File CVE-2019-1010006.patch of Package evince.12084
From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001
From: Jason Crain <jcrain@src.gnome.org>
Date: Sat, 2 Dec 2017 20:24:33 -0600
Subject: [PATCH] Fix overflow checks in tiff backend
The overflow checks in tiff_document_render and
tiff_document_get_thumbnail don't work when optimizations are enabled.
Change the checks so they don't rely on undefined behavior.
https://bugzilla.gnome.org/show_bug.cgi?id=788980
---
backend/tiff/tiff-document.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 8f40934e..7bf95c2b 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document,
return NULL;
}
- bytes = height * rowstride;
- if (bytes / rowstride != height) {
+ if (height >= INT_MAX / rowstride) {
g_warning("Overflow while rendering document.");
/* overflow */
return NULL;
}
+ bytes = height * rowstride;
pixels = g_try_malloc (bytes);
if (!pixels) {
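Review bot: The new guard `height >= INT_MAX / rowstride` divides by `rowstride` and is only a valid overflow test while both operands are positive, and nothing in this hunk states that. The checks that would establish it sit above the hunk in tiff_document_render, whose body starts and ends outside it. A short comment on the guard would keep a later edit from moving it ahead of those checks, for example `/* rowstride > 0 and height > 0 here, so the division is defined and height * rowstride cannot overflow */`; the author should confirm both preconditions against the full function. `INT_MAX` is also used here and in the tiff_document_get_thumbnail hunk without an include being added. It presumably arrives through the GLib headers, and `G_MAXINT` would match the GLib style of the surrounding code.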
@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document,
if (width <= 0 || height <= 0)
return NULL;
- rowstride = width * 4;
- if (rowstride / 4 != width)
+ if (width >= INT_MAX / 4)
/* overflow */
return NULL;
+ rowstride = width * 4;
- bytes = height * rowstride;
- if (bytes / rowstride != height)
+ if (height >= INT_MAX / rowstride)
/* overflow */
return NULL;
+ bytes = height * rowstride;
pixels = g_try_malloc (bytes);
if (!pixels)
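Review bot: Both rewritten overflow guards in tiff_document_get_thumbnail (`width >= INT_MAX / 4` and `height >= INT_MAX / rowstride`) return NULL without logging, while the matching guard in tiff_document_render emits `g_warning("Overflow while rendering document.")`. A TIFF whose dimensions trip these guards is a malformed or hostile input, and a silent failure leaves nothing for whoever later investigates a missing thumbnail. Consider bracing each branch and adding a message in the same style, e.g. `g_warning("Overflow while rendering thumbnail.");` before the `return NULL;`. The function's body starts and ends outside the hunk.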
--
2.16.4
From e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce Mon Sep 17 00:00:00 2001
From: Jason Crain <jcrain@src.gnome.org>
Date: Sat, 2 Dec 2017 20:24:45 -0600
Subject: [PATCH] Remove unused configure check for
cairo_format_stride_for_width
This function was introduced in cairo version 1.6. We already require
version 1.10 so this function will always be available.
https://bugzilla.gnome.org/show_bug.cgi?id=788980
---
backend/tiff/tiff-document.c | 4 ----
configure.ac | 6 ------
2 files changed, 10 deletions(-)
diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c
index 7bf95c2b..7715031b 100644
--- a/backend/tiff/tiff-document.c
+++ b/backend/tiff/tiff-document.c
@@ -273,11 +273,7 @@ tiff_document_render (EvDocument *document,
return NULL;
}
-#ifdef HAVE_CAIRO_FORMAT_STRIDE_FOR_WIDTH
rowstride = cairo_format_stride_for_width (CAIRO_FORMAT_RGB24, width);
-#else
- rowstride = width * 4;
-#endif
if (rowstride / 4 != width) {
g_warning("Overflow while rendering document.");
/* overflow, or cairo was changed in an unsupported way */
diff --git a/configure.ac b/configure.ac
index 1c2a960a..923c6586 100644
--- a/configure.ac
+++ b/configure.ac
@@ -247,12 +247,6 @@ fi
BACKEND_LIBTOOL_FLAGS="-module -avoid-version -no-undefined -export-symbols \$(top_srcdir)/backend/backend.symbols"
AC_SUBST(BACKEND_LIBTOOL_FLAGS)
-dnl ===== Check special functions
-evince_save_LIBS=$LIBS
-LIBS="$LIBS $BACKEND_LIBS"
-AC_CHECK_FUNCS(cairo_format_stride_for_width)
-LIBS=$evince_save_LIBS
-
# ******************
# GKT+ Unix Printing
# ******************
--
2.16.4