diff --git a/poppler-0.73.0-overlapping-boxes.patch b/poppler-0.73.0-overlapping-boxes.patch
new file mode 100644
index 0000000..4dcc101
--- /dev/null
+++ b/poppler-0.73.0-overlapping-boxes.patch
@@ -0,0 +1,135 @@
+From 6a1580e84f492b5671d23be98192267bb73de250 Mon Sep 17 00:00:00 2001
+From: Marek Kasik
+Date: Mon, 13 May 2019 15:08:38 +0200
+Subject: Splash: Restrict filling of overlapping boxes
+
+Check whether area to fill in Splash::blitTransparent()
+does not run out of allocated memory for source and for destination
+and shrink it if needed.
+
+Fixes #750
+
+diff --git a/splash/Splash.cc b/splash/Splash.cc
+index 0a06f9c8..4ac163e4 100644
+--- a/splash/Splash.cc
++++ b/splash/Splash.cc
+@@ -5851,7 +5851,7 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ int xDest, int yDest, int w, int h) {
+ SplashColorPtr p, sp;
+ unsigned char *q;
+- int x, y, mask, srcMask;
++ int x, y, mask, srcMask, width = w, height = h;
+
+ if (src->mode != bitmap->mode) {
+ return splashErrModeMismatch;
+@@ -5861,14 +5861,32 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ return splashErrZeroImage;
+ }
+
++ if (src->getWidth() - xSrc < width)
++ width = src->getWidth() - xSrc;
++
++ if (src->getHeight() - ySrc < height)
++ height = src->getHeight() - ySrc;
++
++ if (bitmap->getWidth() - xDest < width)
++ width = bitmap->getWidth() - xDest;
++
++ if (bitmap->getHeight() - yDest < height)
++ height = bitmap->getHeight() - yDest;
++
++ if (width < 0)
++ width = 0;
++
++ if (height < 0)
++ height = 0;
++
+ switch (bitmap->mode) {
+ case splashModeMono1:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + (xDest >> 3)];
+ mask = 0x80 >> (xDest & 7);
+ sp = &src->data[(ySrc + y) * src->rowSize + (xSrc >> 3)];
+ srcMask = 0x80 >> (xSrc & 7);
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ if (*sp & srcMask) {
+ *p |= mask;
+ } else {
+@@ -5886,20 +5904,20 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ }
+ break;
+ case splashModeMono8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + xDest];
+ sp = &src->data[(ySrc + y) * bitmap->rowSize + xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ }
+ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 3 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 3 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5907,10 +5925,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ }
+ break;
+ case splashModeXBGR8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5921,10 +5939,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ break;
+ #ifdef SPLASH_CMYK
+ case splashModeCMYK8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + 4 * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + 4 * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ *p++ = *sp++;
+ *p++ = *sp++;
+ *p++ = *sp++;
+@@ -5933,10 +5951,10 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ }
+ break;
+ case splashModeDeviceN8:
+- for (y = 0; y < h; ++y) {
++ for (y = 0; y < height; ++y) {
+ p = &bitmap->data[(yDest + y) * bitmap->rowSize + (SPOT_NCOMPS+4) * xDest];
+ sp = &src->data[(ySrc + y) * src->rowSize + (SPOT_NCOMPS+4) * xSrc];
+- for (x = 0; x < w; ++x) {
++ for (x = 0; x < width; ++x) {
+ for (int cp=0; cp < SPOT_NCOMPS+4; cp++)
+ *p++ = *sp++;
+ }
+@@ -5946,9 +5964,9 @@ SplashError Splash::blitTransparent(SplashBitmap *src, int xSrc, int ySrc,
+ } + + if (bitmap->alpha) { +- for (y = 0; y < h; ++y) { ++ for (y = 0; y < height; ++y) { + q = &bitmap->alpha[(yDest + y) * bitmap->width + xDest]; +- memset(q, 0x00, w); ++ memset(q, 0x00, width); + } + } + diff --git a/poppler.spec b/poppler.spec index b0740ed..75a31f2 100644 --- a/poppler.spec +++ b/poppler.spec @@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.73.0 -Release: 10%{?dist} +Release: 11%{?dist} License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -44,6 +44,9 @@ Patch14: poppler-0.73.0-scan-fonts.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1713582 Patch15: poppler-0.73.0-jpeg2000-component-size.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1696638 +Patch16: poppler-0.73.0-overlapping-boxes.patch + BuildRequires: cmake BuildRequires: gcc-c++ BuildRequires: gettext-devel @@ -274,6 +277,10 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Thu May 30 2019 Marek Kasik - 0.73.0-11 +- Restrict filling of overlapping boxes in Splash +- Resolves: #1696640 + * Wed May 29 2019 Marek Kasik - 0.73.0-10 - Fail gracefully if not all components of JPEG2000Stream - have the same size
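Review bot: The clamp added before the `switch` in `Splash::blitTransparent()` (inside poppler-0.73.0-overlapping-boxes.patch) only bounds the right and bottom edges, so a negative `xSrc`, `ySrc`, `xDest` or `yDest` leaves `width`/`height` untouched and the row pointers would still start before `src->data` or `bitmap->data`. Whether any caller can pass a negative origin is not visible here, so an explicit guard such as `if (xSrc < 0 || ySrc < 0 || xDest < 0 || yDest < 0) return splashErrBadArg;` ahead of the clamp would close that side. The `splashModeMono8` branch, carried as context, still indexes the source with the destination stride, `(ySrc + y) * bitmap->rowSize + xSrc`, while every other branch uses `src->rowSize`; if the two bitmaps differ in row size the read can leave the source buffer despite the new bounds, so that line should read `sp = &src->data[(ySrc + y) * src->rowSize + xSrc];`. A one-line comment above the clamp stating that an out-of-range area is shrunk silently rather than rejected would also help callers, since the return value does not report the truncation. The body of `blitTransparent()` continues outside the hunks shown.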