Restrict filling of overlapping boxes in Splash

Resolves: #1696640
2019-05-30 15:47:55 +02:00 · 2019-05-30 15:47:55 +02:00 · bf9d454415
commit bf9d454415
parent 59361ebf61
2 changed files with 143 additions and 1 deletions
--- a/poppler-0.73.0-overlapping-boxes.patch
+++ b/poppler-0.73.0-overlapping-boxes.patch
@ -0,0 +1,135 @@
+From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Mon, 13 May 2019 15:08:38 +0200
+Subject: Splash: Restrict filling of overlapping boxes
+
+Check whether area to fill in Splash::blitTransparent()
+does not run out of allocated memory for source and for destination
+and shrink it if needed.
+
+Fixes #750
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 0a06f9c8..4ac163e4 100644
+--- a/splash/Splash.cc
+++ b/splash/Splash.cc
+@@ -5851,7 +5851,7 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ 				    int xDest, int yDest, int w, int h) {
+   SplashColorPtr p, sp;
+   unsigned char *q;
+-  int x, y, mask, srcMask;
+  int x, y, mask, srcMask, width = w, height = h;
+ 
+   if (src->mode != bitmap->mode) {
+     return splashErrModeMismatch;
+@@ -5861,14 +5861,32 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+     return splashErrZeroImage;
+   }
+ 
+  if (src->getWidth() - xSrc < width)
+    width = src->getWidth() - xSrc;
+
+  if (src->getHeight() - ySrc < height)
+    height = src->getHeight() - ySrc;
+
+  if (bitmap->getWidth() - xDest < width)
+    width = bitmap->getWidth() - xDest;
+
+  if (bitmap->getHeight() - yDest < height)
+    height = bitmap->getHeight() - yDest;
+
+  if (width < 0)
+    width = 0;
+
+  if (height < 0)
+    height = 0;
+
+   switch (bitmap->mode) {
+   case splashModeMono1:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)];
+       mask = 0x80 >> (xDest & 7);
+       sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
+       srcMask = 0x80 >> (xSrc & 7);
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+ 	if (*sp & srcMask) {
+ 	  *p |= mask;
+ 	} else {
+@@ -5886,20 +5904,20 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+     }
+     break;
+   case splashModeMono8:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
+       sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+       }
+     }
+     break;
+   case splashModeRGB8:
+   case splashModeBGR8:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc];
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5907,10 +5925,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+     }
+     break;
+   case splashModeXBGR8:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5921,10 +5939,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+     break;
+ #ifdef SPLASH_CMYK
+   case splashModeCMYK8:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+ 	*p++ = *sp++;
+@@ -5933,10 +5951,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+     }
+     break;
+   case splashModeDeviceN8:
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest];
+       sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc];
+-      for (x = 0; x < w; ++x) {
+      for (x = 0; x < width; ++x) {
+         for (int cp=0; cp < SPOT_NCOMPS+4; cp++)
+           *p++ = *sp++;
+       }
+@@ -5946,9 +5964,9 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+   }
+ 
+   if (bitmap->alpha) {
+-    for (y = 0; y < h; ++y) {
+    for (y = 0; y < height; ++y) {
+       q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest];
+-      memset(q, 0x00, w);
+      memset(q, 0x00, width);
+     }
+   }
+ 
--- a/poppler.spec
+++ b/poppler.spec
@ -4,7 +4,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 0.73.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -44,6 +44,9 @@ Patch14: poppler-0.73.0-scan-fonts.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1713582
 Patch15: poppler-0.73.0-jpeg2000-component-size.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=1696638
+Patch16: poppler-0.73.0-overlapping-boxes.patch
+
 BuildRequires: cmake
 BuildRequires: gcc-c++
 BuildRequires: gettext-devel
@ -274,6 +277,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}"
 %{_mandir}/man1/*

 %changelog
+* Thu May 30 2019 Marek Kasik <mkasik@redhat.com> - 0.73.0-11
+- Restrict filling of overlapping boxes in Splash
+- Resolves: #1696640
+
 * Wed May 29 2019 Marek Kasik <mkasik@redhat.com> - 0.73.0-10
 - Fail gracefully if not all components of JPEG2000Stream
 - have the same size