Security fix for CAN-2005-2097.

"A vulnerability has been reported in Xpdf, which can be exploited by
malicious people to cause a DoS (Denial of Service) on a vulnerable system."

http://secunia.com/advisories/16374/

Patches from Ubuntu and RedHat.

2 files changed, 64 insertions, 0 deletions

diff --git a/print/xpdf/patches/patch-ar b/print/xpdf/patches/patch-ar
new file mode 100644
index 00000000000..f5cdc2ae497
--- /dev/null
+++ b/print/xpdf/patches/patch-ar
@@ -0,0 +1,34 @@
+$NetBSD: patch-ar,v 1.1 2005/08/12 12:27:30 salo Exp $
+
+Fix for CAN-2005-2097, from Ubuntu and RedHat.
+
+--- fofi/FoFiTrueType.cc.orig	2004-01-22 02:26:44.000000000 +0100
++++ fofi/FoFiTrueType.cc	2005-08-12 13:49:51.000000000 +0200
+@@ -1343,6 +1343,27 @@
+     return;
+   }
+ 
++  // make sure the loca table is sane (correct length and entries are
++  // in bounds)
++  i = seekTable("loca");
++  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
++    parsedOk = gFalse;
++    return;
++  }
++  for (j = 0; j <= nGlyphs; ++j) {
++    if (locaFmt) {
++      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
++    } else {
++      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
++    }
++    if (pos < 0 || pos > len) {
++      parsedOk = gFalse;
++    }
++  }
++  if (!parsedOk) {
++    return;
++  }
++
+   // read the post table
+   readPostTable();
+   if (!parsedOk) {
diff --git a/print/xpdf/patches/patch-as b/print/xpdf/patches/patch-as
new file mode 100644
index 00000000000..49803fadd3c
--- /dev/null
+++ b/print/xpdf/patches/patch-as
@@ -0,0 +1,30 @@
+$NetBSD: patch-as,v 1.1 2005/08/12 12:27:30 salo Exp $
+
+Fix for CAN-2005-2097, from Ubuntu and RedHat.
+
+--- xpdf/SplashOutputDev.cc.orig	2004-01-22 02:26:45.000000000 +0100
++++ xpdf/SplashOutputDev.cc	2005-08-12 13:54:26.000000000 +0200
+@@ -621,16 +621,19 @@
+       }
+       break;
+     case fontTrueType:
+-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
+-	goto err2;
+-      }
++      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+       codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
++	n = 256;
+       delete ff;
++      } else {
++	codeToGID = NULL;
++	n = 0;
++      }
+       if (!(fontFile = fontEngine->loadTrueTypeFont(
+ 			   id,
+ 			   fileName->getCString(),
+ 			   fileName == tmpFileName,
+-			   codeToGID, 256))) {
++			   codeToGID, n))) {
+ 	error(-1, "Couldn't create a font for '%s'",
+ 	      gfxFont->getName() ? gfxFont->getName()->getCString()
+ 	                         : "(unnamed)");