Pullup ticket 955 - requested by Lubomir Sedlacik

security fix via patch for print/poppler

   Module Name:	pkgsrc
   Committed By:	salo
   Date:		Sun Dec 11 05:08:50 UTC 2005

   Modified Files:
   	pkgsrc/print/poppler: Makefile distinfo
   Added Files:
   	pkgsrc/print/poppler/patches: patch-aa patch-ab patch-ac

   Log Message:
   Security fixes for CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193.
   Patches from xpdf.

1 files changed, 31 insertions, 0 deletions

diff --git a/print/poppler/patches/patch-ab b/print/poppler/patches/patch-ab
new file mode 100644
index 00000000000..8bc8ef73bc9
--- /dev/null
+++ b/print/poppler/patches/patch-ab
@@ -0,0 +1,31 @@
+$NetBSD: patch-ab,v 1.1.2.2 2005/12/15 01:00:51 seb Exp $
+
+Security fix for CVE-2005-3193.
+
+--- poppler/JPXStream.cc.orig	2005-03-03 20:46:03.000000000 +0100
++++ poppler/JPXStream.cc	2005-12-11 06:14:42.000000000 +0100
+@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+ 
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      nTiles = img.nXTiles * img.nYTiles;
++      // check for overflow before allocating memory
++      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++        error(getPos(), "Bad tile count in JPX SIZ marker segment");
++        return gFalse;
++      }
++      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));