current/SOURCES/poppler-0.52.0-CVE-2017-1000456.patch

From 7ee9dadef37b20bca707a6b1e858e17d191e368b Mon Sep 17 00:00:00 2001
From: Jason Crain <jason@inspiresomeone.us>
Date: Thu, 5 Oct 2017 15:32:13 -0500
Subject: TextOutputDev: Fix crash in fuzzed file

This file crashes pdftotext because it positions texts past INT_MIN,
leading to overflow in subsequent calculations.

Bug #103116
---
 poppler/TextOutputDev.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
index d30874c..1400240 100644
--- a/poppler/TextOutputDev.cc
+++ b/poppler/TextOutputDev.cc
@@ -30,7 +30,7 @@
 // Copyright (C) 2010 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
 // Copyright (C) 2011 Sam Liao <phyomh@gmail.com>
 // Copyright (C) 2012 Horst Prote <prote@fmi.uni-stuttgart.de>
-// Copyright (C) 2012, 2013-2016 Jason Crain <jason@aquaticape.us>
+// Copyright (C) 2012, 2013-2017 Jason Crain <jason@aquaticape.us>
 // Copyright (C) 2012 Peter Breitenlohner <peb@mppmu.mpg.de>
 // Copyright (C) 2013 José Aliste <jaliste@src.gnome.org>
 // Copyright (C) 2013 Thomas Freitag <Thomas.Freitag@alfa.de>
@@ -889,11 +889,11 @@ void TextPool::addWord(TextWord *word) {
   TextWord *w0, *w1;
 
   // expand the array if needed
-  if (unlikely((word->base / textPoolStep) > INT_MAX)) {
-      error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
+  wordBaseIdx = (int)(word->base / textPoolStep);
+  if (unlikely(wordBaseIdx <= INT_MIN + 128 || wordBaseIdx >= INT_MAX - 128)) {
+      error(errSyntaxWarning, -1, "wordBaseIdx out of range");
       return;
   }
-  wordBaseIdx = (int)(word->base / textPoolStep);
   if (minBaseIdx > maxBaseIdx) {
     minBaseIdx = wordBaseIdx - 128;
     maxBaseIdx = wordBaseIdx + 128;
-- 
cgit v1.1

1	ns80	1191818	From 7ee9dadef37b20bca707a6b1e858e17d191e368b Mon Sep 17 00:00:00 2001
2			From: Jason Crain <jason@inspiresomeone.us>
3			Date: Thu, 5 Oct 2017 15:32:13 -0500
4			Subject: TextOutputDev: Fix crash in fuzzed file
5
6			This file crashes pdftotext because it positions texts past INT_MIN,
7			leading to overflow in subsequent calculations.
8
9			Bug #103116
10			---
11			poppler/TextOutputDev.cc \| 8 ++++----
12			1 file changed, 4 insertions(+), 4 deletions(-)
13
14			diff --git a/poppler/TextOutputDev.cc b/poppler/TextOutputDev.cc
15			index d30874c..1400240 100644
16			--- a/poppler/TextOutputDev.cc
17			+++ b/poppler/TextOutputDev.cc
18			@@ -30,7 +30,7 @@
19			// Copyright (C) 2010 Suzuki Toshiya <mpsuzuki@hiroshima-u.ac.jp>
20			// Copyright (C) 2011 Sam Liao <phyomh@gmail.com>
21			// Copyright (C) 2012 Horst Prote <prote@fmi.uni-stuttgart.de>
22			-// Copyright (C) 2012, 2013-2016 Jason Crain <jason@aquaticape.us>
23			+// Copyright (C) 2012, 2013-2017 Jason Crain <jason@aquaticape.us>
24			// Copyright (C) 2012 Peter Breitenlohner <peb@mppmu.mpg.de>
25			// Copyright (C) 2013 José Aliste <jaliste@src.gnome.org>
26			// Copyright (C) 2013 Thomas Freitag <Thomas.Freitag@alfa.de>
27			@@ -889,11 +889,11 @@ void TextPool::addWord(TextWord *word) {
28			TextWord w0, w1;
29
30			// expand the array if needed
31			- if (unlikely((word->base / textPoolStep) > INT_MAX)) {
32			- error(errSyntaxWarning, -1, "word->base / textPoolStep > INT_MAX");
33			+ wordBaseIdx = (int)(word->base / textPoolStep);
34			+ if (unlikely(wordBaseIdx <= INT_MIN + 128 \|\| wordBaseIdx >= INT_MAX - 128)) {
35			+ error(errSyntaxWarning, -1, "wordBaseIdx out of range");
36			return;
37			}
38			- wordBaseIdx = (int)(word->base / textPoolStep);
39			if (minBaseIdx > maxBaseIdx) {
40			minBaseIdx = wordBaseIdx - 128;
41			maxBaseIdx = wordBaseIdx + 128;
42			--
43			cgit v1.1
44