File CVE-2018-20551.patch of Package poppler-qt5.10689

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2018-20551.patch of Package poppler-qt5.10689

From 7f87dc10b6adccd6d1b977a28b064add254aa2da Mon Sep 17 00:00:00 2001
From: Adam Reichold <adam.reichold@t-online.de>
Date: Thu, 27 Dec 2018 11:54:53 +0100
Subject: [PATCH] Do not try to construct invalid rich media annotation assets.
 Closes #703

---
 poppler/Annot.cc | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

Index: poppler-0.62.0/poppler/Annot.cc
===================================================================
--- poppler-0.62.0.orig/poppler/Annot.cc	2019-03-20 11:36:11.108502780 +0000
+++ poppler-0.62.0/poppler/Annot.cc	2019-03-20 11:36:19.606530461 +0000
@@ -6551,20 +6551,22 @@ AnnotRichMedia::Content::Content(Dict *d
   if (obj1.isDict()) {
     Object obj2 = obj1.getDict()->lookup("Names");
     if (obj2.isArray()) {
-      nAssets = obj2.arrayGetLength() / 2;
+      const int length = obj2.arrayGetLength() / 2;
 
-      assets = (Asset **)gmallocn(nAssets, sizeof(Asset *));
+      assets = (Asset **)gmallocn(length, sizeof(Asset *));
+      for (int i = 0; i < length; ++i) {
+	Object objKey = obj2.arrayGet(2 * i);
+	Object objVal = obj2.arrayGet(2 * i + 1);
 
-      int counter = 0;
-      for (int i = 0; i < nAssets; ++i) {
-        assets[counter] = new AnnotRichMedia::Asset;
-
-        Object objKey = obj2.arrayGet(i * 2);
-        assets[counter]->fileSpec = obj2.arrayGet(i * 2 + 1);
-
-        assets[counter]->name = new GooString( objKey.getString() );
-        ++counter;
+	if (!objKey.isString() || objVal.isNull()) {
+	  error(errSyntaxError, -1, "Bad Annot Asset");
+	  continue;
+	}
 
+	assets[nAssets] = new AnnotRichMedia::Asset;
+	assets[nAssets]->name = new GooString( objKey.getString() );
+	assets[nAssets]->fileSpec = std::move(objVal);
+	++nAssets;
       }
     }
   }

Places

File CVE-2018-20551.patch of Package poppler-qt5.10689

Places