Pullup ticket 955 - requested by Lubomir Sedlacik

security fix via patch for print/poppler Module Name: pkgsrc Committed By: salo Date: Sun Dec 11 05:08:50 UTC 2005 Modified Files: pkgsrc/print/poppler: Makefile distinfo Added Files: pkgsrc/print/poppler/patches: patch-aa patch-ab patch-ac Log Message: Security fixes for CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193. Patches from xpdf.
author: seb <seb@pkgsrc.org> 2005-12-15 01:00:51 +0000
committer: seb <seb@pkgsrc.org> 2005-12-15 01:00:51 +0000
commit: a6a1ec704eeac6a30cec390b956fbab7e1367ff9 (patch)
tree: ea005893d3d0f137dee226fe45e47ba65e06c8c8
parent: efd2ef1d39336fdb420731fb6efb4ee2ed928ed3 (diff)
download: pkgsrc-a6a1ec704eeac6a30cec390b956fbab7e1367ff9.tar.gz
5 files changed, 139 insertions, 4 deletions
diff --git a/print/poppler/Makefile b/print/poppler/Makefile
index af3ecd355e9..ebab0fb121c 100644
--- a/print/poppler/Makefile
+++ b/print/poppler/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.1.1.1 2005/07/08 20:31:34 reed Exp $
+# $NetBSD: Makefile,v 1.1.1.1.2.1 2005/12/15 01:00:51 seb Exp $
 #
 
 DISTNAME=		poppler-0.3.3
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES=		print
 MASTER_SITES=		http://poppler.freedesktop.org/
 
@@ -10,7 +10,7 @@ MAINTAINER=		reed@reedmedia.net
 HOMEPAGE=		http://poppler.freedesktop.org/
 COMMENT=		PDF rendering library
 
-USE_TOOLS=		gmake
+USE_TOOLS+=		gmake pkg-config
 USE_LIBTOOL=		yes
 LIBTOOL_OVERRIDE=	${WRKSRC}/libtool
 #PKGCONFIG_OVERRIDE+=	${WRKSRC}/poppler-cairo.pc.in
diff --git a/print/poppler/distinfo b/print/poppler/distinfo
index 302af0593de..05a17894873 100644
--- a/print/poppler/distinfo
+++ b/print/poppler/distinfo
@@ -1,6 +1,9 @@
-$NetBSD: distinfo,v 1.1.1.1 2005/07/08 20:31:34 reed Exp $
+$NetBSD: distinfo,v 1.1.1.1.2.1 2005/12/15 01:00:51 seb Exp $
 
 SHA1 (poppler-0.3.3.tar.gz) = 4dd3e060815a307dfb217dbe7dd7d52c7f688edf
 RMD160 (poppler-0.3.3.tar.gz) = a607766a46a39ae27cbd1bdfd5866c1bc74cf4d3
 Size (poppler-0.3.3.tar.gz) = 742493 bytes
 SHA1 (patch-aa) = be585bf002516f55d98cff5a7902327c41733c09
+SHA1 (patch-ab) = 6bbd1edcdba2564f470474f71b7824dfaf302a7d
+SHA1 (patch-ac) = db8e38a2e4382bd14bbb5edc9979df5ce2927943
+SHA1 (patch-ad) = 9900a274d586bf4f4d814716b1296e4d5e5f9429
diff --git a/print/poppler/patches/patch-ab b/print/poppler/patches/patch-ab
new file mode 100644
index 00000000000..8bc8ef73bc9
--- /dev/null
+++ b/print/poppler/patches/patch-ab
@@ -0,0 +1,31 @@
+$NetBSD: patch-ab,v 1.1.2.2 2005/12/15 01:00:51 seb Exp $
+
+Security fix for CVE-2005-3193.
+
+--- poppler/JPXStream.cc.orig	2005-03-03 20:46:03.000000000 +0100
++++ poppler/JPXStream.cc	2005-12-11 06:14:42.000000000 +0100
+@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+ 
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      nTiles = img.nXTiles * img.nYTiles;
++      // check for overflow before allocating memory
++      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++        error(getPos(), "Bad tile count in JPX SIZ marker segment");
++        return gFalse;
++      }
++      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));
diff --git a/print/poppler/patches/patch-ac b/print/poppler/patches/patch-ac
new file mode 100644
index 00000000000..2602bd62441
--- /dev/null
+++ b/print/poppler/patches/patch-ac
@@ -0,0 +1,78 @@
+$NetBSD: patch-ac,v 1.1.2.2 2005/12/15 01:00:51 seb Exp $
+
+Security fix for CVE-2005-3191 and CVE-2005-3192.
+
+--- poppler/Stream.cc.orig	2005-04-28 17:23:34.000000000 +0200
++++ poppler/Stream.cc	2005-12-11 06:14:45.000000000 +0100
+@@ -415,18 +415,33 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -1020,6 +1035,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2907,6 +2926,14 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -3268,6 +3295,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
diff --git a/print/poppler/patches/patch-ad b/print/poppler/patches/patch-ad
new file mode 100644
index 00000000000..1ef0fdb6ba6
--- /dev/null
+++ b/print/poppler/patches/patch-ad
@@ -0,0 +1,23 @@
+$NetBSD: patch-ad,v 1.1.2.1 2005/12/15 01:00:51 seb Exp $
+
+Security fix for CVE-2005-3192.
+
+--- poppler/Stream.h.orig	2005-04-28 17:23:34.000000000 +0200
++++ poppler/Stream.h	2005-12-11 06:14:47.000000000 +0100
+@@ -231,6 +231,8 @@ public:
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -248,6 +250,7 @@ private:
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
author	seb <seb@pkgsrc.org>	2005-12-15 01:00:51 +0000
committer	seb <seb@pkgsrc.org>	2005-12-15 01:00:51 +0000
commit	a6a1ec704eeac6a30cec390b956fbab7e1367ff9 (patch)
tree	ea005893d3d0f137dee226fe45e47ba65e06c8c8
parent	efd2ef1d39336fdb420731fb6efb4ee2ed928ed3 (diff)
download	pkgsrc-a6a1ec704eeac6a30cec390b956fbab7e1367ff9.tar.gz