authortron <tron>2006-01-24 21:51:36 +0000
committertron <tron>2006-01-24 21:51:36 +0000
commit536f30508f4ad37517d17419945259eea906ede0 (patch)
treeb77fda1844e34028967994b9af71d99afce04704 /print/teTeX3-bin
parentafb7a7f44f8f0a9329c60cc0a55e236b27541f11 (diff)
Incorporate fixes for vulnerabilities reported in SA17916 and SA18329,
bump package revision.
Diffstat (limited to 'print/teTeX3-bin')
-rw-r--r--print/teTeX3-bin/Makefile4
-rw-r--r--print/teTeX3-bin/distinfo6
-rw-r--r--print/teTeX3-bin/patches/patch-ag38
-rw-r--r--print/teTeX3-bin/patches/patch-ah21
-rw-r--r--print/teTeX3-bin/patches/patch-ai75
-rw-r--r--print/teTeX3-bin/patches/patch-al121
6 files changed, 262 insertions, 3 deletions
diff --git a/print/teTeX3-bin/Makefile b/print/teTeX3-bin/Makefile
index b82fa5e38d5..1372786a976 100644
--- a/print/teTeX3-bin/Makefile
+++ b/print/teTeX3-bin/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.12 2006/01/09 11:59:55 tron Exp $
+# $NetBSD: Makefile,v 1.13 2006/01/24 21:51:36 tron Exp $
DISTNAME= tetex-src-3.0
PKGNAME= ${DISTNAME:C/tetex/teTeX/:C/src/bin/}
-PKGREVISION= 5
+PKGREVISION= 6
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_TEX_CTAN:=systems/unix/teTeX/3.0/distrib/}
diff --git a/print/teTeX3-bin/distinfo b/print/teTeX3-bin/distinfo
index 18594d13346..0cdc9789dbc 100644
--- a/print/teTeX3-bin/distinfo
+++ b/print/teTeX3-bin/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2006/01/09 11:59:55 tron Exp $
+$NetBSD: distinfo,v 1.4 2006/01/24 21:51:36 tron Exp $
SHA1 (teTeX/tetex-src-3.0.tar.gz) = 7637789f7f4929694aed1b89820f5bad4753e8fc
RMD160 (teTeX/tetex-src-3.0.tar.gz) = 15a139f5f36993e4ed3583260e175cfb13ce7bcc
@@ -9,6 +9,10 @@ SHA1 (patch-ac) = af7d8c65cece55b7f37e7cf3c99c85e75cb911a1
SHA1 (patch-ad) = 23d8e8729bc10748cceba5be3272484ab50f34e6
SHA1 (patch-ae) = 68825699db129b82f476c37ba3b6e20a8831ad6e
SHA1 (patch-af) = d5fd0e1b30b1ea9fd96fe5983088df5a723f04b7
+SHA1 (patch-ag) = 7cafd77044dabc5a8ac3094fb8685211d81e3262
+SHA1 (patch-ah) = 5f65fab7570c0971f044b50cb996af89c493b98e
+SHA1 (patch-ai) = b3def9f08a8684e5ac78434ddc4863146133b236
SHA1 (patch-aj) = e9e62bdb9f956f0f8a9dc4fe9988309b7c6aa767
SHA1 (patch-ak) = ba06c10c1151173e04f3a6cc44d44a89f1933bb8
+SHA1 (patch-al) = e1fc74bd6ea05176dfac4e99958f0e1281b89b3b
SHA1 (patch-ap) = 0ca7341b416842fbc00a935d6cfdb0531c4169ba
diff --git a/print/teTeX3-bin/patches/patch-ag b/print/teTeX3-bin/patches/patch-ag
new file mode 100644
index 00000000000..0f86bcf9092
--- /dev/null
+++ b/print/teTeX3-bin/patches/patch-ag
@@ -0,0 +1,38 @@
+$NetBSD: patch-ag,v 1.1 2006/01/24 21:51:36 tron Exp $
+
+--- libs/xpdf/xpdf/JPXStream.cc.orig 2004-01-22 01:26:45.000000000 +0000
++++ libs/xpdf/xpdf/JPXStream.cc 2006-01-24 18:32:17.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +702,14 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ // check for overflow before allocating memory
++ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
++ img.nXTiles >= INT_MAX/img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ nTiles = img.nXTiles * img.nYTiles;
++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp));
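Review bot: The overflow guard in the SIZ hunk bounds the product `img.nXTiles * img.nYTiles` against INT_MAX, but the size actually handed to gmalloc is `nTiles * sizeof(JPXTile)`, so a tile count just under the bound can still wrap once it is multiplied by the element size. Folding the element size into the limit closes that gap, e.g. `img.nXTiles >= INT_MAX / sizeof(JPXTile) / img.nYTiles`. The per-tile allocation on the next lines, `img.nComps * sizeof(JPXTileComp)`, has the same shape and no check in this hunk; whether `img.nComps` is bounded earlier in the function is not visible here. The loop condition could also use the new `nTiles` instead of recomputing the product.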
diff --git a/print/teTeX3-bin/patches/patch-ah b/print/teTeX3-bin/patches/patch-ah
new file mode 100644
index 00000000000..1dc70c0ff48
--- /dev/null
+++ b/print/teTeX3-bin/patches/patch-ah
@@ -0,0 +1,21 @@
+$NetBSD: patch-ah,v 1.1 2006/01/24 21:51:36 tron Exp $
+
+--- libs/xpdf/xpdf/Stream.h.orig 2004-01-22 01:26:45.000000000 +0000
++++ libs/xpdf/xpdf/Stream.h 2006-01-24 18:44:04.000000000 +0000
+@@ -233,6 +233,8 @@
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -250,6 +252,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
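Review bot: The new `ok` member is the only field in this block without a trailing comment, and `isOk()` does not say what a caller must do when it returns false. The Stream.cc change in this commit leaves `predLine` NULL when the parameters are rejected, and `lookChar()`/`getChar()` presumably read that buffer, so the contract is worth writing down here. I would use `GBool ok; // gFalse if the parameters were rejected; predLine is NULL then`, and above the accessor `// check after construction, before calling lookChar()/getChar()`. The class declaration starts and ends outside this hunk.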
diff --git a/print/teTeX3-bin/patches/patch-ai b/print/teTeX3-bin/patches/patch-ai
new file mode 100644
index 00000000000..a4f4e6fd965
--- /dev/null
+++ b/print/teTeX3-bin/patches/patch-ai
@@ -0,0 +1,75 @@
+$NetBSD: patch-ai,v 1.1 2006/01/24 21:51:36 tron Exp $
+
+--- libs/xpdf/xpdf/JBIG2Stream.cc.orig 2004-01-22 01:26:45.000000000 +0000
++++ libs/xpdf/xpdf/JBIG2Stream.cc 2006-01-24 18:51:43.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -681,7 +682,13 @@
+ w = wA;
+ h = hA;
+ line = (wA + 7) >> 3;
+- data = (Guchar *)gmalloc(h * line);
++
++ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ data = NULL;
++ }
++ else {
++ data = (Guchar *)gmalloc(h * line);
++ }
+ }
+
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -690,6 +697,12 @@
+ w = bitmap->w;
+ h = bitmap->h;
+ line = bitmap->line;
++
++ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ data = NULL;
++ return;
++ }
++
+ data = (Guchar *)gmalloc(h * line);
+ memcpy(data, bitmap->data, h * line);
+ }
+@@ -716,7 +729,7 @@
+ }
+
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+- if (newH <= h) {
++ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
+ return;
+ }
+ data = (Guchar *)grealloc(data, newH * line);
+@@ -2256,6 +2269,15 @@
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
++ if (gridH == 0 || gridW >= INT_MAX / gridH) {
++ error(getPos(), "Bad size in JBIG2 halftone segment");
++ return;
++ }
++ if (w == 0 || h >= INT_MAX / w) {
++ error(getPos(), "Bad size in JBIG2 bitmap segment");
++ return;
++ }
++
+ patternDict = (JBIG2PatternDict *)seg;
+ bpp = 0;
+ i = 1;
+@@ -2887,6 +2909,9 @@
+ JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
+ int x, y, pix;
+
++ if (w < 0 || h <= 0 || w >= INT_MAX / h)
++ return NULL;
++
+ bitmap = new JBIG2Bitmap(0, w, h);
+ bitmap->clearToZero();
+
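Review bot: Both JBIG2Bitmap constructors now set `data = NULL` when the dimensions are rejected but leave `w`, `h` and `line` at the rejected values, and the class gets no validity flag, so any later member call that sizes its access from `h * line` would presumably go through a null pointer. The last hunk guards one construction site before `bitmap->clearToZero()`, but the other `new JBIG2Bitmap` call sites are not visible here. Resetting the geometry in the failure branch would make the object inert, e.g. `w = h = line = 0; data = NULL;`, or the class could expose an `isOk()` as StreamPredictor does in this commit. `expand()` also returns silently when the new size is rejected, so its callers cannot tell that the bitmap was not grown.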
diff --git a/print/teTeX3-bin/patches/patch-al b/print/teTeX3-bin/patches/patch-al
new file mode 100644
index 00000000000..700095b579f
--- /dev/null
+++ b/print/teTeX3-bin/patches/patch-al
@@ -0,0 +1,121 @@
+$NetBSD: patch-al,v 1.1 2006/01/24 21:51:36 tron Exp $
+
+--- libs/xpdf/xpdf/Stream.cc.orig 2004-01-22 01:26:45.000000000 +0000
++++ libs/xpdf/xpdf/Stream.cc 2006-01-24 21:37:45.000000000 +0000
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -412,13 +413,28 @@
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps >= INT_MAX/nBits ||
++ width >= INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals = width * nComps;
++ if (nVals * nBits + 7 <= 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1028,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -1260,6 +1280,9 @@
+ endOfLine = endOfLineA;
+ byteAlign = byteAlignA;
+ columns = columnsA;
++ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
++ columns = 1;
++ }
+ rows = rowsA;
+ endOfBlock = endOfBlockA;
+ black = blackA;
+@@ -2897,6 +2920,10 @@
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2923,6 +2950,10 @@
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2945,6 +2976,10 @@
+
+ length = read16() - 2;
+ scanInfo.numComps = str->getChar();
++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length != 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -3019,12 +3054,12 @@
+ while (length > 0) {
+ index = str->getChar();
+ --length;
+- if ((index & 0x0f) >= 4) {
++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+ error(getPos(), "Bad DCT Huffman table");
+ return gFalse;
+ }
+ if (index & 0x10) {
+- index &= 0x0f;
++ index &= 0x03;
+ if (index >= numACHuffTables)
+ numACHuffTables = index+1;
+ tbl = &acHuffTables[index];
+@@ -3255,6 +3290,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
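Review bot: The `columns` guard (`columns + 3 < 1 || columns + 4 < 1`) tests for overflow after doing the addition, which is undefined for a signed int (assuming `columns` is one, as the `< 1` tests suggest) and may be dropped by an optimizing compiler; `nVals * nBits + 7 <= 0` in the StreamPredictor hunk has the same problem. Comparing against the limit before adding avoids it: `if (columns < 1 || columns > INT_MAX - 4) {` and `if (nVals * nBits > INT_MAX - 7) {`. Separately, the two frame-header calls `error(getPos(), "Bad number of components in DCT stream", prec);` pass `prec` with no conversion in the format string, so the argument should be dropped. The enclosing functions all start and end outside these hunks.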