[poppler] Fwd: Re: CVE-2012-2142 xpdf, poppler: Insufficient sanitization of escape sequences in the error messages

[William Bader]

In my own code, I sometimes filter with ((c&0x7F) < 0x20 || (c&0x7F) == 0x7F) to allow accented characters to pass and to avoid using isprint(). I have had bad luck with passing signed chars to is* macros on old systems, plus the whole idea is to avoid passing escapes to xterm, and maybe some locale considers char 27 as printable.Some of the patches call isprint() with a char, and I think that is bad.  The man page for isprint on Fedora 17 says that the argument to is* macros must be "unsigned char" or EOF.  To be safe, the patches should use isprint((unsigned char)c) or isprint(c&0xFF).William 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/poppler/attachments/20121201/cccadbac/attachment.html>