From 39435a518554d4f62bec6cd359f2a387269891f5 Mon Sep 17 00:00:00 2001
From: Nathan Owens
Date: Sat, 5 Jan 2019 06:38:16 -0600
Subject: [PATCH] poppler: fix CVE-2018-20551 CVE-2018-20650
---
srcpkgs/poppler/patches/CVE-2018-20551.patch | 54 ++++++++++++++++++++
srcpkgs/poppler/patches/CVE-2018-20650.patch | 38 ++++++++++++++
srcpkgs/poppler/template | 2 +-
3 files changed, 93 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/poppler/patches/CVE-2018-20551.patch
create mode 100644 srcpkgs/poppler/patches/CVE-2018-20650.patch
diff --git a/srcpkgs/poppler/patches/CVE-2018-20551.patch b/srcpkgs/poppler/patches/CVE-2018-20551.patch
new file mode 100644
index 00000000000..3475b1e650b
--- /dev/null
+++ b/srcpkgs/poppler/patches/CVE-2018-20551.patch
@@ -0,0 +1,54 @@
+Source-url:
+https://gitlab.freedesktop.org/poppler/poppler/commit/7f87dc10b6adccd6d1b977a28b064add254aa2da
+
+From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
+From: Adam Reichold
+Date: Thu, 27 Dec 2018 11:54:53 +0100
+Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
+ Closes #703
+
+---
+ poppler/Annot.cc | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+diff --git poppler/Annot.cc poppler/Annot.cc
+index 2e4770ab..1750dc70 100644
+--- poppler/Annot.cc
++++ poppler/Annot.cc
+@@ -6418,20 +6418,22 @@ AnnotRichMedia::Content::Content(Dict *dict) {
+ if (obj1.isDict()) {
+ Object obj2 = obj1.getDict()->lookup("Names");
+ if (obj2.isArray()) {
+- nAssets = obj2.arrayGetLength() / 2;
++ const int length = obj2.arrayGetLength() / 2;
+
+- assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
++ assets = (Asset **)gmallocn(length, sizeof(Asset *));
++ for (int i = 0; i < length; ++i) {
++ Object objKey = obj2.arrayGet(2 * i);
++ Object objVal = obj2.arrayGet(2 * i + 1);
+
+- int counter = 0;
+- for (int i = 0; i < nAssets; ++i) {
+- assets[counter] = new AnnotRichMedia::Asset;
+-
+- Object objKey = obj2.arrayGet(i * 2);
+- assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
+-
+- assets[counter]->name = std::make_unique( objKey.getString() );
+- ++counter;
++ if (!objKey.isString() || objVal.isNull()) {
++ error(errSyntaxError, -1, "Bad Annot Asset");
++ continue;
++ }
+
++ assets[nAssets] = new AnnotRichMedia::Asset;
++ assets[nAssets]->name = std::make_unique( objKey.getString() );
++ assets[nAssets]->fileSpec = std::move(objVal);
++ ++nAssets;
+ }
+ }
+ }
+--
+2.18.1
+
diff --git a/srcpkgs/poppler/patches/CVE-2018-20650.patch b/srcpkgs/poppler/patches/CVE-2018-20650.patch
new file mode 100644
index 00000000000..a68f61653f0
--- /dev/null
+++ b/srcpkgs/poppler/patches/CVE-2018-20650.patch
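Review bot: In the rewritten loop of `AnnotRichMedia::Content::Content` (poppler/Annot.cc), `assets[nAssets]` and `++nAssets` use the member itself as the write index, so every store stays inside the `length`-slot allocation only if `nAssets` is zero when the loop is entered; that initialisation is not in the hunk (the constructor starts and ends outside it) and should be confirmed. The guard `objVal.isNull()` rejects only a missing value, so a non-null file spec of any other type is still stored and each consumer of `fileSpec` has to check its type itself, which appears to be what the FileSpec.cc patch in this commit addresses for that constructor. I would record the invariant above the loop with `// nAssets counts accepted entries only; assets[] slots at or beyond nAssets stay uninitialised`.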
@@ -0,0 +1,38 @@
+Source-url:
+https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
+
+From de0c0b8324e776f0b851485e0fc9622fc35695b7 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Sat, 29 Dec 2018 01:25:17 +0100
+Subject: [PATCH] FileSpec: Move the fileSpec.dictLookup call inside
+ fileSpec.isDict if
+
+Fixes #704
+---
+ poppler/FileSpec.cc | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git poppler/FileSpec.cc poppler/FileSpec.cc
+index 8a8b9e7e..7c12da63 100644
+--- poppler/FileSpec.cc
++++ poppler/FileSpec.cc
+@@ -133,11 +133,12 @@ FileSpec::FileSpec(const Object *fileSpecA)
+ return;
+ }
+ }
+- }
+
+- obj1 = fileSpec.dictLookup("Desc");
+- if (obj1.isString())
+- desc = obj1.getString()->copy();
++ obj1 = fileSpec.dictLookup("Desc");
++ if (obj1.isString()) {
++ desc = obj1.getString()->copy();
++ }
++ }
+ }
+
+ FileSpec::~FileSpec()
+--
+2.18.1
+
diff --git a/srcpkgs/poppler/template b/srcpkgs/poppler/template
index 13ea6ba4265..ea942ab1b43 100644
--- a/srcpkgs/poppler/template
+++ b/srcpkgs/poppler/template
@@ -4,7 +4,7 @@
 #
 pkgname=poppler
 version=0.72.0
-revision=1
+revision=2
 build_style=cmake
 configure_args="-DENABLE_XPDF_HEADERS=on $(vopt_if gir -DENABLE_GLIB=on) -DENABLE_QT5=off"
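Review bot: For a file spec that is not a dictionary, `desc` is no longer assigned anywhere in the visible tail of `FileSpec::FileSpec` (poppler/FileSpec.cc), because the `Desc` lookup now sits inside the `isDict()` block. The destructor that follows presumably releases `desc`, so it depends on `desc` having been initialised earlier in the constructor; that part is outside the hunk and should be confirmed. A short comment on the moved lines, for example `// dictLookup() is only valid on a dictionary; keep every lookup inside the isDict() branch`, would keep a later edit from separating the type check from the lookup again.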