Diffstat (limited to 'backport-CVE-2022-27337.patch')
-rw-r--r--backport-CVE-2022-27337.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/backport-CVE-2022-27337.patch b/backport-CVE-2022-27337.patch
new file mode 100644
index 0000000..bb22089
--- /dev/null
+++ b/backport-CVE-2022-27337.patch
@@ -0,0 +1,68 @@
+From 81044c64b9ed9a10ae82a28bac753060bdfdac74 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 15 Mar 2022 15:14:32 +0100
+Subject: [PATCH] Hints::readTables: bail out if we run out of file when
+ reading
+
+Fixes #1230
+
+Reference:https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74
+Conflict:NA
+
+---
+ poppler/Hints.cc | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+diff --git a/poppler/Hints.cc b/poppler/Hints.cc
+index 03e0f7e..90b8dee 100644
+--- a/poppler/Hints.cc
++++ b/poppler/Hints.cc
+@@ -5,7 +5,7 @@
+ // This file is licensed under the GPLv2 or later
+ //
+ // Copyright 2010, 2012 Hib Eris <hib@hiberis.nl>
+-// Copyright 2010, 2011, 2013, 2014, 2016-2019 Albert Astals Cid <aacid@kde.org>
++// Copyright 2010, 2011, 2013, 2014, 2016-2019, 2021, 2022 Albert Astals Cid <aacid@kde.org>
+ // Copyright 2010, 2013 Pino Toscano <pino@kde.org>
+ // Copyright 2013 Adrian Johnson <ajohnson@redneon.com>
+ // Copyright 2014 Fabio D'Urso <fabiodurso@hotmail.it>
+@@ -195,17 +195,31 @@ void Hints::readTables(BaseStream *str, Linearization *linearization, XRef *xref
+ char *p = &buf[0];
+
+ if (hintsOffset && hintsLength) {
+- Stream *s = str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull));
++ std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset, false, hintsLength, Object(objNull)));
+ s->reset();
+- for (unsigned int i=0; i < hintsLength; i++) { *p++ = s->getChar(); }
+- delete s;
++ for (unsigned int i=0; i < hintsLength; i++) {
++ const int c = s->getChar();
++ if (unlikely(c == EOF)) {
++ error(errSyntaxWarning, -1, "Found EOF while reading hints");
++ ok = false;
++ return;
++ }
++ *p++ = c;
++ }
+ }
+
+ if (hintsOffset2 && hintsLength2) {
+- Stream *s = str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull));
++ std::unique_ptr<Stream> s(str->makeSubStream(hintsOffset2, false, hintsLength2, Object(objNull)));
+ s->reset();
+- for (unsigned int i=0; i < hintsLength2; i++) { *p++ = s->getChar(); }
+- delete s;
++ for (unsigned int i=0; i < hintsLength2; i++) {
++ const int c = s->getChar();
++ if (unlikely(c == EOF)) {
++ error(errSyntaxWarning, -1, "Found EOF while reading hints2");
++ ok = false;
++ return;
++ }
++ *p++ = c;
++ }
+ }
+
+ MemStream *memStream = new MemStream (&buf[0], 0, bufLength, Object(objNull));
+--
+2.27.0
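Review bot: Both copy loops in `Hints::readTables` still store through `p` with no check against the end of `buf`; the new EOF test stops a short stream, but the writes stay bounded only by `hintsLength` and `hintsLength2`. The allocation of `buf` and the computation of `bufLength` sit above this hunk, so when applying the backport confirm that `buf` holds at least `hintsLength + hintsLength2` bytes and that the sum cannot wrap in unsigned arithmetic (the lengths presumably come from the file's linearization data). Once verified, I would record the invariant at the first loop with a comment such as `// buf holds hintsLength + hintsLength2 bytes; p continues from the first table into the second`. The early `return` leaves the object with `ok = false` and no tables parsed, so callers need to test that flag before using the hints; the function body starts and ends outside the hunk.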