2006-01-10 Kristian Høgsberg <krh@redhat.com>poppler-0.4.4

        * configure.ac: Bump realease to 0.4.4.

        * NEWS: Sum up changes.

        * poppler/DCTStream.cc: Backport patch for KDE #119569.

4 files changed, 29 insertions, 12 deletions

diff --git a/ChangeLog b/ChangeLog
index d31d8e44..950e318a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
 2006-01-10  Kristian Høgsberg  <krh@redhat.com>
 
+	* configure.ac: Bump realease to 0.4.4.
+
+	* NEWS: Sum up changes.
+
+	* poppler/DCTStream.cc: Backport patch for KDE #119569.
+
+2006-01-10  Kristian Høgsberg  <krh@redhat.com>
+
 	Security patch from Martin Pitt (#5516).  Multiple integer/buffer
 	overflows.
 
diff --git a/NEWS b/NEWS
index 9d2f2f77..8fa22892 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,8 @@
+Release 0.4.4
+
+	- Security update; CVE-2005-3624, CVE-2005-3625, CVE-2005-3627.
+	- Fix KDE bug #119569, endless loop in jpeg decoder.
+
 Release 0.4.3
 
 	- Fix selection crasher (Nickolay V. Shmyrev, #4402).
diff --git a/configure.ac b/configure.ac
index b4f89b42..c3e13216 100644
--- a/configure.ac
+++ b/configure.ac
@@ -113,7 +113,7 @@ dnl Based on kde acinclude.m4.in, LGPL Licensed
 
 
 AC_PREREQ(2.59)
-AC_INIT(poppler, 0.4.3)
+AC_INIT(poppler, 0.4.4)
 AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
 AM_CONFIG_HEADER(config.h)
 AM_CONFIG_HEADER(poppler/poppler-config.h)
diff --git a/poppler/DCTStream.cc b/poppler/DCTStream.cc
index 2c17cb75..46936838 100644
--- a/poppler/DCTStream.cc
+++ b/poppler/DCTStream.cc
@@ -14,21 +14,25 @@ static void str_init_source(j_decompress_ptr cinfo)
 
 static boolean str_fill_input_buffer(j_decompress_ptr cinfo)
 {
+  int c;
   struct str_src_mgr * src = (struct str_src_mgr *)cinfo->src;
   if (src->index == 0) {
-    src->buffer = 0xFF;
+    c = 0xFF;
     src->index++;
   }
   else if (src->index == 1) {
-    src->buffer = 0xD8;
+    c = 0xD8;
     src->index++;
   }
-  else {
-      src->buffer = src->str->getChar();
+  else c = src->str->getChar();
+  if (c != EOF)
+  {
+    src->buffer = c;
+    src->pub.next_input_byte = &src->buffer;
+    src->pub.bytes_in_buffer = 1;
+    return TRUE;
   }
-  src->pub.next_input_byte = &src->buffer;
-  src->pub.bytes_in_buffer = 1;
-  return TRUE;
+  else return FALSE;
 }
 
 static void str_skip_input_data(j_decompress_ptr cinfo, long num_bytes)
@@ -83,18 +87,17 @@ void DCTStream::reset() {
   // the start marker...
   bool startFound = false;
   int c = 0, c2 = 0;
-  int n = 0;
   while (!startFound)
   {
     if (!c)
     {
       c = str->getChar();
-      if (c != 0xFF) c = 0;
       if (c == -1)
       {
         error(-1, "Could not find start of jpeg data");
         exit(1);
       }
+      if (c != 0xFF) c = 0;
     }
     else
     {
@@ -106,7 +109,6 @@ void DCTStream::reset() {
       }
       else startFound = true;
     }
-    n++;
   }
 
   jpeg_read_header(&cinfo, TRUE);
@@ -121,7 +123,9 @@ int DCTStream::getChar() {
 
   if (x == 0) {
     if (cinfo.output_scanline < cinfo.output_height)
-      jpeg_read_scanlines(&cinfo, row_buffer, 1);
+    {
+      if (!jpeg_read_scanlines(&cinfo, row_buffer, 1)) return EOF;
+    }
     else return EOF;
   }
   c = row_buffer[0][x];