xpdf/SOURCES/xpdf-4.02-CVE-2019-12360.patch

diff -up xpdf-4.02/fofi/FoFiTrueType.cc.CVE-2019-12360 xpdf-4.02/fofi/FoFiTrueType.cc
--- xpdf-4.02/fofi/FoFiTrueType.cc.CVE-2019-12360	2020-06-26 15:15:48.156850534 -0400
+++ xpdf-4.02/fofi/FoFiTrueType.cc	2020-06-26 15:15:35.204068577 -0400
@@ -20,6 +20,7 @@
 #include "gtypes.h"
 #include "gmem.h"
 #include "gmempp.h"
+#include "GLikely.h"
 #include "GString.h"
 #include "GHash.h"
 #include "FoFiType1C.h"
@@ -1764,7 +1765,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu
   GBool ok;
   Guint checksum;
   int nNewTables;
-  int glyfTableLen, length, pos, glyfPos, i, j, k;
+  int glyfTableLen, length, pos, glyfPos, i, j, k, vmtxTabLength;
   Guchar vheaTab[36] = {
     0, 1, 0, 0,			// table version number
     0, 0,			// ascent
@@ -1891,6 +1892,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu
     }
   }
   vmtxTab = NULL; // make gcc happy
+  vmtxTabLength = 0;
   advance = 0; // make gcc happy
   if (needVerticalMetrics) {
     needVhea = seekTable("vhea") < 0;
@@ -1951,6 +1953,7 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu
 	checksum = computeTableChecksum(vheaTab, length);
       } else if (needVerticalMetrics && i == t42VmtxTable) {
 	length = 4 + (nGlyphs - 1) * 2;
+	vmtxTabLength = length;
 	vmtxTab = (Guchar *)gmalloc(length);
 	vmtxTab[0] = (Guchar)(advance / 256);
 	vmtxTab[1] = (Guchar)(advance % 256);
@@ -2065,8 +2068,16 @@ void FoFiTrueType::cvtSfnts(FoFiOutputFu
 	  dumpString(file + tables[j].offset, tables[j].len,
 		     outputFunc, outputStream);
 	} else if (needVerticalMetrics && i == t42VheaTable) {
+	  if (unlikely(length > (int)sizeof(vheaTab))) {
+	    //~ error(errSyntaxWarning, -1, "length bigger than vheaTab size");
+	    length = sizeof(vheaTab);
+	  }
 	  dumpString(vheaTab, length, outputFunc, outputStream);
 	} else if (needVerticalMetrics && i == t42VmtxTable) {
+	  if (unlikely(length > vmtxTabLength)) {
+	    //~ error(errSyntaxWarning, -1, "length bigger than vmtxTab size");
+	    length = vmtxTabLength;
+	  }
 	  dumpString(vmtxTab, length, outputFunc, outputStream);
 	}
       }
diff -up xpdf-4.02/goo/GLikely.h.CVE-2019-12360 xpdf-4.02/goo/GLikely.h
--- xpdf-4.02/goo/GLikely.h.CVE-2019-12360	2020-06-26 15:11:32.839149675 -0400
+++ xpdf-4.02/goo/GLikely.h	2020-06-26 15:11:07.713572773 -0400
@@ -0,0 +1,22 @@
+//========================================================================
+//
+// GLikely.h
+//
+// This file is licensed under the GPLv2 or later
+//
+// Copyright (C) 2008 Kees Cook <kees@outflux.net>
+//
+//========================================================================
+
+#ifndef GLIKELY_H
+#define GLIKELY_H
+
+#if defined(__GNUC__) && (__GNUC__ > 2) && defined(__OPTIMIZE__)
+# define likely(x)	__builtin_expect((x), 1)
+# define unlikely(x)    __builtin_expect((x), 0)
+#else
+# define likely(x)	(x)
+# define unlikely(x)    (x)
+#endif
+
+#endif