summaryrefslogtreecommitdiff
path: root/print
diff options
context:
space:
mode:
authortron <tron@pkgsrc.org>2006-01-22 23:13:33 +0000
committertron <tron@pkgsrc.org>2006-01-22 23:13:33 +0000
commitdfbeb47005e8f127ddf3f7b0e4ad55ebad32e6c8 (patch)
treed5c72ee8a4fd1b825be49774d81cea190a518f07 /print
parent74925d06863e03b83333fc7560ab4fe883da93fc (diff)
downloadpkgsrc-dfbeb47005e8f127ddf3f7b0e4ad55ebad32e6c8.tar.gz
Apply security fix for SA18303 taken from Fedora Core 4.
Bump package revision because of this fix.
Diffstat (limited to 'print')
-rw-r--r--print/xpdf/Makefile4
-rw-r--r--print/xpdf/distinfo6
-rw-r--r--print/xpdf/patches/patch-ao79
-rw-r--r--print/xpdf/patches/patch-aq32
-rw-r--r--print/xpdf/patches/patch-at101
5 files changed, 204 insertions, 18 deletions
diff --git a/print/xpdf/Makefile b/print/xpdf/Makefile
index 3034ac35573..96c6cc82599 100644
--- a/print/xpdf/Makefile
+++ b/print/xpdf/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.51 2006/01/22 22:01:11 ghen Exp $
+# $NetBSD: Makefile,v 1.52 2006/01/22 23:13:33 tron Exp $
DISTNAME= xpdf-3.01
PKGNAME= ${DISTNAME}pl1
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= print
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/xpdf/} \
diff --git a/print/xpdf/distinfo b/print/xpdf/distinfo
index 986975141af..9592ca11cff 100644
--- a/print/xpdf/distinfo
+++ b/print/xpdf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2005/12/20 16:00:16 ghen Exp $
+$NetBSD: distinfo,v 1.25 2006/01/22 23:13:33 tron Exp $
SHA1 (xpdf-3.01.tar.gz) = 472cbf0f3df4e20a3ab7ada2e704b4e10d1d385b
RMD160 (xpdf-3.01.tar.gz) = d734065ce12db8d0c37d9d0ac0ca7c287be59442
@@ -20,6 +20,8 @@ SHA1 (patch-ak) = ed9506fd0cba7e350608cd40b1f794253f30e917
SHA1 (patch-al) = b6e958b0592ac285b3ade90079c83da30db8a8b6
SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef
SHA1 (patch-an) = 94ea208c43f4df1ac3a9bf01cc874d488ae49a9a
+SHA1 (patch-ao) = 9faff0cca36db1a8030e6cc0587e66105c9026b2
+SHA1 (patch-aq) = ab8d29fe9743711fd57fe5b0506c1dc31e65c40e
SHA1 (patch-ar) = f3d320991e189a21244acd31ca5cc6cfdb18bd96
-SHA1 (patch-at) = 8827e22d0f3e341ed45ad92637b02a3a31f3168d
+SHA1 (patch-at) = ca00e6cf293e3683bda41d03b6b140175c992884
SHA1 (patch-au) = af765089ee88369da0afef534f46ec50c5cc6d4f
diff --git a/print/xpdf/patches/patch-ao b/print/xpdf/patches/patch-ao
new file mode 100644
index 00000000000..52c236062ab
--- /dev/null
+++ b/print/xpdf/patches/patch-ao
@@ -0,0 +1,79 @@
+$NetBSD: patch-ao,v 1.3 2006/01/22 23:13:33 tron Exp $
+
+--- xpdf/JBIG2Stream.cc.orig 2005-08-17 06:34:31.000000000 +0100
++++ xpdf/JBIG2Stream.cc 2006-01-22 22:48:31.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -681,9 +682,15 @@
+ w = wA;
+ h = hA;
+ line = (wA + 7) >> 3;
+- // need to allocate one extra guard byte for use in combine()
+- data = (Guchar *)gmalloc(h * line + 1);
+- data[h * line] = 0;
++
++ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ data = NULL;
++ }
++ else {
++ // need to allocate one extra guard byte for use in combine()
++ data = (Guchar *)gmalloc(h * line + 1);
++ data[h * line] = 0;
++ }
+ }
+
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -692,6 +699,12 @@
+ w = bitmap->w;
+ h = bitmap->h;
+ line = bitmap->line;
++
++ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++ data = NULL;
++ return;
++ }
++
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+ memcpy(data, bitmap->data, h * line);
+@@ -720,7 +733,7 @@
+ }
+
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+- if (newH <= h) {
++ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
+ return;
+ }
+ // need to allocate one extra guard byte for use in combine()
+@@ -2305,6 +2318,15 @@
+ error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+ return;
+ }
++ if (gridH == 0 || gridW >= INT_MAX / gridH) {
++ error(getPos(), "Bad size in JBIG2 halftone segment");
++ return;
++ }
++ if (w == 0 || h >= INT_MAX / w) {
++ error(getPos(), "Bad size in JBIG2 bitmap segment");
++ return;
++ }
++
+ patternDict = (JBIG2PatternDict *)seg;
+ bpp = 0;
+ i = 1;
+@@ -2936,6 +2958,9 @@
+ JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
+ int x, y, pix;
+
++ if (w < 0 || h <= 0 || w >= INT_MAX / h)
++ return NULL;
++
+ bitmap = new JBIG2Bitmap(0, w, h);
+ bitmap->clearToZero();
+
diff --git a/print/xpdf/patches/patch-aq b/print/xpdf/patches/patch-aq
new file mode 100644
index 00000000000..26fca77eb60
--- /dev/null
+++ b/print/xpdf/patches/patch-aq
@@ -0,0 +1,32 @@
+$NetBSD: patch-aq,v 1.1 2006/01/22 23:13:33 tron Exp $
+
+--- xpdf/JPXStream.cc.orig 2006-01-22 22:52:51.000000000 +0000
++++ xpdf/JPXStream.cc 2006-01-22 22:48:31.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+
+ #include <aconf.h>
++#include <limits.h>
+
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -818,13 +819,15 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+- if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+- error(getPos(), "Bad tile count in JPX SIZ marker segment");
+- return gFalse;
++ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
++ img.nXTiles >= INT_MAX/img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
+ }
++ nTiles = img.nXTiles * img.nYTiles;
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
++
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+ sizeof(JPXTileComp));
diff --git a/print/xpdf/patches/patch-at b/print/xpdf/patches/patch-at
index 1b020dc6867..abe8cbdd061 100644
--- a/print/xpdf/patches/patch-at
+++ b/print/xpdf/patches/patch-at
@@ -1,28 +1,101 @@
-$NetBSD: patch-at,v 1.1 2005/12/18 20:05:32 dillo Exp $
+$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $
---- xpdf/Stream.cc.orig 2005-12-15 22:53:25.000000000 -0500
-+++ xpdf/Stream.cc
-@@ -2919,11 +2919,7 @@ GBool DCTStream::readBaselineSOF() {
- width = read16();
- numComps = str->getChar();
- if (numComps <= 0 || numComps > 4) {
+--- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000
++++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -401,8 +402,6 @@
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
+- int totalBits;
+-
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+@@ -411,15 +410,17 @@
+ predLine = NULL;
+ ok = gFalse;
+
++ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++ nComps >= INT_MAX/nBits ||
++ width >= INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals = width * nComps;
+- totalBits = nVals * nBits;
+- if (totalBits == 0 ||
+- (totalBits / nBits) / nComps != width ||
+- totalBits + 7 < 0) {
++ if (nVals * nBits + 7 <= 0) {
+ return;
+ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
+@@ -1275,7 +1276,7 @@
+ endOfLine = endOfLineA;
+ byteAlign = byteAlignA;
+ columns = columnsA;
+- if (columns < 1) {
++ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
+ columns = 1;
+ }
+ rows = rowsA;
+@@ -2922,10 +2923,6 @@
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
+- if (numComps <= 0 || numComps > 4) {
- error(getPos(), "Bad number of components in DCT stream", prec);
- return gFalse;
- }
-- if (numComps <= 0 || numComps > 4) {
-- error(getPos(), "Bad number of components in DCT stream", prec);
-+ error(getPos(), "Bad number of components %d in DCT stream", numComps);
- return gFalse;
- }
if (prec != 8) {
-@@ -2952,6 +2948,10 @@ GBool DCTStream::readProgressiveSOF() {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2952,6 +2949,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
-+ error(getPos(), "Bad number of components %d in DCT stream", numComps);
++ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
+@@ -2974,6 +2975,10 @@
+
+ length = read16() - 2;
+ scanInfo.numComps = str->getChar();
++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length != 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -3058,12 +3063,12 @@
+ while (length > 0) {
+ index = str->getChar();
+ --length;
+- if ((index & 0x0f) >= 4) {
++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+ error(getPos(), "Bad DCT Huffman table");
+ return gFalse;
+ }
+ if (index & 0x10) {
+- index &= 0x0f;
++ index &= 0x03;
+ if (index >= numACHuffTables)
+ numACHuffTables = index+1;
+ tbl = &acHuffTables[index];