CVE-2010-0829 fix from https://bugzilla.redhat.com/show_bug.cgi?id=573999

6 files changed, 130 insertions, 3 deletions

diff --git a/graphics/dvipng/Makefile b/graphics/dvipng/Makefile
index 2e65af4c2a5..0b9d1c5bc83 100644
--- a/graphics/dvipng/Makefile
+++ b/graphics/dvipng/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.11 2010/05/07 08:34:22 ahoka Exp $
+# $NetBSD: Makefile,v 1.12 2010/05/17 20:21:38 tez Exp $
 
 DISTNAME=	dvipng-1.12
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=dvipng/}
 
diff --git a/graphics/dvipng/distinfo b/graphics/dvipng/distinfo
index f8ab4955f24..49dab6dad76 100644
--- a/graphics/dvipng/distinfo
+++ b/graphics/dvipng/distinfo
@@ -1,5 +1,9 @@
-$NetBSD: distinfo,v 1.2 2010/01/16 03:31:25 minskim Exp $
+$NetBSD: distinfo,v 1.3 2010/05/17 20:21:38 tez Exp $
 
 SHA1 (dvipng-1.12.tar.gz) = 313357bdeb84f705a5d3e2e1215d55c13a86d79e
 RMD160 (dvipng-1.12.tar.gz) = b8698d70f6a819fb84e1ff9d8dfb34765a05bced
 Size (dvipng-1.12.tar.gz) = 168196 bytes
+SHA1 (patch-aa) = 93345009e69f2347ddb001799a84e14d5eb80dce
+SHA1 (patch-ab) = 6e1982458289485d52b05aa0f07acf606cd607e3
+SHA1 (patch-ac) = 431b97551f3315a919b4aa2fd5a9ae88ba8abda9
+SHA1 (patch-ad) = 1e8c21a359513101f3ed6cd4307c2a79d99b6443
diff --git a/graphics/dvipng/patches/patch-aa b/graphics/dvipng/patches/patch-aa
new file mode 100644
index 00000000000..f8dc55b2094
--- /dev/null
+++ b/graphics/dvipng/patches/patch-aa
@@ -0,0 +1,55 @@
+$NetBSD: patch-aa,v 1.1 2010/05/17 20:21:38 tez Exp $
+CVE-2010-0829
+
+--- draw.c	2008-06-11 23:05:01 +0000
++++ draw.c	2010-04-27 09:34:06 +0000
+@@ -79,9 +79,15 @@
+ 
+   if (currentfont==NULL) 
+     Fatal("faulty DVI, trying to set character from null font");
+-
+-  if (c>=0 && c<=LASTFNTCHAR) 
+-    ptr = currentfont->chr[c];
++  if (c<0 || c>LASTFNTCHAR) {
++    Warning("glyph index out of range (%d), skipping",c);
++    return(0);
++  }
++  ptr=currentfont->chr[c];
++  if (ptr==NULL) {
++    Warning("unable to draw glyph %d, skipping",c);
++    return(0);
++  }
+ #ifdef DEBUG
+   switch (currentfont->type) {
+   case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n  VF CHAR:\t")); break;
+@@ -90,15 +96,15 @@
+   case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n  FT CHAR:\t")); break;
+   default: DEBUG_PRINT(DEBUG_DVI,("\n  NO CHAR:\t"))
+   }
+-  if (isprint(c))
++  if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
+     DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
+   DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,
+ 			 dvi_stack->hh,dvi_stack->vv,ptr?ptr->tfmw:0));
+ #endif
+   if (currentfont->type==FONT_TYPE_VF) {
+-    return(SetVF(c));
++    return(SetVF(ptr));
+   } else {
+-    if (ptr!=NULL && ptr->data == NULL) 
++    if (ptr->data == NULL) 
+       switch(currentfont->type) {
+       case FONT_TYPE_PK:	LoadPK(c, ptr); break;
+ #ifdef HAVE_LIBT1
+@@ -111,8 +117,8 @@
+ 	Fatal("undefined fonttype %d",currentfont->type);
+       }
+     if (page_imagep != NULL)
+-      return(SetGlyph(c, dvi_stack->hh, dvi_stack->vv));
+-    else if (ptr!=NULL) {
++      return(SetGlyph(ptr, dvi_stack->hh, dvi_stack->vv));
++    else {
+       /* Expand bounding box if necessary */
+       min(x_min,dvi_stack->hh - ptr->xOffset/shrinkfactor);
+       min(y_min,dvi_stack->vv - ptr->yOffset/shrinkfactor);
+
diff --git a/graphics/dvipng/patches/patch-ab b/graphics/dvipng/patches/patch-ab
new file mode 100644
index 00000000000..a2ec732a119
--- /dev/null
+++ b/graphics/dvipng/patches/patch-ab
@@ -0,0 +1,18 @@
+$NetBSD: patch-ab,v 1.1 2010/05/17 20:21:38 tez Exp $
+CVE-2010-0829
+
+--- dvipng.h	2009-10-10 02:29:09 +0000
++++ dvipng.h	2010-04-27 09:34:06 +0000
+@@ -387,9 +387,9 @@
+ void      WriteImage(char*, int);
+ void      LoadPK(int32_t, register struct char_entry *);
+ int32_t   SetChar(int32_t);
+-dviunits  SetGlyph(int32_t c, int32_t hh,int32_t vv);
++dviunits  SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
+ void      Gamma(double gamma);
+-int32_t   SetVF(int32_t);
++int32_t   SetVF(struct char_entry *ptr);
+ int32_t   SetRule(int32_t, int32_t, int32_t, int32_t);
+ void      SetSpecial(char *, int32_t, int32_t);
+ void      BeginVFMacro(struct font_entry*);
+
diff --git a/graphics/dvipng/patches/patch-ac b/graphics/dvipng/patches/patch-ac
new file mode 100644
index 00000000000..77d7639dcb9
--- /dev/null
+++ b/graphics/dvipng/patches/patch-ac
@@ -0,0 +1,31 @@
+$NetBSD: patch-ac,v 1.1 2010/05/17 20:21:38 tez Exp $
+CVE-2010-0829
+
+--- set.c	2008-06-11 23:05:01 +0000
++++ set.c	2010-04-27 09:34:06 +0000
+@@ -203,23 +203,13 @@
+   }
+ }
+ 
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
+ /* gdImageChar can only do monochrome glyphs */
+ {
+-  register struct char_entry *ptr;
+   int dst_alpha,dst_weight,tot_weight,alpha;
+   int x,y,pos=0;
+   int bgColor,pixelgrey,pixelcolor;
+ 
+-  if (c<0 || c>LASTFNTCHAR) {
+-    Warning("glyph index too large (%d), skipping",c);
+-    return(0);
+-  }
+-  ptr=currentfont->chr[c];
+-  if (ptr==NULL) {
+-    Warning("unable to draw glyph %d, skipping",c);
+-    return(0);
+-  }
+   hh -= ptr->xOffset/shrinkfactor;
+   vv -= ptr->yOffset/shrinkfactor;
+   /* Initialize persistent color cache. Perhaps this should be in
+
diff --git a/graphics/dvipng/patches/patch-ad b/graphics/dvipng/patches/patch-ad
new file mode 100644
index 00000000000..34af543dc38
--- /dev/null
+++ b/graphics/dvipng/patches/patch-ad
@@ -0,0 +1,19 @@
+$NetBSD: patch-ad,v 1.1 2010/05/17 20:21:39 tez Exp $
+CVE-2010-0829
+
+--- vf.c	2008-06-11 23:05:01 +0000
++++ vf.c	2010-04-27 09:34:06 +0000
+@@ -27,11 +27,10 @@
+ #define VF_ID 202
+ #define LONG_CHAR 242
+ 
+-int32_t SetVF(int32_t c) 
++int32_t SetVF(struct char_entry* ptr) 
+ {
+   struct font_entry* currentvf;
+   unsigned char *command,*end;
+-  struct char_entry* ptr=currentfont->chr[c];
+ 
+   currentvf=currentfont;
+   BeginVFMacro(currentvf);
+