--- poppler-0.10.5.orig/debian/libpoppler4.install +++ poppler-0.10.5/debian/libpoppler4.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpoppler.so.* --- poppler-0.10.5.orig/debian/copyright +++ poppler-0.10.5/debian/copyright @@ -0,0 +1,27 @@ +This package was debianized by Changwoo Ryu . + +It was downloaded from http://poppler.freedesktop.org + +Copyright: + Copyright (C) 1996-2003 Glyph & Cog, LLC + +Upstream Author: + Kristian Høgsberg + +License: + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; version 2 dated June, 1991. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +On Debian systems, the complete text of the GNU General +Public License can be found in `/usr/share/common-licenses/GPL-2'. --- poppler-0.10.5.orig/debian/rules +++ poppler-0.10.5/debian/rules @@ -0,0 +1,31 @@ +#!/usr/bin/make -f + +include /usr/share/cdbs/1/rules/debhelper.mk +include /usr/share/cdbs/1/rules/simple-patchsys.mk +include /usr/share/cdbs/1/class/autotools.mk + +# use qt4's moc as the default moc is qt3's when both are installed +PATH := /usr/share/qt4/bin:$(PATH) +export PATH + +# a trick to fix xpdfrc location without modifying autotools stuff +DEB_CONFIGURE_SYSCONFDIR := /etc/xpdf + +# disable gtk stuff to minimize Build-Depends +DEB_CONFIGURE_EXTRA_FLAGS += \ + --enable-libjpeg \ + --disable-openjpeg \ + --enable-splash-output \ + --enable-cairo-output \ + --enable-poppler-glib \ + --enable-poppler-qt \ + --enable-poppler-qt4 \ + --enable-a4-paper \ + --enable-gtk-doc \ + --disable-gtk-test + +DEB_DH_MAKESHLIBS_ARGS_libpoppler4 += -V"libpoppler4" +DEB_DH_MAKESHLIBS_ARGS_libpoppler-glib4 += -V"libpoppler-glib4" +DEB_DH_MAKESHLIBS_ARGS_libpoppler-qt2 += -V"libpoppler-qt2 (>= 0.6)" +DEB_DH_MAKESHLIBS_ARGS_libpoppler-qt4-3 += -V"libpoppler-qt4-3 (>= 0.10)" + --- poppler-0.10.5.orig/debian/changelog +++ poppler-0.10.5/debian/changelog @@ -0,0 +1,688 @@ +poppler (0.10.5-1ubuntu2.4) jaunty-security; urgency=low + + * SECURITY UPDATE: denial of service or arbitrary code execution via + unsafe malloc usage + - debian/patches/30_security_CVE-2009-3605.patch: introduce gmallocn3 + in goo/gmem.{cc,h} and replace malloc calls with safe versions in + glib/poppler-page.cc, poppler/{ArthurOutputDev,CairoOutputDev, + GfxState,JBIG2Stream,PSOutputDev,SplashOutputDev}.cc, + splash/{SplashBitmap,Splash,SplashFTFont}.cc. + - CVE-2009-3605 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in rowSize computation + - debian/patches/31_security_CVE-2009-360x.patch: make sure width value + is sane in splash/SplashBitmap.cc. + - CVE-2009-3603 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in pixel buffer size calculation + - debian/patches/31_security_CVE-2009-360x.patch: make sure yp value + is sane in splash/Splash.cc, splash/SplashErrorCodes.h. + - CVE-2009-3604 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in object stream handling + - debian/patches/31_security_CVE-2009-360x.patch: limit number of + nObjects in poppler/XRef.cc. + - CVE-2009-3608 + * SECURITY UPDATE: denial of service or arbitrary code execution via + integer overflow in ImageStream::ImageStream + - debian/patches/31_security_CVE-2009-360x.patch: check size of width + and nComps in poppler/Stream.cc. + - CVE-2009-3609 + * SECURITY UPDATE: denial of service or arbitrary code execution via + overflow in create_surface_from_thumbnail_data + - debian/patches/32_security_CVE-2009-3607.patch: eliminate g_malloc in + glib/poppler-page.cc. + - CVE-2009-3607 + + -- Marc Deslauriers Tue, 20 Oct 2009 09:26:30 -0400 + +poppler (0.10.5-1ubuntu2.2) jaunty-proposed; urgency=low + + * debian/patches/20_pdftops-multiple-page-size-support.patch: Made new + page-size-conserving PostScript output mode working together with Duplex, + (LP: #382379). + + -- Till Kamppeter Mon, 22 Jun 2009 16:43:49 +0200 + +poppler (0.10.5-1ubuntu2.1) jaunty-proposed; urgency=low + + * debian/patches/25_poppler-ps-output-broken-binary-encoding-fix.patch: + Fixed bug in copying ASCII85-encoded binary data from the PDF input + file which produced broken PostScript (LP: #335397). + * debian/patches/20_pdftops-multiple-page-size-support.patch: Added new + output mode to the PostScript output device, so that the original page + sizes of PDF documents with multiple page sizes stay conserved + (LP: #382379). + + -- Till Kamppeter Wed, 17 Jun 2009 12:04:49 +0200 + +poppler (0.10.5-1ubuntu2) jaunty; urgency=low + + * SECURITY UPDATE: denial of service and possible code execution from + multiple integer overflows, buffer overflows, and other issues with + JBIG2 decoding. (LP: #361875) + - debian/patches/11_security_jbig2.patch: prevent integer overflow in + poppler/CairoOutputDev.cc and splash/SplashBitmap.cc, add overflow + checking, improve error handling, and fix other issues in + poppler/JBIG2Stream.*. + - CVE-2009-0146 + - CVE-2009-0147 + - CVE-2009-0166 + - CVE-2009-0799 + - CVE-2009-0800 + - CVE-2009-1179 + - CVE-2009-1180 + - CVE-2009-1181 + - CVE-2009-1182 + - CVE-2009-1183 + - CVE-2009-1187 + - CVE-2009-1188 + + -- Marc Deslauriers Thu, 16 Apr 2009 22:40:29 -0400 + +poppler (0.10.5-1ubuntu1) jaunty; urgency=low + + * New version sync on debian + * debian/control, debian/rules: + - don't use openjpeg it's in universe + + -- Sebastien Bacher Wed, 01 Apr 2009 23:15:31 +0200 + +poppler (0.10.5-1) unstable; urgency=low + + [ Pino Toscano ] + * New upstream release, no API nor ABI changes. + + Fixes crash when rendering documents with optional content. + (Closes: #519494) + * Remove lintian override for poppler-dbg, which is no more needed with + lintian >= 2.2.1. + + -- Josselin Mouette Wed, 01 Apr 2009 15:19:53 +0200 + +poppler (0.10.4-3) unstable; urgency=low + + * Revert previous upload, now openjpeg was built successfully on + alpha. + * Build-depend on libglib2.0-doc to ensure proper xrefs. + + -- Josselin Mouette Tue, 10 Mar 2009 12:03:06 +0100 + +poppler (0.10.4-2) unstable; urgency=low + + * Don’t require openjpeg on alpha, since it doesn’t build there. + + -- Josselin Mouette Sun, 08 Mar 2009 03:33:50 +0100 + +poppler (0.10.4-1) unstable; urgency=low + + [ Pino Toscano ] + * New upstream stable release, with ABI and API changes wrt poppler 0.8. + - Rename libpoppler3 to libpoppler4, libpoppler-glib3 to libpoppler-glib4; + libpoppler-qt2 and libpoppler-qt4-3 are not renamed; update control, + DEB_DH_MAKESHLIBS_ARGS_* in rules, and rename install files. + - Add shlib version for libpoppler-qt4-3. + - Drop patches 60_manpages-cfg-flag.patch, 61_manpages-hyphens.patch, and + 62_pdftops-mandatory-arg.patch, merged upstream. + * Build-dep on libopenjpeg-dev for better JPEG2000 reading. + + [ Josselin Mouette ] + * Build-depend explicitly on libjpeg-dev, libfreetype6-dev and + libxml2-dev. + * Bump requirement on libqt4-dev. + + -- Josselin Mouette Fri, 06 Mar 2009 12:54:09 +0100 + +poppler (0.8.7-1) unstable; urgency=low + + * Bump up Standards-Version to 3.8.0. + * New patch, 61_manpages-hyphens, fixes escaping of hyphens in man pages; + FreeDesktop #17225. + * New patch, 62_pdftops-mandatory-arg, fixes synopsis of pdftops in man page + to clarify that a PDF file is required in all cases; FreeDesktop #17226; + closes: #491816. + * Build-dep on cdbs (>= 0.4.52) and add a lintian override with rationale + for the following lintian warning: + W: poppler-dbg: dbg-package-missing-depends poppler + * Add xrefs and CVE for #489756 in 0.8.5-1 as I didn't merge the 0.8.4-1.1 + NMU. + * New upstream release; no API change, bug fixes. + + -- Loic Minier Wed, 20 Aug 2008 17:36:12 +0200 + +poppler (0.8.6-1) unstable; urgency=low + + * Fix /usr/share/gtk-doc/html/poppler symlink to point at + /usr/share/doc/libpoppler-glib-dev/html/poppler instead of + /usr/share/doc/libpoppler-glib-dev/html; LP: #226677. + * New upstream stable release; bug fixes, no API change. + * New patch, 60_manpages-cfg-flag, drop unimplemented -cfg flag from man + pages; FreeDesktop #17222; closes: #461961. + * Rename patch 001_jpxstream_int_crash to 10_jpxstream_int_crash as we don't + have that many patches; also add upstream bug id (FreeDesktop #5667) and + refresh to apply cleanly. + * Build-dep on pkg-config >= 0.18 to make sure -lpoppler is only in + poppler-qt's Libs.private (it already is though); closes: #360595. + + -- Loic Minier Fri, 01 Aug 2008 15:04:05 +0200 + +poppler (0.8.5-1) unstable; urgency=low + + * New upstream release; no API changes, misc fixes. + - Initializes pageWidgets in Page.cc, otherwise it can be a rubbish + pointer as Annots is not a valid object; upstream commit + fd0bf8b05cb155e2f29df31fa01964b12e710b89; CVE-2008-2950; + closes: #489756. + + -- Loic Minier Wed, 30 Jul 2008 14:52:42 +0200 + +poppler (0.8.4-1) unstable; urgency=low + + * New upstream release; no API change. + - Fixes crash when reloading PDFs; GNOME #536482; closes: 484160. + + -- Loic Minier Mon, 30 Jun 2008 10:44:16 +0200 + +poppler (0.8.3-1) unstable; urgency=low + + * New upstream release. Closes: #487214. + + Fix crasher with some PDF files. Closes: #484224. + + -- Josselin Mouette Wed, 25 Jun 2008 16:40:39 +0200 + +poppler (0.8.2-2) unstable; urgency=low + + * Upload to unstable. + * Set myself as Maintainer instead of Uploader, taking over from Ondřej Surý + but I wish we move to an official team; closes: #481323. + + -- Loic Minier Thu, 15 May 2008 12:33:18 +0200 + +poppler (0.8.2-1) experimental; urgency=low + + * New upstream releases. + - Drop patch 006_pthreads_ldflags, upstream now calls ACX_PTHREAD() in + configure.ac which does the right thing. + - Drop patch 102_embedded-font-fixes, merged upstream. + + -- Loic Minier Sun, 11 May 2008 01:02:22 +0200 + +poppler (0.8.0-1) experimental; urgency=low + + * Bump libcairo2-dev build-dep and dep to >= 1.4; thanks + Marc 'HE' Brockschmidt. + * New upstream stable release, with ABI and API changes; closes: #476323. + - Rename libpoppler2 to libpoppler3, libpoppler-glib2 to libpoppler-glib3, + and libpoppler-qt4-2 to libpoppler-qt4-3; NB: libpoppler-qt2 not + renamed; update control, DEB_DH_MAKESHLIBS_ARGS_* in rules, rename + install files. + - Drop shlib version except for libpoppler-qt2. + - Update patch 006_pthreads_ldflags for the version-info changes in + poppler/Makefile.am. + - Force usage of qt4's moc via a PATH setting; export PATH. + * Let libpoppler-glib-dev depend on libglib2.0-dev >= 2.6 for consistency + with build-deps. + * New patch, 102_embedded-font-fixes; protects the methods of the Object + class to be more robust and prevent things like CVE-2008-1693; see also + FreeDesktop/Poppler #11392; taken from the Ubuntu package; + closes: #476842. + * Add a poppler-dbg package; closes: #408403. + - Bump up cdbs build-dep to >= 0.4.51 for -dbg handling fixes. + - Add poppler-dbg to control. + + -- Loic Minier Mon, 17 Mar 2008 21:00:13 +0100 + +poppler (0.6.4-1) unstable; urgency=medium + + * Add ${shlibs:Depends} to libpoppler-glib-dev, libpoppler-dev, + libpoppler-qt-dev, libpoppler-qt4-dev. + * Add ${misc:Depends}. + * Cleanups. + * New upstream releases; no API change; bug fixes; closes: #459342. + * Fix copyright information to use version 2 of the GPL (instead of version 2 + or later); thanks Timo Jyrinki for the patch; closes: #453865. + * Urgency medium for RC bug fix. + * List pdftohtml in poppler-utils' description; closes: #464439. + * Drop libpoppler-qt-dev dependency from libpoppler-qt4-dev; thanks + Pino Toscano; closes: #459922. + * Bump up Standards-Version to 3.7.3. + + -- Loic Minier Fri, 18 Jan 2008 13:35:06 +0100 + +poppler (0.6.2-1) unstable; urgency=low + + * New upstream version. (Closes: #447992) + * Dependency on xpdfrc was removed on 2007-02-25 (Closes: #347789, #440936) + * Changes since 0.6.1: + - Fix CVE-2007-4352, CVE-2007-5392 and CVE-2007-5393 (Closes: #450628) + - Fix a crash on documents with wrong CCITTFaxStream + - Fix a crash in the Cairo renderer with invalid embedded fonts + - Fix a crash with invalid TrueType fonts + - Check if font is inside the clip area before rendering + it to a temporary bitmap in the Splash renderer. Fixes crashes on + incorrect documents + - Do not use exit(1) on DCTStream errors + - Detect form fields at any depth level + - Do not generate appearance stream for radio buttons that are not active + + -- Ondřej Surý Wed, 14 Nov 2007 11:20:07 +0100 + +poppler (0.6.1-2) unstable; urgency=low + + * Upload to unstable. + + -- Ondřej Surý Tue, 06 Nov 2007 09:07:10 +0100 + +poppler (0.6.1-1) experimental; urgency=low + + * New upstream version. + * Changes since 0.6.0: + - poppler core: + + Fix printing with different x and y scale + + Fix crash when Form Fields array contains references to non + existent objects + + Fix crash in CairoOutputDev::drawMaskedImage() + + Fix embedded file description not working on some cases + - Qt4 frontend: + + Fix printing issue + + Avoid double free + + Fix memory leak when dealing with embedded files + - glib frontend: + + Fix build with --disable-cairo-output + + Do not return unknown field type for signature form fields + - build system: + + Support automake-1.10 + + More compatible sh code in qt.m4 + - utils: + + Fix build on Sun Studio compiler + + -- Ondřej Surý Thu, 25 Oct 2007 11:33:04 +0200 + +poppler (0.6-1) experimental; urgency=low + + * New upstream release. (Closes: #429700) + - merged changes from Ubuntu, courtesy of Sebastien Bacher + - Fix security issue MOAB-06-01-2007 + - Fix security issue CVE-2007-3387 + - Fix security issue CVE-2007-5049 (Closes: #443903) + * debian/watch: + - update (Closes: #441012) + * debian/control, debian/libpoppler2.install, debian/libpoppler-glib2.install, + debian/libpoppler-qt2.install, debian/libpoppler-qt4-2.install, + debian/rules: + - updated for soname change + * debian/libpoppler-glib-dev.install: + - install new test-poppler-glib + * debian/patches/002_CVE-2006-0301.patch: + - dropped, deprecated by the upstream changes + * debian/patches/003_glib-2.0-configure.patch: + * debian/patches/004_CVE-2007-0104.patch: + * debian/patches/005_fix_inverted_text_from_bug_8944.patch: + - dropped, fixed with the new version + * debian/patches/006_pthreads_ldflags.patch: + - updated + + -- Ondřej Surý Thu, 27 Sep 2007 09:03:33 +0200 + +poppler (0.5.4-6) unstable; urgency=low + + * Conflict with old library names from experimental. (Closes: #426023) + + -- Ondřej Surý Wed, 30 May 2007 08:42:32 +0200 + +poppler (0.5.4-5) unstable; urgency=low + + * Add missing poppler/poppler-link-qt3.h header to libpoppler-qt-dev; thanks + Sune Vuorela; closes: #425486. + * Let libpoppler-qt4-dev depend on libpoppler-qt-dev since some of its + headers require poppler-page-transition.h which is clearly from the Qt + bindings; thanks Sune Vuorela; closes: #425540. + * Wrap build-deps and deps. + * Drop useless debian/*.dirs. + * Misc cleanups. + * Build-dep on autotools-dev and drop bogus lintian overrides. + + -- Loic Minier Thu, 24 May 2007 23:09:23 +0200 + +poppler (0.5.4-4) unstable; urgency=low + + * The "Augean Stables" release. + * 0.5.x branch fixes all kind of displaying errors + Closes: #372169, #235360, #331380, #332426, #336616 + Closes: #402647, #369164, #413953, #343654 + * Add versioned conflict to pdftohtml (Closes: #393169) + * We dropped .la files some time ago, libjpeg62-dev dependency not + needed now (Closes: #413112) + * Crash fixed in 0.5.4 (Closes: #418638) + * [control.in]: dropped some time ago (Closes: #407818) + * NMU 0.5.4-5.1 merged as 004_CVE-2007-0104.patch (Closes: #407810) + * 0.5.x uploaded to unstable (Closes: #352522) + * qt4 libraries are now part of build (Closes: #414643) + * No longer depends on poppler-data (Closes: #389753) + * [debian/patches/006_pthreads_ldflags.patch]: + + Add -lpthread to poppler/Makefile.am (Closes: #399275) + + -- Ondřej Surý Wed, 16 May 2007 10:45:39 +0200 + +poppler (0.5.4-3) unstable; urgency=low + + * Upload to unstable. + * Enable Cairo output again. + * Enable gtk-doc build. + * Add lintian override for outdated-autotools-helper-files (we use CDBS). + * Change shared library packages names according to Library Packaging Guide. + * Change ${Source-Version} to ${binary:Version} to allow binNMU + * Drop (= ${Source-Version}) dependency in glib, qt3, qt4 libraries; we are + adding that from debian/rules + * Merge changes from Ubuntu: + + Enable Qt4 library build (but change name to libpoppler-qt4-1). + + [debian/patches/004_CVE-2007-0104.patch]: + - Limit recursion depth of the parsing tree to 100 to avoid infinite loop + with crafted documents. + - Patch taken from koffice security update (which has a copy of xpdf + sources). + + [debian/patches/005_fix_inverted_text_from_bug_8944.patch]: + - fixes "text is inverted in some PDFs" + + -- Ondřej Surý Wed, 16 May 2007 08:26:47 +0200 + +poppler (0.5.4-2) experimental; urgency=low + + * [debian/control]: poppler-data is non-free, do not depend on it (Closes: #389753) + + -- Ondřej Surý Mon, 2 Oct 2006 14:41:58 +0200 + +poppler (0.5.4-1) experimental; urgency=low + + * New upstrem release. + * [debian/control.in]: remove file and add all pkg-freedesktop people + to Uploaders: field + * [debian/control]: Add dependency on poppler-data package. + * [debian/patches/03_glib-2.0-configure.patch]: fix broken configure.ac + + -- Ondřej Surý Fri, 22 Sep 2006 16:49:17 +0200 + +poppler (0.5.3-1) experimental; urgency=low + + * New upstream release. + * debian/lib{poppler,poppler-glib,poppler-qt}-dev.install: + Stop shipping /usr/lib/*.la in libpoppler*-dev. + + -- Ondřej Surý Wed, 31 May 2006 17:19:34 +0200 + +poppler (0.5.2-1) experimental; urgency=low + + * New upstream release. + * Remove patches adopted upstream: + debian/patches/000_incorrect_define_fix.patch + debian/patches/000_splash_build_fix.patch + + -- Ondřej Surý Tue, 23 May 2006 20:21:30 +0200 + +poppler (0.5.1-1) experimental; urgency=low + + * Merge back changes from Ubuntu. + * Upload to experimental (Closes: 352522) + + -- Ondřej Surý Tue, 18 Apr 2006 15:08:26 +0200 + +poppler (0.5.1-0ubuntu6) dapper; urgency=low + + * Install poppler-page-transition into libpoppler-qt-dev (not + libpoppler-dev), since it comes from the Qt bindings. Closes: LP#32179 + + -- Martin Pitt Mon, 10 Apr 2006 12:20:46 +0200 + +poppler (0.5.1-0ubuntu5) dapper; urgency=low + + * debian/patches/000_incorrect_define_fix.patch: + - patch from the CVS, fix an incorrect boxes rendering (Ubuntu: #33239) + + -- Sebastien Bacher Thu, 23 Mar 2006 12:33:17 +0100 + +poppler (0.5.1-0ubuntu4) dapper; urgency=low + + * debian/control.in: libpoppler-dev needs to depend on libfontconfig1-dev, + because we directly include in GlobalParams.h + + -- Adam Conrad Thu, 16 Mar 2006 11:23:00 +1100 + +poppler (0.5.1-0ubuntu3) dapper; urgency=low + + * debian/control.in: Have poppler-utils Replace: xpdf-reader, since both + contain pdftoppm.1.gz. + + -- Martin Pitt Mon, 13 Mar 2006 09:10:12 +0100 + +poppler (0.5.1-0ubuntu2) dapper; urgency=low + + * debian/control.in: + - fix the libpoppler1 package description + + -- Sebastien Bacher Thu, 9 Mar 2006 09:43:15 +0000 + +poppler (0.5.1-0ubuntu1) dapper; urgency=low + + * New upstream version: + - Support for embedded files. + - Handle 0-width lines correctly. + - Avoid external file use when opening fonts. + - Only use vector fonts returned from fontconfig (#5758). + - Fix scaled 1x1 pixmaps use for drawing lines (#3387). + - drawSoftMaskedImage support in cairo backend. + - Misc bug fixes: #5922, #5946, #5749, #5952, #4030, #5420. + * debian/control.in, debian/libpoppler0c2.dirs, + debian/libpoppler0c2-glib.dirs, debian/libpoppler0c2-glib.install, + debian/libpoppler0c2.install, debian/libpoppler0c2-qt.dirs, + debian/libpoppler0c2-qt.install, debian/rules: + - updated for the soname change + * debian/patches/000_splash_build_fix.patch: + - fix build when using splash + * debian/patches/001_fixes_for_fonts_selection.patch: + - fix with the new version + + -- Sebastien Bacher Mon, 6 Mar 2006 18:42:44 +0000 + +poppler (0.5.0-0ubuntu5) dapper; urgency=low + + * debian/control.in, debian/rules: + - build without libcairo + + -- Sebastien Bacher Sun, 26 Feb 2006 20:05:10 +0100 + +poppler (0.5.0-0ubuntu4) dapper; urgency=low + + * debian/patches/001_fixes_for_fonts_selection.patch: + - change from the CVS, fix some renderings issues and fonts selection + + -- Sebastien Bacher Tue, 7 Feb 2006 13:38:04 +0100 + +poppler (0.5.0-0ubuntu3) dapper; urgency=low + + * SECURITY UPDATE: Buffer overflow. + * Add debian/patches/002_CVE-2006-0301.patch: + - splash/Splash.cc, Splash::drawPixel(), Splash::drawSpan(), + Splash::xorSpan(): Check coordinates for integer overflow. + * CVE-2006-0301 + + -- Martin Pitt Fri, 3 Feb 2006 18:13:30 +0000 + +poppler (0.5.0-0ubuntu2) dapper; urgency=low + + * debian/rules: Bump shlibs version to 0.5.0. + + -- Martin Pitt Fri, 20 Jan 2006 16:56:40 +0100 + +poppler (0.5.0-0ubuntu1) dapper; urgency=low + + * New upstream release 0.5.0, required for new evince 0.5. + * Merge with Debian. + * Remove patches adopted upstream: + - debian/patches/000_add-poppler-utils.patch + - debian/patches/002-selection-crash-bug.patch + * debian/libpoppler-dev.install: + - Install poppler-page-transition.h. + - Do not install poppler-config.h, it doesn't exist any more. + - Upstream doesn't install legacy xpdf includes any more, fix path to + install them into libpoppler-dev. + * Add debian/patches/001_jpxstream_int_crash.patch: + - poppler/JPXStream.h: Fix declaration of cbW to be signed. + JPXStream.cc, readCodeBlockData() negates the value, which results in an + invalid value on 64 bit platforms if using unsigned types. + - Thanks to Vladimir Nadvornik for pointing at this. + + -- Martin Pitt Thu, 19 Jan 2006 23:49:52 +0100 + +poppler (0.4.4-1) unstable; urgency=high + + * New upstream security release + - fixes CVE-2005-3624, CVE-2005-3625, CVE-2005-3627 + * Remove debian/patches/003-CVE-2005-3624_5_7.patch: + - Merged upstream + * Remove debian/patches/004-fix-CVE-2005-3192.patch: + - Merged upstream + * Remove debian/patches/001-relibtoolize.patch + - Upstream uses recent libtool + + -- Ondřej Surý Thu, 12 Jan 2006 20:40:27 +0100 + +poppler (0.4.3-3) unstable; urgency=low + + * Fix missing libcairo2-dev dependency (Closes: #346277) + + -- Ondřej Surý Fri, 6 Jan 2006 21:37:10 +0100 + +poppler (0.4.3-2) unstable; urgency=high + + [ Martin Pitt ] + * SECURITY UPDATE: Multiple integer/buffer overflows. + * Add debian/patches/003-CVE-2005-3624_5_7.patch: + - poppler/Stream.cc, CCITTFaxStream::CCITTFaxStream(): + + Check columns for negative or large values. + + CVE-2005-3624 + - poppler/Stream.cc, numComps checks introduced in CVE-2005-3191 patch: + + Reset numComps to 0 since it's a global variable that is used later. + + CVE-2005-3627 + - poppler/Stream.cc, DCTStream::readHuffmanTables(): + + Fix out of bounds array access in Huffman tables. + + CVE-2005-3627 + - poppler/Stream.cc, DCTStream::readMarker(): + + Check for EOF in while loop to prevent endless loops. + + CVE-2005-3625 + - poppler/JBIG2Stream.cc, JBIG2Bitmap::JBIG2Bitmap(), + JBIG2Bitmap::expand(), JBIG2Stream::readHalftoneRegionSeg(): + + Check user supplied width and height against invalid values. + + Allocate one extra byte to prevent out of bounds access in combine(). + * Add debian/patches/004-fix-CVE-2005-3192.patch: + - Fix nVals int overflow check in StreamPredictor::StreamPredictor(). + - Forwarded upstream to https://bugs.freedesktop.org/show_bug.cgi?id=5514. + + [ Ondřej Surý ] + * Merge changes from Ubuntu (Closes: #346076). + * Enable Cairo output again. + + -- Ondřej Surý Thu, 5 Jan 2006 14:54:44 +0100 + +poppler (0.4.3-1) unstable; urgency=high + + * New upstream release. + * New maintainer (Closes: #344738) + * CVE-2005-3191 and CAN-2005-2097 fixes merged upstream. + * Fixed some rendering bugs and disabled Cairo output + (Closes: #314556, #322964, #328211) + * Acknowledge NMU (Closes: #342288) + * Add 001-selection-crash-bug.patch (Closes: #330544) + * Add poppler-utils (merge patch from Ubuntu) + + -- Ondřej Surý Fri, 30 Dec 2005 11:34:07 +0100 + +poppler (0.4.2-1.1) unstable; urgency=high + + * SECURITY UPDATE: Multiple integer/buffer overflows. + + * NMU to fix RC security bug (closes: #342288) + * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu, + thanks to Martin Pitt: + * poppler/Stream.cc, DCTStream::readBaselineSOF(), + DCTStream::readProgressiveSOF(), DCTStream::readScanInfo(): + - Check numComps for invalid values. + - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities + - CVE-2005-3191 + * poppler/Stream.cc, StreamPredictor::StreamPredictor(): + - Check rowBytes for invalid values. + - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities + - CVE-2005-3192 + * poppler/JPXStream.cc, JPXStream::readCodestream(): + - Check img.nXTiles * img.nYTiles for integer overflow. + - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities + - CVE-2005-3193 + + -- Frank Küster Fri, 23 Dec 2005 16:36:30 +0100 + +poppler (0.4.2-1) unstable; urgency=low + + * GNOME Team upload. + * New upstream version. + * debian/control.in: + - updated the Build-Depends on libqt (Closes: #326130). + * debian/rules: + - updated the shlibs. + + -- Sebastien Bacher Wed, 7 Sep 2005 12:41:48 +0200 + +poppler (0.4.0-1) unstable; urgency=low + + * GNOME Team Upload. + * Rebuild for the CPP transition. + * New upstream version (Closes: #311133): + - fix some crashers (Closes: #315590, #312261, #309410). + - fix some rendering defaults (Closes: #314441, #315383, #309697, #308785). + * debian/control.in, debian/rules: + - build with the current cairo version (Closes: #321368, #318293). + - update for the renamed the packages. + * debian/patches/01_CAN-2005-2097.patch: + - Patch from Ubuntu, thanks Martin Pitt. + - Check sanity of the TrueType "loca" table. Specially crafted broken + tables caused disk space exhaustion due to very large generated glyph + descriptions when attempting to fix the table. + - Upstream patch scheduled for xpdf 3.01. + - CAN-2005-2097 + * debian/watch: + - fixed, patch by Jerome Warnier (Closes: #310996). + + -- Sebastien Bacher Wed, 17 Aug 2005 21:54:07 +0200 + +poppler (0.3.1-1) unstable; urgency=low + + * New upstream release + * Upstream fixed the Qt build bug, so now I can enable Qt + build. (Closes:#307340) It leads two new binary packages + libpoppler0-qt and libpoppler-qt-dev. + * Excluded DEB_CONFIGURE_SYSCONFDIR setting, which is obsolete by the + upstream removal of xpdfrc config. + + -- Changwoo Ryu Wed, 4 May 2005 00:19:35 +0900 + +poppler (0.3.0-2) unstable; urgency=high + + * Added shlib version info for libpoppler0-glib. + * Corrected dependencies of libpoppler0-glib and libpoppler-glib-dev. + (Closes: #306897) + * Build-Depends on libgtk2.0-dev for -glib packages. (Closes: #306885) + * Corrected descriptions of -glib packages. + + -- Changwoo Ryu Thu, 28 Apr 2005 02:41:25 +0900 + +poppler (0.3.0-1) unstable; urgency=low + + * New upstream release (Closes: #306573) + * Added new binary packages libpoppler0-glib and libpoppler-glib-dev, + which are GLib-based interfaces. Qt interface build is termporarily + disabled, because of an upstream FTBFS. + + -- Changwoo Ryu Thu, 28 Apr 2005 02:07:23 +0900 + +poppler (0.1.2-1) unstable; urgency=low + + * Initial Release (Closes: #299518) + + -- Changwoo Ryu Tue, 15 Mar 2005 02:08:00 +0900 --- poppler-0.10.5.orig/debian/libpoppler-glib4.install +++ poppler-0.10.5/debian/libpoppler-glib4.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpoppler-glib.so.* --- poppler-0.10.5.orig/debian/libpoppler-qt4-dev.install +++ poppler-0.10.5/debian/libpoppler-qt4-dev.install @@ -0,0 +1,4 @@ +debian/tmp/usr/include/poppler/qt4 +debian/tmp/usr/lib/libpoppler-qt4.a +debian/tmp/usr/lib/libpoppler-qt4.so +debian/tmp/usr/lib/pkgconfig/poppler-qt4.pc --- poppler-0.10.5.orig/debian/poppler-utils.install +++ poppler-0.10.5/debian/poppler-utils.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin/ +debian/tmp/usr/share/man/man1/ --- poppler-0.10.5.orig/debian/libpoppler-dev.install +++ poppler-0.10.5/debian/libpoppler-dev.install @@ -0,0 +1,8 @@ +poppler/*.h usr/include/poppler/ +goo/*.h usr/include/poppler/goo/ +splash/*.h usr/include/poppler/splash/ +debian/tmp/usr/lib/libpoppler.a +debian/tmp/usr/lib/libpoppler.so +debian/tmp/usr/lib/pkgconfig/poppler.pc +debian/tmp/usr/lib/pkgconfig/poppler-splash.pc +debian/tmp/usr/lib/pkgconfig/poppler-cairo.pc --- poppler-0.10.5.orig/debian/libpoppler-glib-dev.install +++ poppler-0.10.5/debian/libpoppler-glib-dev.install @@ -0,0 +1,6 @@ +debian/tmp/usr/share/gtk-doc/html/poppler/ usr/share/doc/libpoppler-glib-dev/html/ +debian/tmp/usr/include/poppler/glib/ +debian/tmp/usr/lib/libpoppler-glib.a +debian/tmp/usr/lib/libpoppler-glib.so +debian/tmp/usr/lib/pkgconfig/poppler-glib.pc +glib/.libs/test-poppler-glib usr/lib/poppler --- poppler-0.10.5.orig/debian/libpoppler-qt4-3.install +++ poppler-0.10.5/debian/libpoppler-qt4-3.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpoppler-qt4.so.* --- poppler-0.10.5.orig/debian/libpoppler-glib-dev.links +++ poppler-0.10.5/debian/libpoppler-glib-dev.links @@ -0,0 +1 @@ +usr/share/doc/libpoppler-glib-dev/html/poppler usr/share/gtk-doc/html/poppler --- poppler-0.10.5.orig/debian/control +++ poppler-0.10.5/debian/control @@ -0,0 +1,155 @@ +Source: poppler +Section: devel +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Loic Minier +Uploaders: Josselin Mouette , + Dave Beckett , + Ross Burton +Build-Depends: cdbs (>= 0.4.52), + debhelper (>= 5), + autotools-dev, + gnome-pkg-tools, + libglib2.0-dev (>= 2.6), + libgtk2.0-dev (>= 2.4.0), + libfontconfig1-dev, + libqt3-mt-dev (>= 3:3.3.4-4), + libqt4-dev (>= 4.1.0), + libglade2-dev, + libcairo2-dev (>= 1.4), + libjpeg-dev, + libfreetype6-dev, + libxml2-dev, + gtk-doc-tools (>= 1.0), + pkg-config (>= 0.18), + libglib2.0-doc +Standards-Version: 3.8.0 + +Package: libpoppler4 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package contains the shared library. + +Package: libpoppler-dev +Architecture: any +Section: libdevel +Depends: libpoppler4 (= ${binary:Version}), + libfontconfig1-dev, + ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library -- development files + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package contains the headers and development libraries needed to + build applications using Poppler. + +Package: libpoppler-glib4 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library (GLib-based shared library) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides the GLib-based shared library for applications + using the GLib interface to Poppler. + +Package: libpoppler-glib-dev +Architecture: any +Section: libdevel +Depends: libpoppler-glib4 (= ${binary:Version}), + libpoppler-dev (= ${binary:Version}), + libglib2.0-dev (>= 2.6), + libpango1.0-dev, + libcairo2-dev (>= 1.4), + ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library -- development files (GLib interface) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides a GLib-style interface to Poppler. + +Package: libpoppler-qt2 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library (Qt 3 based shared library) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides the Qt 3 based shared library for applications + using the Qt 3 interface to Poppler. + +Package: libpoppler-qt-dev +Architecture: any +Section: libdevel +Depends: libpoppler-qt2 (= ${binary:Version}), + libpoppler-dev (= ${binary:Version}), + libqt3-mt-dev, + ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library -- development files (Qt 3 interface) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides a Qt 3 style interface to Poppler. + +Package: libpoppler-qt4-3 +Architecture: any +Section: libs +Depends: ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library (Qt 4 based shared library) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides the Qt 4 based shared library for applications + using the Qt 4 interface to Poppler. + +Package: libpoppler-qt4-dev +Architecture: any +Section: libdevel +Depends: libpoppler-qt4-3 (= ${binary:Version}), + libpoppler-dev (= ${binary:Version}), + libqt4-dev, + ${shlibs:Depends}, + ${misc:Depends} +Description: PDF rendering library -- development files (Qt 4 interface) + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package provides a Qt 4 style interface to Poppler. + +Package: poppler-utils +Architecture: any +Section: utils +Depends: ${shlibs:Depends}, + ${misc:Depends} +Recommends: ghostscript +Conflicts: xpdf-utils, + pdftohtml (<< 0.36-14) +Replaces: xpdf-utils, + pdftohtml, + xpdf-reader +Provides: xpdf-utils, + pdftohtml +Description: PDF utilitites (based on libpoppler) + This package contains pdftops (PDF to PostScript converter), pdfinfo + (PDF document information extractor), pdfimages (PDF image extractor), + pdftohtml (PDF to HTML converter), pdftotext (PDF to text converter), + and pdffonts (PDF font analyzer). + +Package: poppler-dbg +Architecture: any +Section: libs +Priority: extra +Depends: ${misc:Depends}, + libpoppler4 (= ${binary:Version}), + ${shlibs:Depends} +Description: PDF rendering library - detached debugging symbols + Poppler is a PDF rendering library based on xpdf PDF viewer. + . + This package contains the detached debugging symbols. + --- poppler-0.10.5.orig/debian/docs +++ poppler-0.10.5/debian/docs @@ -0,0 +1,5 @@ +AUTHORS +NEWS +README +README-XPDF +TODO --- poppler-0.10.5.orig/debian/compat +++ poppler-0.10.5/debian/compat @@ -0,0 +1 @@ +5 --- poppler-0.10.5.orig/debian/libpoppler-qt-dev.install +++ poppler-0.10.5/debian/libpoppler-qt-dev.install @@ -0,0 +1,4 @@ +debian/tmp/usr/include/poppler/qt3 +debian/tmp/usr/lib/libpoppler-qt.a +debian/tmp/usr/lib/libpoppler-qt.so +debian/tmp/usr/lib/pkgconfig/poppler-qt.pc --- poppler-0.10.5.orig/debian/libpoppler-qt2.install +++ poppler-0.10.5/debian/libpoppler-qt2.install @@ -0,0 +1 @@ +debian/tmp/usr/lib/libpoppler-qt.so.* --- poppler-0.10.5.orig/debian/watch +++ poppler-0.10.5/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://poppler.freedesktop.org/ poppler-([0-9.]*)\.tar\.gz debian uupdate --- poppler-0.10.5.orig/debian/patches/20_pdftops-multiple-page-size-support.patch +++ poppler-0.10.5/debian/patches/20_pdftops-multiple-page-size-support.patch @@ -0,0 +1,147 @@ +diff -Nur -x '*.orig' -x '*~' poppler-0.11.0/poppler/PSOutputDev.cc poppler-0.11.0.new/poppler/PSOutputDev.cc +--- poppler-0.11.0/poppler/PSOutputDev.cc 2009-05-11 19:59:09.000000000 +0200 ++++ poppler-0.11.0.new/poppler/PSOutputDev.cc 2009-06-22 16:40:04.000000000 +0200 +@@ -1269,6 +1269,7 @@ + Object info, obj1; + + switch (mode) { ++ case psModePSOrigPageSizes: + case psModePS: + writePS("%!PS-Adobe-3.0\n"); + break; +@@ -1299,6 +1300,9 @@ + writePS("%%DocumentSuppliedResources: (atend)\n"); + + switch (mode) { ++ case psModePSOrigPageSizes: ++ prevWidth = 0; ++ prevHeight = 0; + case psModePS: + writePSFmt("%%DocumentMedia: plain {0:d} {1:d} 0 () ()\n", + paperWidth, paperHeight); +@@ -3122,7 +3132,7 @@ + GBool landscape; + + +- if (mode == psModePS) { ++ if (mode == psModePS || mode == psModePSOrigPageSizes) { + GooString pageLabel; + const GBool gotLabel = m_catalog->indexToLabel(pageNum -1, &pageLabel); + if (gotLabel) { +@@ -3137,7 +3147,8 @@ + } else { + writePSFmt("%%Page: {0:d} {1:d}\n", pageNum, seqPage); + } +- writePS("%%BeginPageSetup\n"); ++ if (mode != psModePSOrigPageSizes) ++ writePS("%%BeginPageSetup\n"); + } + + // underlays +@@ -3150,6 +3161,35 @@ + + switch (mode) { + ++ case psModePSOrigPageSizes: ++ x1 = (int)floor(state->getX1()); ++ y1 = (int)floor(state->getY1()); ++ x2 = (int)ceil(state->getX2()); ++ y2 = (int)ceil(state->getY2()); ++ width = x2 - x1; ++ height = y2 - y1; ++ if (width > height) { ++ landscape = gTrue; ++ } else { ++ landscape = gFalse; ++ } ++ writePSFmt("%%PageBoundingBox: {0:d} {1:d} {2:d} {3:d}\n", x1, y1, x2 - x1, y2 - y1); ++ writePS("%%BeginPageSetup\n"); ++ writePSFmt("%%PageOrientation: {0:s}\n", ++ landscape ? "Landscape" : "Portrait"); ++ if ((width != prevWidth) || (height != prevHeight)) { ++ // Set page size only when it actually changes, as otherwise Duplex ++ // printing does not work ++ writePSFmt("<> setpagedevice\n", width, height); ++ prevWidth = width; ++ prevHeight = height; ++ } ++ writePS("pdfStartPage\n"); ++ writePSFmt("{0:d} {1:d} {2:d} {3:d} re W\n", x1, y1, x2 - x1, y2 - y1); ++ writePS("%%EndPageSetup\n"); ++ ++seqPage; ++ break; ++ + case psModePS: + // rotate, translate, and scale page + imgWidth = imgURX - imgLLX; +diff -Nur -x '*.orig' -x '*~' poppler-0.11.0/poppler/PSOutputDev.h poppler-0.11.0.new/poppler/PSOutputDev.h +--- poppler-0.11.0/poppler/PSOutputDev.h 2009-05-11 19:59:09.000000000 +0200 ++++ poppler-0.11.0.new/poppler/PSOutputDev.h 2009-06-22 16:40:04.000000000 +0200 +@@ -53,7 +53,8 @@ + enum PSOutMode { + psModePS, + psModeEPS, +- psModeForm ++ psModeForm, ++ psModePSOrigPageSizes + }; + + enum PSFileType { +@@ -333,6 +334,10 @@ + PSOutMode mode; // PostScript mode (PS, EPS, form) + int paperWidth; // width of paper, in pts + int paperHeight; // height of paper, in pts ++ int prevWidth; // width of previous page ++ // (only psModePSOrigPageSizes output mode) ++ int prevHeight; // height of previous page ++ // (only psModePSOrigPageSizes output mode) + int imgLLX, imgLLY, // imageable area, in pts + imgURX, imgURY; + GBool preload; // load all images into memory, and +diff -Nur -x '*.orig' -x '*~' poppler-0.11.0/utils/pdftops.cc poppler-0.11.0.new/utils/pdftops.cc +--- poppler-0.11.0/utils/pdftops.cc 2008-11-08 20:00:30.000000000 +0100 ++++ poppler-0.11.0.new/utils/pdftops.cc 2009-06-22 16:39:56.000000000 +0200 +@@ -74,6 +74,7 @@ + static GBool level2Sep = gFalse; + static GBool level3 = gFalse; + static GBool level3Sep = gFalse; ++static GBool doOrigPageSizes = gFalse; + static GBool doEPS = gFalse; + static GBool doForm = gFalse; + #if OPI_SUPPORT +@@ -115,6 +116,8 @@ + "generate Level 3 PostScript"}, + {"-level3sep", argFlag, &level3Sep, 0, + "generate Level 3 separable PostScript"}, ++ {"-origpagesizes",argFlag, &doOrigPageSizes,0, ++ "conserve original page sizes"}, + {"-eps", argFlag, &doEPS, 0, + "generate Encapsulated PostScript (EPS)"}, + {"-form", argFlag, &doForm, 0, +@@ -202,8 +205,10 @@ + fprintf(stderr, "Error: use only one of the 'level' options.\n"); + exit(1); + } +- if (doEPS && doForm) { +- fprintf(stderr, "Error: use only one of -eps and -form\n"); ++ if ((doOrigPageSizes ? 1 : 0) + ++ (doEPS ? 1 : 0) + ++ (doForm ? 1 : 0) > 1) { ++ fprintf(stderr, "Error: use only one of -origpagesizes, -eps, and -form\n"); + exit(1); + } + if (level1) { +@@ -223,9 +228,10 @@ + fprintf(stderr, "Error: forms are only available with Level 2 output.\n"); + exit(1); + } +- mode = doEPS ? psModeEPS +- : doForm ? psModeForm +- : psModePS; ++ mode = doOrigPageSizes ? psModePSOrigPageSizes ++ : doEPS ? psModeEPS ++ : doForm ? psModeForm ++ : psModePS; + fileName = new GooString(argv[1]); + + // read config file --- poppler-0.10.5.orig/debian/patches/10_jpxstream_int_crash.patch +++ poppler-0.10.5/debian/patches/10_jpxstream_int_crash.patch @@ -0,0 +1,13 @@ +FreeDesktop #5667; fixes crash on 64-bits arches + +--- poppler-0.8.6/poppler/JPXStream.h 2008-03-26 20:38:52.000000000 +0100 ++++ poppler-0.8.6.new/poppler/JPXStream.h 2008-08-20 14:21:34.000000000 +0200 +@@ -212,7 +212,7 @@ + + //----- computed + Guint x0, y0, x1, y1; // bounds of the tile-comp, in ref coords +- Guint cbW; // code-block width ++ int cbW; // code-block width + Guint cbH; // code-block height + + //----- image data --- poppler-0.10.5.orig/debian/patches/25_poppler-ps-output-broken-binary-encoding-fix.patch +++ poppler-0.10.5/debian/patches/25_poppler-ps-output-broken-binary-encoding-fix.patch @@ -0,0 +1,23 @@ +diff -Nur -x '*.orig' -x '*~' poppler-0.11.0/poppler/PSOutputDev.cc poppler-0.11.0.new/poppler/PSOutputDev.cc +--- poppler-0.11.0/poppler/PSOutputDev.cc 2009-06-04 18:20:49.000000000 +0200 ++++ poppler-0.11.0.new/poppler/PSOutputDev.cc 2009-06-04 18:21:22.000000000 +0200 +@@ -2705,6 +2705,9 @@ + } + ++col; + } ++ if (c == (useASCIIHex ? '>' : '~') || c == EOF) { ++ break; ++ } + } + if (col > 225) { + ++size; +@@ -2756,6 +2759,9 @@ + writePSChar(c); + ++col; + } ++ if (c == (useASCIIHex ? '>' : '~') || c == EOF) { ++ break; ++ } + } + // each line is: "dup nnnnn <~...data...~> put" + // so max data length = 255 - 20 = 235 --- poppler-0.10.5.orig/debian/patches/11_security_jbig2.patch +++ poppler-0.10.5/debian/patches/11_security_jbig2.patch @@ -0,0 +1,788 @@ +# +# Description: fix denial of service and possible code execution from +# multiple integer and buffer overflows, and other issues with +# JBIG2 decoding. +# Patch: Based on Albert Astals Cid's poppler patch +# +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/CairoOutputDev.cc poppler-0.10.5.new/poppler/CairoOutputDev.cc +--- poppler-0.10.5/poppler/CairoOutputDev.cc 2009-02-25 13:40:06.000000000 -0500 ++++ poppler-0.10.5.new/poppler/CairoOutputDev.cc 2009-04-08 19:00:38.000000000 -0400 +@@ -1605,7 +1605,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn (width, height * 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/JBIG2Stream.cc poppler-0.10.5.new/poppler/JBIG2Stream.cc +--- poppler-0.10.5/poppler/JBIG2Stream.cc 2009-02-25 16:42:16.000000000 -0500 ++++ poppler-0.10.5.new/poppler/JBIG2Stream.cc 2009-04-08 19:00:38.000000000 -0400 +@@ -438,12 +438,14 @@ + table[i] = table[len]; + + // assign prefixes +- i = 0; +- prefix = 0; +- table[i++].prefix = prefix++; +- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { +- prefix <<= table[i].prefixLen - table[i-1].prefixLen; +- table[i].prefix = prefix++; ++ if (table[0].rangeLen != jbig2HuffmanEOT) { ++ i = 0; ++ prefix = 0; ++ table[i++].prefix = prefix++; ++ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { ++ prefix <<= table[i].prefixLen - table[i-1].prefixLen; ++ table[i].prefix = prefix++; ++ } + } + } + +@@ -507,7 +509,7 @@ + } + if (p->bits < 0) { + error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); +- return 0; ++ return EOF; + } + bufLen -= p->bits; + return p->n; +@@ -779,6 +781,8 @@ + inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { + if (y < 0 || y >= h || x >= w) { + ptr->p = NULL; ++ ptr->shift = 0; // make gcc happy ++ ptr->x = 0; // make gcc happy + } else if (x < 0) { + ptr->p = &data[y * line]; + ptr->shift = 7; +@@ -823,6 +827,10 @@ + Guint src0, src1, src, dest, s1, s2, m1, m2, m3; + GBool oneByte; + ++ // check for the pathological case where y = -2^31 ++ if (y < -0x7fffffff) { ++ return; ++ } + if (y < 0) { + y0 = -y; + } else { +@@ -1325,6 +1333,13 @@ + // keep track of the start of the segment data + segDataPos = getPos(); + ++ // check for missing page information segment ++ if (!pageBitmap && ((segType >= 4 && segType <= 7) || ++ (segType >= 20 && segType <= 43))) { ++ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); ++ goto syntaxError; ++ } ++ + // read the segment data + switch (segType) { + case 0: +@@ -1479,6 +1494,8 @@ + Guint i, j, k; + Guchar *p; + ++ symWidths = NULL; ++ + // symbol dictionary flags + if (!readUWord(&flags)) { + goto eofError; +@@ -1539,7 +1556,13 @@ + // part of it + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { +- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); ++ j = ((JBIG2SymbolDict *)seg)->getSize(); ++ if (numInputSyms > UINT_MAX - j) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } ++ numInputSyms += j; + } else if (seg->getType() == jbig2SegCodeTable) { + codeTables->append(seg); + } +@@ -1548,13 +1571,18 @@ + return gFalse; + } + } ++ if (numInputSyms > UINT_MAX - numNewSyms) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } + + // compute symbol code length +- symCodeLen = 0; +- i = 1; +- while (i < numInputSyms + numNewSyms) { ++ symCodeLen = 1; ++ i = (numInputSyms + numNewSyms) >> 1; ++ while (i) { + ++symCodeLen; +- i <<= 1; ++ i >>= 1; + } + + // get the input symbol bitmaps +@@ -1585,6 +1613,9 @@ + } else if (huffDH == 1) { + huffDHTable = huffTableE; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDW == 0) { +@@ -1592,17 +1623,26 @@ + } else if (huffDW == 1) { + huffDWTable = huffTableC; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffBMSize == 0) { + huffBMSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffBMSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffAggInst == 0) { + huffAggInstTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffAggInstTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -1635,7 +1675,6 @@ + } + + // allocate symbol widths storage +- symWidths = NULL; + if (huff && !refAgg) { + symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); + } +@@ -1677,6 +1716,10 @@ + goto syntaxError; + } + symWidth += dw; ++ if (i >= numNewSyms) { ++ error(getPos(), "Too many symbols in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + + // using a collective bitmap, so don't read a bitmap here + if (huff && !refAgg) { +@@ -1713,6 +1756,10 @@ + arithDecoder->decodeInt(&refDX, iardxStats); + arithDecoder->decodeInt(&refDY, iardyStats); + } ++ if (symID >= numInputSyms + i) { ++ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + refBitmap = bitmaps[symID]; + bitmaps[numInputSyms + i] = + readGenericRefinementRegion(symWidth, symHeight, +@@ -1779,6 +1826,13 @@ + } else { + arithDecoder->decodeInt(&run, iaexStats); + } ++ if (i + run > numInputSyms + numNewSyms || ++ (ex && j + run > numExSyms)) { ++ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary"); ++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL); ++ delete symbolDict; ++ goto syntaxError; ++ } + if (ex) { + for (cnt = 0; cnt < run; ++cnt) { + symbolDict->setBitmap(j++, bitmaps[i++]->copy()); +@@ -1788,10 +1842,11 @@ + } + ex = !ex; + } +- for ( ; j < numExSyms; ++j) { +- // this should never happen but happens on PDF we don't parse +- // correctly like bug #19702 +- symbolDict->setBitmap(j, NULL); ++ if (j != numExSyms) { ++ error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); ++ for ( ; j < numExSyms; ++j) symbolDict->setBitmap(j, NULL); ++ delete symbolDict; ++ goto syntaxError; + } + + for (i = 0; i < numNewSyms; ++i) { +@@ -1815,6 +1870,10 @@ + + return gTrue; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 symbol dictionary"); ++ delete codeTables; ++ + syntaxError: + for (i = 0; i < numNewSyms; ++i) { + if (bitmaps[numInputSyms + i]) { +@@ -1917,6 +1976,8 @@ + } + } else { + error(getPos(), "Invalid segment reference in JBIG2 text region"); ++ delete codeTables; ++ return; + } + } + symCodeLen = 0; +@@ -1951,6 +2012,9 @@ + } else if (huffFS == 1) { + huffFSTable = huffTableG; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDS == 0) { +@@ -1960,6 +2024,9 @@ + } else if (huffDS == 2) { + huffDSTable = huffTableJ; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDT == 0) { +@@ -1969,6 +2036,9 @@ + } else if (huffDT == 2) { + huffDTTable = huffTableM; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDW == 0) { +@@ -1976,6 +2046,9 @@ + } else if (huffRDW == 1) { + huffRDWTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDH == 0) { +@@ -1983,6 +2056,9 @@ + } else if (huffRDH == 1) { + huffRDHTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDX == 0) { +@@ -1990,6 +2066,9 @@ + } else if (huffRDX == 1) { + huffRDXTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDY == 0) { +@@ -1997,11 +2076,17 @@ + } else if (huffRDY == 1) { + huffRDYTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRSize == 0) { + huffRSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -2098,8 +2183,15 @@ + + return; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 text region"); ++ gfree(codeTables); ++ delete syms; ++ return; ++ + eofError: + error(getPos(), "Unexpected EOF in JBIG2 stream"); ++ return; + } + + JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, +@@ -2134,6 +2226,10 @@ + + // allocate the bitmap + bitmap = new JBIG2Bitmap(0, w, h); ++ if (!bitmap->isOk()) { ++ delete bitmap; ++ return NULL; ++ } + if (defPixel) { + bitmap->clearToOne(); + } else { +@@ -2226,7 +2322,7 @@ + decodeSuccess = decodeSuccess && arithDecoder->decodeInt(&rdy, iardyStats); + } + +- if (decodeSuccess) ++ if (decodeSuccess && syms[symID]) + { + refDX = ((rdw >= 0) ? rdw : rdw - 1) / 2 + rdx; + refDY = ((rdh >= 0) ? rdh : rdh - 1) / 2 + rdy; +@@ -2577,7 +2673,9 @@ + + // read the bitmap + bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, +- NULL, atx, aty, mmr ? 0 : length - 18); ++ NULL, atx, aty, mmr ? length - 18 : 0); ++ if (!bitmap) ++ return; + + // combine the region bitmap into the page bitmap + if (imm) { +@@ -2599,6 +2697,43 @@ + error(getPos(), "Unexpected EOF in JBIG2 stream"); + } + ++inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ ++inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } else if (a1 < codingLine[*a0i]) { ++ if (a1 < 0) { ++ error(getPos(), "Invalid JBIG2 MMR code"); ++ a1 = 0; ++ } ++ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) { ++ --*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ + JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, +@@ -2611,9 +2746,13 @@ + JBIG2BitmapPtr atPtr0 = {0}, atPtr1 = {0}, atPtr2 = {0}, atPtr3 = {0}; + int *refLine, *codingLine; + int code1, code2, code3; +- int x, y, a0, pix, i, refI, codingI; ++ int x, y, a0i, b1i, blackPixels, pix, i; + + bitmap = new JBIG2Bitmap(0, w, h); ++ if (!bitmap->isOk()) { ++ delete bitmap; ++ return NULL; ++ } + bitmap->clearToZero(); + + //----- MMR decode +@@ -2621,9 +2760,18 @@ + if (mmr) { + + mmrDecoder->reset(); ++ if (w > INT_MAX - 2) { ++ error(getPos(), "Bad width in JBIG2 generic bitmap"); ++ // force a call to gmalloc(-1), which will throw an exception ++ w = -3; ++ } ++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w ++ // ---> max codingLine size = w + 1 ++ // refLine has one extra guard entry at the end ++ // ---> max refLine size = w + 2 ++ codingLine = (int *)gmallocn(w + 1, sizeof(int)); + refLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine[0] = codingLine[1] = w; ++ codingLine[0] = w; + + for (y = 0; y < h; ++y) { + +@@ -2631,128 +2779,157 @@ + for (i = 0; codingLine[i] < w; ++i) { + refLine[i] = codingLine[i]; + } +- refLine[i] = refLine[i + 1] = w; ++ refLine[i++] = w; ++ refLine[i] = w; + + // decode a line +- refI = 0; // b1 = refLine[refI] +- codingI = 0; // a1 = codingLine[codingI] +- a0 = 0; +- do { ++ codingLine[0] = 0; ++ a0i = 0; ++ b1i = 0; ++ blackPixels = 0; ++ // invariant: ++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w ++ // exception at left edge: ++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible ++ // exception at right edge: ++ // refLine[b1i] = refLine[b1i+1] = w is possible ++ while (codingLine[a0i] < w) { + code1 = mmrDecoder->get2DCode(); + switch (code1) { + case twoDimPass: +- if (refLine[refI] < w) { +- a0 = refLine[refI + 1]; +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w); ++ if (refLine[b1i + 1] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimHoriz: +- if (codingI & 1) { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- } else { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- } +- if (code1 > 0 || code2 > 0) { +- a0 = codingLine[codingI++] = a0 + code1; +- a0 = codingLine[codingI++] = a0 + code2; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVert0: +- a0 = codingLine[codingI++] = refLine[refI]; +- if (refLine[refI] < w) { +- ++refI; +- } +- break; +- case twoDimVertR1: +- a0 = codingLine[codingI++] = refLine[refI] + 1; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertR2: +- a0 = codingLine[codingI++] = refLine[refI] + 2; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; ++ code1 = code2 = 0; ++ if (blackPixels) { ++ do { ++ code1 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ } else { ++ do { ++ code1 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ } ++ mmrAddPixels(codingLine[a0i] + code1, blackPixels, ++ codingLine, &a0i, w); ++ if (codingLine[a0i] < w) { ++ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1, ++ codingLine, &a0i, w); ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimVertR3: +- a0 = codingLine[codingI++] = refLine[refI] + 3; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertL1: +- a0 = codingLine[codingI++] = refLine[refI] - 1; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; +- case twoDimVertL2: +- a0 = codingLine[codingI++] = refLine[refI] - 2; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR2: ++ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR1: ++ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVert0: ++ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; + case twoDimVertL3: +- a0 = codingLine[codingI++] = refLine[refI] - 3; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL2: ++ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL1: ++ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case EOF: ++ mmrAddPixels(w, 0, codingLine, &a0i, w); ++ break; + default: + error(getPos(), "Illegal code in JBIG2 MMR bitmap data"); ++ mmrAddPixels(w, 0, codingLine, &a0i, w); + break; + } +- } while (a0 < w); +- codingLine[codingI++] = w; ++ } + + // convert the run lengths to a bitmap line + i = 0; +- while (codingLine[i] < w) { ++ while (1) { + for (x = codingLine[i]; x < codingLine[i+1]; ++x) { + bitmap->setPixel(x, y); + } ++ if (codingLine[i+1] >= w || codingLine[i+2] >= w) { ++ break; ++ } + i += 2; + } + } +@@ -2800,7 +2977,9 @@ + ltp = !ltp; + } + if (ltp) { +- bitmap->duplicateRow(y, y-1); ++ if (y > 0) { ++ bitmap->duplicateRow(y, y-1); ++ } + continue; + } + } +@@ -3111,6 +3290,10 @@ + tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); ++ } else { ++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy ++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; ++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; + } + + for (x = 0; x < w; ++x) { +@@ -3182,6 +3365,10 @@ + tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); ++ } else { ++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy ++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; ++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; + } + + for (x = 0; x < w; ++x) { +@@ -3247,6 +3434,12 @@ + } + pageBitmap = new JBIG2Bitmap(0, pageW, curPageH); + ++ if (!pageBitmap->isOk()) { ++ delete pageBitmap; ++ pageBitmap = NULL; ++ return; ++ } ++ + // default pixel value + if (pageDefPixel) { + pageBitmap->clearToOne(); +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/JBIG2Stream.h poppler-0.10.5.new/poppler/JBIG2Stream.h +--- poppler-0.10.5/poppler/JBIG2Stream.h 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/poppler/JBIG2Stream.h 2009-04-08 19:00:38.000000000 -0400 +@@ -76,6 +76,10 @@ + Guint *refSegs, Guint nRefSegs); + void readGenericRegionSeg(Guint segNum, GBool imm, + GBool lossless, Guint length); ++ void mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); ++ void mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); + JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/SplashBitmap.cc poppler-0.10.5.new/splash/SplashBitmap.cc +--- poppler-0.10.5/splash/SplashBitmap.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/splash/SplashBitmap.cc 2009-04-08 19:00:38.000000000 -0400 +@@ -62,7 +62,7 @@ + } + rowSize += rowPad - 1; + rowSize -= rowSize % rowPad; +- data = (SplashColorPtr)gmalloc(rowSize * height); ++ data = (SplashColorPtr)gmallocn(rowSize, height); + if (!topDown) { + data += (height - 1) * rowSize; + rowSize = -rowSize; --- poppler-0.10.5.orig/debian/patches/32_security_CVE-2009-3607.patch +++ poppler-0.10.5/debian/patches/32_security_CVE-2009-3607.patch @@ -0,0 +1,55 @@ +# +# Description: fix denial of service or arbitrary code execution via +# overflow in create_surface_from_thumbnail_data +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706092583f6b12ed3cc634bf5af34b7a2bb +# +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/glib/poppler-page.cc poppler-0.10.5.new/glib/poppler-page.cc +--- poppler-0.10.5/glib/poppler-page.cc 2009-10-20 09:25:59.000000000 -0400 ++++ poppler-0.10.5.new/glib/poppler-page.cc 2009-10-20 09:26:21.000000000 -0400 +@@ -575,28 +575,28 @@ + gint rowstride) + { + guchar *cairo_pixels; ++ gint cairo_stride; + cairo_surface_t *surface; +- static cairo_user_data_key_t key; + int j; + +- cairo_pixels = (guchar *)g_malloc (4 * width * height); +- surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels, +- CAIRO_FORMAT_RGB24, +- width, height, 4 * width); +- cairo_surface_set_user_data (surface, &key, +- cairo_pixels, (cairo_destroy_func_t)g_free); ++ surface = cairo_image_surface_create (CAIRO_FORMAT_RGB24, width, height); ++ if (cairo_surface_status (surface)) ++ return NULL; ++ ++ cairo_pixels = cairo_image_surface_get_data (surface); ++ cairo_stride = cairo_image_surface_get_stride (surface); + + for (j = height; j; j--) { + guchar *p = data; + guchar *q = cairo_pixels; + guchar *end = p + 3 * width; +- ++ + while (p < end) { + #if G_BYTE_ORDER == G_LITTLE_ENDIAN + q[0] = p[2]; + q[1] = p[1]; + q[2] = p[0]; +-#else ++#else + q[1] = p[0]; + q[2] = p[1]; + q[3] = p[2]; +@@ -606,7 +606,7 @@ + } + + data += rowstride; +- cairo_pixels += 4 * width; ++ cairo_pixels += cairo_stride; + } + + return surface; --- poppler-0.10.5.orig/debian/patches/31_security_CVE-2009-360x.patch +++ poppler-0.10.5/debian/patches/31_security_CVE-2009-360x.patch @@ -0,0 +1,195 @@ +# +# Description: fix multiple overflows +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=1082e1671afd8ab91583dabc876304008acb021c +# +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/Stream.cc poppler-0.10.5.new/poppler/Stream.cc +--- poppler-0.10.5/poppler/Stream.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/poppler/Stream.cc 2009-10-19 09:34:32.000000000 -0400 +@@ -403,6 +403,10 @@ + } else { + imgLineSize = nVals; + } ++ if (width > INT_MAX / nComps) { ++ // force a call to gmallocn(-1,...), which will throw an exception ++ imgLineSize = -1; ++ } + imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); + imgIdx = nVals; + } +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/XRef.cc poppler-0.10.5.new/poppler/XRef.cc +--- poppler-0.10.5/poppler/XRef.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/poppler/XRef.cc 2009-10-19 09:34:32.000000000 -0400 +@@ -76,6 +76,8 @@ + // generation 0. + ObjectStream(XRef *xref, int objStrNumA); + ++ GBool isOk() { return ok; } ++ + ~ObjectStream(); + + // Return the object number of this object stream. +@@ -91,6 +93,7 @@ + int nObjects; // number of objects in the stream + Object *objs; // the objects (length = nObjects) + int *objNums; // the object numbers (length = nObjects) ++ GBool ok; + }; + + ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { +@@ -104,6 +107,7 @@ + nObjects = 0; + objs = NULL; + objNums = NULL; ++ ok = gFalse; + + if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) { + goto err1; +@@ -129,8 +133,11 @@ + goto err1; + } + +- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) { +- error(-1, "Invalid 'nObjects'"); ++ // this is an arbitrary limit to avoid integer overflow problems ++ // in the 'new Object[nObjects]' call (Acrobat apparently limits ++ // object streams to 100-200 objects) ++ if (nObjects > 1000000) { ++ error(-1, "Too many objects in an object stream"); + goto err1; + } + +@@ -190,10 +197,10 @@ + } + + gfree(offsets); ++ ok = gTrue; + + err1: + objStr.free(); +- return; + } + + ObjectStream::~ObjectStream() { +@@ -970,6 +977,11 @@ + delete objStr; + } + objStr = new ObjectStream(this, e->offset); ++ if (!objStr->isOk()) { ++ delete objStr; ++ objStr = NULL; ++ goto err; ++ } + } + objStr->getObject(e->gen, num, obj); + break; +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/SplashBitmap.cc poppler-0.10.5.new/splash/SplashBitmap.cc +--- poppler-0.10.5/splash/SplashBitmap.cc 2009-10-19 09:34:12.000000000 -0400 ++++ poppler-0.10.5.new/splash/SplashBitmap.cc 2009-10-19 09:34:32.000000000 -0400 +@@ -26,6 +26,7 @@ + #endif + + #include ++#include + #include "goo/gmem.h" + #include "SplashErrorCodes.h" + #include "SplashBitmap.h" +@@ -42,26 +43,48 @@ + mode = modeA; + switch (mode) { + case splashModeMono1: +- rowSize = (width + 7) >> 3; ++ if (width > 0) { ++ rowSize = (width + 7) >> 3; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeMono8: +- rowSize = width; ++ if (width > 0) { ++ rowSize = width; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeRGB8: + case splashModeBGR8: +- rowSize = width * 3; ++ if (width > 0 && width <= INT_MAX / 3) { ++ rowSize = width * 3; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeXBGR8: +- rowSize = width * 4; ++ if (width > 0 && width <= INT_MAX / 4) { ++ rowSize = width * 4; ++ } else { ++ rowSize = -1; ++ } + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- rowSize = width * 4; ++ if (width > 0 && width <= INT_MAX / 4) { ++ rowSize = width * 4; ++ } else { ++ rowSize = -1; ++ } + break; + #endif + } +- rowSize += rowPad - 1; +- rowSize -= rowSize % rowPad; ++ if (rowSize > 0) { ++ rowSize += rowPad - 1; ++ rowSize -= rowSize % rowPad; ++ } + data = (SplashColorPtr)gmallocn(rowSize, height); + if (!topDown) { + data += (height - 1) * rowSize; +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/Splash.cc poppler-0.10.5.new/splash/Splash.cc +--- poppler-0.10.5/splash/Splash.cc 2009-10-19 09:34:12.000000000 -0400 ++++ poppler-0.10.5.new/splash/Splash.cc 2009-10-19 09:34:32.000000000 -0400 +@@ -27,6 +27,7 @@ + + #include + #include ++#include + #include "goo/gmem.h" + #include "SplashErrorCodes.h" + #include "SplashMath.h" +@@ -2001,6 +2002,9 @@ + xq = w % scaledWidth; + + // allocate pixel buffer ++ if (yp < 0 || yp > INT_MAX - 1) { ++ return splashErrBadArg; ++ } + pixBuf = (SplashColorPtr)gmallocn((yp + 1), w); + + // initialize the pixel pipe +@@ -2301,6 +2305,9 @@ + xq = w % scaledWidth; + + // allocate pixel buffers ++ if (yp < 0 || yp > INT_MAX - 1) { ++ return splashErrBadArg; ++ } + colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps); + if (srcAlpha) { + alphaBuf = (Guchar *)gmallocn((yp + 1), w); +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/SplashErrorCodes.h poppler-0.10.5.new/splash/SplashErrorCodes.h +--- poppler-0.10.5/splash/SplashErrorCodes.h 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/splash/SplashErrorCodes.h 2009-10-19 09:34:32.000000000 -0400 +@@ -41,6 +41,8 @@ + + #define splashErrSingularMatrix 8 // matrix is singular + +-#define splashErrZeroImage 9 // image of 0x0 ++#define splashErrBadArg 9 // bad argument ++ ++#define splashErrZeroImage 254 // image of 0x0 + + #endif --- poppler-0.10.5.orig/debian/patches/30_security_CVE-2009-3605.patch +++ poppler-0.10.5/debian/patches/30_security_CVE-2009-3605.patch @@ -0,0 +1,367 @@ +# +# Description: fix unsafe malloc usage +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb22f812b31858e519411f57747d39bd8 +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=0131f0a01cba8691d10a18de1137a4744988b346 +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=7b2d314a61fd0e12f47c62996cb49ec0d1ba747a +# Patch: http://cgit.freedesktop.org/poppler/poppler/commit/?id=284a92899602daa4a7f429e61849e794569310b5 +# +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/glib/poppler-page.cc poppler-0.10.5.new/glib/poppler-page.cc +--- poppler-0.10.5/glib/poppler-page.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/glib/poppler-page.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -291,7 +291,7 @@ + + output_dev = page->document->output_dev; + cairo_rowstride = cairo_width * 4; +- cairo_data = (guchar *) gmalloc (cairo_height * cairo_rowstride); ++ cairo_data = (guchar *) gmallocn (cairo_height, cairo_rowstride); + if (transparent) + memset (cairo_data, 0x00, cairo_height * cairo_rowstride); + else +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/goo/gmem.cc poppler-0.10.5.new/goo/gmem.cc +--- poppler-0.10.5/goo/gmem.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/goo/gmem.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -206,6 +206,32 @@ + return gmalloc(n); + } + ++void *gmallocn3(int a, int b, int c) GMEM_EXCEP { ++ int n = a * b; ++ if (b <= 0 || a < 0 || a >= INT_MAX / b) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ exit(1); ++#endif ++ } ++ return gmallocn(n, c); ++} ++ ++void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP { ++ int n = a * b; ++ if (b <= 0 || a < 0 || a >= INT_MAX / b) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ return NULL; ++#endif ++ } ++ return gmallocn_checkoverflow(n, c); ++} ++ + void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP { + int n; + +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/goo/gmem.h poppler-0.10.5.new/goo/gmem.h +--- poppler-0.10.5/goo/gmem.h 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/goo/gmem.h 2009-10-19 09:32:36.000000000 -0400 +@@ -70,6 +70,8 @@ + */ + extern void *gmallocn(int nObjs, int objSize) GMEM_EXCEP; + extern void *gmallocn_checkoverflow(int nObjs, int objSize) GMEM_EXCEP; ++extern void *gmallocn3(int a, int b, int c) GMEM_EXCEP; ++extern void *gmallocn3_checkoverflow(int a, int b, int c) GMEM_EXCEP; + extern void *greallocn(void *p, int nObjs, int objSize) GMEM_EXCEP; + extern void *greallocn_checkoverflow(void *p, int nObjs, int objSize) GMEM_EXCEP; + +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/ArthurOutputDev.cc poppler-0.10.5.new/poppler/ArthurOutputDev.cc +--- poppler-0.10.5/poppler/ArthurOutputDev.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/poppler/ArthurOutputDev.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -751,7 +751,7 @@ + QMatrix matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn3(width, height, 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/CairoOutputDev.cc poppler-0.10.5.new/poppler/CairoOutputDev.cc +--- poppler-0.10.5/poppler/CairoOutputDev.cc 2009-10-19 09:32:20.000000000 -0400 ++++ poppler-0.10.5.new/poppler/CairoOutputDev.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -550,7 +550,7 @@ + if (!currentFont) + return; + +- glyphs = (cairo_glyph_t *) gmalloc (len * sizeof (cairo_glyph_t)); ++ glyphs = (cairo_glyph_t *) gmallocn (len, sizeof (cairo_glyph_t)); + glyphCount = 0; + } + +@@ -1007,7 +1007,7 @@ + int row_stride; + + row_stride = (width + 3) & ~3; +- buffer = (unsigned char *) malloc (height * row_stride); ++ buffer = (unsigned char *) gmallocn (height, row_stride); + if (buffer == NULL) { + error(-1, "Unable to allocate memory for image."); + return; +@@ -1171,7 +1171,7 @@ + invert_bit = invert ? 1 : 0; + + row_stride = (scaledWidth + 3) & ~3; +- buffer = (unsigned char *) malloc (scaledHeight * row_stride); ++ buffer = (unsigned char *) gmallocn (scaledHeight, row_stride); + if (buffer == NULL) { + error(-1, "Unable to allocate memory for image."); + return; +@@ -1361,7 +1361,7 @@ + + int row_stride = (maskWidth + 3) & ~3; + unsigned char *maskBuffer; +- maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight); ++ maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight); + unsigned char *maskDest; + cairo_surface_t *maskImage; + cairo_pattern_t *maskPattern; +@@ -1397,7 +1397,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +@@ -1486,7 +1486,7 @@ + + int row_stride = (maskWidth + 3) & ~3; + unsigned char *maskBuffer; +- maskBuffer = (unsigned char *)gmalloc (row_stride * maskHeight); ++ maskBuffer = (unsigned char *)gmallocn (row_stride, maskHeight); + unsigned char *maskDest; + cairo_surface_t *maskImage; + cairo_pattern_t *maskPattern; +@@ -1513,7 +1513,7 @@ + cairo_matrix_t maskMatrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmalloc (width * height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +@@ -1605,7 +1605,7 @@ + cairo_matrix_t matrix; + int is_identity_transform; + +- buffer = (unsigned char *)gmallocn (width, height * 4); ++ buffer = (unsigned char *)gmallocn3 (width, height, 4); + + /* TODO: Do we want to cache these? */ + imgStr = new ImageStream(str, width, +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/GfxState.cc poppler-0.10.5.new/poppler/GfxState.cc +--- poppler-0.10.5/poppler/GfxState.cc 2009-01-31 19:14:58.000000000 -0500 ++++ poppler-0.10.5.new/poppler/GfxState.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -1201,7 +1201,7 @@ + int i, j, n; + + n = base->getNComps(); +- line = (Guchar *) gmalloc (length * n); ++ line = (Guchar *) gmallocn (length, n); + for (i = 0; i < length; i++) + for (j = 0; j < n; j++) + line[i * n + j] = lookup[in[i] * n + j]; +@@ -3424,7 +3424,7 @@ + nComps2 = colorSpace2->getNComps(); + lookup2 = indexedCS->getLookup(); + colorSpace2->getDefaultRanges(x, y, indexHigh); +- byte_lookup = (Guchar *)gmalloc ((maxPixel + 1) * nComps2); ++ byte_lookup = (Guchar *)gmallocn ((maxPixel + 1), nComps2); + for (k = 0; k < nComps2; ++k) { + lookup[k] = (GfxColorComp *)gmallocn(maxPixel + 1, + sizeof(GfxColorComp)); +@@ -3572,7 +3572,7 @@ + switch (colorSpace->getMode()) { + case csIndexed: + case csSeparation: +- tmp_line = (Guchar *) gmalloc (length * nComps2); ++ tmp_line = (Guchar *) gmallocn (length, nComps2); + for (i = 0; i < length; i++) { + for (j = 0; j < nComps2; j++) { + tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j]; +@@ -3602,7 +3602,7 @@ + switch (colorSpace->getMode()) { + case csIndexed: + case csSeparation: +- tmp_line = (Guchar *) gmalloc (length * nComps2); ++ tmp_line = (Guchar *) gmallocn (length, nComps2); + for (i = 0; i < length; i++) { + for (j = 0; j < nComps2; j++) { + tmp_line[i * nComps2 + j] = byte_lookup[in[i] * nComps2 + j]; +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/JBIG2Stream.cc poppler-0.10.5.new/poppler/JBIG2Stream.cc +--- poppler-0.10.5/poppler/JBIG2Stream.cc 2009-10-19 09:32:20.000000000 -0400 ++++ poppler-0.10.5.new/poppler/JBIG2Stream.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -709,7 +709,7 @@ + return; + } + // need to allocate one extra guard byte for use in combine() +- data = (Guchar *)gmalloc(h * line + 1); ++ data = (Guchar *)gmallocn(h, line + 1); + data[h * line] = 0; + } + +@@ -726,7 +726,7 @@ + return; + } + // need to allocate one extra guard byte for use in combine() +- data = (Guchar *)gmalloc(h * line + 1); ++ data = (Guchar *)gmallocn(h, line + 1); + memcpy(data, bitmap->data, h * line); + data[h * line] = 0; + } +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/PSOutputDev.cc poppler-0.10.5.new/poppler/PSOutputDev.cc +--- poppler-0.10.5/poppler/PSOutputDev.cc 2009-10-19 09:32:20.000000000 -0400 ++++ poppler-0.10.5.new/poppler/PSOutputDev.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -2327,7 +2327,7 @@ + if ((ffTT = FoFiTrueType::load(fileName->getCString(), faceIndex))) { + int n = ((GfxCIDFont *)font)->getCIDToGIDLen(); + if (n) { +- codeToGID = (Gushort *)gmalloc(n * sizeof(Gushort)); ++ codeToGID = (Gushort *)gmallocn(n, sizeof(Gushort)); + memcpy(codeToGID, ((GfxCIDFont *)font)->getCIDToGID(), n * sizeof(Gushort)); + } else { + codeToGID = ((GfxCIDFont *)font)->getCodeToGIDMap(ffTT, &n); +@@ -4542,7 +4542,7 @@ + width, -height, height); + + // allocate a line buffer +- lineBuf = (Guchar *)gmalloc(4 * width); ++ lineBuf = (Guchar *)gmallocn(width, 4); + + // set up to process the data stream + imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/poppler/SplashOutputDev.cc poppler-0.10.5.new/poppler/SplashOutputDev.cc +--- poppler-0.10.5/poppler/SplashOutputDev.cc 2009-01-31 19:14:59.000000000 -0500 ++++ poppler-0.10.5.new/poppler/SplashOutputDev.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -2013,7 +2013,7 @@ + break; + case splashModeRGB8: + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2023,7 +2023,7 @@ + } + break; + case splashModeXBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2035,7 +2035,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +@@ -2278,7 +2278,7 @@ + break; + case splashModeRGB8: + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2288,7 +2288,7 @@ + } + break; + case splashModeXBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2300,7 +2300,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +@@ -2421,7 +2421,7 @@ + break; + case splashModeRGB8: + case splashModeBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(3 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 3); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2431,7 +2431,7 @@ + } + break; + case splashModeXBGR8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getRGB(&pix, &rgb); +@@ -2443,7 +2443,7 @@ + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- imgData.lookup = (SplashColorPtr)gmalloc(4 * n); ++ imgData.lookup = (SplashColorPtr)gmallocn(n, 4); + for (i = 0; i < n; ++i) { + pix = (Guchar)i; + colorMap->getCMYK(&pix, &cmyk); +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/SplashBitmap.cc poppler-0.10.5.new/splash/SplashBitmap.cc +--- poppler-0.10.5/splash/SplashBitmap.cc 2009-10-19 09:32:20.000000000 -0400 ++++ poppler-0.10.5.new/splash/SplashBitmap.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -68,7 +68,7 @@ + rowSize = -rowSize; + } + if (alphaA) { +- alpha = (Guchar *)gmalloc(width * height); ++ alpha = (Guchar *)gmallocn(width, height); + } else { + alpha = NULL; + } +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/Splash.cc poppler-0.10.5.new/splash/Splash.cc +--- poppler-0.10.5/splash/Splash.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/splash/Splash.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -2001,7 +2001,7 @@ + xq = w % scaledWidth; + + // allocate pixel buffer +- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w); ++ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w); + + // initialize the pixel pipe + pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha, +@@ -2301,9 +2301,9 @@ + xq = w % scaledWidth; + + // allocate pixel buffers +- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps); ++ colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps); + if (srcAlpha) { +- alphaBuf = (Guchar *)gmalloc((yp + 1) * w); ++ alphaBuf = (Guchar *)gmallocn((yp + 1), w); + } else { + alphaBuf = NULL; + } +diff -Nur -x '*.orig' -x '*~' poppler-0.10.5/splash/SplashFTFont.cc poppler-0.10.5.new/splash/SplashFTFont.cc +--- poppler-0.10.5/splash/SplashFTFont.cc 2008-10-09 16:30:34.000000000 -0400 ++++ poppler-0.10.5.new/splash/SplashFTFont.cc 2009-10-19 09:32:36.000000000 -0400 +@@ -243,7 +243,7 @@ + } else { + rowSize = (bitmap->w + 7) >> 3; + } +- bitmap->data = (Guchar *)gmalloc(rowSize * bitmap->h); ++ bitmap->data = (Guchar *)gmallocn(rowSize, bitmap->h); + bitmap->freeData = gTrue; + for (i = 0, p = bitmap->data, q = slot->bitmap.buffer; + i < bitmap->h;