From fd04d26cdfa19b34c957bad2b3c2ca4d6d69a916 Mon Sep 17 00:00:00 2001 From: xiongyi Date: Wed, 29 Nov 2023 15:49:07 +0800 Subject: [PATCH] Fix infinite looping in cvtGlyph with broken files Signed-off-by: xiongyi (cherry picked from commit fbd46f08e3129e5a9d900f06cdeccafda0a98e4c) --- backport-CVE-2020-36023.patch | 110 ++++++++++++++++++++++++++++++++++ poppler.spec | 8 ++- 2 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2020-36023.patch diff --git a/backport-CVE-2020-36023.patch b/backport-CVE-2020-36023.patch new file mode 100644 index 0000000..0bf0939 --- /dev/null +++ b/backport-CVE-2020-36023.patch 
@@ -0,0 +1,110 @@ +From 182914fd1e41183282630675594c255e519f580a Mon Sep 17 00:00:00 2001 +From: xiongyi +Date: Wed, 29 Nov 2023 14:29:46 +0800 +Subject: [PATCH] backport-CVE-2020-36023 + +Signed-off-by: xiongyi +--- + fofi/FoFiType1C.cc | 20 +++++++++++++++----- + fofi/FoFiType1C.h | 4 +++- + 2 files changed, 18 insertions(+), 6 deletions(-) + +diff --git a/fofi/FoFiType1C.cc b/fofi/FoFiType1C.cc +index 9a39063..c8241f2 100644 +--- a/fofi/FoFiType1C.cc ++++ b/fofi/FoFiType1C.cc +@@ -551,8 +551,9 @@ void FoFiType1C::convertToCIDType0(const char *psName, const int *codeMap, int n + if (!ok) { + subrIdx.pos = -1; + } ++ std::set offsetBeingParsed; + cvtGlyph(val.pos, val.len, charStrings, +- &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], true); ++ &subrIdx, &privateDicts[fdSelect ? fdSelect[gid] : 0], true, offsetBeingParsed); + } + } + } +@@ -1183,7 +1184,8 @@ void FoFiType1C::eexecCvtGlyph(Type1CEexecBuf *eb, const char *glyphName, + + // generate the charstring + charBuf = new GooString(); +- cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, true); ++ std::set offsetBeingParsed; ++ cvtGlyph(offset, nBytes, charBuf, subrIdx, pDict, true, offsetBeingParsed); + + buf = GooString::format("/{0:s} {1:d} RD ", glyphName, charBuf->getLength()); + eexecWrite(eb, buf->c_str()); +@@ -1197,7 +1199,7 @@ void FoFiType1C::eexecCvtGlyph(Type1CEexecBuf *eb, const char *glyphName, + + void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf, + const Type1CIndex *subrIdx, const Type1CPrivateDict *pDict, +- bool top) { ++ bool top, std::set &offsetBeingParsed) { + Type1CIndexVal val; + bool ok, dFP; + double d, dx, dy; +@@ -1205,6 +1207,12 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf, + unsigned char byte; + int pos, subrBias, start, i, k; + ++ if (offsetBeingParsed.find(offset) != offsetBeingParsed.end()) { ++ return; ++ } ++ ++ auto offsetEmplaceResult = offsetBeingParsed.emplace(offset); ++ + start = charBuf->getLength(); + if (top) { 
+ charBuf->append('\x49'); //73; +@@ -1362,7 +1370,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf, + ok = true; + getIndexVal(subrIdx, k, &val, &ok); + if (likely(ok && val.pos != offset)) { +- cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false); ++ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false, offsetBeingParsed); + } + } else { + //~ error(-1, "Too few args to Type 2 callsubr"); +@@ -1597,7 +1605,7 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf, + ok = true; + getIndexVal(&gsubrIdx, k, &val, &ok); + if (likely(ok && val.pos != offset)) { +- cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false); ++ cvtGlyph(val.pos, val.len, charBuf, subrIdx, pDict, false, offsetBeingParsed); + } + } else { + //~ error(-1, "Too few args to Type 2 callgsubr"); +@@ -1825,6 +1833,8 @@ void FoFiType1C::cvtGlyph(int offset, int nBytes, GooString *charBuf, + r2 = (byte + r2) * 52845 + 22719; + } + } ++ ++ offsetBeingParsed.erase(offsetEmplaceResult.first); + } + + void FoFiType1C::cvtGlyphWidth(bool useOp, GooString *charBuf, +diff --git a/fofi/FoFiType1C.h b/fofi/FoFiType1C.h +index 067ab99..b1b48fe 100644 +--- a/fofi/FoFiType1C.h ++++ b/fofi/FoFiType1C.h +@@ -27,6 +27,8 @@ + + #include "FoFiBase.h" + ++#include ++ + class GooString; + + //------------------------------------------------------------------------ +@@ -210,7 +212,7 @@ private: + const Type1CPrivateDict *pDict); + void cvtGlyph(int offset, int nBytes, GooString *charBuf, + const Type1CIndex *subrIdx, const Type1CPrivateDict *pDict, +- bool top); ++ bool top, std::set &offsetBeingParsed); + void cvtGlyphWidth(bool useOp, GooString *charBuf, + const Type1CPrivateDict *pDict); + void cvtNum(double x, bool isFP, GooString *charBuf) const; +-- +2.33.0 + diff --git a/poppler.spec b/poppler.spec index f2b3bfb..2e35535 100644 --- a/poppler.spec +++ b/poppler.spec 
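Review bot: The new offsetBeingParsed set stops cycles but not depth: in the callsubr/callgsubr hunks a chain of distinct subrs that each call the next still recurses once per subr, bounded only by the number of distinct subrs in the INDEX, so a crafted font can still drive cvtGlyph toward stack exhaustion rather than an infinite loop. Because every active frame holds exactly one entry, the set's size is the current nesting depth, and a guard placed before the emplace closes this cheaply, e.g. `if (offsetBeingParsed.size() > 64) { return; }` (the Type 2 charstring format documents a subr nesting limit of 10, so a generous cap rejects nothing legitimate); putting it ahead of the emplace keeps the early return from leaving a stale entry. The matching `offsetBeingParsed.erase(offsetEmplaceResult.first)` is only reached at the closing brace, so any return path in the several hundred lines of cvtGlyph not shown here would leave the offset marked and silently skip later legitimate calls to that subr — worth confirming no such path exists, or wrapping the insert/erase in a small RAII guard. As rendered here `std::set offsetBeingParsed` and the new `#include` line carry no template argument or header name, presumably `std::set<int>` and `<set>` stripped by page extraction, but the patch file in the repository should be checked for that before it is applied. cvtGlyph begins and ends outside the displayed hunks.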
@@ -4,7 +4,7 @@ Summary: PDF rendering library Name: poppler Version: 0.90.0 -Release: 6 +Release: 7 License: (GPLv2 or GPLv3) and GPLv2+ and LGPLv2+ and MIT URL: http://poppler.freedesktop.org/ Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz @@ -22,6 +22,7 @@ Patch6004: backport-CVE-2022-37050.patch Patch6005: backport-CVE-2022-37051.patch Patch6006: backport-CVE-2022-37052.patch Patch6007: backport-CVE-2022-38349.patch +Patch6008: backport-CVE-2020-36023.patch BuildRequires: cmake BuildRequires: gcc-c++ @@ -221,6 +222,11 @@ test "$(pkg-config --modversion poppler-splash)" = "%{version}" %{_mandir}/man1/* %changelog +* Wed Nov 29 2023 xiongyi - 0.90.0-7 +- fix CVE-2020-36023 +- fix infinite looping in cvtGlyph with broken files +- patch source:https://gitlab.freedesktop.org/poppler/poppler/-/issues/1013 + * Wed Aug 30 2023 zhouwenpei - 0.90.0-6 - fix CVE-2022-37050,CVE-2022-37051,CVE-2022-37052,CVE-2022-38349,CVE-2020-23804 - fix install error -- Gitee