Package: libpoppler3 Version: 0.8.7-1 Severity: important Tags: patch, security
Hi, the following CVE (Common Vulnerabilities & Exposures) ids were published for poppler. CVE-2009-0756[0]: | The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4 | allows remote attackers to cause a denial of service (crash) via a PDF | file that triggers a parsing error, which is not properly handled by | JBIG2SymbolDict::~JBIG2SymbolDict and triggers an invalid memory | dereference. CVE-2009-0755[1]: | The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4 | allows remote attackers to cause a denial of service (crash) via a PDF | file with an invalid Form Opt entry. I don't see any arbitrary code execution happening here, so the impact is certainly not critical. I've taken the two patches for the CVEs from upstream's changelog. I also included another patch, which claims to fix a crash, maybe you want to have a look at it. If you fix the vulnerabilities please also make sure to include the CVE ids in your changelog entry. Cheers Steffen For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0756 http://security-tracker.debian.net/tracker/CVE-2009-0756 [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0755 http://security-tracker.debian.net/tracker/CVE-2009-0755
Author: Albert Astals Cid <aa...@kde.org> 2009-01-29 08:53:43 Committer: Albert Astals Cid <aa...@kde.org> 2009-01-29 08:53:43 Parent: b1d4efb082ac3dadd7752a557e5aeb6651e17471 (PostScriptFunction::transform optimization) Child: 2df6d530cd9acd8648a6196031218ef10e7b3891 (Add line that for some reason was not imported from xpdf file) Branches: master, remotes/origin/master Follows: poppler-0.10.0 Precedes: Fix crash on unexepcted Form Opt value Fixes crash on bug 19790
------------------------------- poppler/Form.cc -------------------------------
index be58180..89e18a3 100644
@@ -449,7 +449,9 @@ void FormWidgetChoice::loadDefaults ()
 obj3.free();
 obj4.free();
 } else {
- error(-1, "FormWidgetChoice:: invalid Opt entry\n");
+ error(-1, "FormWidgetChoice:: invalid %d Opt entry\n", i);
+ parent->_setChoiceExportVal(i, new GooString(""));
+ parent->_setChoiceOptionName(i, new GooString(""));
 }
 obj2.free();
 }
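Review bot: The two placeholder `new GooString("")` calls added after the error() make a malformed Opt entry indistinguishable from a legitimately empty option for whatever later reads the export value and option name back, and they only avoid a leak if `_setChoiceExportVal`/`_setChoiceOptionName` take ownership of the string — neither setter is visible here, so that should be confirmed. If ownership is taken, a comment such as `// store empty strings so both tables have an entry for every index and later lookups never see a NULL` would record why the entry is filled rather than skipped. The new format string also reads oddly; `error(-1, "FormWidgetChoice:: invalid Opt entry %d\n", i);` says what `%d` is. loadDefaults() starts and ends outside the hunk.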
Author: Albert Astals Cid <aa...@kde.org> 2009-01-24 09:08:46 Committer: Albert Astals Cid <aa...@kde.org> 2009-01-24 09:11:26 Parent: 3990c9e52da7b17215506857c792c90a37ebac79 (Fix a problem in cairo backend when using a CMYK Profile) Child: 90f95127d8d89cfcadeb7d701437ab07ce4a8a61 (Cache last 5 GfxICCBasedColorSpace) Branches: master, remotes/origin/master Follows: poppler-0.10.0 Precedes: Do not crash in some PDF we don't parse correctly Fixes bug 19702
---------------------------- poppler/JBIG2Stream.cc ----------------------------
index 74b5ab8..5642c20 100644
@@ -15,7 +15,7 @@
 //
 // Copyright (C) 2006 Raj Kumar <rku...@archive.org>
 // Copyright (C) 2006 Paul Walmsley <p...@booyaka.com>
-// Copyright (C) 2006-2008 Albert Astals Cid <aa...@kde.org>
+// Copyright (C) 2006-2009 Albert Astals Cid <aa...@kde.org>
 //
 // To see a description of the changes please see the Changelog file that
 // came with your tarball or type make ChangeLog if you are building from git
@@ -1787,6 +1787,11 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
 }
 ex = !ex;
 }
+ for ( ; j < numExSyms; ++j) {
+ // this should never happen but happens on PDF we don't parse
+ // correctly like bug #19702
+ symbolDict->setBitmap(j, NULL);
+ }
 for (i = 0; i < numNewSyms; ++i) {
 delete bitmaps[numInputSyms + i];
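Review bot: The added loop fills the export slots that the run-length pass never assigned with NULL, but it does so silently for what its own comment calls a state that should never happen; an export-flag run that does not cover `numExSyms` symbols is a parse error and should at least be reported through error() so the malformed input is visible. The NULL entries also become part of the exported dictionary, so every consumer that indexes a symbol by number must now tolerate a NULL bitmap; those callers are outside this hunk and cannot be checked here. The comment would be more useful stating what goes wrong than citing the bug number alone, e.g. `// every slot must hold a valid pointer or NULL: ~JBIG2SymbolDict deletes each one, so an unassigned slot must not be left uninitialized` — that is the failure the CVE-2009-0756 text in the report above describes. readSymbolDictSeg starts and ends outside the hunk.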
Author: Albert Astals Cid <aa...@kde.org> 2009-02-26 08:40:24 Committer: Albert Astals Cid <aa...@kde.org> 2009-02-26 08:40:24 Parent: 26a8217160c1eaeeadb92023b27e68f402e38dd0 (Check if cairo_shape is not NULL before using it.) Child: f7c88148fdb671736d81dd5f01a3fb68f944510c (Fix cache shifting) Branches: master, remotes/origin/master Follows: poppler-0.10.0 Precedes: Make JBIG2Stream not crash in 2009-41414141.pdf
---------------------------- poppler/JBIG2Stream.cc ----------------------------
index 5642c20..938927e 100644
@@ -684,6 +684,7 @@ public:
 void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp);
 Guchar *getDataPtr() { return data; }
 int getDataSize() { return h * line; }
+ GBool isOk() { return data != NULL; }
 private:
@@ -2074,18 +2075,20 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
 gfree(syms);
- // combine the region bitmap into the page bitmap
- if (imm) {
- if (pageH == 0xffffffff && y + h > curPageH) {
- pageBitmap->expand(y + h, pageDefPixel);
- }
- pageBitmap->combine(bitmap, x, y, extCombOp);
- delete bitmap;
+ if (bitmap) {
+ // combine the region bitmap into the page bitmap
+ if (imm) {
+ if (pageH == 0xffffffff && y + h > curPageH) {
+ pageBitmap->expand(y + h, pageDefPixel);
+ }
+ pageBitmap->combine(bitmap, x, y, extCombOp);
+ delete bitmap;
- // store the region bitmap
- } else {
- bitmap->setSegNum(segNum);
- segments->append(bitmap);
+ // store the region bitmap
+ } else {
+ bitmap->setSegNum(segNum);
+ segments->append(bitmap);
+ }
 }
 // clean up the Huffman decoder
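Review bot: `isOk()` does not modify the object and should be declared `GBool isOk() const { return data != NULL; }` so it is callable through a const JBIG2Bitmap; the neighbouring accessors are non-const too, but a new predicate is the place to start. A comment saying when `data` can be NULL would help callers — presumably the constructor leaves it NULL when the pixel buffer for the requested size cannot be allocated, but the constructor is not in this hunk, so that should be confirmed and written down, e.g. `// false when the constructor could not allocate the pixel buffer; check before using data`. The class declaration starts and ends outside the hunk.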
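Review bot: The new `if (bitmap)` guard drops a region that failed to decode without any diagnostic: nothing goes through error(), and in the non-immediate branch no segment is appended for `segNum`, so a later segment referring to it will presumably find nothing — whether that lookup copes with a missing segment cannot be seen from this hunk. An `else` arm that reports the failure keeps the silent skip visible in the log, e.g. `} else { error(-1, "JBIG2Stream: text region bitmap could not be read\n"); }`, using whatever position argument the file's other error() calls pass. readTextRegionSeg starts and ends outside the hunk.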
@@ -2207,73 +2210,84 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
 ri = 0;
 }
 if (ri) {
+ GBool decodeSuccess;
 if (huff) {
- huffDecoder->decodeInt(&rdw, huffRDWTable);
- huffDecoder->decodeInt(&rdh, huffRDHTable);
- huffDecoder->decodeInt(&rdx, huffRDXTable);
- huffDecoder->decodeInt(&rdy, huffRDYTable);
- huffDecoder->decodeInt(&bmSize, huffRSizeTable);
+ decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable);
 huffDecoder->reset();
 arithDecoder->start();
 } else {
- arithDecoder->decodeInt(&rdw, iardwStats);
- arithDecoder->decodeInt(&rdh, iardhStats);
- arithDecoder->decodeInt(&rdx, iardxStats);
- arithDecoder->decodeInt(&rdy, iardyStats);
+ decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats);
+ }
+
+ if (decodeSuccess)
+ {
+ refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
+ refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
+
+ symbolBitmap =
+ readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
+ rdh + syms[symID]->getHeight(),
+ templ, gFalse, syms[symID],
+ refDX, refDY, atx, aty);
+ }
 }
- refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
- refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
-
- symbolBitmap =
- readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
- rdh + syms[symID]->getHeight(),
- templ, gFalse, syms[symID],
- refDX, refDY, atx, aty);
 //~ do we need to use the bmSize value here (in Huffman mode)?
 } else {
 symbolBitmap = syms[symID];
 }
- // combine the symbol bitmap into the region bitmap
- //~ something is wrong here - refCorner shouldn't degenerate into
- //~ two cases
- bw = symbolBitmap->getWidth() - 1;
- bh = symbolBitmap->getHeight() - 1;
- if (transposed) {
- switch (refCorner) {
- case 0: // bottom left
- bitmap->combine(symbolBitmap, tt, s, combOp);
- break;
- case 1: // top left
- bitmap->combine(symbolBitmap, tt, s, combOp);
- break;
- case 2: // bottom right
- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
- break;
- case 3: // top right
- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
- break;
+ if (symbolBitmap) {
+ // combine the symbol bitmap into the region bitmap
+ //~ something is wrong here - refCorner shouldn't degenerate into
+ //~ two cases
+ bw = symbolBitmap->getWidth() - 1;
+ bh = symbolBitmap->getHeight() - 1;
+ if (transposed) {
+ switch (refCorner) {
+ case 0: // bottom left
+ bitmap->combine(symbolBitmap, tt, s, combOp);
+ break;
+ case 1: // top left
+ bitmap->combine(symbolBitmap, tt, s, combOp);
+ break;
+ case 2: // bottom right
+ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+ break;
+ case 3: // top right
+ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+ break;
+ }
+ s += bh;
+ } else {
+ switch (refCorner) {
+ case 0: // bottom left
+ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+ break;
+ case 1: // top left
+ bitmap->combine(symbolBitmap, s, tt, combOp);
+ break;
+ case 2: // bottom right
+ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+ break;
+ case 3: // top right
+ bitmap->combine(symbolBitmap, s, tt, combOp);
+ break;
+ }
+ s += bw;
 }
- s += bh;
- } else {
- switch (refCorner) {
- case 0: // bottom left
- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
- break;
- case 1: // top left
- bitmap->combine(symbolBitmap, s, tt, combOp);
- break;
- case 2: // bottom right
- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
- break;
- case 3: // top right
- bitmap->combine(symbolBitmap, s, tt, combOp);
- break;
+ if (ri) {
+ delete symbolBitmap;
 }
- s += bw;
- }
- if (ri) {
- delete symbolBitmap;
+ } else {
+ // NULL symbolBitmap only happens on error
+ delete bitmap;
+ return NULL;
 }
 }
@@ -3052,6 +3066,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
 int x, y, pix;
 bitmap = new JBIG2Bitmap(0, w, h);
+ if (!bitmap->isOk())
+ {
+ delete bitmap;
+ return NULL;
+ }
 bitmap->clearToZero();
 // set up the typical row context
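Review bot: When `decodeSuccess` is false the new code leaves `symbolBitmap` untouched, yet the `if (symbolBitmap)` test that follows treats whatever it holds as a valid result: the variable is declared outside the hunk, and unless it is reset to NULL at the start of every instance iteration it still carries the previous iteration's pointer — which, if that instance had `ri` set, was already freed by the `delete symbolBitmap` branch, so the combine and the second delete would run on freed memory. The refinement branch also dereferences `syms[symID]` for `getWidth()`/`getHeight()` before any NULL check, and the readSymbolDictSeg change higher on this page now stores NULL bitmaps in exported dictionaries, so that pointer can be NULL here. Both are closed by guarding the refinement and resetting the pointer on the failure path: `if (decodeSuccess && syms[symID])` for the condition, and `} else { symbolBitmap = NULL; }` after its closing brace, so the existing NULL branch below reports the error. readTextRegion starts and ends outside the hunk.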
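Review bot: The allocation-failure exit added after `new JBIG2Bitmap(0, w, h)` returns NULL without reporting anything, so a region whose `w`/`h` could not be backed by a buffer vanishes silently; an error() call before `return NULL;` would make the truncated output explainable from the log. The brace placement, `{` on its own line after `if (!bitmap->isOk())`, departs from the K&R style the surrounding code uses (`if (ri) {`), and because readGenericRefinementRegion can now return NULL every caller must check for it — only readTextRegion is adjusted on this page, and the rest of this function starts and ends outside the hunk. If other `new JBIG2Bitmap(...)` sites exist in the file they presumably need the same `isOk()` guard.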