File poppler-CVE-2020-36023.patch of Package poppler

Overview Repositories Revisions Requests Users Attributes Meta

File poppler-CVE-2020-36023.patch of Package poppler

From 238dc045beeeb1eb619f3fb6cb699ba36813222d Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Mon, 21 Dec 2020 22:57:44 +0100
Subject: [PATCH] Fix infinite looping in cvtGlyph with broken files

---
 fofi/FoFiType1C.cc | 20 +++++++++++++++-----
 fofi/FoFiType1C.h  |  4 +++-
 2 files changed, 18 insertions(+), 6 deletions(-)

Index: poppler-0.62.0/fofi/FoFiType1C.cc
===================================================================
--- poppler-0.62.0.orig/fofi/FoFiType1C.cc
+++ poppler-0.62.0/fofi/FoFiType1C.cc
@@ -551,8 +551,9 @@ void FoFiType1C::convertToCIDType0(char
 	if (!ok) {
 	  subrIdx.pos = -1;
 	}
+	std::set<int> offsetBeingParsed;
 	cvtGlyph(val.pos, val.len, charStrings,
-		 &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], gTrue);
+		 &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], gTrue, offsetBeingParsed);
       }
     }
   }
@@ -1183,7 +1184,8 @@ void FoFiType1C::eexecCvtGlyph(Type1CEex
 
   // generate the charstring
   charBuf = new GooString();
-  cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, gTrue);
+  std::set<int> offsetBeingParsed;
+  cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, gTrue, offsetBeingParsed);
 
   buf = GooString::format("/{0:s} {1:d} RD ", glyphName, charBuf->getLength());
   eexecWrite(eb, buf->getCString());
@@ -1197,7 +1199,7 @@ void FoFiType1C::eexecCvtGlyph(Type1CEex
 
 void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf,
 			  Type1CIndex *subrIdx, Type1CPrivateDict *pDict,
-			  GBool top) {
+			  GBool top,  std::set<int> &offsetBeingParsed) {
   Type1CIndexVal val;
   GBool ok, dFP;
   double d, dx, dy;
@@ -1205,6 +1207,12 @@ void FoFiType1C::cvtGlyph(int offset, in
   Guchar byte;
   int pos, subrBias, start, i, k;
 
+  if (offsetBeingParsed.find(offset) != offsetBeingParsed.end()) {
+     return;
+  }
+
+  auto offsetEmplaceResult = offsetBeingParsed.emplace(offset);
+
   start = charBuf->getLength();
   if (top) {
     charBuf->append((char)73);
@@ -1362,7 +1370,7 @@ void FoFiType1C::cvtGlyph(int offset, in
 	  ok = gTrue;
 	  getIndexVal(subrIdx, k, &val, &ok);
 	  if (likely(ok && val.pos != offset)) {
-	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse, offsetBeingParsed);
 	  }
 	} else {
 	  //~ error(-1, "Too few args to Type 2 callsubr");
@@ -1597,7 +1605,7 @@ void FoFiType1C::cvtGlyph(int offset, in
 	  ok = gTrue;
 	  getIndexVal(&gsubrIdx, k, &val, &ok);
 	  if (likely(ok && val.pos != offset)) {
-	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse);
+	    cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, gFalse, offsetBeingParsed);
 	  }
 	} else {
 	  //~ error(-1, "Too few args to Type 2 callgsubr");
@@ -1825,6 +1833,8 @@ void FoFiType1C::cvtGlyph(int offset, in
       r2 = (byte + r2) * 52845 + 22719;
     }
   }
+
+  offsetBeingParsed.erase(offsetEmplaceResult.first);
 }
 
 void FoFiType1C::cvtGlyphWidth(GBool useOp, GooString *charBuf,
Index: poppler-0.62.0/fofi/FoFiType1C.h
===================================================================
--- poppler-0.62.0.orig/fofi/FoFiType1C.h
+++ poppler-0.62.0/fofi/FoFiType1C.h
@@ -31,6 +31,8 @@
 #include "goo/gtypes.h"
 #include "FoFiBase.h"
 
+#include <set>
+
 class GooString;
 
 //------------------------------------------------------------------------
@@ -214,7 +216,7 @@ private:
 		     Type1CPrivateDict *pDict);
   void cvtGlyph(int offset, int nBytes, GooString *charBuf,
 		Type1CIndex *subrIdx, Type1CPrivateDict *pDict,
-		GBool top);
+		GBool top, std::set<int> &offsetBeingParsed);
   void cvtGlyphWidth(GBool useOp, GooString *charBuf,
 		     Type1CPrivateDict *pDict);
   void cvtNum(double x, GBool isFP, GooString *charBuf);

Places

File poppler-CVE-2020-36023.patch of Package poppler

Places