authorNatanael Copa <ncopa@alpinelinux.org>2013-04-17 09:17:43 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-04-17 09:17:43 +0000
commit1598e4619346fb0511d0812de35a5b537a2a0fa8 (patch)
tree3568181ddcd86ea4456702d21a7ee96534790855
parentd3000ca276c8bfbf8c074afed284de427aae83b9 (diff)
main/poppler: security fix (CVE-2013-1788,CVE-2013-1790)
fixes #1784
-rw-r--r--main/poppler/APKBUILD20
-rw-r--r--main/poppler/CVE-2013-1788.patch75
-rw-r--r--main/poppler/CVE-2013-1790.patch23
3 files changed, 115 insertions, 3 deletions
diff --git a/main/poppler/APKBUILD b/main/poppler/APKBUILD
index 9c47ff21c..9eab7bee6 100644
--- a/main/poppler/APKBUILD
+++ b/main/poppler/APKBUILD
@@ -5,7 +5,7 @@
# So we build gtk support in poppler-gtk
pkgname=poppler
pkgver=0.18.4
-pkgrel=0
+pkgrel=1
pkgdesc="PDF rendering library based on xpdf 3.0"
url="http://poppler.freedesktop.org/"
arch="all"
@@ -14,7 +14,19 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
makedepends="jpeg-dev cairo-dev libxml2-dev fontconfig-dev pkgconfig libiconv-dev"
depends=
depends_dev="cairo-dev"
-source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz"
+source="http://$pkgname.freedesktop.org/$pkgname-$pkgver.tar.gz
+ CVE-2013-1788.patch
+ CVE-2013-1790.patch
+ "
+
+prepare() {
+ cd "$srcdir"/$pkgname-$pkgver
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+}
build() {
cd "$srcdir"/$pkgname-$pkgver
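Review bot: The `cd "$srcdir"/$pkgname-$pkgver` that opens the new prepare() is unchecked, although the patch step two lines below it uses `|| return 1`. If the directory is missing, the loop runs `patch -p1` from whatever the current directory happens to be. Writing it as `cd "$srcdir"/$pkgname-$pkgver || return 1` and quoting the loop variable, `patch -p1 -i "$srcdir"/"$i"`, keeps a failed security patch from going unnoticed. build(), whose first lines close this hunk, continues outside it.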
@@ -44,4 +56,6 @@ utils() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="12658f3308597e57f3faff538cc73baf poppler-0.18.4.tar.gz"
+md5sums="12658f3308597e57f3faff538cc73baf poppler-0.18.4.tar.gz
+3f16bcc4fc0364fbb790260c07269685 CVE-2013-1788.patch
+9d402082df4eae246008cd29dda9412e CVE-2013-1790.patch"
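Review bot: The two patch files carrying the CVE fixes are pinned only by MD5 in the extended `md5sums`, and the tarball in `source` is still fetched over plain `http://`. MD5 is no longer considered collision-resistant, so build integrity rests on a weak digest for both the upstream archive and the fixes. If the abuild version in use accepts a stronger checksum array such as `sha512sums`, listing the same three files there would give a stronger pin. That support cannot be confirmed from this page.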
diff --git a/main/poppler/CVE-2013-1788.patch b/main/poppler/CVE-2013-1788.patch
new file mode 100644
index 000000000..4691d3de9
--- /dev/null
+++ b/main/poppler/CVE-2013-1788.patch
@@ -0,0 +1,75 @@
+--- poppler-0.18.4/poppler/Function.cc
++++ poppler-0.18.4/poppler/Function.cc
+@@ -13,7 +13,7 @@
+ // All changes made under the Poppler project to this file are licensed
+ // under GPL version 2 or later
+ //
+-// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006, 2008-2010, 2013 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2006 Jeff Muizelaar <jeff@infidigm.net>
+ // Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+ // Copyright (C) 2011 Andrea Canciani <ranma42@gmail.com>
+@@ -1002,6 +1002,10 @@ void PSStack::copy(int n) {
+ error(-1, "Stack underflow in PostScript function");
+ return;
+ }
++ if (unlikely(sp - n > psStackSize)) {
++ error(-1, "Stack underflow in PostScript function");
++ return;
++ }
+ if (!checkOverflow(n)) {
+ return;
+ }
+--- poppler-0.18.4/poppler/Stream.cc
++++ poppler-0.18.4/poppler/Stream.cc
+@@ -2132,7 +2133,8 @@ GBool CCITTFaxStream::isBinary(GBool las
+
+ // clip [-256,511] --> [0,255]
+ #define dctClipOffset 256
+-static Guchar dctClip[768];
++#define dctClipLength 768
++static Guchar dctClip[dctClipLength];
+ static int dctClipInit = 0;
+
+ // zig zag decode map
+@@ -3078,7 +3080,12 @@ void DCTStream::transformDataUnit(Gushor
+
+ // convert to 8-bit integers
+ for (i = 0; i < 64; ++i) {
+- dataOut[i] = dctClip[dctClipOffset + 128 + ((dataIn[i] + 8) >> 4)];
++ const int ix = dctClipOffset + 128 + ((dataIn[i] + 8) >> 4);
++ if (unlikely(ix < 0 || ix >= dctClipLength)) {
++ dataOut[i] = 0;
++ } else {
++ dataOut[i] = dctClip[ix];
++ }
+ }
+ }
+
+--- poppler-0.18.4/splash/Splash.cc
++++ poppler-0.18.4/splash/Splash.cc
+@@ -14,7 +14,7 @@
+ // Copyright (C) 2005-2011 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2005 Marco Pesenti Gritti <mpg@redhat.com>
+ // Copyright (C) 2010, 2011 Thomas Freitag <Thomas.Freitag@alfa.de>
+-// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
++// Copyright (C) 2010 Christian Feuersänger <cfeuersaenger@googlemail.com>
+ // Copyright (C) 2011 William Bader <williambader@hotmail.com>
+ //
+ // To see a description of the changes please see the Changelog file that
+@@ -1521,11 +1521,14 @@ SplashPath *Splash::makeDashedPath(Splas
+ lineDashStartPhase -= (SplashCoord)i * lineDashTotal;
+ lineDashStartOn = gTrue;
+ lineDashStartIdx = 0;
+- while (lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
++ while (lineDashStartIdx < state->lineDashLength && lineDashStartPhase >= state->lineDash[lineDashStartIdx]) {
+ lineDashStartOn = !lineDashStartOn;
+ lineDashStartPhase -= state->lineDash[lineDashStartIdx];
+ ++lineDashStartIdx;
+ }
++ if (unlikely(lineDashStartIdx == state->lineDashLength)) {
++ return new SplashPath();
++ }
+
+ dPath = new SplashPath();
+
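Review bot: In the Function.cc part of this patch, the new guard in PSStack::copy evaluates `sp - n > psStackSize` in plain `int`, and `n` presumably comes from the PostScript function in the document. A very negative `n` would overflow the subtraction, which is undefined behaviour for signed integers, before the comparison runs. Assuming `sp` always lies in `[0, psStackSize]`, the same test without the overflow is `if (unlikely(n < sp - psStackSize)) {`. The pre-existing `sp + n > psStackSize` check above it has the mirror-image issue for very large `n`. The rest of PSStack::copy and checkOverflow() are outside the embedded hunk, so this should be confirmed against the full function.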
diff --git a/main/poppler/CVE-2013-1790.patch b/main/poppler/CVE-2013-1790.patch
new file mode 100644
index 000000000..00f8b3865
--- /dev/null
+++ b/main/poppler/CVE-2013-1790.patch
@@ -0,0 +1,23 @@
+--- poppler-0.18.4/poppler/Stream.cc
++++ poppler-0.18.4/poppler/Stream.cc
+@@ -14,7 +14,7 @@
+ // under GPL version 2 or later
+ //
+ // Copyright (C) 2005 Jeff Muizelaar <jeff@infidigm.net>
+-// Copyright (C) 2006-2010 Albert Astals Cid <aacid@kde.org>
++// Copyright (C) 2006-2010, 2012, 2013 Albert Astals Cid <aacid@kde.org>
+ // Copyright (C) 2007 Krzysztof Kowalczyk <kkowalczyk@gmail.com>
+ // Copyright (C) 2008 Julien Rebetez <julien@fhtagn.net>
+ // Copyright (C) 2009 Carlos Garcia Campos <carlosgc@gnome.org>
+@@ -1595,8 +1595,9 @@ int CCITTFaxStream::lookChar() {
+ for (i = 0; codingLine[i] < columns; ++i) {
+ refLine[i] = codingLine[i];
+ }
+- refLine[i++] = columns;
+- refLine[i] = columns;
++ for (; i < columns + 2; ++i) {
++ refLine[i] = columns;
++ }
+ codingLine[0] = 0;
+ a0i = 0;
+ b1i = 0;
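Review bot: The new fill loop in CCITTFaxStream::lookChar writes `refLine[i]` for every `i` up to `columns + 1`, so it is only safe if refLine is allocated with at least `columns + 2` entries. That allocation is not visible in this hunk. A comment on the loop would keep the two in step, for example `// pad the rest of refLine (allocated as columns + 2 entries) so later reads never see uninitialised values`. The copy loop just above it is bounded only by `codingLine[i] < columns`, so it depends on codingLine holding a terminating entry; that is worth confirming against the full function, which continues outside the hunk.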