Hello community, here is the log from the commit of package poppler checked in at Fri Jan 19 19:23:53 CET 2007. -------- --- GNOME/poppler/poppler.changes 2007-01-15 15:46:13.000000000 +0100 +++ /mounts/work_src_done/STABLE/poppler/poppler.changes 2007-01-19 17:54:57.585023000 +0100 @@ -1,0 +2,6 @@ +Fri Jan 19 10:54:23 CST 2007 - maw@suse.de + +- Add poppler-PageTree-depth-CVE-2007-0104.patch, fixing an + infinite loop in page tree (#233133 and CVE-2007-0104). + +------------------------------------------------------------------- New: ---- poppler-PageTree-depth-CVE-2007-0104.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ poppler.spec ++++++ --- /var/tmp/diff_new_pack.J23797/_old 2007-01-19 19:23:48.000000000 +0100 +++ /var/tmp/diff_new_pack.J23797/_new 2007-01-19 19:23:48.000000000 +0100 @@ -13,7 +13,7 @@ Name: poppler BuildRequires: gtk-doc gtk2-devel libdrm-devel libjpeg-devel libqt4-devel qt-devel qt3-devel update-desktop-files zlib-devel Version: 0.5.4 -Release: 32 +Release: 33 URL: http://poppler.freedesktop.org/ Group: System/Libraries License: GNU General Public License (GPL) @@ -21,6 +21,7 @@ Source: %{name}-%{version}.tar.bz2 Patch: poppler-qt-m4.patch Patch1: fix-pedantic-header-compile.diff +Patch2: poppler-PageTree-depth-CVE-2007-0104.patch Autoreqprov: on BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -284,6 +285,7 @@ %setup %patch %patch1 +%patch2 -p0 %build ACLOCAL="aclocal -I m4" autoreconf -f -i @@ -362,6 +364,9 @@ %{_datadir}/gtk-doc/html/poppler %changelog -n poppler +* Fri Jan 19 2007 - maw@suse.de +- Add poppler-PageTree-depth-CVE-2007-0104.patch, fixing an + infinite loop in page tree (#233133 and CVE-2007-0104). * Mon Jan 15 2007 - dmueller@suse.de - don't build static libs * Fri Jan 12 2007 - dmueller@suse.de ++++++ poppler-PageTree-depth-CVE-2007-0104.patch ++++++ --- poppler/Catalog.cc.orig 2006-09-13 17:10:52.000000000 +0200 +++ poppler/Catalog.cc 2007-01-19 17:34:23.634229000 +0100 @@ -26,6 +26,12 @@ #include "UGooString.h" #include "Catalog.h" +// This define is used to limit the depth of recursive readPageTree calls +// This is needed because the page tree nodes can reference their parents +// leaving us in an infinite loop +// Most sane pdf documents don't have a call depth higher than 10 +#define MAX_CALL_DEPTH 1000 + //------------------------------------------------------------------------ // Catalog //------------------------------------------------------------------------ @@ -75,7 +81,7 @@ pageRefs[i].num = -1; pageRefs[i].gen = -1; } - numPages = readPageTree(pagesDict.getDict(), NULL, 0); + numPages = readPageTree(pagesDict.getDict(), NULL, 0, 0); if (numPages != numPages0) { error(-1, "Page count in top-level pages object is incorrect"); } @@ -217,7 +223,7 @@ return s; } -int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start) { +int Catalog::readPageTree(Dict *pagesDict, PageAttrs *attrs, int start, int callDepth) { Object kids; Object kid; Object kidRef; @@ -262,9 +268,13 @@ // This should really be isDict("Pages"), but I've seen at least one // PDF file where the /Type entry is missing. } else if (kid.isDict()) { - if ((start = readPageTree(kid.getDict(), attrs1, start)) - < 0) - goto err2; + if (callDepth > MAX_CALL_DEPTH) { + error(-1, "Limit of %d recursive calls reached while reading the page tree. If your document is correct and not a test to try to force a crash, please report a bug.", MAX_CALL_DEPTH); + } else { + if ((start = readPageTree(kid.getDict(), attrs1, start, callDepth + 1)) + < 0) + goto err2; + } } else { error(-1, "Kid object (page %d) is wrong type (%s)", start+1, kid.getTypeName()); --- poppler/Catalog.h.orig 2006-01-23 15:43:36.000000000 +0100 +++ poppler/Catalog.h 2007-01-19 17:36:23.107619000 +0100 @@ -193,7 +193,7 @@ PageMode pageMode; // page mode PageLayout pageLayout; // page layout - int readPageTree(Dict *pages, PageAttrs *attrs, int start); + int readPageTree(Dict *pages, PageAttrs *attrs, int start, int callDepth); Object *findDestInTree(Object *tree, GooString *name, Object *obj); }; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de