diff options
author | seb <seb> | 2005-12-12 23:04:01 +0000 |
---|---|---|
committer | seb <seb> | 2005-12-12 23:04:01 +0000 |
commit | 8f002ac6a8cf9a6255bd06b9a4a416df4e821424 (patch) | |
tree | 6f9f289c49946490095fc3d21eca113e0b2e1528 | |
parent | ad6fd0925d4ece41e5d25b8e78d7bd851f263784 (diff) | |
download | pkgsrc-8f002ac6a8cf9a6255bd06b9a4a416df4e821424.tar.gz |
Pullup ticket 953 - requested by Lubomir Sedlacik
security fix via patch for print/gpdf
-rw-r--r-- | print/gpdf/Makefile | 4 | ||||
-rw-r--r-- | print/gpdf/distinfo | 5 | ||||
-rw-r--r-- | print/gpdf/patches/patch-ac | 31 | ||||
-rw-r--r-- | print/gpdf/patches/patch-ad | 78 | ||||
-rw-r--r-- | print/gpdf/patches/patch-ae | 23 |
5 files changed, 138 insertions, 3 deletions
diff --git a/print/gpdf/Makefile b/print/gpdf/Makefile index e1a32318386..2bd998ab8d6 100644 --- a/print/gpdf/Makefile +++ b/print/gpdf/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.29 2005/09/05 14:42:42 jmmv Exp $ +# $NetBSD: Makefile,v 1.29.2.1 2005/12/12 23:04:01 seb Exp $ # DISTNAME= gpdf-2.10.0 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= print MASTER_SITES= ${MASTER_SITE_GNOME:=sources/gpdf/2.10/} EXTRACT_SUFX= .tar.bz2 diff --git a/print/gpdf/distinfo b/print/gpdf/distinfo index 2bfe02b6d3c..3bbcbd6046d 100644 --- a/print/gpdf/distinfo +++ b/print/gpdf/distinfo @@ -1,7 +1,10 @@ -$NetBSD: distinfo,v 1.12 2005/09/05 14:42:42 jmmv Exp $ +$NetBSD: distinfo,v 1.12.2.1 2005/12/12 23:04:01 seb Exp $ SHA1 (gpdf-2.10.0.tar.bz2) = f9b925ed5b15deb90968e834fd63fc7628688808 RMD160 (gpdf-2.10.0.tar.bz2) = 16cb9413e012c2c5268082d8322d1468e5c30907 Size (gpdf-2.10.0.tar.bz2) = 1079944 bytes SHA1 (patch-aa) = 8985b54bad962a31a6ee315747c0297419b8e291 SHA1 (patch-ab) = 4601088604b8c5a52546e689bfdccc2aa18ea1e6 +SHA1 (patch-ac) = cf2973f83d6a6f02c4c387696bb328512e20e877 +SHA1 (patch-ad) = a1138d90f28ec93de573d180bcce2cd2a15f7439 +SHA1 (patch-ae) = a75595e464d4a73e0ffeeb0d418f566d61b12732 diff --git a/print/gpdf/patches/patch-ac b/print/gpdf/patches/patch-ac new file mode 100644 index 00000000000..32933866b63 --- /dev/null +++ b/print/gpdf/patches/patch-ac @@ -0,0 +1,31 @@ +$NetBSD: patch-ac,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $ + +Security fix for CVE-2005-3193. + +--- xpdf/JPXStream.cc.orig 2004-05-17 20:11:49.000000000 +0200 ++++ xpdf/JPXStream.cc 2005-12-11 05:08:28.000000000 +0100 +@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le + int segType; + GBool haveSIZ, haveCOD, haveQCD, haveSOT; + Guint precinctSize, style; +- Guint segLen, capabilities, comp, i, j, r; ++ Guint segLen, capabilities, nTiles, comp, i, j, r; + + //----- main header + haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; +@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * +- sizeof(JPXTile)); ++ nTiles = img.nXTiles * img.nYTiles; ++ // check for overflow before allocating memory ++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * + sizeof(JPXTileComp)); diff --git a/print/gpdf/patches/patch-ad b/print/gpdf/patches/patch-ad new file mode 100644 index 00000000000..a1d2df28f0b --- /dev/null +++ b/print/gpdf/patches/patch-ad @@ -0,0 +1,78 @@ +$NetBSD: patch-ad,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $ + +Security fix for CVE-2005-3191 and CVE-2005-3192. + +--- xpdf/Stream.cc.orig 2004-05-17 21:37:57.000000000 +0200 ++++ xpdf/Stream.cc 2005-12-11 05:10:04.000000000 +0100 +@@ -407,18 +407,33 @@ void ImageStream::skipLine() { + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { ++ int totalBits; ++ + str = strA; + predictor = predictorA; + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + + nVals = width * nComps; ++ totalBits = nVals * nBits; ++ if (totalBits == 0 || ++ (totalBits / nBits) / nComps != width || ++ totalBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } diff --git a/print/gpdf/patches/patch-ae b/print/gpdf/patches/patch-ae new file mode 100644 index 00000000000..d81de7e5355 --- /dev/null +++ b/print/gpdf/patches/patch-ae @@ -0,0 +1,23 @@ +$NetBSD: patch-ae,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $ + +Security fix for CVE-2005-3192. + +--- xpdf/Stream.h.orig 2004-05-17 21:37:57.000000000 +0200 ++++ xpdf/Stream.h 2005-12-11 05:10:04.000000000 +0100 +@@ -233,6 +233,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -250,6 +252,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ |