Fix CVE-2018-19149:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19149
https://gitlab.freedesktop.org/poppler/poppler/issues/664
Patch copied from upstream source repository:
https://gitlab.freedesktop.org/poppler/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44
From f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 Mon Sep 17 00:00:00 2001
From: Marek Kasik <mkasik@redhat.com>
Date: Fri, 20 Apr 2018 11:38:13 +0200
Subject: [PATCH] Fix crash on missing embedded file
Check whether an embedded file is actually present in the PDF and show warning in that case.
https://bugs.freedesktop.org/show_bug.cgi?id=106137
https://gitlab.freedesktop.org/poppler/poppler/issues/236
---
glib/poppler-attachment.cc | 26 +++++++++++++++++---------
glib/poppler-document.cc | 3 ++-
2 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/glib/poppler-attachment.cc b/glib/poppler-attachment.cc
index c6502e9d..11ba5bb5 100644
--- a/glib/poppler-attachment.cc
+++ b/glib/poppler-attachment.cc
@@ -111,17 +111,25 @@ _poppler_attachment_new (FileSpec *emb_file) attachment->description = _poppler_goo_string_to_utf8 (emb_file->getDescription ()); embFile = emb_file->getEmbeddedFile(); - attachment->size = embFile->size (); + if (embFile != NULL && embFile->streamObject()->isStream()) + { + attachment->size = embFile->size (); - if (embFile->createDate ()) - _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); - if (embFile->modDate ()) - _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); + if (embFile->createDate ()) + _poppler_convert_pdf_date_to_gtime (embFile->createDate (), (time_t *)&attachment->ctime); + if (embFile->modDate ()) + _poppler_convert_pdf_date_to_gtime (embFile->modDate (), (time_t *)&attachment->mtime); - if (embFile->checksum () && embFile->checksum ()->getLength () > 0) - attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), - embFile->checksum ()->getLength ()); - priv->obj_stream = embFile->streamObject()->copy(); + if (embFile->checksum () && embFile->checksum ()->getLength () > 0) + attachment->checksum = g_string_new_len (embFile->checksum ()->getCString (), + embFile->checksum ()->getLength ()); + priv->obj_stream = embFile->streamObject()->copy(); + } + else + { + g_warning ("Missing stream object for embedded file"); + g_clear_object (&attachment); + } return attachment; } diff --git a/glib/poppler-document.cc b/glib/poppler-document.cc index 83f6aea6..ea319344 100644 --- a/glib/poppler-document.cc +++ b/glib/poppler-document.cc @@ -670,7 +670,8 @@ poppler_document_get_attachments (PopplerDocument *document) attachment = _poppler_attachment_new (emb_file); delete emb_file; - retval = g_list_prepend (retval, attachment); + if (attachment != NULL) + retval = g_list_prepend (retval, attachment); } return g_list_reverse (retval); } -- 2.19.1
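Review bot: _poppler_attachment_new can now return NULL, because the new else branch runs `g_clear_object (&attachment)` before the final `return attachment;`, and this patch adds a NULL check only at the one call site in glib/poppler-document.cc. Any other caller of this helper, none of which is visible here, would pass the NULL on or dereference it, so each needs the same guard; a comment above the function such as `/* Returns NULL (after a g_warning) when emb_file has no embedded stream object. */` would record the new contract. The re-indented `(time_t *)&attachment->ctime` and `(time_t *)&attachment->mtime` casts also deserve a look: if those fields are narrower than time_t (their type is not shown in this hunk), the conversion writes past the field, and a local `time_t` copied into the field afterwards avoids that. The function starts outside the hunk.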
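Review bot: The new `if (attachment != NULL)` in poppler_document_get_attachments drops entries without any trace at this call site, so the returned list can be shorter than the number of embedded files the enclosing loop walks (the loop header is outside the hunk). Callers that pair this list with a separately obtained attachment count should not assume the two agree, and that is worth stating in the function's documentation. A short comment on the check, for example `/* NULL when the embedded stream is missing; skip the entry */`, would explain why it exists.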