diff options
| author | tron <tron@pkgsrc.org> | 2010-06-08 18:22:06 +0000 |
|---|---|---|
| committer | tron <tron@pkgsrc.org> | 2010-06-08 18:22:06 +0000 |
| commit | efa1973a8513d4c9efb5765214b1c4e74461ad33 (patch) | |
| tree | 44973f12899095b1a92afdf67c4a7efef7c66396 /print/dvipsk/patches/patch-ab | |
| parent | 1c481b4473f20d74cb0bdeb6dd0bf21c6d446a64 (diff) | |
| download | pkgsrc-efa1973a8513d4c9efb5765214b1c4e74461ad33.tar.gz | |
Pullup ticket #3143 - requested by minskim
print/dvipsk: security patch
Revisions pulled up:
- print/dvipsk/Makefile 1.6
- print/dvipsk/distinfo 1.5
- print/dvipsk/patches/patch-ab 1.4
---
Module Name: pkgsrc
Committed By: minskim
Date: Tue Jun 8 15:17:05 UTC 2010
Modified Files:
pkgsrc/print/dvipsk: Makefile distinfo
pkgsrc/print/dvipsk/patches: patch-ab
Log Message:
Fix CVE-2010-1440. Patch from TeX Live repository.
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX
Live 2009 and earlier, and teTeX, allow remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via a special command in a DVI file, related to the (1)
predospecial and (2) bbdospecial functions, a different
vulnerability than CVE-2010-0739.
Diffstat (limited to 'print/dvipsk/patches/patch-ab')
| -rw-r--r-- | print/dvipsk/patches/patch-ab | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/print/dvipsk/patches/patch-ab b/print/dvipsk/patches/patch-ab index 7d3bac81ccb..d5988885391 100644 --- a/print/dvipsk/patches/patch-ab +++ b/print/dvipsk/patches/patch-ab @@ -1,17 +1,33 @@ -$NetBSD: patch-ab,v 1.3.2.2 2010/04/20 21:26:19 tron Exp $ +$NetBSD: patch-ab,v 1.3.2.3 2010/06/08 18:22:06 tron Exp $ + +- CVE-2010-0739 +- CVE-2010-1440 --- dospecial.c.orig 2009-06-23 09:46:14.000000000 +0000 +++ dospecial.c -@@ -334,6 +334,12 @@ predospecial(integer numbytes, Boolean s +@@ -333,7 +333,11 @@ predospecial(integer numbytes, Boolean s + int j ; static int omega_specials = 0; - if (nextstring + numbytes > maxstring) { -+ if (numbytes < 0 -+ || (numbytes > 0 && 2 > INT_MAX / numbytes) -+ || 2 * numbytes > 1000 + 2 * numbytes) { +- if (nextstring + numbytes > maxstring) { ++ if (numbytes < 0 || numbytes > maxstring - nextstring) { ++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) { + error("! Integer overflow in predospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * numbytes) ; maxstring = nextstring + 2 * numbytes + 700 ; } +@@ -918,7 +922,11 @@ bbdospecial(int nbytes) + char seen[NKEYS] ; + float valseen[NKEYS] ; + +- if (nextstring + nbytes > maxstring) { ++ if (nbytes < 0 || nbytes > maxstring - nextstring) { ++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) { ++ error("! Integer overflow in bbdospecial"); ++ exit(1); ++ } + p = nextstring = mymalloc(1000 + 2 * nbytes) ; + maxstring = nextstring + 2 * nbytes + 700 ; + } |