Diffstat (limited to 'print/poppler/patches/patch-aa')
-rw-r--r-- | print/poppler/patches/patch-aa | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/print/poppler/patches/patch-aa b/print/poppler/patches/patch-aa
new file mode 100644
index 00000000000..b22536acc49
--- /dev/null
+++ b/print/poppler/patches/patch-aa
@@ -0,0 +1,31 @@
+$NetBSD: patch-aa,v 1.3 2005/12/11 05:08:50 salo Exp $
+
+Security fix for CVE-2005-3193.
+
+--- poppler/JPXStream.cc.orig 2005-03-03 20:46:03.000000000 +0100
++++ poppler/JPXStream.cc 2005-12-11 05:58:51.000000000 +0100
+@@ -666,7 +666,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ nTiles = img.nXTiles * img.nYTiles;
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp)); |
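Review bot: The new guard only proves that `img.nXTiles * img.nYTiles` fits in a Guint; the following `gmalloc(nTiles * sizeof(JPXTile))` still multiplies by the element size, and that product can wrap (or exceed whatever range gmalloc's size parameter accepts, which is not visible here), leaving a buffer smaller than the loop below assumes. Extending the condition with a bound such as `nTiles >= INT_MAX / sizeof(JPXTile)`, or switching to an overflow-checked array allocator if this tree provides one, would close that gap. The context line `gmalloc(img.nComps * sizeof(JPXTileComp))` carries the same unchecked multiplication on a value that presumably also comes from the SIZ segment, and the loop bound could reuse `nTiles` rather than recomputing the product. The enclosing function starts and ends outside the hunk, so whether `img.xTileSize`, `img.yTileSize` and `img.nComps` are validated earlier cannot be confirmed from here.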