File poppler-CVE-2019-14292.patch of Package poppler.34110

From aa03a71c3a1127cffd19bb0f596c4b361a7f2269 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Sun, 21 May 2017 22:37:23 +0200
Subject: [PATCH] Fix abort in files with broken Decode arrays

Fixes KDE bug #379835
---
 poppler/GfxState.cc | 18 ++++++++++++------
 poppler/Object.h    |  7 +++++++
 2 files changed, 19 insertions(+), 6 deletions(-)

Index: poppler-0.43.0/poppler/GfxState.cc
===================================================================
--- poppler-0.43.0.orig/poppler/GfxState.cc
+++ poppler-0.43.0/poppler/GfxState.cc
@@ -5316,24 +5316,30 @@ GfxPatchMeshShading *GfxPatchMeshShading
   obj1.free();
   if (dict->lookup("Decode", &obj1)->isArray() &&
       obj1.arrayGetLength() >= 6) {
-    xMin = obj1.arrayGet(0, &obj2)->getNum();
+    bool decodeOk = true;
+    xMin = obj1.arrayGet(0, &obj2)->getNum(&decodeOk);
     obj2.free();
-    xMax = obj1.arrayGet(1, &obj2)->getNum();
+    xMax = obj1.arrayGet(1, &obj2)->getNum(&decodeOk);
     obj2.free();
     xMul = (xMax - xMin) / (pow(2.0, coordBits) - 1);
-    yMin = obj1.arrayGet(2, &obj2)->getNum();
+    yMin = obj1.arrayGet(2, &obj2)->getNum(&decodeOk);
     obj2.free();
-    yMax = obj1.arrayGet(3, &obj2)->getNum();
+    yMax = obj1.arrayGet(3, &obj2)->getNum(&decodeOk);
     obj2.free();
     yMul = (yMax - yMin) / (pow(2.0, coordBits) - 1);
     for (i = 0; 5 + 2*i < obj1.arrayGetLength() && i < gfxColorMaxComps; ++i) {
-      cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum();
+      cMin[i] = obj1.arrayGet(4 + 2*i, &obj2)->getNum(&decodeOk);
       obj2.free();
-      cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum();
+      cMax[i] = obj1.arrayGet(5 + 2*i, &obj2)->getNum(&decodeOk);
       obj2.free();
       cMul[i] = (cMax[i] - cMin[i]) / (double)((1 << compBits) - 1);
     }
     nComps = i;
+
+    if (!decodeOk) {
+      error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary");
+      goto err2;
+    }
   } else {
     error(errSyntaxWarning, -1, "Missing or invalid Decode array in shading dictionary");
     goto err2;
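Review bot: The new `if (!decodeOk)` branch logs exactly the same text as the existing `else` branch, so a log line cannot tell a Decode array holding a non-numeric entry from one that is missing or shorter than six elements. A distinct message would help triage of malformed files, e.g. `error(errSyntaxWarning, -1, "Non-numeric entry in Decode array in shading dictionary");`. The check also runs only after xMul, yMul and cMul[] have been computed from the 0 that `getNum(&decodeOk)` returns for a bad entry. That is harmless here because the function leaves through err2, but a comment above the check such as `// getNum(&decodeOk) yields 0 for non-numeric entries; reject before any decoded value is used` would make the ordering deliberate. The function body starts and ends outside the hunk.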
Index: poppler-0.43.0/poppler/Object.h
===================================================================
--- poppler-0.43.0.orig/poppler/Object.h
+++ poppler-0.43.0/poppler/Object.h
@@ -207,6 +207,13 @@ public:
   // Where the exact value of integers up to 2^63 is required, use isInt64()/getInt64().
   double getNum() { OBJECT_3TYPES_CHECK(objInt, objInt64, objReal);
     return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real; }
+  double getNum(bool *ok) {
+    if (unlikely(type != objInt && type != objInt64 && type != objReal)) {
+      *ok = false;
+      return 0.;
+    }
+    return type == objInt ? (double)intg : type == objInt64 ? (double)int64g : real;
+  }
   GooString *getString() { OBJECT_TYPE_CHECK(objString); return string; }
   // After takeString() the only method that should be called for the object is free()
   // because the object it's not expected to have a NULL string.
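Review bot: The added `getNum(bool *ok)` overload carries no comment stating its contract, unlike the members around it: it writes `*ok = false` on a non-numeric object, never writes true, and dereferences `ok` unconditionally. Callers therefore have to initialise the flag to true and pass a non-null pointer; the GfxState.cc caller in this patch does both, but nothing at the declaration says so. I would add above it `// Like getNum(), but for a non-numeric object sets *ok to false and returns 0 instead of going through OBJECT_3TYPES_CHECK.` and `// *ok is never set to true, so one flag can accumulate over several calls; ok must not be NULL.` The enclosing class starts and ends outside the hunk.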