diff options
author | seb <seb@pkgsrc.org> | 2005-12-15 01:00:51 +0000 |
---|---|---|
committer | seb <seb@pkgsrc.org> | 2005-12-15 01:00:51 +0000 |
commit | a6a1ec704eeac6a30cec390b956fbab7e1367ff9 (patch) | |
tree | ea005893d3d0f137dee226fe45e47ba65e06c8c8 /print/poppler/patches/patch-ab | |
parent | efd2ef1d39336fdb420731fb6efb4ee2ed928ed3 (diff) | |
download | pkgsrc-a6a1ec704eeac6a30cec390b956fbab7e1367ff9.tar.gz |
Pullup ticket 955 - requested by Lubomir Sedlacik
security fix via patch for print/poppler
Module Name: pkgsrc
Committed By: salo
Date: Sun Dec 11 05:08:50 UTC 2005
Modified Files:
pkgsrc/print/poppler: Makefile distinfo
Added Files:
pkgsrc/print/poppler/patches: patch-aa patch-ab patch-ac
Log Message:
Security fixes for CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193.
Patches from xpdf.
Diffstat (limited to 'print/poppler/patches/patch-ab')
-rw-r--r-- | print/poppler/patches/patch-ab | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/print/poppler/patches/patch-ab b/print/poppler/patches/patch-ab new file mode 100644 index 00000000000..8bc8ef73bc9 --- /dev/null +++ b/print/poppler/patches/patch-ab @@ -0,0 +1,31 @@ +$NetBSD: patch-ab,v 1.1.2.2 2005/12/15 01:00:51 seb Exp $ + +Security fix for CVE-2005-3193. + +--- poppler/JPXStream.cc.orig 2005-03-03 20:46:03.000000000 +0100 ++++ poppler/JPXStream.cc 2005-12-11 06:14:42.000000000 +0100 +@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le + int segType; + GBool haveSIZ, haveCOD, haveQCD, haveSOT; + Guint precinctSize, style; +- Guint segLen, capabilities, comp, i, j, r; ++ Guint segLen, capabilities, nTiles, comp, i, j, r; + + //----- main header + haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; +@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * +- sizeof(JPXTile)); ++ nTiles = img.nXTiles * img.nYTiles; ++ // check for overflow before allocating memory ++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * + sizeof(JPXTileComp)); |