Backport security fixes: CVE-2019-9199, CVE-2019-9687

podofo-0.9.4-freetype.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/CMakeLists.txt podofo-0.9.6-new/CMakeLists.txt
 --- podofo-0.9.6/CMakeLists.txt	2018-07-08 12:33:27.000000000 +0200
-+++ podofo-0.9.6-new/CMakeLists.txt	2018-12-19 22:42:36.833111799 +0100
++++ podofo-0.9.6-new/CMakeLists.txt	2019-03-13 23:15:12.088138762 +0100
 @@ -398,8 +398,8 @@ ENDIF(NOT PODOFO_BUILD_LIB_ONLY)
  
  FIND_PACKAGE(OpenSSL)

podofo.spec

@@ -1,6 +1,6 @@
 Name:           podofo
 Version:        0.9.6
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Tools and libraries to work with the PDF file format
 
 # The library is licensed under the LGPL.
@@ -38,6 +38,12 @@ Patch16:        podofo_CVE-2018-19532.patch
 # Backport patch for CVE-2018-20751
 # https://sourceforge.net/p/podofo/code/1954
 Patch17:        podofo_CVE-2018-20751.patch
+# Backport patch for CVE-2019-9199
+# https://sourceforge.net/p/podofo/code/1971/
+Patch18:        podofo_CVE-2019-9199.patch
+# Backport patch for CVE-2019-9687
+# https://sourceforge.net/p/podofo/code/1969
+Patch19:        podofo_CVE-2019-9687.patch
 
 BuildRequires:  gcc-c++
 %if %{?el7:1}%{!?el7:0}
@@ -149,6 +155,9 @@ find doc/html -exec touch -r %{SOURCE0} {} \;
 
 
 %changelog
+* Wed Mar 13 2019 Sandro Mani <manisandro@gmail.com> - 0.9.6-6
+- Backport security fixes: CVE-2019-9199, CVE-2019-9687
+
 * Tue Feb 05 2019 Sandro Mani <manisandro@gmail.com> - 0.9.6-5
 - Backport security fix for CVE-2018-20751
 

podofo_CVE-2018-11254.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.cpp podofo-0.9.6-new/src/doc/PdfPagesTree.cpp
 --- podofo-0.9.6/src/doc/PdfPagesTree.cpp	2018-02-25 23:36:48.000000000 +0100
-+++ podofo-0.9.6-new/src/doc/PdfPagesTree.cpp	2018-12-19 22:42:36.898106630 +0100
++++ podofo-0.9.6-new/src/doc/PdfPagesTree.cpp	2019-03-13 23:15:12.173138741 +0100
 @@ -51,7 +51,7 @@ PdfPagesTree::PdfPagesTree( PdfVecObject
      : PdfElement( "Pages", pParent ),
        m_cache( 0 )
@@ -634,7 +634,7 @@ diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.cpp podofo-0.9.6-new/src/doc/PdfPag
      }
 diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.h podofo-0.9.6-new/src/doc/PdfPagesTree.h
 --- podofo-0.9.6/src/doc/PdfPagesTree.h	2014-06-15 14:27:46.000000000 +0200
-+++ podofo-0.9.6-new/src/doc/PdfPagesTree.h	2018-12-19 22:42:36.898106630 +0100
++++ podofo-0.9.6-new/src/doc/PdfPagesTree.h	2019-03-13 23:15:12.174138740 +0100
 @@ -190,7 +190,6 @@ class PODOFO_DOC_API PdfPagesTree : publ
      PdfPagesTree();	// don't allow construction from nothing!
  
@@ -645,7 +645,7 @@ diff -rupN podofo-0.9.6/src/doc/PdfPagesTree.h podofo-0.9.6-new/src/doc/PdfPages
  
 diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.cpp podofo-0.9.6-new/test/unit/PagesTreeTest.cpp
 --- podofo-0.9.6/test/unit/PagesTreeTest.cpp	2016-05-12 22:08:20.000000000 +0200
-+++ podofo-0.9.6-new/test/unit/PagesTreeTest.cpp	2018-12-19 22:42:36.899106551 +0100
++++ podofo-0.9.6-new/test/unit/PagesTreeTest.cpp	2019-03-13 23:15:12.174138740 +0100
 @@ -22,6 +22,8 @@
  
  #include <podofo.h>
@@ -903,7 +903,7 @@ diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.cpp podofo-0.9.6-new/test/unit/P
 +}
 diff -rupN podofo-0.9.6/test/unit/PagesTreeTest.h podofo-0.9.6-new/test/unit/PagesTreeTest.h
 --- podofo-0.9.6/test/unit/PagesTreeTest.h	2009-05-08 19:45:52.000000000 +0200
-+++ podofo-0.9.6-new/test/unit/PagesTreeTest.h	2018-12-19 22:42:36.899106551 +0100
++++ podofo-0.9.6-new/test/unit/PagesTreeTest.h	2019-03-13 23:15:12.174138740 +0100
 @@ -21,11 +21,14 @@
  #ifndef _PAGES_TREE_TEST_H_
  #define _PAGES_TREE_TEST_H_

podofo_CVE-2018-11255.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/doc/PdfPage.cpp podofo-0.9.6-new/src/doc/PdfPage.cpp
 --- podofo-0.9.6/src/doc/PdfPage.cpp	2018-03-11 20:40:59.000000000 +0100
-+++ podofo-0.9.6-new/src/doc/PdfPage.cpp	2018-12-19 22:42:36.937103529 +0100
++++ podofo-0.9.6-new/src/doc/PdfPage.cpp	2019-03-13 23:15:12.206138732 +0100
 @@ -595,6 +595,13 @@ unsigned int PdfPage::GetPageNumber() co
              while( it != kids.end() && (*it).GetReference() != ref )
              {

podofo_CVE-2018-11256.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/doc/PdfDocument.cpp podofo-0.9.6-new/src/doc/PdfDocument.cpp
 --- podofo-0.9.6/src/doc/PdfDocument.cpp	2016-11-18 20:08:56.000000000 +0100
-+++ podofo-0.9.6-new/src/doc/PdfDocument.cpp	2018-12-19 22:42:36.969100985 +0100
++++ podofo-0.9.6-new/src/doc/PdfDocument.cpp	2019-03-13 23:15:12.234138725 +0100
 @@ -325,6 +325,12 @@ const PdfDocument & PdfDocument::Append(
          for(int i=0;i<rDoc.GetPageCount();i++ )
          {

podofo_CVE-2018-12982.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/base/PdfDictionary.h podofo-0.9.6-new/src/base/PdfDictionary.h
 --- podofo-0.9.6/src/base/PdfDictionary.h	2018-06-11 01:46:56.000000000 +0200
-+++ podofo-0.9.6-new/src/base/PdfDictionary.h	2018-12-19 22:42:37.000098520 +0100
++++ podofo-0.9.6-new/src/base/PdfDictionary.h	2019-03-13 23:15:12.260138718 +0100
 @@ -180,6 +180,21 @@ class PODOFO_API PdfDictionary : public
       */
      PdfObject* GetKey( const PdfName & key );
@@ -44,7 +44,7 @@ diff -rupN podofo-0.9.6/src/base/PdfDictionary.h podofo-0.9.6-new/src/base/PdfDi
      this->Write( pDevice, eWriteMode, pEncrypt, PdfName::KeyNull ); 
 diff -rupN podofo-0.9.6/src/base/PdfEncrypt.cpp podofo-0.9.6-new/src/base/PdfEncrypt.cpp
 --- podofo-0.9.6/src/base/PdfEncrypt.cpp	2017-02-26 21:48:19.000000000 +0100
-+++ podofo-0.9.6-new/src/base/PdfEncrypt.cpp	2018-12-19 22:42:37.001098440 +0100
++++ podofo-0.9.6-new/src/base/PdfEncrypt.cpp	2019-03-13 23:15:12.260138718 +0100
 @@ -561,13 +561,13 @@ PdfEncrypt* PdfEncrypt::CreatePdfEncrypt
      try {
          PdfString sTmp;

podofo_CVE-2018-14320.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/base/PdfEncoding.cpp podofo-0.9.6-new/src/base/PdfEncoding.cpp
 --- podofo-0.9.6/src/base/PdfEncoding.cpp	2017-04-28 18:49:01.000000000 +0200
-+++ podofo-0.9.6-new/src/base/PdfEncoding.cpp	2018-12-19 22:42:37.033095901 +0100
++++ podofo-0.9.6-new/src/base/PdfEncoding.cpp	2019-03-13 23:15:12.294138709 +0100
 @@ -285,6 +285,12 @@ void PdfEncoding::ParseToUnicode()
              
              if (strcmp (streamToken, "beginbfrange") == 0)
@@ -29,7 +29,7 @@ diff -rupN podofo-0.9.6/src/base/PdfEncoding.cpp podofo-0.9.6-new/src/base/PdfEn
                  stkToken.pop ();
 diff -rupN podofo-0.9.6/test/unit/EncodingTest.cpp podofo-0.9.6-new/test/unit/EncodingTest.cpp
 --- podofo-0.9.6/test/unit/EncodingTest.cpp	2018-03-10 18:01:08.000000000 +0100
-+++ podofo-0.9.6-new/test/unit/EncodingTest.cpp	2018-12-19 22:42:37.033095901 +0100
++++ podofo-0.9.6-new/test/unit/EncodingTest.cpp	2019-03-13 23:15:12.294138709 +0100
 @@ -359,6 +359,57 @@ void EncodingTest::testToUnicodeParse()
  #endif
          CPPUNIT_ASSERT_EQUAL( expects, unicodeStr[ii] );

podofo_CVE-2018-19532.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp
 --- podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp	2016-11-18 20:08:56.000000000 +0100
-+++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp	2018-12-19 22:42:37.061093680 +0100
++++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp	2019-03-13 23:15:12.323138702 +0100
 @@ -256,7 +256,13 @@ namespace PoDoFo
  				PdfPage * page = sourceDoc->GetPage ( i );
  				PdfMemoryOutputStream outMemStream ( 1 );

podofo_CVE-2018-20751.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/tools/podofocrop/podofocrop.cpp podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp
 --- podofo-0.9.6/tools/podofocrop/podofocrop.cpp	2016-11-18 20:08:56.000000000 +0100
-+++ podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp	2019-02-05 15:10:16.723460528 +0100
++++ podofo-0.9.6-new/tools/podofocrop/podofocrop.cpp	2019-03-13 23:15:12.352138694 +0100
 @@ -61,6 +61,11 @@ void crop_page( PdfPage* pPage, const Pd
             rCropBox.GetHeight());
      */

podofo_CVE-2018-5783.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/PdfCompilerCompat.h
 --- podofo-0.9.6/src/base/PdfCompilerCompat.h	2017-10-27 08:38:19.000000000 +0200
-+++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h	2018-12-19 22:42:36.864109334 +0100
++++ podofo-0.9.6-new/src/base/PdfCompilerCompat.h	2019-03-13 23:15:12.143138748 +0100
 @@ -184,12 +184,15 @@ namespace PoDoFo {
  #if defined(_MSC_VER)
  #  define PDF_FORMAT_INT64 "I64d"
@@ -19,7 +19,7 @@ diff -rupN podofo-0.9.6/src/base/PdfCompilerCompat.h podofo-0.9.6-new/src/base/P
  
 diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/PdfVecObjects.cpp
 --- podofo-0.9.6/src/base/PdfVecObjects.cpp	2017-06-04 15:28:32.000000000 +0200
-+++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp	2018-12-19 22:42:36.865109254 +0100
++++ podofo-0.9.6-new/src/base/PdfVecObjects.cpp	2019-03-13 23:15:12.144138748 +0100
 @@ -100,6 +100,10 @@ private:
      const PdfReference m_ref;
  };
@@ -33,7 +33,7 @@ diff -rupN podofo-0.9.6/src/base/PdfVecObjects.cpp podofo-0.9.6-new/src/base/Pdf
  {
 diff -rupN podofo-0.9.6/src/base/PdfVecObjects.h podofo-0.9.6-new/src/base/PdfVecObjects.h
 --- podofo-0.9.6/src/base/PdfVecObjects.h	2016-11-14 17:21:06.000000000 +0100
-+++ podofo-0.9.6-new/src/base/PdfVecObjects.h	2018-12-19 22:42:36.865109254 +0100
++++ podofo-0.9.6-new/src/base/PdfVecObjects.h	2019-03-13 23:15:12.144138748 +0100
 @@ -414,6 +414,25 @@ class PODOFO_API PdfVecObjects {
      inline PdfObject* GetBack();
  

podofo_CVE-2019-9199.patch

@@ -0,0 +1,17 @@
+diff -rupN podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp
+--- podofo-0.9.6/tools/podofoimpose/pdftranslator.cpp	2019-03-13 23:15:12.348138695 +0100
++++ podofo-0.9.6-new/tools/podofoimpose/pdftranslator.cpp	2019-03-13 23:15:12.381138687 +0100
+@@ -148,7 +148,12 @@ namespace PoDoFo
+ // 	std::cerr << "Document has "<< pcount << " page(s) " << endl;
+ 			if ( pcount > 0 ) // only here to avoid possible segfault, but PDF without page is not conform IIRC
+ 			{
+-				PoDoFo::PdfRect rect ( sourceDoc->GetPage ( 0 )->GetMediaBox() );
++                PoDoFo::PdfPage* pFirstPage = sourceDoc->GetPage ( 0 );
++                if ( NULL == pFirstPage ) // Fixes CVE-2019-9199 (issue #40)
++                {
++                    PODOFO_RAISE_ERROR_INFO( ePdfError_PageNotFound, "First page (0) of source document not found" );
++                }
++                PoDoFo::PdfRect rect ( pFirstPage->GetMediaBox() );
+ 				// keep in mind it’s just a hint since PDF can have different page sizes in a same doc
+ 				sourceWidth =  rect.GetWidth() - rect.GetLeft();
+ 				sourceHeight =  rect.GetHeight() - rect.GetBottom() ;

podofo_CVE-2019-9687.patch

@@ -0,0 +1,57 @@
+diff -rupN podofo-0.9.6/src/base/PdfString.cpp podofo-0.9.6-new/src/base/PdfString.cpp
+--- podofo-0.9.6/src/base/PdfString.cpp	2018-03-10 17:30:53.000000000 +0100
++++ podofo-0.9.6-new/src/base/PdfString.cpp	2019-03-13 23:15:12.410138679 +0100
+@@ -626,8 +626,19 @@ void PdfString::InitUtf8()
+         pdf_long lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()), 
+                                                     this->GetUnicodeLength(), 
+                                                     reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient );
++        if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
++        {
++            pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) );
++            if( !pBuffer )
++            {
++                PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
++            }
++            if (lUtf8 - 1 > lBufferLen)
++                lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
++                                                       this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
++        }
+ 
+-        pBuffer[lUtf8-1] = '\0';
++        pBuffer[lUtf8 - 1] = '\0';
+         pBuffer[lUtf8] = '\0';
+         m_sUtf8 = pBuffer;
+         podofo_free( pBuffer );
+@@ -811,6 +822,7 @@ pdf_long PdfString::ConvertUTF16toUTF8(
+     return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
+ }
+ 
++// returns used, or if not enough memory passed in, needed length incl. 1 byte termination
+ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16, 
+                                     pdf_utf8* pszUtf8, pdf_long lLenUtf8, 
+                                     EPdfStringConversion eConversion  )
+@@ -828,12 +840,21 @@ pdf_long PdfString::ConvertUTF16toUTF8(
+     size_t sLength = lLenUtf16;
+     size_t resultBufLength = lLenUtf8;
+ 
+-    u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
++    uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength );
++    if (pReturnBuf != pResultBuf)
++    {
++        free(pReturnBuf); // allocated by libunistring, so don't use podofo_free()
++        PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" );
++        return resultBufLength + 1;
++    }
+ 
+     pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 1), lLenUtf8 );
+ 
+-    // Make sure buffer is 0 termnated
+-    pszUtf8[resultBufLength] = 0; 
++    // Make sure buffer is 0 terminated
++    if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
++        pszUtf8[resultBufLength] = 0;
++    else
++        return resultBufLength + 1; // means: check for this in the caller to detect non-termination
+     
+     return lBufferLen;
+ }

podofo_tests.patch

@@ -1,6 +1,6 @@
 diff -rupN podofo-0.9.6/test/TokenizerTest/CMakeLists.txt podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt
 --- podofo-0.9.6/test/TokenizerTest/CMakeLists.txt	2007-09-16 11:33:38.000000000 +0200
-+++ podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt	2018-12-19 23:54:17.173226972 +0100
++++ podofo-0.9.6-new/test/TokenizerTest/CMakeLists.txt	2019-03-13 23:15:12.116138755 +0100
 @@ -2,10 +2,3 @@ ADD_EXECUTABLE(TokenizerTest TokenizerTe
  TARGET_LINK_LIBRARIES(TokenizerTest ${PODOFO_LIB} ${PODOFO_LIB_DEPENDS})
  SET_TARGET_PROPERTIES(TokenizerTest PROPERTIES COMPILE_FLAGS "${PODOFO_CFLAGS}")