calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '19a0e6160b'
${ noResults }
gentoo-overlay/app-text/poppler/files/poppler-0.57.0-CVE-2017-145...

101 lines
3.2 KiB
Raw Blame History

From 778180c0c09002f6adfc272eba6b0d0e4401c4cc Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Wed, 13 Sep 2017 23:01:03 +0200
Subject: [PATCH 3/4] Gfx::doShowText: Fix infinite recursion on broken files
Bug #102701
---
poppler/Gfx.cc | 25 +++++++++++++++++++++++--
poppler/Gfx.h | 1 +
poppler/GfxFont.cc | 9 +++++++++
poppler/GfxFont.h | 1 +
4 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/poppler/Gfx.cc b/poppler/Gfx.cc
index 37220280..9feac54c 100644
--- a/poppler/Gfx.cc
+++ b/poppler/Gfx.cc
@@ -4031,12 +4031,33 @@ void Gfx::doShowText(GooString *s) {
state->transformDelta(dx, dy, &ddx, &ddy);
if (!out->beginType3Char(state, curX + riseX, curY + riseY, ddx, ddy,
code, u, uLen)) {
- ((Gfx8BitFont *)font)->getCharProc(code, &charProc);
+ ((Gfx8BitFont *)font)->getCharProcNF(code, &charProc);
+ int refNum = -1;
+ if (charProc.isRef()) {
+ refNum = charProc.getRef().num;
+ charProc.fetch(((Gfx8BitFont *)font)->getCharProcs()->getXRef(), &charProc);
+ }
if ((resDict = ((Gfx8BitFont *)font)->getResources())) {
pushResources(resDict);
}
if (charProc.isStream()) {
- display(&charProc, gFalse);
+ std::set<int>::iterator charProcDrawingIt;
+ bool displayCharProc = true;
+ if (refNum != -1) {
+ if (charProcDrawing.find(refNum) == charProcDrawing.end()) {
+ charProcDrawingIt = charProcDrawing.insert(refNum).first;
+ } else {
+ displayCharProc = false;
+ error(errSyntaxError, -1, "CharProc wants to draw a CharProc that is already beign drawn");
+ }
+ }
+ if (displayCharProc) {
+ display(&charProc, gFalse);
+
+ if (refNum != -1) {
+ charProcDrawing.erase(charProcDrawingIt);
+ }
+ }
} else {
error(errSyntaxError, getPos(), "Missing or bad Type3 CharProc entry");
}
diff --git a/poppler/Gfx.h b/poppler/Gfx.h
index a82f9f4a..44adaed5 100644
--- a/poppler/Gfx.h
+++ b/poppler/Gfx.h
@@ -228,6 +228,7 @@ private:
Parser *parser; // parser for page content stream(s)
std::set<int> formsDrawing; // the forms that are being drawn
+ std::set<int> charProcDrawing; // the charProc that are being drawn
GBool // callback to check for an abort
(*abortCheckCbk)(void *data);
diff --git a/poppler/GfxFont.cc b/poppler/GfxFont.cc
index b59ec06c..bb87c5a0 100644
--- a/poppler/GfxFont.cc
+++ b/poppler/GfxFont.cc
@@ -1818,6 +1818,15 @@ Object *Gfx8BitFont::getCharProc(int code, Object *proc) {
return proc;
}
+Object *Gfx8BitFont::getCharProcNF(int code, Object *proc) {
+ if (enc[code] && charProcs.isDict()) {
+ charProcs.dictLookupNF(enc[code], proc);
+ } else {
+ proc->initNull();
+ }
+ return proc;
+}
+
Dict *Gfx8BitFont::getResources() {
return resources.isDict() ? resources.getDict() : (Dict *)NULL;
}
diff --git a/poppler/GfxFont.h b/poppler/GfxFont.h
index de7a7464..89a0ca0d 100644
--- a/poppler/GfxFont.h
+++ b/poppler/GfxFont.h
@@ -353,6 +353,7 @@ public:
// Return the Type 3 CharProc for the character associated with <code>.
Object *getCharProc(int code, Object *proc);
+ Object *getCharProcNF(int code, Object *proc);
// Return the Type 3 Resources dictionary, or NULL if none.
Dict *getResources();
--
2.14.1
Reference in new issue View Git Blame Copy Permalink