Package: libpoppler0c2 Version: 0.4.5-5.1 Severity: normal Tags: patch The readCodeBlockData function in JPXStream.cc uses array index values like "coeff[-tileComp->cbW]" in several places. That can cause crashes for some PDF files when viewed on 64-bit systems. Because tileComp->cbW is an unsigned int, the value is first negated as a 32-bit unsigned int (wrapping to a large positive value) and then zero-extended to 64 bits. That results in an index value of about 4 billion.
The following patch fixes the crash by casting to signed int before negating. $ cat debian/patches/109_readCodeBlockData.patch
diff -Nur poppler-0.4.5/poppler/JPXStream.cc poppler-0.4.5.new/poppler/JPXStream.cc
--- poppler-0.4.5/poppler/JPXStream.cc 2007-04-10 16:15:08.000000000 -0600
+++ poppler-0.4.5.new/poppler/JPXStream.cc 2007-04-10 16:15:54.000000000 -0600
@@ -2006,7 +2006,7 @@
 horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW - 1].flags
+ diag += (coeff[-((int)tileComp->cbW) - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2020,7 +2020,7 @@
 horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW + 1].flags
+ diag += (coeff[-((int)tileComp->cbW) + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2029,9 +2029,9 @@
 }
 }
 if (y0+y1 > cb->y0) {
- if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+ if (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSignificant) {
 ++vert;
- vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+ vertSign += (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSign)
 ? -1 : 1;
 }
 }
@@ -2081,7 +2081,7 @@
 if (x > cb->x0) {
 all += (coeff[-1].flags >> jpxCoeffSignificantB) & 1;
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW - 1].flags
+ all += (coeff[-((int)tileComp->cbW) - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2092,7 +2092,7 @@
 if (x < cb->x1 - 1) {
 all += (coeff[1].flags >> jpxCoeffSignificantB) & 1;
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW + 1].flags
+ all += (coeff[-((int)tileComp->cbW) + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2101,7 +2101,7 @@
 }
 }
 if (y0+y1 > cb->y0) {
- all += (coeff[-tileComp->cbW].flags
+ all += (coeff[-((int)tileComp->cbW)].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
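Review bot: The `(int)` cast repeated at each row-above access in this hunk (and again in the hunks at 2020, 2029, 2081, 2092, 2101, 2139, 2207, 2221 and 2230) works only because the narrowed `int` is then sign-extended to pointer width, and it leaves that unsigned-to-signed narrowing implicit at fourteen separate sites where a future neighbour access can easily miss it. Hoisting one signed copy near the top of readCodeBlockData, `int cbW = (int)tileComp->cbW;`, and indexing `coeff[-cbW - 1]`, or using the pointer-difference form `(coeff - tileComp->cbW)[-1].flags` (pointer minus an unsigned operand subtracts the value instead of negating it, so nothing wraps), would state the intent in one place. The negative offsets appear to stay inside the code block only because every such access sits under a `y0+y1 > cb->y0` or `y0 == cb->y0` guard visible in the hunks; a one-line comment at the hoisted definition saying so would help, and that cbW never exceeds INT_MAX for a code block is presumably true but worth confirming. The enclosing readCodeBlockData body begins and ends outside these hunks.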
@@ -2139,12 +2139,12 @@
 !(coeff1[2 * tileComp->cbW].flags & jpxCoeffTouched) &&
 !(coeff1[3 * tileComp->cbW].flags & jpxCoeffTouched) &&
 (x == cb->x0 || y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW - 1].flags
+ !(coeff1[-((int)tileComp->cbW) - 1].flags
 & jpxCoeffSignificant)) &&
 (y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW].flags & jpxCoeffSignificant)) &&
+ !(coeff1[-((int)tileComp->cbW)].flags & jpxCoeffSignificant)) &&
 (x == cb->x1 - 1 || y0 == cb->y0 ||
- !(coeff1[-tileComp->cbW + 1].flags & jpxCoeffSignificant)) &&
+ !(coeff1[-((int)tileComp->cbW) + 1].flags & jpxCoeffSignificant)) &&
 (x == cb->x0 ||
 (!(coeff1[-1].flags & jpxCoeffSignificant) &&
 !(coeff1[tileComp->cbW - 1].flags
@@ -2207,7 +2207,7 @@
 horizSign += (coeff[-1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW - 1].flags
+ diag += (coeff[-((int)tileComp->cbW) - 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2221,7 +2221,7 @@
 horizSign += (coeff[1].flags & jpxCoeffSign) ? -1 : 1;
 }
 if (y0+y1 > cb->y0) {
- diag += (coeff[-tileComp->cbW + 1].flags
+ diag += (coeff[-((int)tileComp->cbW) + 1].flags
 >> jpxCoeffSignificantB) & 1;
 }
 if (y0+y1 < cb->y1 - 1) {
@@ -2230,9 +2230,9 @@
 }
 }
 if (y0+y1 > cb->y0) {
- if (coeff[-tileComp->cbW].flags & jpxCoeffSignificant) {
+ if (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSignificant) {
 ++vert;
- vertSign += (coeff[-tileComp->cbW].flags & jpxCoeffSign)
+ vertSign += (coeff[-((int)tileComp->cbW)].flags & jpxCoeffSign)
 ? -1 : 1;
 }
 }
-- System Information: Debian Release: lenny/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-3-amd64 Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Versions of packages libpoppler0c2 depends on: ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries ii libfontconfig1 2.4.2-1.2 generic font configuration library ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib ii libgcc1 1:4.1.1-21 GCC support library ii libjpeg62 6b-13 The Independent JPEG Group's JPEG ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3 ii zlib1g 1:1.2.3-13 compression library - runtime libpoppler0c2 recommends no packages. -- no debconf information -- Mike Stroyan, [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]