add patches from upstream to fix security issues in the dvi-backend

(CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643)
The dvi backend is only built with the (non-default) "dvi" option.

6 files changed, 94 insertions, 1 deletions

diff --git a/print/evince/distinfo b/print/evince/distinfo
index 4dcfc1e1b38..573ed03d84f 100644
--- a/print/evince/distinfo
+++ b/print/evince/distinfo
@@ -1,5 +1,10 @@
-$NetBSD: distinfo,v 1.30 2010/07/06 15:35:07 drochner Exp $
+$NetBSD: distinfo,v 1.31 2011/01/10 20:16:55 drochner Exp $
 
 SHA1 (evince-2.30.3.tar.bz2) = 381730a6fc66bbd823edbd0aa50b480e5d40f130
 RMD160 (evince-2.30.3.tar.bz2) = 67b5a9ba2da16f20946447cfcbd482505b2f4fc0
 Size (evince-2.30.3.tar.bz2) = 2180874 bytes
+SHA1 (patch-ba) = d4a76caf461fb4734c05025bc8c00f2549c22e19
+SHA1 (patch-bb) = e4ef54ccb32414e335110167b4bc0363969aa612
+SHA1 (patch-bc) = 36bcaf9ecb6ac88f18272926b8fbb410f981edd9
+SHA1 (patch-bd) = 0922d241c81a9f4bb1c7056e97921299a9705160
+SHA1 (patch-be) = 3e3825b79eab8333ba42b3777ac8ad543409a857
diff --git a/print/evince/patches/patch-ba b/print/evince/patches/patch-ba
new file mode 100644
index 00000000000..ceee9d0b784
--- /dev/null
+++ b/print/evince/patches/patch-ba
@@ -0,0 +1,13 @@
+$NetBSD: patch-ba,v 1.1 2011/01/10 20:16:56 drochner Exp $
+
+--- backend/dvi/mdvi-lib/afmparse.c.orig	2009-04-24 07:24:16.000000000 +0000
++++ backend/dvi/mdvi-lib/afmparse.c
+@@ -160,7 +160,7 @@ static char *token(FILE *stream)
+     
+     idx = 0;
+     while (ch != EOF && ch != ' ' && ch != lineterm 
+-           && ch != '\t' && ch != ':' && ch != ';') 
++           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
+     {
+         ident[idx++] = ch;
+         ch = fgetc(stream);
diff --git a/print/evince/patches/patch-bb b/print/evince/patches/patch-bb
new file mode 100644
index 00000000000..75fcc0fd35f
--- /dev/null
+++ b/print/evince/patches/patch-bb
@@ -0,0 +1,15 @@
+$NetBSD: patch-bb,v 1.1 2011/01/10 20:16:56 drochner Exp $
+
+--- backend/dvi/mdvi-lib/dviread.c.orig	2010-07-14 07:54:39.000000000 +0000
++++ backend/dvi/mdvi-lib/dviread.c
+@@ -1537,6 +1537,10 @@ int	special(DviContext *dvi, int opcode)
+ 	Int32	arg;
+ 	
+ 	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
++	if (arg <= 0) {
++		dvierr(dvi, _("malformed special length\n"));
++		return -1;
++	}
+ 	s = mdvi_malloc(arg + 1);
+ 	dread(dvi, s, arg);
+ 	s[arg] = 0;
diff --git a/print/evince/patches/patch-bc b/print/evince/patches/patch-bc
new file mode 100644
index 00000000000..3fee437e186
--- /dev/null
+++ b/print/evince/patches/patch-bc
@@ -0,0 +1,29 @@
+$NetBSD: patch-bc,v 1.1 2011/01/10 20:16:56 drochner Exp $
+
+--- backend/dvi/mdvi-lib/pk.c.orig	2010-07-14 07:54:39.000000000 +0000
++++ backend/dvi/mdvi-lib/pk.c
+@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unuse
+ 			}
+ 			if(feof(p))
+ 				break;
++
++			/* Although the PK format support bigger char codes,
++                         * XeTeX and other extended TeX engines support charcodes up to
++                         * 65536, while normal TeX engine supports only charcode up to 255.*/
++			if (cc < 0 || cc > 65536) {
++				mdvi_error (_("%s: unexpected charcode (%d)\n"),
++					    font->fontname,cc);
++				goto error;
++			} 
+ 			if(cc < loc)
+ 				loc = cc;
+ 			if(cc > hic)
+@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unuse
+ 	}
+ 
+ 	/* resize font char data */
+-	if(loc > 0 || hic < maxch-1) {
++	if(loc > 0 && hic < maxch-1) {
+ 		memmove(font->chars, font->chars + loc, 
+ 			(hic - loc + 1) * sizeof(DviFontChar));
+ 		font->chars = xresize(font->chars,
diff --git a/print/evince/patches/patch-bd b/print/evince/patches/patch-bd
new file mode 100644
index 00000000000..f6e7de951e5
--- /dev/null
+++ b/print/evince/patches/patch-bd
@@ -0,0 +1,14 @@
+$NetBSD: patch-bd,v 1.1 2011/01/10 20:16:56 drochner Exp $
+
+--- backend/dvi/mdvi-lib/tfmfile.c.orig	2010-07-14 07:54:39.000000000 +0000
++++ backend/dvi/mdvi-lib/tfmfile.c
+@@ -172,7 +172,8 @@ int	tfm_load_file(const char *filename, 
+ 	/* We read the entire TFM file into core */
+ 	if(fstat(fileno(in), &st) < 0)
+ 		return -1;
+-	if(st.st_size == 0)
++	/* according to the spec, TFM files are smaller than 16K */
++	if(st.st_size == 0 || st.st_size >= 16384)
+ 		goto bad_tfm;
+ 
+ 	/* allocate a word-aligned buffer to hold the file */
diff --git a/print/evince/patches/patch-be b/print/evince/patches/patch-be
new file mode 100644
index 00000000000..42f156d5467
--- /dev/null
+++ b/print/evince/patches/patch-be
@@ -0,0 +1,17 @@
+$NetBSD: patch-be,v 1.1 2011/01/10 20:16:56 drochner Exp $
+
+--- backend/dvi/mdvi-lib/vf.c.orig	2010-07-14 07:54:39.000000000 +0000
++++ backend/dvi/mdvi-lib/vf.c
+@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *param
+ 			cc = fuget1(p);
+ 			tfm = fuget3(p);
+ 		}
++		if (cc < 0 || cc > 65536) {
++			/* TeX engines do not support char codes bigger than 65535 */
++			mdvi_error(_("(vf) %s: unexpected character %d\n"),
++				   font->fontname, cc);
++			goto error;
++		}
+ 		if(loc < 0 || cc < loc)
+ 			loc = cc;
+ 		if(hic < 0 || cc > hic)