author | minskim <minskim@pkgsrc.org> | 2010-06-08 15:17:04 +0000 |
---|---|---|
committer | minskim <minskim@pkgsrc.org> | 2010-06-08 15:17:04 +0000 |
commit | 5019b619f2a2001d71cb5f30dc1c35dcec048f0c (patch) | |
tree | 2eae1a64a8ee899ee0543765c56b1e3cdf5d6610 /print/dvipsk/patches | |
parent | 7e8338d758bc2f1c554d416837bf539816ccdb8a (diff) | |
download | pkgsrc-5019b619f2a2001d71cb5f30dc1c35dcec048f0c.tar.gz |
Fix CVE-2010-1440. Patch from TeX Live repository.
Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX
Live 2009 and earlier, and teTeX, allow remote attackers to cause a
denial of service (application crash) or possibly execute arbitrary
code via a special command in a DVI file, related to the (1)
predospecial and (2) bbdospecial functions, a different
vulnerability than CVE-2010-0739.
Diffstat (limited to 'print/dvipsk/patches')
-rw-r--r-- | print/dvipsk/patches/patch-ab | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/print/dvipsk/patches/patch-ab b/print/dvipsk/patches/patch-ab
index 22e51443e80..f1b3d73c971 100644
--- a/print/dvipsk/patches/patch-ab
+++ b/print/dvipsk/patches/patch-ab
@@ -1,17 +1,33 @@
-$NetBSD: patch-ab,v 1.3 2010/04/20 17:07:28 minskim Exp $
+$NetBSD: patch-ab,v 1.4 2010/06/08 15:17:05 minskim Exp $
+
+- CVE-2010-0739
+- CVE-2010-1440
 
 --- dospecial.c.orig 2009-06-23 09:46:14.000000000 +0000
 +++ dospecial.c
-@@ -334,6 +334,12 @@ predospecial(integer numbytes, Boolean s
+@@ -333,7 +333,11 @@ predospecial(integer numbytes, Boolean s
+ int j ;
 static int omega_specials = 0;
 
- if (nextstring + numbytes > maxstring) {
-+ if (numbytes < 0
-+ || (numbytes > 0 && 2 > INT_MAX / numbytes)
-+ || 2 * numbytes > 1000 + 2 * numbytes) {
+- if (nextstring + numbytes > maxstring) {
++ if (numbytes < 0 || numbytes > maxstring - nextstring) {
++ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
 + error("! Integer overflow in predospecial");
 + exit(1);
 + }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
+@@ -918,7 +922,11 @@ bbdospecial(int nbytes)
+ char seen[NKEYS] ;
+ float valseen[NKEYS] ;
+
+- if (nextstring + nbytes > maxstring) {
++ if (nbytes < 0 || nbytes > maxstring - nextstring) {
++ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
++ error("! Integer overflow in bbdospecial");
++ exit(1);
++ }
+ p = nextstring = mymalloc(1000 + 2 * nbytes) ;
+ maxstring = nextstring + 2 * nbytes + 700 ;
+ } |
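Review bot: In both rewritten guards (predospecial, and the same pattern in the added bbdospecial hunk) the limit `(INT_MAX - 1000) / 2` is correct only because it mirrors the `1000 + 2 * numbytes` size passed to mymalloc just below, and nothing in the code records that coupling. A comment above the inner test such as `/* keeps 1000 + 2 * numbytes (the mymalloc size below) within INT_MAX */` would stop a later change to one constant from silently reopening the overflow. The outer condition also repeats `numbytes < 0` solely to steer negative lengths into the inner check; rejecting out-of-range lengths before the capacity test would read more directly. `numbytes` is declared `integer`, whose width is not visible here, so whether the INT_MAX bound is exact or merely conservative should be confirmed against that typedef. Both function bodies continue outside the hunks shown.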