3383fa734a6ac91cf1bf Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Tue, 30 Apr 2019 18:47:44 +0200
Subject: [PATCH] PSOutputDev: Don't read outside of image buffer
Check whether input image is RGB or BGR to not treat
it as CMYK in those cases in PSOutputDev::checkPageSlice().
Fixes #751
---
poppler/PSOutputDev.cc | 248 ++++++++++++++++++++++++++++++++---------
1 file changed, 196 insertions(+), 52 deletions(-)
diff --git a/poppler/PSOutputDev.cc b/poppler/PSOutputDev.cc
index 0d201835..155a8cbe 100644
--- a/poppler/PSOutputDev.cc
+++ b/poppler/PSOutputDev.cc
@@ -3385,13 +3385,21 @@ GBool PSOutputDev::checkPageSlice(Page *
}
break;
case psLevel1Sep:
+ GfxColor inputColor;
+ GfxCMYK cmyk;
+ unsigned char cmykColor[4];
+ GfxDeviceRGBColorSpace *rgbCS;
+ SplashColorMode colorMode;
+
+ colorMode = bitmap->getMode();
+
p = bitmap->getDataPtr();
// Check for an all gray image
if (getOptimizeColorSpace()) {
isGray = gTrue;
for (y = 0; y < h; ++y) {
for (x = 0; x < w; ++x) {
- if (p[4*x] != p[4*x + 1] || p[4*x] != p[4*x + 2]) {
+ if (p[numComps*x] != p[numComps*x + 1] || p[numComps*x] != p[numComps*x + 2]) {
isGray = gFalse;
y = h;
break;
@@ -3411,7 +3419,9 @@ GBool PSOutputDev::checkPageSlice(Page *
col[0] = col[1] = col[2] = col[3] = 0;
if (isGray) {
int g;
- if ((psProcessBlack & processColors) == 0) {
+ if ((psProcessBlack & processColors) == 0 &&
+ colorMode != splashModeRGB8 &&
+ colorMode != splashModeBGR8) {
// Check if the image uses black
for (y = 0; y < h; ++y) {
for (x = 0; x < w; ++x) {
@@ -3425,59 +3435,23 @@ GBool PSOutputDev::checkPageSlice(Page *
}
p = bitmap->getDataPtr() + (h - 1) * bitmap->getRowSize();
}
- for (y = 0; y < h; ++y) {
- if (useBinary) {
- // Binary gray image
- for (x = 0; x < w; ++x) {
- g = p[4*x] + p[4*x + 3];
- g = 255 - g;
- if (g < 0) g = 0;
- hexBuf[i++] = (Guchar) g;
- if (i >= 64) {
- writePSBuf(hexBuf, i);
- i = 0;
- }
- }
- } else {
- // Hex gray image
- for (x = 0; x < w; ++x) {
- g = p[4*x] + p[4*x + 3];
- g = 255 - g;
- if (g < 0) g = 0;
- digit = g / 16;
- hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
- digit = g % 16;
- hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
- if (i >= 64) {
- hexBuf[i++] = '\n';
- writePSBuf(hexBuf, i);
- i = 0;
- }
- }
- }
- p -= bitmap->getRowSize();
- }
- } else if (((psProcessCyan | psProcessMagenta | psProcessYellow | psProcessBlack) & ~processColors) != 0) {
- // Color image, need to check color flags for each dot
- for (y = 0; y < h; ++y) {
- for (comp = 0; comp < 4; ++comp) {
+ if (colorMode == splashModeRGB8 || colorMode != splashModeBGR8) {
+ for (y = 0; y < h; ++y) {
if (useBinary) {
- // Binary color image
+ // Binary gray image
for (x = 0; x < w; ++x) {
- col[comp] |= p[4*x + comp];
- hexBuf[i++] = p[4*x + comp];
+ hexBuf[i++] = (Guchar) p[3*x];
if (i >= 64) {
writePSBuf(hexBuf, i);
i = 0;
}
}
} else {
- // Gray color image
+ // Hex gray image
for (x = 0; x < w; ++x) {
- col[comp] |= p[4*x + comp];
- digit = p[4*x + comp] / 16;
+ digit = p[3*x] / 16;
hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
- digit = p[4*x + comp] % 16;
+ digit = p[3*x] % 16;
hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
if (i >= 64) {
hexBuf[i++] = '\n';
@@ -3485,29 +3459,31 @@ GBool PSOutputDev::checkPageSlice(Page *
i = 0;
}
}
- }
+ }
}
- p -= bitmap->getRowSize();
- }
- } else {
- // Color image, do not need to check color flags
- for (y = 0; y < h; ++y) {
- for (comp = 0; comp < 4; ++comp) {
+ } else {
+ for (y = 0; y < h; ++y) {
if (useBinary) {
- // Binary color image
+ // Binary gray image
for (x = 0; x < w; ++x) {
- hexBuf[i++] = p[4*x + comp];
+ g = p[4*x] + p[4*x + 3];
+ g = 255 - g;
+ if (g < 0) g = 0;
+ hexBuf[i++] = (Guchar) g;
if (i >= 64) {
writePSBuf(hexBuf, i);
i = 0;
}
}
} else {
- // Hex color image
+ // Hex gray image
for (x = 0; x < w; ++x) {
- digit = p[4*x + comp] / 16;
+ g = p[4*x] + p[4*x + 3];
+ g = 255 - g;
+ if (g < 0) g = 0;
+ digit = g / 16;
hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
- digit = p[4*x + comp] % 16;
+ digit = g % 16;
hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
if (i >= 64) {
hexBuf[i++] = '\n';
@@ -3515,9 +3491,207 @@ GBool PSOutputDev::checkPageSlice(Page *
i = 0;
}
}
- }
+ }
}
- p -= bitmap->getRowSize();
+ }
+ p -= bitmap->getRowSize();
+ } else if (((psProcessCyan | psProcessMagenta | psProcessYellow | psProcessBlack) & ~processColors) != 0) {
+ // Color image, need to check color flags for each dot
+ switch (colorMode) {
+ case splashModeRGB8:
+ case splashModeBGR8:
+ rgbCS = new GfxDeviceRGBColorSpace();
+ for (y = 0; y < h; ++y) {
+ for (comp = 0; comp < 4; ++comp) {
+ if (useBinary) {
+ // Binary color image
+ for (x = 0; x < w; ++x) {
+ if (likely(colorMode == splashModeRGB8)) {
+ inputColor.c[0] = byteToCol(p[3*x + 0]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 2]);
+ } else {
+ inputColor.c[0] = byteToCol(p[3*x + 2]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 0]);
+ }
+ rgbCS->getCMYK(&inputColor, &cmyk);
+ cmykColor[0] = colToByte(cmyk.c);
+ cmykColor[1] = colToByte(cmyk.m);
+ cmykColor[2] = colToByte(cmyk.y);
+ cmykColor[3] = colToByte(cmyk.k);
+
+ col[comp] |= cmykColor[comp];
+ hexBuf[i++] = cmykColor[comp];
+ if (i >= 64) {
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ } else {
+ // Gray color image
+ for (x = 0; x < w; ++x) {
+ if (likely(colorMode == splashModeRGB8)) {
+ inputColor.c[0] = byteToCol(p[3*x + 0]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 2]);
+ } else {
+ inputColor.c[0] = byteToCol(p[3*x + 2]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 0]);
+ }
+ rgbCS->getCMYK(&inputColor, &cmyk);
+ cmykColor[0] = colToByte(cmyk.c);
+ cmykColor[1] = colToByte(cmyk.m);
+ cmykColor[2] = colToByte(cmyk.y);
+ cmykColor[3] = colToByte(cmyk.k);
+
+ col[comp] |= cmykColor[comp];
+ digit = cmykColor[comp] / 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ digit = cmykColor[comp] % 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ if (i >= 64) {
+ hexBuf[i++] = '\n';
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ }
+ }
+ p -= bitmap->getRowSize();
+ }
+ delete rgbCS;
+ break;
+ default:
+ for (y = 0; y < h; ++y) {
+ for (comp = 0; comp < 4; ++comp) {
+ if (useBinary) {
+ // Binary color image
+ for (x = 0; x < w; ++x) {
+ col[comp] |= p[4*x + comp];
+ hexBuf[i++] = p[4*x + comp];
+ if (i >= 64) {
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ } else {
+ // Gray color image
+ for (x = 0; x < w; ++x) {
+ col[comp] |= p[4*x + comp];
+ digit = p[4*x + comp] / 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ digit = p[4*x + comp] % 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ if (i >= 64) {
+ hexBuf[i++] = '\n';
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ }
+ }
+ p -= bitmap->getRowSize();
+ }
+ break;
+ }
+ } else {
+ // Color image, do not need to check color flags
+ switch (colorMode) {
+ case splashModeRGB8:
+ case splashModeBGR8:
+ rgbCS = new GfxDeviceRGBColorSpace();
+ for (y = 0; y < h; ++y) {
+ for (comp = 0; comp < 4; ++comp) {
+ if (useBinary) {
+ // Binary color image
+ for (x = 0; x < w; ++x) {
+ if (likely(colorMode == splashModeRGB8)) {
+ inputColor.c[0] = byteToCol(p[3*x + 0]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 2]);
+ } else {
+ inputColor.c[0] = byteToCol(p[3*x + 2]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 0]);
+ }
+ rgbCS->getCMYK(&inputColor, &cmyk);
+ cmykColor[0] = colToByte(cmyk.c);
+ cmykColor[1] = colToByte(cmyk.m);
+ cmykColor[2] = colToByte(cmyk.y);
+ cmykColor[3] = colToByte(cmyk.k);
+
+ hexBuf[i++] = cmykColor[comp];
+ if (i >= 64) {
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ } else {
+ // Hex color image
+ for (x = 0; x < w; ++x) {
+ if (likely(colorMode == splashModeRGB8)) {
+ inputColor.c[0] = byteToCol(p[3*x + 0]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 2]);
+ } else {
+ inputColor.c[0] = byteToCol(p[3*x + 2]);
+ inputColor.c[1] = byteToCol(p[3*x + 1]);
+ inputColor.c[2] = byteToCol(p[3*x + 0]);
+ }
+ rgbCS->getCMYK(&inputColor, &cmyk);
+ cmykColor[0] = colToByte(cmyk.c);
+ cmykColor[1] = colToByte(cmyk.m);
+ cmykColor[2] = colToByte(cmyk.y);
+ cmykColor[3] = colToByte(cmyk.k);
+
+ digit = cmykColor[comp] / 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ digit = cmykColor[comp] % 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ if (i >= 64) {
+ hexBuf[i++] = '\n';
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ }
+ }
+ p -= bitmap->getRowSize();
+ }
+ delete rgbCS;
+ break;
+ default:
+ for (y = 0; y < h; ++y) {
+ for (comp = 0; comp < 4; ++comp) {
+ if (useBinary) {
+ // Binary color image
+ for (x = 0; x < w; ++x) {
+ hexBuf[i++] = p[4*x + comp];
+ if (i >= 64) {
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ } else {
+ // Hex color image
+ for (x = 0; x < w; ++x) {
+ digit = p[4*x + comp] / 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ digit = p[4*x + comp] % 16;
+ hexBuf[i++] = digit + ((digit >= 10)? 'a' - 10: '0');
+ if (i >= 64) {
+ hexBuf[i++] = '\n';
+ writePSBuf(hexBuf, i);
+ i = 0;
+ }
+ }
+ }
+ }
+ p -= bitmap->getRowSize();
+ }
+ break;
}
}
if (i != 0) {

29
SOURCES/poppler-0.66.0-check-catalog-is-dict.patch Normal file
View File

@ -0,0 +1,29 @@
--- a/utils/pdfunite.cc
+++ b/utils/pdfunite.cc
@@ -165,7 +165,9 @@ int main (int argc, char *argv[])
for (i = 1; i < argc - 1; i++) {
GooString *gfileName = new GooString(argv[i]);
PDFDoc *doc = new PDFDoc(gfileName, nullptr, nullptr, nullptr);
- if (doc->isOk() && !doc->isEncrypted()) {
+ if (doc->isOk() && !doc->isEncrypted() &&
+ (doc->getCatalog()->getPageRef(1) || gTrue) &&
+ doc->getXRef()->getCatalog().isDict()) {
docs.push_back(doc);
if (doc->getPDFMajorVersion() > majorVersion) {
majorVersion = doc->getPDFMajorVersion();
@@ -176,8 +177,13 @@ int main (int argc, char *argv[])
}
}
} else if (doc->isOk()) {
- error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
- return -1;
+ if (doc->isEncrypted()) {
+ error(errUnimplemented, -1, "Could not merge encrypted files ('{0:s}')", argv[i]);
+ return -1;
+ } else if (!doc->getXRef()->getCatalog().isDict()) {
+ error(errSyntaxError, -1, "XRef's Catalog is not a dictionary ('{0:s}')", argv[i]);
+ return -1;
+ }
} else {
error(errSyntaxError, -1, "Could not merge damaged documents ('{0:s}')", argv[i]);
return -1;

35
SOURCES/poppler-0.66.0-coverage-values.patch Normal file
View File

@ -0,0 +1,35 @@
From d716e636231c8d636bf2139896d817b66fe6d510 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Thu, 21 Mar 2019 13:15:37 +0100
Subject: [PATCH 1/2] cairo: Compute correct coverage values for box filter
Use double precision for computation of coverage
of the left most pixel in the box filter.
Issue #736
---
poppler/CairoRescaleBox.cc | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
index b8371a5b..d7615010 100644
--- a/poppler/CairoRescaleBox.cc
+++ b/poppler/CairoRescaleBox.cc
@@ -226,10 +227,10 @@ static int compute_coverage (int coverage[], int src_length, int dest_length)
/* I have a proof of this, which this margin is too narrow to contain */
for (i=0; i<dest_length; i++)
{
- float left_side = i*scale;
- float right_side = (i+1)*scale;
- float right_fract = right_side - floor (right_side);
- float left_fract = ceil (left_side) - left_side;
+ double left_side = i*scale;
+ double right_side = (i+1)*scale;
+ double right_fract = right_side - floor (right_side);
+ double left_fract = ceil (left_side) - left_side;
int overage;
/* find out how many source pixels will be used to fill the box */
int count = floor (right_side) - ceil (left_side);
--
2.20.1

63
SOURCES/poppler-0.66.0-display-profile.patch Normal file
View File

@ -0,0 +1,63 @@
From e07c8b4784234383cb5ddcf1133ea91a772506e2 Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Tue, 1 Jan 2019 10:54:40 +0100
Subject: [PATCH] Avoid global display profile state becoming an uncontrolled
memory leak by enforcing single initialization. Closes #654
---
poppler/GfxState.cc | 9 +++++++++
qt5/src/poppler-qt5.h | 4 ++++
2 files changed, 13 insertions(+)
diff --git a/poppler/GfxState.cc b/poppler/GfxState.cc
index 87b7ce03..4e3ccbfd 100644
--- a/poppler/GfxState.cc
+++ b/poppler/GfxState.cc
@@ -226,6 +226,10 @@ static unsigned int getCMSNChannels(cmsColorSpaceSignature cs);
static cmsHPROFILE loadColorProfile(const char *fileName);
void GfxColorSpace::setDisplayProfile(void *displayProfileA) {
+ if (displayProfile != nullptr) {
+ error(errInternal, -1, "The display color profile can only be set once before any rendering is done.");
+ return;
+ }
displayProfile = displayProfileA;
if (displayProfile != nullptr) {
cmsHTRANSFORM transform;
@@ -249,6 +253,11 @@ void GfxColorSpace::setDisplayProfile(void *displayProfileA) {
}
void GfxColorSpace::setDisplayProfileName(GooString *name) {
+ if (displayProfile != nullptr) {
+ error(errInternal, -1, "The display color profile can only be set before any rendering is done.");
+ return;
+ }
+ delete displayProfileName;
displayProfileName = name->copy();
}
diff --git a/qt5/src/poppler-qt5.h b/qt5/src/poppler-qt5.h
index 4f06c47e..ddac7dfb 100644
--- a/qt5/src/poppler-qt5.h
+++ b/qt5/src/poppler-qt5.h
@@ -1102,6 +1102,8 @@ delete it;
\param outputProfileA is a \c cmsHPROFILE of the LCMS library.
+ \note This should be called before any rendering happens and only once during the lifetime of the current process.
+
\since 0.12
*/
void setColorDisplayProfile(void *outputProfileA);
@@ -1110,6 +1112,8 @@ delete it;
\param name is the name of the display profile to set.
+ \note This should be called before any rendering happens.
+
\since 0.12
*/
void setColorDisplayProfileName(const QString &name);
--
2.20.1

63
SOURCES/poppler-0.66.0-dummy-xref-entry.patch Normal file
View File

@ -0,0 +1,63 @@
From 39a251b1b3a3343400a08e2f03c5518a26624626 Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Mon, 24 Dec 2018 15:40:38 +0100
Subject: [PATCH] Do not try to parse into unallocated XRef entry and return
pointer to dummy entry instead. Closes #692 and oss-fuzz/12330
---
poppler/XRef.cc | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index 0ec66944..d042d1f4 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -1548,11 +1548,31 @@ void XRef::readXRefUntil(int untilEntryNum, std::vector<int> *xrefStreamObjsNum)
}
}
+namespace {
+
+struct DummyXRefEntry : XRefEntry {
+ DummyXRefEntry() {
+ offset = 0;
+ gen = -1;
+ type = xrefEntryNone;
+ flags = 0;
+ }
+};
+
+DummyXRefEntry dummyXRefEntry;
+
+}
+
XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
{
if (i >= size || entries[i].type == xrefEntryNone) {
if ((!xRefStream) && mainXRefEntriesOffset) {
+ if (unlikely(i >= capacity)) {
+ error(errInternal, -1, "Request for out-of-bounds XRef entry [{0:d}]", i);
+ return &dummyXRefEntry;
+ }
+
if (!parseEntry(mainXRefEntriesOffset + 20*i, &entries[i])) {
error(errSyntaxError, -1, "Failed to parse XRef entry [{0:d}].", i);
}
@@ -1563,12 +1583,7 @@ XRefEntry *XRef::getEntry(int i, bool complainIfMissing)
// We might have reconstructed the xref
// Check again i is in bounds
if (unlikely(i >= size)) {
- static XRefEntry dummy;
- dummy.offset = 0;
- dummy.gen = -1;
- dummy.type = xrefEntryNone;
- dummy.flags = 0;
- return &dummy;
+ return &dummyXRefEntry;
}
if (entries[i].type == xrefEntryNone) {
--
2.20.1

35
SOURCES/poppler-0.66.0-filespec.patch Normal file
View File

@ -0,0 +1,35 @@
From de0c0b8324e776f0b851485e0fc9622fc35695b7 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sat, 29 Dec 2018 01:25:17 +0100
Subject: [PATCH] FileSpec: Move the fileSpec.dictLookup call inside
fileSpec.isDict if
Fixes #704
---
poppler/FileSpec.cc | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/poppler/FileSpec.cc b/poppler/FileSpec.cc
index 8a8b9e7e..7c12da63 100644
--- a/poppler/FileSpec.cc
+++ b/poppler/FileSpec.cc
@@ -133,11 +133,12 @@ FileSpec::FileSpec(const Object *fileSpecA)
return;
}
}
- }
- obj1 = fileSpec.dictLookup("Desc");
- if (obj1.isString())
- desc = obj1.getString()->copy();
+ obj1 = fileSpec.dictLookup("Desc");
+ if (obj1.isString()) {
+ desc = obj1.getString()->copy();
+ }
+ }
}
FileSpec::~FileSpec()
--
2.20.1

27
SOURCES/poppler-0.66.0-image-stream-getline.patch Normal file
View File

@ -0,0 +1,27 @@
From f4136a6353162db249f63ddb0f20611622ab61b4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 27 Feb 2019 19:43:22 +0100
Subject: [PATCH] ImageStream::getLine: fix crash on broken files
Fixes #728
---
poppler/Stream.cc | 3 +++
1 file changed, 3 insertions(+)
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index 33537b0e..a41435ab 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -496,6 +496,9 @@ unsigned char *ImageStream::getLine() {
}
int readChars = str->doGetChars(inputLineSize, inputLine);
+ if (unlikely(readChars == -1)) {
+ readChars = 0;
+ }
for ( ; readChars < inputLineSize; readChars++) inputLine[readChars] = EOF;
if (nBits == 1) {
p = inputLine;
--
2.20.1

41
SOURCES/poppler-0.66.0-jpeg2000-component-size.patch Normal file
View File

@ -0,0 +1,41 @@
From 89a5367d49b2556a2635dbb6d48d6a6b182a2c6c Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Thu, 23 May 2019 00:54:29 +0200
Subject: [PATCH] JPEG2000Stream: fail gracefully if not all components have
the same WxH
I think this is just a mistake, or at least the only file we have with
this scenario is a fuzzed one
---
poppler/JPEG2000Stream.cc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/poppler/JPEG2000Stream.cc b/poppler/JPEG2000Stream.cc
index 15bbcae4..0eea3a2d 100644
--- a/poppler/JPEG2000Stream.cc
+++ b/poppler/JPEG2000Stream.cc
@@ -4,7 +4,7 @@
//
// A JPX stream decoder using OpenJPEG
//
-// Copyright 2008-2010, 2012, 2017, 2018 Albert Astals Cid <aacid@kde.org>
+// Copyright 2008-2010, 2012, 2017-2019 Albert Astals Cid <aacid@kde.org>
// Copyright 2011 Daniel Glöckner <daniel-gl@gmx.net>
// Copyright 2014, 2016 Thomas Freitag <Thomas.Freitag@alfa.de>
// Copyright 2013, 2014 Adrian Johnson <ajohnson@redneon.com>
@@ -253,6 +253,12 @@ void JPXStream::init()
close();
break;
}
+ const int componentPixels = priv->image->comps[component].w * priv->image->comps[component].h;
+ if (componentPixels != priv->npixels) {
+ error(errSyntaxWarning, -1, "Component {0:d} has different WxH than component 0", component);
+ close();
+ break;
+ }
unsigned char *cdata = (unsigned char *)priv->image->comps[component].data;
int adjust = 0;
int depth = priv->image->comps[component].prec;
--
2.21.0

29
SOURCES/poppler-0.66.0-negative-xref-indices.patch Normal file
View File

@ -0,0 +1,29 @@
From b54e1fc3e0d2600621a28d50f9f085b9e38619c2 Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Fri, 1 Feb 2019 08:42:27 +0100
Subject: [PATCH] Also defend against requests for negative XRef indices.
oss-fuzz/12797
---
poppler/XRef.cc | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/poppler/XRef.cc b/poppler/XRef.cc
index d042d1f4..ac2cd0ce 100644
--- a/poppler/XRef.cc
+++ b/poppler/XRef.cc
@@ -1565,6 +1565,11 @@ DummyXRefEntry dummyXRefEntry;
XRefEntry *XRef::getEntry(int i, GBool complainIfMissing)
{
+ if (unlikely(i < 0)) {
+ error(errInternal, -1, "Request for invalid XRef entry [{0:d}]", i);
+ return &dummyXRefEntry;
+ }
+
if (i >= size || entries[i].type == xrefEntryNone) {
if ((!xRefStream) && mainXRefEntriesOffset) {
--
2.20.1

100
SOURCES/poppler-0.66.0-rescale-filter.patch Normal file
View File

@ -0,0 +1,100 @@
From 8122f6d6d409b53151a20c5578fc525ee97315e8 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Thu, 21 Mar 2019 13:47:51 +0100
Subject: [PATCH 2/2] cairo: Constrain number of cycles in rescale filter
Pass address of the first byte after end of the source buffer
to downsample_row_box_filter() so that we can check
that we don't run out of it.
Fixes issue #736
---
poppler/CairoRescaleBox.cc | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/poppler/CairoRescaleBox.cc b/poppler/CairoRescaleBox.cc
index d7615010..7fd07041 100644
--- a/poppler/CairoRescaleBox.cc
+++ b/poppler/CairoRescaleBox.cc
@@ -62,7 +62,7 @@
static void downsample_row_box_filter (
int start, int width,
- uint32_t *src, uint32_t *dest,
+ uint32_t *src, uint32_t *src_limit, uint32_t *dest,
int coverage[], int pixel_coverage)
{
/* we need an array of the pixel contribution of each destination pixel on the boundaries.
@@ -90,13 +90,13 @@ static void downsample_row_box_filter (
/* skip to start */
/* XXX: it might be possible to do this directly instead of iteratively, however
* the iterative solution is simple */
- while (x < start)
+ while (x < start && src < src_limit)
{
int box = 1 << FIXED_SHIFT;
int start_coverage = coverage[x];
box -= start_coverage;
src++;
- while (box >= pixel_coverage)
+ while (box >= pixel_coverage && src < src_limit)
{
src++;
box -= pixel_coverage;
@@ -104,7 +104,7 @@ static void downsample_row_box_filter (
x++;
}
- while (x < start + width)
+ while (x < start + width && src < src_limit)
{
uint32_t a = 0;
uint32_t r = 0;
@@ -121,7 +121,7 @@ static void downsample_row_box_filter (
x++;
box -= start_coverage;
- while (box >= pixel_coverage)
+ while (box >= pixel_coverage && src < src_limit)
{
a += ((*src >> 24) & 0xff) * pixel_coverage;
r += ((*src >> 16) & 0xff) * pixel_coverage;
@@ -135,7 +135,7 @@ static void downsample_row_box_filter (
/* multiply by whatever is leftover
* this ensures that we don't bias down.
* i.e. start_coverage + n*pixel_coverage + box == 1 << 24 */
- if (box > 0)
+ if (box > 0 && src < src_limit)
{
a += ((*src >> 24) & 0xff) * box;
r += ((*src >> 16) & 0xff) * box;
@@ -337,7 +337,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
int start_coverage_y = y_coverage[dest_y];
getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
columns++;
src_y++;
box -= start_coverage_y;
@@ -345,7 +345,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
while (box >= pixel_coverage_y)
{
getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
columns++;
src_y++;
box -= pixel_coverage_y;
@@ -355,7 +355,7 @@ bool CairoRescaleBox::downScaleImage(unsigned orig_width, unsigned orig_height,
if (box > 0)
{
getRow(src_y, scanline);
- downsample_row_box_filter (start_column, width, scanline, temp_buf + width * columns, x_coverage, pixel_coverage_x);
+ downsample_row_box_filter (start_column, width, scanline, scanline + orig_width, temp_buf + width * columns, x_coverage, pixel_coverage_x);
columns++;
}
--
2.20.1

51
SOURCES/poppler-0.66.0-rich-media-annotation.patch Normal file
View File

@ -0,0 +1,51 @@
From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Thu, 27 Dec 2018 11:54:53 +0100
Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
Closes #703
---
poppler/Annot.cc | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/poppler/Annot.cc b/poppler/Annot.cc
index 2e4770ab..1750dc70 100644
--- a/poppler/Annot.cc
+++ b/poppler/Annot.cc
@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) {
if (obj1.isDict()) {
Object obj2 = obj1.getDict()->lookup("Names");
if (obj2.isArray()) {
- nAssets = obj2.arrayGetLength() / 2;
+ const int length = obj2.arrayGetLength() / 2;
- assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
+ assets = (Asset **)gmallocn(length, sizeof(Asset *));
+ for (int i = 0; i < length; ++i) {
+ Object objKey = obj2.arrayGet(2 * i);
+ Object objVal = obj2.arrayGet(2 * i + 1);
- int counter = 0;
- for (int i = 0; i < nAssets; ++i) {
- assets[counter] = new AnnotRichMedia::Asset;
-
- Object objKey = obj2.arrayGet(i * 2);
- assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
-
- assets[counter]->name = new GooString( objKey.getString() );
- ++counter;
+ if (!objKey.isString() || objVal.isNull()) {
+ error(errSyntaxError, -1, "Bad Annot Asset");
+ continue;
+ }
+ assets[nAssets] = new AnnotRichMedia::Asset;
+ assets[nAssets]->name = new GooString( objKey.getString() );
+ assets[nAssets]->fileSpec = std::move(objVal);
+ ++nAssets;
}
}
}
--
2.20.1

20
SOURCES/poppler-0.66.0-stack-overflow.patch Normal file
View File

@ -0,0 +1,20 @@
From fada09a2ccc11a3a1d308e810f1336d8df6011fd Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Mon, 18 Mar 2019 00:50:00 +0100
Subject: pdfunite: Fix stack overflow on broken file
Fixes issue #741
diff --git a/poppler/PDFDoc.cc b/poppler/PDFDoc.cc
index 26842f84..ab4abcad 100644
--- a/poppler/PDFDoc.cc
+++ b/poppler/PDFDoc.cc
@@ -1703,7 +1703,7 @@ void PDFDoc::markObject (Object* obj, XRef *xRef, XRef *countRef, unsigned int n
array = obj->getArray();
for (int i=0; i<array->getLength(); i++) {
Object obj1 = array->getNF(i);
- markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum);
+ markObject(&obj1, xRef, countRef, numOffset, oldRefNum, newRefNum, alreadyMarkedDicts);
}
break;
case objDict:

47
SOURCES/poppler-0.66.0-tiling-patterns.patch Normal file
View File

@ -0,0 +1,47 @@
From 718d428984e3a84fda521c0f5e6d975c7390af2b Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Fri, 6 Apr 2018 15:06:46 +0200
Subject: [PATCH] cairo: Fix tiling patterns when pattern cell is too far
Rendering of tiling pattern which has pattern matrix moving pattern cell
far away can fail on allocation of memory. This commit solves the issue by
modifying of cairo pattern matrix so that its offset is closer to the path
filled by the pattern.
https://bugs.freedesktop.org/show_bug.cgi?id=105905
---
poppler/CairoOutputDev.cc | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/poppler/CairoOutputDev.cc b/poppler/CairoOutputDev.cc
index 631ab27b..b2e730bf 100644
--- a/poppler/CairoOutputDev.cc
+++ b/poppler/CairoOutputDev.cc
@@ -915,6 +915,8 @@ GBool CairoOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
StrokePathClip *strokePathTmp;
GBool adjusted_stroke_width_tmp;
cairo_pattern_t *maskTmp;
+ double xoffset, yoffset;
+ double det;
width = bbox[2] - bbox[0];
height = bbox[3] - bbox[1];
@@ -976,6 +978,15 @@ GBool CairoOutputDev::tilingPatternFill(GfxState *state, Gfx *gfxA, Catalog *cat
if (cairo_pattern_status (pattern))
return gFalse;
+ det = pmat[0] * pmat[3] - pmat[1] * pmat[2];
+ if (fabs(det) < 0.000001)
+ return gFalse;
+
+ xoffset = round ((pmat[3] * pmat[4] - pmat[2] * pmat[5]) / (xStep * det));
+ yoffset = - round ((pmat[1] * pmat[4] - pmat[0] * pmat[5]) / (yStep * det));
+ pattern_matrix.x0 -= xoffset * pattern_matrix.xx * xStep + yoffset * pattern_matrix.xy * yStep;
+ pattern_matrix.y0 -= xoffset * pattern_matrix.yx * xStep + yoffset * pattern_matrix.yy * yStep;
+
state->getUserClipBBox(&xMin, &yMin, &xMax, &yMax);
cairo_rectangle (cairo, xMin, yMin, xMax - xMin, yMax - yMin);
--
2.14.3

98
SPECS/poppler.spec
View File

@ -4,7 +4,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.66.0
Release: 10%{?dist}
Release: 11%{?dist}.12
License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
URL: http://poppler.freedesktop.org/
Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -39,6 +39,46 @@ Patch8: poppler-0.66.0-valid-embedded-file.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1649450
Patch9: poppler-0.66.0-valid-embedded-file-name.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1644094
Patch10: poppler-0.66.0-tiling-patterns.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1665259
Patch11: poppler-0.66.0-rich-media-annotation.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1665273
Patch12: poppler-0.66.0-check-catalog-is-dict.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1646546
Patch13: poppler-0.66.0-display-profile.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1665266
Patch14: poppler-0.66.0-dummy-xref-entry.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1672419
Patch15: poppler-0.66.0-negative-xref-indices.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1665263
Patch16: poppler-0.66.0-filespec.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1683632
Patch17: poppler-0.66.0-image-stream-getline.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1686802
Patch18: poppler-0.66.0-coverage-values.patch
Patch19: poppler-0.66.0-rescale-filter.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1691724
Patch20: poppler-0.66.0-stack-overflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1713582
Patch21: poppler-0.66.0-jpeg2000-component-size.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1696636
Patch22: poppler-0.66.0-PSOutputDev-rgb.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1732340
Patch23: poppler-0.66.0-JPXStream-length.patch
BuildRequires: cmake
BuildRequires: gettext-devel
BuildRequires: pkgconfig(cairo)
@ -240,6 +280,62 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
%{_mandir}/man1/*
%changelog
* Wed Aug 14 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.12
- Ignore dict Length if it is broken
- Resolves: #1741146
* Wed Aug 14 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.11
- Check whether input is RGB in PSOutputDev::checkPageSlice()
- (also when using "-optimizecolorspace" flag)
- Resolves: #1741145
* Wed Aug 14 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.10
- Fail gracefully if not all components of JPEG2000Stream
- have the same size
- Resolves: #1740612
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.9
- Fix stack overflow on broken file
- Resolves: #1717867
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.8
- Constrain number of cycles in rescale filter
- Compute correct coverage values for box filter
- Resolves: #1717866
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.7
- Fix possible crash on broken files in ImageStream::getLine()
- Resolves: #1717803
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.6
- Move the fileSpec.dictLookup call inside fileSpec.isDict if
- Resolves: #1717788
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.5
- Defend against requests for negative XRef indices
- Resolves: #1717779
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.4
- Do not try to parse into unallocated XRef entry
- Resolves: #1717790
* Wed Jul 31 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.3
- Avoid global display profile state becoming an uncontrolled
- memory leak
- Resolves: #1717776
* Wed May 15 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.2
- Check Catalog from XRef for being a Dict
- Resolves: #1690480
* Wed May 15 2019 Marek Kasik <mkasik@redhat.com> - 0.66.0-11.el8_0.1
- Do not try to construct invalid rich media annotation assets
- Resolves: #1690478
* Fri Dec 14 2018 Marek Kasik <mkasik@redhat.com> - 0.66.0-11
- Fix tiling patterns when pattern cell is too far
- Resolves: #1644094
* Fri Nov 16 2018 Marek Kasik <mkasik@redhat.com> - 0.66.0-10
- Check for valid file name of embedded file
- Resolves: #1649453