rpms/poppler/F-9 poppler-0.8.1-AnnotQuadrilaterals.diff, NONE, 1.1 poppler-0.8.1-CVE-2008-2950.diff, NONE, 1.1 poppler-0.8.1-static-ft-lib.diff, NONE, 1.1 poppler.spec, 1.71, 1.72

Tomas Hoger (thoger) fedora-extras-commits at redhat.com
Fri Aug 1 09:49:12 UTC 2008


Author: thoger

Update of /cvs/extras/rpms/poppler/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23475

Modified Files:
	poppler.spec 
Added Files:
	poppler-0.8.1-AnnotQuadrilaterals.diff 
	poppler-0.8.1-CVE-2008-2950.diff 
	poppler-0.8.1-static-ft-lib.diff 
Log Message:
Security fix for CVE-2008-2950 / oCERT-2008-007
Apply upstream fixes for the crash bugs reported in Bugzilla #456867 and #448516


poppler-0.8.1-AnnotQuadrilaterals.diff:

--- NEW FILE poppler-0.8.1-AnnotQuadrilaterals.diff ---
Fix crash when reading QuadPoints:
https://bugzilla.redhat.com/show_bug.cgi?id=448516
https://bugs.freedesktop.org/show_bug.cgi?id=16104

Upstream commits:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=7924625e620b5e75b27d7ab935c9aae6ebf02663
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=6b9dd84db02bd162aa3c01d453ddc93a657017bb

--- poppler-0.8.1/poppler-0.8.1/poppler/Annot.cc.orig	2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/Annot.cc	2008-07-30 19:01:41.000000000 +0200
@@ -30,6 +30,7 @@
 #include "Page.h"
 #include "XRef.h"
 #include "Movie.h"
+#include <string.h>
 
 #define annotFlagHidden    0x0002
 #define annotFlagPrint     0x0004
@@ -170,7 +171,7 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
   GBool correct = gTrue;
   int quadsLength = 0;
   AnnotQuadrilateral **quads;
-  double *quadArray;
+  double quadArray[8];
 
   // default values
   quadrilaterals = NULL;
@@ -182,19 +183,24 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
     quadsLength = arrayLength / 8;
     quads = (AnnotQuadrilateral **) gmallocn
         ((quadsLength), sizeof(AnnotQuadrilateral *));
-    quadArray = (double *) gmallocn (8, sizeof(double));
+    memset(quads, 0, quadsLength * sizeof(AnnotQuadrilateral *));
 
     while (i < (quadsLength) && correct) {
       for (int j = 0; j < 8 && correct; j++) {
         Object obj;
         if (array->get(i * 8 + j, &obj)->isNum()) {
           quadArray[j] = obj.getNum();
-          if (quadArray[j] < rect->x1 || quadArray[j] > rect->x2 ||
-              quadArray[j] < rect->y1 || quadArray[j] < rect->y2)
-            correct = gFalse;
+          if (j % 2 == 1) {
+              if (quadArray[j] < rect->y1 || quadArray[j] > rect->y2)
+                  correct = gFalse;
+          } else {
+              if (quadArray[j] < rect->x1 || quadArray[j] > rect->x2)
+                  correct = gFalse;
+          }
         } else {
             correct = gFalse;
         }
+        obj.free();
       }
 
       if (correct)
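Review bot: The new `memset(quads, 0, quadsLength * sizeof(AnnotQuadrilateral *))` assumes the allocation just above it is non-null, but `quadsLength = arrayLength / 8` is 0 for any array with fewer than eight entries, and the xpdf-derived gmallocn returns NULL for a zero count (not visible here; verify in gmem.cc), so the memset would then run with a null destination — harmless in practice at length zero, but undefined by the standard. Guarding it with `if (quadsLength > 0)`, or rejecting `arrayLength < 8` before the allocation, closes that case. The memset also carries no comment; something like `// zero every slot so the cleanup after a rejected array can delete partially-filled entries` would record the reason (presumably the else branch deletes every slot — confirm against the code after this hunk). Note too that an array length that is not a multiple of 8 silently drops the trailing values instead of being rejected. The AnnotQuadrilaterals constructor starts and ends outside this hunk.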
@@ -205,8 +211,6 @@ AnnotQuadrilaterals::AnnotQuadrilaterals
       i++;
     }
 
-    gfree (quadArray);
-
     if (correct) {
       quadrilateralsLength = quadsLength;
       quadrilaterals = quads;

poppler-0.8.1-CVE-2008-2950.diff:

--- NEW FILE poppler-0.8.1-CVE-2008-2950.diff ---
Upstream patch for CVE-2008-2950 / oCERT-2008-007: make sure pageWidgets is
initialized, do not call free for an uninitialized pointer

References:
http://www.ocert.org/advisories/ocert-2008-007.html
http://marc.info/?l=full-disclosure&m=121556059918963&w=4

Upstream commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=fd0bf8b05cb155e2f29df31fa01964b12e710b89

--- poppler-0.8.1/poppler-0.8.1/poppler/Page.cc.orig	2007-11-05 00:11:04.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/Page.cc	2008-07-30 16:34:06.000000000 +0200
@@ -235,6 +235,7 @@ Page::Page(XRef *xrefA, int numA, Dict *
   xref = xrefA;
   num = numA;
   duration = -1;
+  pageWidgets = NULL;
 
   // get attributes
   attrs = attrsA;
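Review bot: The added `pageWidgets = NULL;` is correct but leaves no trace of why it is required; a comment such as `// ~Page frees pageWidgets unconditionally, so it must never be indeterminate` next to it would keep a later reordering or early return in this constructor from reintroducing CVE-2008-2950. The patch header states that the destructor frees this member, but the destructor is not in the hunk, so whether any other pointer member has the same exposure cannot be judged from here. Page::Page continues outside the hunk.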

poppler-0.8.1-static-ft-lib.diff:

--- NEW FILE poppler-0.8.1-static-ft-lib.diff ---
commit 9134b3200fa3573c6940f4b321a71317dfc00e79
Author: Michael Vrable <mvrable at cs.ucsd.edu>
Date:   Fri Jun 20 21:42:34 2008 -0700

    Use a single global FT_Library in CairoOutputDev

    Cairo may internally keep references to the FreeType fonts loaded in
    CairoFontEngine even after poppler is done with them.  Commit 42db4890e829
    ("Do not call FT_Done_Face on a live cairo_font_face_t") introduced a fix
    for one use-after-free bug, by delaying deleting an FT_Face objects until
    cairo is done with it.

    That fix doesn't correct all the bugs.  An FT_Library object is created for
    each CairoOutputDev object, and deleted when the CairoOutputDev goes away.
    But the FT_Library object should not be deleted while fonts loaded using it
    are still in use.  And cairo can keep references to fonts around more or
    less indefinitely.

    To more fully fix the problem, we can either:
     1. Keep a count of not-yet-deleted fonts associated with each FT_Library,
        and wait to call FT_Done_FreeType until it drops to zero.
     2. Never call FT_Done_FreeType.

    The second option is the simplest.  To avoid leaking memory FT_Library
    objects, use a single global FT_Library instead of a per-CairoOutputDev
    copy.

Related bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=456867
http://bugzilla.gnome.org/show_bug.cgi?id=536482
http://bugs.freedesktop.org/show_bug.cgi?id=16529

Upstream commit:
http://cgit.freedesktop.org/poppler/poppler/commit/?h=poppler-0.8&id=9134b3200fa3573c6940f4b321a71317dfc00e79

diff -pruN poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.cc poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.cc
--- poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.cc	2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.cc	2008-07-31 17:20:16.000000000 +0200
@@ -74,10 +74,23 @@ void CairoImage::setImage (cairo_surface
 // CairoOutputDev
 //------------------------------------------------------------------------
 
+// We cannot tie the lifetime of an FT_Library object to that of
+// CairoOutputDev, since any FT_Faces created with it may end up with a
+// reference by Cairo which can be held long after the CairoOutputDev is
+// deleted.  The simplest way to avoid problems is to never tear down the
+// FT_Library instance; to avoid leaks, just use a single global instance
+// initialized the first time it is needed.
+FT_Library CairoOutputDev::ft_lib;
+GBool CairoOutputDev::ft_lib_initialized = gFalse;
+
 CairoOutputDev::CairoOutputDev() {
   xref = NULL;
 
-  FT_Init_FreeType(&ft_lib);
+  if (!ft_lib_initialized) {
+    FT_Init_FreeType(&ft_lib);
+    ft_lib_initialized = gTrue;
+  }
+
   fontEngine = NULL;
   glyphs = NULL;
   fill_pattern = NULL;
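Review bot: The return value of `FT_Init_FreeType(&ft_lib)` is still discarded, and with the new guard a failure becomes sticky: `ft_lib_initialized` is set to gTrue regardless, so every later CairoOutputDev silently reuses whatever the failed call left in the static ft_lib. Mark the library ready only on success, e.g. `if (FT_Init_FreeType(&ft_lib) == 0) ft_lib_initialized = gTrue;`, and decide what the constructor does when it stays unset. The lazy initialisation is also a plain non-atomic flag, so two CairoOutputDev objects constructed concurrently on different threads could both pass the check, create two libraries and leak one; whether poppler allows that is not visible here, so at minimum a comment stating the single-thread assumption belongs beside the flag. The constructor body continues outside the hunk.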
@@ -102,8 +115,7 @@ CairoOutputDev::~CairoOutputDev() {
   if (fontEngine) {
     delete fontEngine;
   }
-  FT_Done_FreeType(ft_lib);
-  
+
   if (cairo)
     cairo_destroy (cairo);
   cairo_pattern_destroy (stroke_pattern);
diff -pruN poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.h poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.h
--- poppler-0.8.1/poppler-0.8.1/poppler.orig/CairoOutputDev.h	2008-03-26 20:38:52.000000000 +0100
+++ poppler-0.8.1/poppler-0.8.1/poppler/CairoOutputDev.h	2008-07-31 17:20:16.000000000 +0200
@@ -206,7 +206,9 @@ protected:
   
   XRef *xref;			// xref table for current document
 
-  FT_Library ft_lib;
+  static FT_Library ft_lib;
+  static GBool ft_lib_initialized;
+
   CairoFontEngine *fontEngine;
   cairo_t *cairo;
   cairo_matrix_t orig_matrix;
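Review bot: The two new static members are added without a comment, while the neighbouring field in this block has one (`XRef *xref; // xref table for current document`), so a reader of the header cannot tell that the library is shared by every instance and deliberately never released. Suggest `static FT_Library ft_lib;  // shared by all instances and never freed; see CairoOutputDev.cc` and `static GBool ft_lib_initialized;  // guards the one-time FT_Init_FreeType call`. The enclosing class continues outside the hunk.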


Index: poppler.spec
===================================================================
RCS file: /cvs/extras/rpms/poppler/F-9/poppler.spec,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- poppler.spec	28 Apr 2008 23:10:27 -0000	1.71
+++ poppler.spec	1 Aug 2008 09:48:42 -0000	1.72
@@ -3,7 +3,7 @@
 Summary: PDF rendering library
 Name: poppler
 Version: 0.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2 and Redistributable, no modification permitted
 # the code is GPLv2
 # the charmap data in /usr/share/poppler is redistributable
@@ -14,6 +14,9 @@
 Patch0: poppler-ObjStream.patch
 Patch1: fix-qt4-build.patch
 Patch2: poppler-0.8.0-ocg-crash.patch
+Patch3: poppler-0.8.1-CVE-2008-2950.diff
+Patch4: poppler-0.8.1-AnnotQuadrilaterals.diff
+Patch5: poppler-0.8.1-static-ft-lib.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 
 BuildRequires: gtk2-devel
@@ -115,6 +118,9 @@
 %patch0 -p1 -b .objstream
 %patch1 -p1 -b .fix-qt4-build
 %patch2 -p1 -b .ocg
+%patch3 -p1 -b .CVE-2008-2950
+%patch4 -p1 -b .QuadPoints
+%patch5 -p1 -b .static-ft
 
 %build
 pushd %{name}-%{version}
@@ -201,6 +207,15 @@
 %{_mandir}/man1/*
 
 %changelog
+* Thu Jul 31 2008 Tomas Hoger <thoger at redhat.com> - 0.8.1-2
+- Security update:
+  Add upstream patch for CVE-2008-2950 / oCERT-2008-007 - use of
+  an uninitilized pointer to call free() in Page::~Page (#454277)
+- Bug fixes:
+  Fix crash when reading QuadPoints (#448516)
+  Use static FT_Library in CairoOutputDev, as dynamic may trigger
+  use-after-free and crash e.g. evince (#456867) 
+
 * Mon Apr 28 2008 Matthias Clasen <mclasen at redhat.com> - 0.8.1-1
 - Update to 0.8.1
 



