From b99c78bb0fdd34d1ef12be40871b3c9d8e8755a9 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Thu, 7 Oct 2010 14:58:41 +0200
Subject: [PATCH] Security bugfixes
Add poppler-0.15.0-CVE-2010-3702.patch (Properly initialize parser)
Add poppler-0.15.0-CVE-2010-3703.patch (Properly initialize stack)
Add poppler-0.15.0-CVE-2010-3704.patch (Fix crash in broken pdf (code < 0))
Resolves: #639861
---
poppler-0.15.0-CVE-2010-3702.patch | 18 ++++++++++++++++++
poppler-0.15.0-CVE-2010-3703.patch | 10 ++++++++++
poppler-0.15.0-CVE-2010-3704.patch | 28 ++++++++++++++++++++++++++++
poppler.spec | 27 ++++++++++++++++++++++++---
4 files changed, 80 insertions(+), 3 deletions(-)
create mode 100644 poppler-0.15.0-CVE-2010-3702.patch
create mode 100644 poppler-0.15.0-CVE-2010-3703.patch
create mode 100644 poppler-0.15.0-CVE-2010-3704.patch
diff --git a/poppler-0.15.0-CVE-2010-3702.patch b/poppler-0.15.0-CVE-2010-3702.patch
new file mode 100644
index 0000000..e5f7ec9
--- /dev/null
+++ b/poppler-0.15.0-CVE-2010-3702.patch
@@ -0,0 +1,18 @@
+--- poppler-0.15.0/poppler/Gfx.cc 2010-09-12 23:44:11.000000000 +0200
++++ poppler-0.15.0/poppler/Gfx.cc 2010-10-07 12:44:51.000000000 +0200
+@@ -536,6 +536,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, i
+ drawText = gFalse;
+ maskHaveCSPattern = gFalse;
+ mcStack = NULL;
++ parser = NULL;
+
+ // start the resource stack
+ res = new GfxResources(xref, resDict, NULL);
+@@ -590,6 +591,7 @@ Gfx::Gfx(XRef *xrefA, OutputDev *outA, D
+ drawText = gFalse;
+ maskHaveCSPattern = gFalse;
+ mcStack = NULL;
++ parser = NULL;
+
+ // start the resource stack
+ res = new GfxResources(xref, resDict, NULL);
diff --git a/poppler-0.15.0-CVE-2010-3703.patch b/poppler-0.15.0-CVE-2010-3703.patch
new file mode 100644
index 0000000..0304a7a
--- /dev/null
+++ b/poppler-0.15.0-CVE-2010-3703.patch
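Review bot: `parser = NULL;` in both `Gfx::Gfx` constructors (the Gfx.cc hunks at 536 and 590) only makes the pointer's initial state deterministic; whether the fix is complete depends on every later read of `parser` testing for NULL, and none of those reads are inside these hunks. I would state that contract next to the assignment, e.g. `parser = NULL; // no parser yet; every reader must check for NULL`, and confirm the use sites before relying on the patch. The same applies to `stack = NULL;` in the `PostScriptFunction` constructor in poppler-0.15.0-CVE-2010-3703.patch. Both `Gfx` constructors repeat the same member initialisation and continue outside the hunks, so a shared initialiser would keep a future member from being set in one constructor and missed in the other.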
@@ -0,0 +1,10 @@
+--- poppler-0.15.0/poppler/Function.cc 2010-07-24 01:18:28.000000000 +0200
++++ poppler-0.15.0/poppler/Function.cc 2010-10-07 12:44:51.000000000 +0200
+@@ -1108,6 +1108,7 @@ PostScriptFunction::PostScriptFunction(O
+ code = NULL;
+ codeString = NULL;
+ codeSize = 0;
++ stack = NULL;
+ ok = gFalse;
+ cache = new PopplerCache(5);
+
diff --git a/poppler-0.15.0-CVE-2010-3704.patch b/poppler-0.15.0-CVE-2010-3704.patch
new file mode 100644
index 0000000..a44f854
--- /dev/null
+++ b/poppler-0.15.0-CVE-2010-3704.patch
@@ -0,0 +1,28 @@
+--- poppler-0.15.0/fofi/FoFiType1.cc 2010-07-24 01:18:27.000000000 +0200
++++ poppler-0.15.0/fofi/FoFiType1.cc 2010-10-07 12:44:51.000000000 +0200
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2005, 2008 Albert Astals Cid
++// Copyright (C) 2005, 2008, 2010 Albert Astals Cid
+ // Copyright (C) 2005 Kristian Høgsberg
+ // Copyright (C) 2010 Jakub Wilk
+ //
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include "goo/gmem.h"
++#include "goo/GooLikely.h"
+ #include "FoFiEncodings.h"
+ #include "FoFiType1.h"
+ #include "poppler/Error.h"
+@@ -243,7 +244,7 @@ void FoFiType1::parse() {
+ code = code * 8 + (*p2 - '0');
+ }
+ }
+- if (code < 256) {
++ if (likely(code < 256 && code >= 0)) {
+ for (p = p2; *p == ' ' || *p == '\t'; ++p) ;
+ if (*p == '/') {
+ ++p;
diff --git a/poppler.spec b/poppler.spec
index c9bbc6e..b57a990 100644
--- a/poppler.spec
+++ b/poppler.spec
@@ -2,7 +2,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.15.0
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2
Group: Development/Libraries
URL: http://poppler.freedesktop.org/
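Review bot: The added `code >= 0` test in `FoFiType1::parse()` rejects a bad value only after the accumulation `code = code * 8 + (*p2 - '0')` has already run. If `code` is a signed integer (its declaration is outside the hunk), overflowing it is undefined behaviour, so a negative result is not guaranteed and the new check may not fire on every compiler. Bounding the value where it is built is more robust: stop accumulating once `code` is already above 255 and treat the entry as invalid, so the later range check does not depend on how overflow wraps. The loop that builds `code` and the body of the `if` both extend beyond the hunk, so the exact placement needs confirming against the full function. `likely()` is an optimisation hint only and adds nothing to the validation.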
@@ -10,9 +10,18 @@ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.gz ## upstreamable patches # http://bugzilla.redhat.com/show_bug.cgi?id=480868 -Patch104: poppler-0.12.4-annot-appearance.patch +Patch1: poppler-0.12.4-annot-appearance.patch ## upstream patches +# https://bugzilla.redhat.com/show_bug.cgi?id=595245 +Patch100: poppler-0.15.0-CVE-2010-3702.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=639356 +Patch101: poppler-0.15.0-CVE-2010-3703.patch + +# https://bugzilla.redhat.com/show_bug.cgi?id=638960 +Patch102: poppler-0.15.0-CVE-2010-3704.patch + Requires: poppler-data >= 0.4.0 BuildRequires: automake libtool @@ -135,7 +144,10 @@ converting PDF files to a number of other formats. %prep %setup -q -%patch104 -p1 -b .annot +%patch1 -p1 -b .annot +%patch100 -p1 -b .CVE-2010-3702 +%patch101 -p1 -b .CVE-2010-3703 +%patch102 -p1 -b .CVE-2010-3704 chmod -x goo/GooTimer.h @@ -249,6 +261,15 @@ rm -fv $RPM_BUILD_ROOT%{_libdir}/lib*.la %changelog +* Thu Oct 7 2010 Marek Kasik - 0.15.0-5 +- Add poppler-0.15.0-CVE-2010-3702.patch + (Properly initialize parser) +- Add poppler-0.15.0-CVE-2010-3703.patch + (Properly initialize stack) +- Add poppler-0.15.0-CVE-2010-3704.patch + (Fix crash in broken pdf (code < 0)) +- Resolves: #639861 + * Wed Sep 29 2010 jkeating - 0.15.0-4 - Rebuilt for gcc bug 634757
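Review bot: The new `Patch100` to `Patch102` entries in the `@@ -10,9 +10,18 @@` hunk sit under `## upstream patches`, but each comment records only a Red Hat Bugzilla URL and not the upstream change the patch was taken from. Recording the origin beside each entry, e.g. `# upstream commit: <UPSTREAM_COMMIT_ID>`, lets a later rebase confirm the fix is already in the new tarball and drop the patch, and lets a reader check the backport against upstream. The commit message resolves #639861 while the comments cite bugs 595245, 639356 and 638960; a one-line comment saying how these relate would help anyone auditing CVE coverage for this package.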