rpms/poppler/F-9 poppler-0.8.1-AnnotQuadrilaterals.diff, NONE, 1.1 poppler-0.8.1-CVE-2008-2950.diff, NONE, 1.1 poppler-0.8.1-static-ft-lib.diff, NONE, 1.1 poppler.spec, 1.71, 1.72
Tomas Hoger (thoger)
fedora-extras-commits at redhat.com
Fri Aug 1 09:49:12 UTC 2008
Author: thoger
Update of /cvs/extras/rpms/poppler/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23475
Modified Files:
poppler.spec
Added Files:
poppler-0.8.1-AnnotQuadrilaterals.diff
poppler-0.8.1-CVE-2008-2950.diff
poppler-0.8.1-static-ft-lib.diff
Log Message:
Security fix for CVE-2008-2950 / oCERT-2008-007
Apply upstream fixes for crasher bugs reported in BZ - #456867, #448516
poppler-0.8.1-AnnotQuadrilaterals.diff:
--- NEW FILE poppler-0.8.1-AnnotQuadrilaterals.diff ---
Fix crash when reading QuadPoints:
https://bugzilla.redhat.com/show_bug.cgi?id=448516
https://bugs.freedesktop.org/show_bug.cgi?id=16104
Upstream commits:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=7924625e620b5e75b27d7ab935c9aae6ebf02663
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=6b9dd84db02bd162aa3c01d453ddc93a657017bb
--- poppler-0.8.1/poppler-0.8.1/poppler/Annot.cc.orig 2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/Annot.cc 2008-07-30 19:01:41.000000000 +0200
@@ -30,6 +30,7 @@
#include "Page.h"
#include "XRef.h"
#include "Movie.h"
+#include <string.h>
#define annotFlagHidden 0x0002
#define annotFlagPrint 0x0004
@@ -170,7 +171,7 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
GBool correct = gTrue;
int quadsLength = 0;
AnnotQuadrilateral **quads;
- double *quadArray;
+ double quadArray[8];
// default values
quadrilaterals = NULL;
@@ -182,19 +183,24 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
quadsLength = arrayLength / 8;
quads = (AnnotQuadrilateral **) gmallocn
((quadsLength), sizeof(AnnotQuadrilateral *));
- quadArray = (double *) gmallocn (8, sizeof(double));
+ memset(quads, 0, quadsLength * sizeof(AnnotQuadrilateral *));
while (i < (quadsLength) && correct) {
for (int j = 0; j < 8 && correct; j++) {
Object obj;
if (array->get(i * 8 + j, &obj)->isNum()) {
quadArray[j] = obj.getNum();
- if (quadArray[j] < rect->x1 || quadArray[j] > rect->x2 ||
- quadArray[j] < rect->y1 || quadArray[j] < rect->y2)
- correct = gFalse;
+ if (j % 2 == 1) {
+ if (quadArray[j] < rect->y1 || quadArray[j] > rect->y2)
+ correct = gFalse;
+ } else {
+ if (quadArray[j] < rect->x1 || quadArray[j] > rect->x2)
+ correct = gFalse;
+ }
} else {
correct = gFalse;
}
+ obj.free();
}
if (correct)
@@ -205,8 +211,6 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
i++;
}
- gfree (quadArray);
-
if (correct) {
quadrilateralsLength = quadsLength;
quadrilaterals = quads;
poppler-0.8.1-CVE-2008-2950.diff:
--- NEW FILE poppler-0.8.1-CVE-2008-2950.diff ---
Upstream patch for CVE-2008-2950 / oCERT-2008-007: make sure pageWidgets is
initialized, do not call free for an uninitialized pointer
References:
http://www.ocert.org/advisories/ocert-2008-007.html
http://marc.info/?l=full-disclosure&m=121556059918963&w=4
Upstream commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=fd0bf8b05cb155e2f29df31fa01964b12e710b89
--- poppler-0.8.1/poppler-0.8.1/poppler/Page.cc.orig 2007-11-05 00:11:04.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/Page.cc 2008-07-30 16:34:06.000000000 +0200
@@ -235,6 +235,7 @@ Page::Page(XRef *xrefA, int numA, Dict *
xref = xrefA;
num = numA;
duration = -1;
+ pageWidgets = NULL;
// get attributes
attrs = attrsA;
poppler-0.8.1-static-ft-lib.diff:
--- NEW FILE poppler-0.8.1-static-ft-lib.diff ---
commit 9134b3200fa3573c6940f4b321a71317dfc00e79
Author: Michael Vrable <mvrable at cs.ucsd.edu>
Date: Fri Jun 20 21:42:34 2008 -0700
Use a single global FT_Library in CairoOutputDev
Cairo may internally keep references to the FreeType fonts loaded in
CairoFontEngine even after poppler is done with them. Commit 42db4890e829
("Do not call FT_Done_Face on a live cairo_font_face_t") introduced a fix
for one use-after-free bug, by delaying deleting an FT_Face objects until
cairo is done with it.
That fix doesn't correct all the bugs. An FT_Library object is created for
each CairoOutputDev object, and deleted when the CairoOutputDev goes away.
But the FT_Library object should not be deleted while fonts loaded using it
are still in use. And cairo can keep references to fonts around more or
less indefinitely.
To more fully fix the problem, we can either:
1. Keep a count of not-yet-deleted fonts associated with each FT_Library,
and wait to call FT_Done_FreeType until it drops to zero.
2. Never call FT_Done_FreeType.
The second option is the simplest. To avoid leaking memory FT_Library
objects, use a single global FT_Library instead of a per-CairoOutputDev
copy.
Related bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=456867
http://bugzilla.gnome.org/show_bug.cgi?id=536482
http://bugs.freedesktop.org/show_bug.cgi?id=16529
Upstream commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=9134b3200fa3573c6940f4b321a71317dfc00e79
diff -pruN poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.cc poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.cc
--- poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.cc 2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.cc 2008-07-31 17:20:16.000000000 +0200
@@ -74,10 +74,23 @@ void CairoImage::setImage (cairo_surface
// CairoOutputDev
//------------------------------------------------------------------------
+// We cannot tie the lifetime of an FT_Library object to that of
+// CairoOutputDev, since any FT_Faces created with it may end up with a
+// reference by Cairo which can be held long after the CairoOutputDev is
+// deleted. The simplest way to avoid problems is to never tear down the
+// FT_Library instance; to avoid leaks, just use a single global instance
+// initialized the first time it is needed.
+FT_Library CairoOutputDev::ft_lib;
+GBool CairoOutputDev::ft_lib_initialized = gFalse;
+
CairoOutputDev::CairoOutputDev() {
xref = NULL;
- FT_Init_FreeType(&ft_lib);
+ if (!ft_lib_initialized) {
+ FT_Init_FreeType(&ft_lib);
+ ft_lib_initialized = gTrue;
+ }
+
fontEngine = NULL;
glyphs = NULL;
fill_pattern = NULL;
@@ -102,8 +115,7 @@ CairoOutputDev::~CairoOutputDev() {
if (fontEngine) {
delete fontEngine;
}
- FT_Done_FreeType(ft_lib);
-
+
if (cairo)
cairo_destroy (cairo);
cairo_pattern_destroy (stroke_pattern);
diff -pruN poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.h poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.h
--- poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.h 2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.h 2008-07-31 17:20:16.000000000 +0200
@@ -206,7 +206,9 @@ protected:
XRef *xref; // xref table for current document
- FT_Library ft_lib;
+ static FT_Library ft_lib;
+ static GBool ft_lib_initialized;
+
CairoFontEngine *fontEngine;
cairo_t *cairo;
cairo_matrix_t orig_matrix;
Index: poppler.spec
===================================================================
RCS file: /cvs/extras/rpms/poppler/F-9/poppler.spec,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- poppler.spec 28 Apr 2008 23:10:27 -0000 1.71
+++ poppler.spec 1 Aug 2008 09:48:42 -0000 1.72
@@ -3,7 +3,7 @@
Summary: PDF rendering library
Name: poppler
Version: 0.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2 and Redistributable, no modification permitted
# the code is GPLv2
# the charmap data in /usr/share/poppler is redistributable
@@ -14,6 +14,9 @@
Patch0: poppler-ObjStream.patch
Patch1: fix-qt4-build.patch
Patch2: poppler-0.8.0-ocg-crash.patch
+Patch3: poppler-0.8.1-CVE-2008-2950.diff
+Patch4: poppler-0.8.1-AnnotQuadrilaterals.diff
+Patch5: poppler-0.8.1-static-ft-lib.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gtk2-devel
@@ -115,6 +118,9 @@
%patch0 -p1 -b .objstream
%patch1 -p1 -b .fix-qt4-build
%patch2 -p1 -b .ocg
+%patch3 -p1 -b .CVE-2008-2950
+%patch4 -p1 -b .QuadPoints
+%patch5 -p1 -b .static-ft
%build
pushd %{name}-%{version}
@@ -201,6 +207,15 @@
%{_mandir}/man1/*
%changelog
+* Thu Jul 31 2008 Tomas Hoger <thoger at redhat.com> - 0.8.1-2
+- Security update:
+ Add upstream patch for CVE-2008-2950 / oCERT-2008-007 - use of
+ an uninitilized pointer to call free() in Page::~Page (#454277)
+- Bug fixes:
+ Fix crash when reading QuadPoints (#448516)
+ Use static FT_Library in CairoOutputDev, as dynamic may trigger
+ use-after-free and crash e.g. evince (#456867)
+
* Mon Apr 28 2008 Matthias Clasen <mclasen at redhat.com> - 0.8.1-1
- Update to 0.8.1
More information about the fedora-extras-commits
mailing list