summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authortonnerre <tonnerre@pkgsrc.org>2008-04-20 15:48:12 +0000
committertonnerre <tonnerre@pkgsrc.org>2008-04-20 15:48:12 +0000
commit4ad89e4880ab9c7ced53bd568a52af11c6d05032 (patch)
treed7eb22d2c4f7bd067493bf5c4962d3c8fae9f6a2
parent0114f2e8ef5fb2ffc055af529264b6c882ec3184 (diff)
downloadpkgsrc-4ad89e4880ab9c7ced53bd568a52af11c6d05032.tar.gz
Fix embedded font handling (CVE-2008-1693). While at it, add a patch
from upstream CVS which fixes display of 16-bit colors. Update from print/poppler. Approved-by: joerg
-rw-r--r--print/xpdf/Makefile3
-rw-r--r--print/xpdf/distinfo4
-rw-r--r--print/xpdf/patches/patch-aq134
-rw-r--r--print/xpdf/patches/patch-ar17
4 files changed, 156 insertions, 2 deletions
diff --git a/print/xpdf/Makefile b/print/xpdf/Makefile
index 0b58bdeb3d7..f302c3fc8f5 100644
--- a/print/xpdf/Makefile
+++ b/print/xpdf/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.64 2008/03/29 03:00:57 obache Exp $
+# $NetBSD: Makefile,v 1.65 2008/04/20 15:48:12 tonnerre Exp $
DISTNAME= xpdf-3.02
PKGNAME= xpdf-3.02pl2
+PKGREVISION= 1
CATEGORIES= print
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/xpdf/} \
diff --git a/print/xpdf/distinfo b/print/xpdf/distinfo
index 6b95df36ced..9cfd0188af2 100644
--- a/print/xpdf/distinfo
+++ b/print/xpdf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.32 2008/03/29 03:00:57 obache Exp $
+$NetBSD: distinfo,v 1.33 2008/04/20 15:48:12 tonnerre Exp $
SHA1 (xpdf-3.02.tar.gz) = f9940698840c8a8045677e8be68ab8580903e20a
RMD160 (xpdf-3.02.tar.gz) = e900cb8670b8c430beaa45895fb474411cb1958d
@@ -24,4 +24,6 @@ SHA1 (patch-al) = b6e958b0592ac285b3ade90079c83da30db8a8b6
SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef
SHA1 (patch-an) = 94ea208c43f4df1ac3a9bf01cc874d488ae49a9a
SHA1 (patch-ap) = 5961dfe22ac087a7df0311235b4fab27d7554c58
+SHA1 (patch-aq) = 1df0efb9fdde90df0597ba2a56c6030e7446e185
+SHA1 (patch-ar) = 5e4719a30a0412d9d731dbef8179c38bba67db94
SHA1 (patch-bb) = d38757d5e4a331d49149acfff897cfe7bc0a5e3b
diff --git a/print/xpdf/patches/patch-aq b/print/xpdf/patches/patch-aq
new file mode 100644
index 00000000000..de4d9da1570
--- /dev/null
+++ b/print/xpdf/patches/patch-aq
@@ -0,0 +1,134 @@
+$NetBSD: patch-aq,v 1.3 2008/04/20 15:48:12 tonnerre Exp $
+
+Fix arbitrary code execution with embedded fonts (CVE-2008-1693).
+
+--- xpdf/Object.h.orig 2007-02-27 22:05:52.000000000 +0000
++++ xpdf/Object.h
+@@ -68,17 +68,18 @@ enum ObjType {
+ //------------------------------------------------------------------------
+
+ #ifdef DEBUG_MEM
+-#define initObj(t) ++numAlloc[type = t]
++#define initObj(t) zeroUnion(); ++numAlloc[type = t]
+ #else
+-#define initObj(t) type = t
++#define initObj(t) zeroUnion(); type = t
+ #endif
+
+ class Object {
+ public:
+-
++ // attempt to clear the anonymous union
++ void zeroUnion() { this->name = NULL; }
+ // Default constructor.
+ Object():
+- type(objNone) {}
++ type(objNone) { zeroUnion(); }
+
+ // Initialize an object.
+ Object *initBool(GBool boolnA)
+@@ -220,16 +221,16 @@ private:
+ #include "Array.h"
+
+ inline int Object::arrayGetLength()
+- { return array->getLength(); }
++ { if (type != objArray) return 0; return array->getLength(); }
+
+ inline void Object::arrayAdd(Object *elem)
+- { array->add(elem); }
++ { if (type == objArray) array->add(elem); }
+
+ inline Object *Object::arrayGet(int i, Object *obj)
+- { return array->get(i, obj); }
++ { if (type != objArray) return obj->initNull(); return array->get(i, obj); }
+
+ inline Object *Object::arrayGetNF(int i, Object *obj)
+- { return array->getNF(i, obj); }
++ { if (type != objArray) return obj->initNull(); return array->getNF(i, obj); }
+
+ //------------------------------------------------------------------------
+ // Dict accessors.
+@@ -238,31 +239,31 @@ inline Object *Object::arrayGetNF(int i,
+ #include "Dict.h"
+
+ inline int Object::dictGetLength()
+- { return dict->getLength(); }
++ { if (type != objDict) return 0; return dict->getLength(); }
+
+ inline void Object::dictAdd(char *key, Object *val)
+- { dict->add(key, val); }
++ { if (type == objDict) dict->add(key, val); }
+
+ inline GBool Object::dictIs(char *dictType)
+- { return dict->is(dictType); }
++ { return (type == objDict) && dict->is(dictType); }
+
+ inline GBool Object::isDict(char *dictType)
+ { return type == objDict && dictIs(dictType); }
+
+ inline Object *Object::dictLookup(char *key, Object *obj)
+- { return dict->lookup(key, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->lookup(key, obj); }
+
+ inline Object *Object::dictLookupNF(char *key, Object *obj)
+- { return dict->lookupNF(key, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->lookupNF(key, obj); }
+
+ inline char *Object::dictGetKey(int i)
+- { return dict->getKey(i); }
++ { if (type != objDict) return NULL; return dict->getKey(i); }
+
+ inline Object *Object::dictGetVal(int i, Object *obj)
+- { return dict->getVal(i, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->getVal(i, obj); }
+
+ inline Object *Object::dictGetValNF(int i, Object *obj)
+- { return dict->getValNF(i, obj); }
++ { if (type != objDict) return obj->initNull(); return dict->getValNF(i, obj); }
+
+ //------------------------------------------------------------------------
+ // Stream accessors.
+@@ -271,33 +272,33 @@ inline Object *Object::dictGetValNF(int
+ #include "Stream.h"
+
+ inline GBool Object::streamIs(char *dictType)
+- { return stream->getDict()->is(dictType); }
++ { return (type == objStream) && stream->getDict()->is(dictType); }
+
+ inline GBool Object::isStream(char *dictType)
+- { return type == objStream && streamIs(dictType); }
++ { return (type == objStream) && streamIs(dictType); }
+
+ inline void Object::streamReset()
+- { stream->reset(); }
++ { if (type == objStream) stream->reset(); }
+
+ inline void Object::streamClose()
+- { stream->close(); }
++ { if (type == objStream) stream->close(); }
+
+ inline int Object::streamGetChar()
+- { return stream->getChar(); }
++ { if (type != objStream) return EOF; return stream->getChar(); }
+
+ inline int Object::streamLookChar()
+- { return stream->lookChar(); }
++ { if (type != objStream) return EOF; return stream->lookChar(); }
+
+ inline char *Object::streamGetLine(char *buf, int size)
+- { return stream->getLine(buf, size); }
++ { if (type != objStream) return NULL; return stream->getLine(buf, size); }
+
+ inline Guint Object::streamGetPos()
+- { return stream->getPos(); }
++ { if (type != objStream) return 0; return stream->getPos(); }
+
+ inline void Object::streamSetPos(Guint pos, int dir)
+- { stream->setPos(pos, dir); }
++ { if (type == objStream) stream->setPos(pos, dir); }
+
+ inline Dict *Object::streamGetDict()
+- { return stream->getDict(); }
++ { if (type != objStream) return NULL; return stream->getDict(); }
+
+ #endif
diff --git a/print/xpdf/patches/patch-ar b/print/xpdf/patches/patch-ar
new file mode 100644
index 00000000000..48dff81936e
--- /dev/null
+++ b/print/xpdf/patches/patch-ar
@@ -0,0 +1,17 @@
+$NetBSD: patch-ar,v 1.4 2008/04/20 15:48:12 tonnerre Exp $
+
+--- xpdf/GfxState.cc.orig 2008-02-09 12:46:17.000000000 +0100
++++ xpdf/GfxState.cc
+@@ -3349,6 +3349,12 @@ GfxImageColorMap::GfxImageColorMap(int b
+ maxPixel = (1 << bits) - 1;
+ colorSpace = colorSpaceA;
+
++ // this is a hack to support 16 bits images, everywhere
++ // we assume a component fits in 8 bits, with this hack
++ // we treat 16 bit images as 8 bit ones until it's fixed correctly.
++ // The hack has another part on ImageStream::getLine
++ if (maxPixel > 255) maxPixel = 255;
++
+ // initialize
+ for (k = 0; k < gfxColorMaxComps; ++k) {
+ lookup[k] = NULL;