diff options
Diffstat (limited to 'gnu/packages/patches/poppler-CVE-2015-8868.patch')
| -rw-r--r-- | gnu/packages/patches/poppler-CVE-2015-8868.patch | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/gnu/packages/patches/poppler-CVE-2015-8868.patch b/gnu/packages/patches/poppler-CVE-2015-8868.patch new file mode 100644 index 0000000000..ac78d32ffa --- /dev/null +++ b/gnu/packages/patches/poppler-CVE-2015-8868.patch @@ -0,0 +1,30 @@ +Fixes CVE-2015-8868 (heap overflow). + +Upstream source: +https://cgit.freedesktop.org/poppler/poppler/commit/?id=b3425dd3261679958cd56c0f71995c15d2124433 + +From b3425dd3261679958cd56c0f71995c15d2124433 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid <aacid@kde.org> +Date: Tue, 22 Dec 2015 22:50:33 +0100 +Subject: Do not crash on invalid files + +Bug #93476 + +diff --git a/poppler/Function.cc b/poppler/Function.cc +index 67283df..ee5afc1 100644 +--- a/poppler/Function.cc ++++ b/poppler/Function.cc +@@ -577,6 +577,10 @@ ExponentialFunction::ExponentialFunction(Object *funcObj, Dict *dict) { + goto err2; + } + n = obj1.arrayGetLength(); ++ if (unlikely(n > funcMaxOutputs)) { ++ error(errSyntaxError, -1, "Function's C0 array is wrong length"); ++ n = funcMaxOutputs; ++ } + for (i = 0; i < n; ++i) { + obj1.arrayGet(i, &obj2); + if (!obj2.isNum()) { +-- +cgit v0.10.2 + |