Package: libpoppler3
Version: 0.8.7-1
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for poppler.
CVE-2009-0756[0]:
| The JBIG2Stream::readSymbolDictSeg function in Poppler before 0.10.4
| allows remote attackers to cause a denial of service (crash) via a PDF
| file that triggers a parsing error, which is not properly handled by
| JBIG2SymbolDict::~JBIG2SymbolDict and triggers an invalid memory
| dereference.
CVE-2009-0755[1]:
| The FormWidgetChoice::loadDefaults function in Poppler before 0.10.4
| allows remote attackers to cause a denial of service (crash) via a PDF
| file with an invalid Form Opt entry.
I don't see any arbitrary code execution happening here, so the impact
is certainly not critical. I've taken the two patches for the CVEs from
upstream's changelog. I also included another patch, which claims to
fix a crash, maybe you want to have a look at it.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0756
http://security-tracker.debian.net/tracker/CVE-2009-0756
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0755
http://security-tracker.debian.net/tracker/CVE-2009-0755
Author: Albert Astals Cid <aa...@kde.org> 2009-01-29 08:53:43
Committer: Albert Astals Cid <aa...@kde.org> 2009-01-29 08:53:43
Parent: b1d4efb082ac3dadd7752a557e5aeb6651e17471 (PostScriptFunction::transform
optimization)
Child: 2df6d530cd9acd8648a6196031218ef10e7b3891 (Add line that for some reason
was not imported from xpdf file)
Branches: master, remotes/origin/master
Follows: poppler-0.10.0
Precedes:
Fix crash on unexepcted Form Opt value
Fixes crash on bug 19790
------------------------------- poppler/Form.cc -------------------------------
index be58180..89e18a3 100644
@@ -449,7 +449,9 @@ void FormWidgetChoice::loadDefaults ()
obj3.free();
obj4.free();
} else {
- error(-1, "FormWidgetChoice:: invalid Opt entry\n");
+ error(-1, "FormWidgetChoice:: invalid %d Opt entry\n", i);
+ parent->_setChoiceExportVal(i, new GooString(""));
+ parent->_setChoiceOptionName(i, new GooString(""));
}
obj2.free();
}
Author: Albert Astals Cid <aa...@kde.org> 2009-01-24 09:08:46
Committer: Albert Astals Cid <aa...@kde.org> 2009-01-24 09:11:26
Parent: 3990c9e52da7b17215506857c792c90a37ebac79 (Fix a problem in cairo backend when using a CMYK Profile)
Child: 90f95127d8d89cfcadeb7d701437ab07ce4a8a61 (Cache last 5 GfxICCBasedColorSpace)
Branches: master, remotes/origin/master
Follows: poppler-0.10.0
Precedes:
Do not crash in some PDF we don't parse correctly
Fixes bug 19702
---------------------------- poppler/JBIG2Stream.cc ----------------------------
index 74b5ab8..5642c20 100644
@@ -15,7 +15,7 @@
//
// Copyright (C) 2006 Raj Kumar <rku...@archive.org>
// Copyright (C) 2006 Paul Walmsley <p...@booyaka.com>
-// Copyright (C) 2006-2008 Albert Astals Cid <aa...@kde.org>
+// Copyright (C) 2006-2009 Albert Astals Cid <aa...@kde.org>
//
// To see a description of the changes please see the Changelog file that
// came with your tarball or type make ChangeLog if you are building from git
@@ -1787,6 +1787,11 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
}
ex = !ex;
}
+ for ( ; j < numExSyms; ++j) {
+ // this should never happen but happens on PDF we don't parse
+ // correctly like bug #19702
+ symbolDict->setBitmap(j, NULL);
+ }
for (i = 0; i < numNewSyms; ++i) {
delete bitmaps[numInputSyms + i];
Author: Albert Astals Cid <aa...@kde.org> 2009-02-26 08:40:24
Committer: Albert Astals Cid <aa...@kde.org> 2009-02-26 08:40:24
Parent: 26a8217160c1eaeeadb92023b27e68f402e38dd0 (Check if cairo_shape is not NULL before using it.)
Child: f7c88148fdb671736d81dd5f01a3fb68f944510c (Fix cache shifting)
Branches: master, remotes/origin/master
Follows: poppler-0.10.0
Precedes:
Make JBIG2Stream not crash in 2009-41414141.pdf
---------------------------- poppler/JBIG2Stream.cc ----------------------------
index 5642c20..938927e 100644
@@ -684,6 +684,7 @@ public:
void combine(JBIG2Bitmap *bitmap, int x, int y, Guint combOp);
Guchar *getDataPtr() { return data; }
int getDataSize() { return h * line; }
+ GBool isOk() { return data != NULL; }
private:
@@ -2074,18 +2075,20 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBool imm,
gfree(syms);
- // combine the region bitmap into the page bitmap
- if (imm) {
- if (pageH == 0xffffffff && y + h > curPageH) {
- pageBitmap->expand(y + h, pageDefPixel);
- }
- pageBitmap->combine(bitmap, x, y, extCombOp);
- delete bitmap;
+ if (bitmap) {
+ // combine the region bitmap into the page bitmap
+ if (imm) {
+ if (pageH == 0xffffffff && y + h > curPageH) {
+ pageBitmap->expand(y + h, pageDefPixel);
+ }
+ pageBitmap->combine(bitmap, x, y, extCombOp);
+ delete bitmap;
- // store the region bitmap
- } else {
- bitmap->setSegNum(segNum);
- segments->append(bitmap);
+ // store the region bitmap
+ } else {
+ bitmap->setSegNum(segNum);
+ segments->append(bitmap);
+ }
}
// clean up the Huffman decoder
@@ -2207,73 +2210,84 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
ri = 0;
}
if (ri) {
+ GBool decodeSuccess;
if (huff) {
- huffDecoder->decodeInt(&rdw, huffRDWTable);
- huffDecoder->decodeInt(&rdh, huffRDHTable);
- huffDecoder->decodeInt(&rdx, huffRDXTable);
- huffDecoder->decodeInt(&rdy, huffRDYTable);
- huffDecoder->decodeInt(&bmSize, huffRSizeTable);
+ decodeSuccess = huffDecoder->decodeInt(&rdw, huffRDWTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdh, huffRDHTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdx, huffRDXTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&rdy, huffRDYTable);
+ decodeSuccess = decodeSuccess && huffDecoder->decodeInt(&bmSize, huffRSizeTable);
huffDecoder->reset();
arithDecoder->start();
} else {
- arithDecoder->decodeInt(&rdw, iardwStats);
- arithDecoder->decodeInt(&rdh, iardhStats);
- arithDecoder->decodeInt(&rdx, iardxStats);
- arithDecoder->decodeInt(&rdy, iardyStats);
+ decodeSuccess = arithDecoder->decodeInt(&rdw, iardwStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdh, iardhStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdx, iardxStats);
+ decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats);
+ }
+
+ if (decodeSuccess)
+ {
+ refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
+ refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
+
+ symbolBitmap =
+ readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
+ rdh + syms[symID]->getHeight(),
+ templ, gFalse, syms[symID],
+ refDX, refDY, atx, aty);
}
- refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx;
- refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy;
-
- symbolBitmap =
- readGenericRefinementRegion(rdw + syms[symID]->getWidth(),
- rdh + syms[symID]->getHeight(),
- templ, gFalse, syms[symID],
- refDX, refDY, atx, aty);
//~ do we need to use the bmSize value here (in Huffman mode)?
} else {
symbolBitmap = syms[symID];
}
- // combine the symbol bitmap into the region bitmap
- //~ something is wrong here - refCorner shouldn't degenerate into
- //~ two cases
- bw = symbolBitmap->getWidth() - 1;
- bh = symbolBitmap->getHeight() - 1;
- if (transposed) {
- switch (refCorner) {
- case 0: // bottom left
- bitmap->combine(symbolBitmap, tt, s, combOp);
- break;
- case 1: // top left
- bitmap->combine(symbolBitmap, tt, s, combOp);
- break;
- case 2: // bottom right
- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
- break;
- case 3: // top right
- bitmap->combine(symbolBitmap, tt - bw, s, combOp);
- break;
+ if (symbolBitmap) {
+ // combine the symbol bitmap into the region bitmap
+ //~ something is wrong here - refCorner shouldn't degenerate into
+ //~ two cases
+ bw = symbolBitmap->getWidth() - 1;
+ bh = symbolBitmap->getHeight() - 1;
+ if (transposed) {
+ switch (refCorner) {
+ case 0: // bottom left
+ bitmap->combine(symbolBitmap, tt, s, combOp);
+ break;
+ case 1: // top left
+ bitmap->combine(symbolBitmap, tt, s, combOp);
+ break;
+ case 2: // bottom right
+ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+ break;
+ case 3: // top right
+ bitmap->combine(symbolBitmap, tt - bw, s, combOp);
+ break;
+ }
+ s += bh;
+ } else {
+ switch (refCorner) {
+ case 0: // bottom left
+ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+ break;
+ case 1: // top left
+ bitmap->combine(symbolBitmap, s, tt, combOp);
+ break;
+ case 2: // bottom right
+ bitmap->combine(symbolBitmap, s, tt - bh, combOp);
+ break;
+ case 3: // top right
+ bitmap->combine(symbolBitmap, s, tt, combOp);
+ break;
+ }
+ s += bw;
}
- s += bh;
- } else {
- switch (refCorner) {
- case 0: // bottom left
- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
- break;
- case 1: // top left
- bitmap->combine(symbolBitmap, s, tt, combOp);
- break;
- case 2: // bottom right
- bitmap->combine(symbolBitmap, s, tt - bh, combOp);
- break;
- case 3: // top right
- bitmap->combine(symbolBitmap, s, tt, combOp);
- break;
+ if (ri) {
+ delete symbolBitmap;
}
- s += bw;
- }
- if (ri) {
- delete symbolBitmap;
+ } else {
+ // NULL symbolBitmap only happens on error
+ delete bitmap;
+ return NULL;
}
}
@@ -3052,6 +3066,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
int x, y, pix;
bitmap = new JBIG2Bitmap(0, w, h);
+ if (!bitmap->isOk())
+ {
+ delete bitmap;
+ return NULL;
+ }
bitmap->clearToZero();
// set up the typical row context
