Package: libpoppler0c2
Version: 0.4.5-5.1
Severity: normal
Tags: patch

  The readCodeBlockData function in JPXStream.cc uses array index values like
"coeff[-tileComp->cbW]" in several places.  That can cause crashes for some
pdf files when viewed on 64-bit systems.  Because tileComp->cbW is an unsigned int,
the value is first negated as a 32-bit int and then zero extended to 64-bit.
That results in an index value of about 4 billion.

The following patch fixes the crash by casting to signed int before negating.

$ cat debian/patches/109_readCodeBlockData.patch
diff -Nur poppler-0.4.5/poppler/JPXStream.cc 
poppler-0.4.5.new/poppler/JPXStream.cc
--- poppler-0.4.5/poppler/JPXStream.cc  2007-04-10 16:15:08.000000000 -0600
+++ poppler-0.4.5.new/poppler/JPXStream.cc      2007-04-10 16:15:54.000000000 
-0600
@@ -2006,7 +2006,7 @@
                  horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
                }
                if (y0+y1 > cb->y0) {
-                 diag += (coeff[-tileComp->cbW - 1].flags
+                 diag += (coeff[-((int)tileComp->cbW) - 1].flags
                           >> jpxCoeffSignificantB) & 1;
                }
                if (y0+y1 < cb->y1 - 1) {
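Review bot: The `(int)` cast inside the subscript on the `diag +=` line is the same expression every later hunk repeats; compute the signed row stride once in readCodeBlockData, for example `int cbW = (int)tileComp->cbW;`, and index with `coeff[-cbW - 1]`. That keeps the unsigned-to-signed conversion in one place, so a subscript added later cannot quietly go back to negating the unsigned field.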
@@ -2020,7 +2020,7 @@
                  horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
                }
                if (y0+y1 > cb->y0) {
-                 diag += (coeff[-tileComp->cbW + 1].flags
+                 diag += (coeff[-((int)tileComp->cbW) + 1].flags
                           >> jpxCoeffSignificantB) & 1;
                }
                if (y0+y1 < cb->y1 - 1) {
@@ -2029,9 +2029,9 @@
                }
              }
              if (y0+y1 > cb->y0) {
-               if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+               if (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSignificant) {
                  ++vert;
-                 vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+                 vertSign += (coeff[-((int)tileComp->cbW)].flags & 
jpxCoeffSign)
                              ? -1 : 1;
                }
              }
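Review bot: The added `vertSign +=` line is split in two and its continuation `jpxCoeffSign)` has no leading `+` or space, so this hunk no longer matches its `-2029,9 +2029,9` header and patch(1) will reject it; the `diff -Nur` and `+++` header lines are wrapped the same way. Resend the patch as an attachment, or break the statement before `& jpxCoeffSign)` in the source so the line is short enough to survive mail wrapping.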
@@ -2081,7 +2081,7 @@
                if (x > cb->x0) {
                  all += (coeff[-1].flags >> jpxCoeffSignificantB) & 1;
                  if (y0+y1 > cb->y0) {
-                   all += (coeff[-tileComp->cbW - 1].flags
+                   all += (coeff[-((int)tileComp->cbW) - 1].flags
                            >> jpxCoeffSignificantB) & 1;
                  }
                  if (y0+y1 < cb->y1 - 1) {
@@ -2092,7 +2092,7 @@
                if (x < cb->x1 - 1) {
                  all += (coeff[1].flags >> jpxCoeffSignificantB) & 1;
                  if (y0+y1 > cb->y0) {
-                   all += (coeff[-tileComp->cbW + 1].flags
+                   all += (coeff[-((int)tileComp->cbW) + 1].flags
                            >> jpxCoeffSignificantB) & 1;
                  }
                  if (y0+y1 < cb->y1 - 1) {
@@ -2101,7 +2101,7 @@
                  }
                }
                if (y0+y1 > cb->y0) {
-                 all += (coeff[-tileComp->cbW].flags
+                 all += (coeff[-((int)tileComp->cbW)].flags
                          >> jpxCoeffSignificantB) & 1;
                }
                if (y0+y1 < cb->y1 - 1) {
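Review bot: Nothing near the `all +=` line records why the cast is there, and `(int)tileComp->cbW` is only correct while cbW fits in an int. Add a short comment that negating the unsigned field yields a large positive index on 64-bit builds, and consider asserting the range of cbW where it is set or declaring the field with a signed type.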
@@ -2139,12 +2139,12 @@
              !(coeff1[2 * tileComp->cbW].flags & jpxCoeffTouched) &&
              !(coeff1[3 * tileComp->cbW].flags & jpxCoeffTouched) &&
              (x == cb->x0 || y0 == cb->y0 ||
-              !(coeff1[-tileComp->cbW - 1].flags
+              !(coeff1[-((int)tileComp->cbW) - 1].flags
                 & jpxCoeffSignificant)) &&
              (y0 == cb->y0 ||
-              !(coeff1[-tileComp->cbW].flags & jpxCoeffSignificant)) &&
+              !(coeff1[-((int)tileComp->cbW)].flags & jpxCoeffSignificant)) &&
              (x == cb->x1 - 1 || y0 == cb->y0 ||
-              !(coeff1[-tileComp->cbW + 1].flags & jpxCoeffSignificant)) &&
+              !(coeff1[-((int)tileComp->cbW) + 1].flags & 
jpxCoeffSignificant)) &&
              (x == cb->x0 ||
               (!(coeff1[-1].flags & jpxCoeffSignificant) &&
                !(coeff1[tileComp->cbW - 1].flags
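Review bot: This condition now mixes signed and unsigned subscripts: the three changed lines use `-((int)tileComp->cbW)`, while the unchanged `coeff1[2 * tileComp->cbW]`, `coeff1[3 * tileComp->cbW]` and `coeff1[tileComp->cbW - 1]` still compute in unsigned int. Those are positive offsets and behave as before, but using one signed stride for every subscript in the expression would make it easier to read and to audit.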
@@ -2207,7 +2207,7 @@
                  horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
                }
                if (y0+y1 > cb->y0) {
-                 diag += (coeff[-tileComp->cbW - 1].flags
+                 diag += (coeff[-((int)tileComp->cbW) - 1].flags
                           >> jpxCoeffSignificantB) & 1;
                }
                if (y0+y1 < cb->y1 - 1) {
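Review bot: The lines in this hunk at 2207 are identical to the hunk at 2006, and the next two hunks repeat 2020 and 2029, so the neighbour-context code exists twice and had to be patched twice. Moving it into a shared helper would mean a fix like this one is applied in one place only.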
@@ -2221,7 +2221,7 @@
                  horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
                }
                if (y0+y1 > cb->y0) {
-                 diag += (coeff[-tileComp->cbW + 1].flags
+                 diag += (coeff[-((int)tileComp->cbW) + 1].flags
                           >> jpxCoeffSignificantB) & 1;
                }
                if (y0+y1 < cb->y1 - 1) {
@@ -2230,9 +2230,9 @@
                }
              }
              if (y0+y1 > cb->y0) {
-               if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+               if (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSignificant) {
                  ++vert;
-                 vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+                 vertSign += (coeff[-((int)tileComp->cbW)].flags & 
jpxCoeffSign)
                              ? -1 : 1;
                }
              }


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libpoppler0c2 depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libfontconfig1              2.4.2-1.2    generic font configuration library
ii  libfreetype6                2.2.1-5      FreeType 2 font engine, shared lib
ii  libgcc1                     1:4.1.1-21   GCC support library
ii  libjpeg62                   6b-13        The Independent JPEG Group's JPEG 
ii  libstdc++6                  4.1.1-21     The GNU Standard C++ Library v3
ii  zlib1g                      1:1.2.3-13   compression library - runtime

libpoppler0c2 recommends no packages.

-- no debconf information

-- 
Mike Stroyan, [EMAIL PROTECTED]
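The index arithmetic described in the report, as an added example (not code from poppler or from the reporter): it computes the element offset that `coeff[-cbW + dx]` requests before and after the cast and checks whether it stays inside the array. The `Coeff` type, the function names and the 64x4 block size are constructed, and a 32-bit unsigned int is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the decoder's coefficient record. */
typedef struct { unsigned short flags; } Coeff;

/* Element offset requested by coeff[-cbW + dx] once the index is widened to
 * 64 bits, as on amd64. Assumes 32-bit unsigned int: -cbW is computed as
 * 2^32 - cbW, so the widened value is large and positive. */
int64_t offset_before_patch(unsigned int cbW, int dx) {
    return (int64_t)(-cbW + dx);
}

/* The patched form: the cast makes the negation happen in signed int. */
int64_t offset_after_patch(unsigned int cbW, int dx) {
    return (int64_t)(-((int)cbW) + dx);
}

/* 1 if base + off is a valid index into n elements. Nothing is dereferenced. */
int lands_inside(int64_t base, int64_t off, int64_t n) {
    int64_t idx = base + off;
    return idx >= 0 && idx < n;
}

/* Flags of the coefficient directly above (x, y), indexed the patched way.
 * The caller guarantees y > 0, like the y0+y1 > cb->y0 guard in the patch. */
unsigned short flags_above(const Coeff *grid, unsigned int cbW,
                           unsigned int x, unsigned int y) {
    const Coeff *coeff = &grid[(size_t)y * cbW + x];
    return coeff[-((int)cbW)].flags;
}

int main(void) {
    unsigned int cbW = 64, cbH = 4;            /* constructed block size */
    int64_t n = (int64_t)cbW * cbH, base = (int64_t)cbW + 5; /* row 1, col 5 */
    Coeff *grid = calloc((size_t)n, sizeof *grid);
    if (!grid) return 1;
    grid[5].flags = 0x8000;                    /* row 0, col 5 */
    for (int dx = -1; dx <= 1; dx++)
        printf("dx=%+d before=%lld (inside=%d) after=%lld (inside=%d)\n", dx,
               (long long)offset_before_patch(cbW, dx),
               lands_inside(base, offset_before_patch(cbW, dx), n),
               (long long)offset_after_patch(cbW, dx),
               lands_inside(base, offset_after_patch(cbW, dx), n));
    printf("flags above (5,1): 0x%x\n", flags_above(grid, cbW, 5, 1));
    free(grid);
    return 0;
}
```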

