From 2483500823f80d36d0b0f3c200a4ead6d8dc5402 Mon Sep 17 00:00:00 2001
From: jlam
Date: Sat, 17 Dec 2005 04:22:55 +0000
Subject: Fix for the following security advisories which affect cups-1.1.x: CAN-2005-3191 CAN-2005-3192 The fixes were largely copied from xpdf-3.01pl1.patch from foolabs.com; however, patch-be for Stream.cxx also includes a proper fix for CAN-2005-3191 which was only partially fixed in the foolabs.com patch. Bump the PKGREVISION to 4.
---
 print/cups/Makefile | 4 +--
 print/cups/distinfo | 4 ++-
 print/cups/patches/patch-be | 84 +++++++++++++++++++++++++++++++++++++++++++++
 print/cups/patches/patch-bf | 21 ++++++++++++
 4 files changed, 110 insertions(+), 3 deletions(-)
 create mode 100644 print/cups/patches/patch-be
 create mode 100644 print/cups/patches/patch-bf
(limited to 'print/cups')
diff --git a/print/cups/Makefile b/print/cups/Makefile
index e45f17e8a4c..4caace2ee98 100644
--- a/print/cups/Makefile
+++ b/print/cups/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.100 2005/12/05 23:55:16 rillig Exp $
+# $NetBSD: Makefile,v 1.101 2005/12/17 04:22:55 jlam Exp $
 #
 # The CUPS author is very good about taking back changes into the main
 # CUPS distribution. The correct place to send patches or bug-fixes is:
@@ -6,7 +6,7 @@
 DISTNAME= cups-${DIST_VERS}-source
 PKGNAME= cups-${VERS}
-PKGREVISION= 3
+PKGREVISION= 4
 BASE_VERS= 1.1.23
 DIST_VERS= ${BASE_VERS}
 VERS= ${DIST_VERS:S/-/./g}
diff --git a/print/cups/distinfo b/print/cups/distinfo
index 94bf209cf69..064712383ce 100644
--- a/print/cups/distinfo
+++ b/print/cups/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.34 2005/12/03 01:41:56 joerg Exp $
+$NetBSD: distinfo,v 1.35 2005/12/17 04:22:55 jlam Exp $
 SHA1 (cups-1.1.23-source.tar.bz2) = 32d5bfb44c4edc1b54ccb014b5a44499295c6c5c
 RMD160 (cups-1.1.23-source.tar.bz2) = 255ec4c22422b14f2367d69f3ec7e590dc46bea5
@@ -12,3 +12,5 @@ SHA1 (patch-at) = aa36ec591164675b889d2cf32e4d754e9b6db94f
 SHA1 (patch-au) = ab43911c1b27b250a257c67d1d34066237e4da98
 SHA1 (patch-av) = 33437f71e0b6443b172246f1962f9d2eebbd8f11
 SHA1 (patch-aw) = f9a83423eac1a631b67e10911e0ef9e111da9b84
+SHA1 (patch-be) = f9b4733f1d5ea28066fc0f0272b5e2b5f9881108
+SHA1 (patch-bf) = 50d42bcdf3b103e2c5828baa2661ec1c87c7da1c
diff --git a/print/cups/patches/patch-be b/print/cups/patches/patch-be
new file mode 100644
index 00000000000..70727aa81b9
--- /dev/null
+++ b/print/cups/patches/patch-be
@@ -0,0 +1,84 @@
+$NetBSD: patch-be,v 1.1 2005/12/17 04:22:55 jlam Exp $
+
+--- pdftops/Stream.cxx.orig 2004-02-02 17:41:09.000000000 -0500
++++ pdftops/Stream.cxx
+@@ -404,18 +404,34 @@ void ImageStream::skipLine() {
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
+ nVals = width * nComps;
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
++
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -991,6 +1007,10 @@ LZWStream::LZWStream(Stream *strA, int p
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -2891,6 +2911,10 @@ GBool DCTStream::readBaselineSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components %d in DCT stream", numComps);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2917,6 +2941,10 @@ GBool DCTStream::readProgressiveSOF() {
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components %d in DCT stream", numComps);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -3249,6 +3277,10 @@ FlateStream::FlateStream(Stream *strA, i
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
diff --git a/print/cups/patches/patch-bf b/print/cups/patches/patch-bf
new file mode 100644
index 00000000000..21a5b67506a
--- /dev/null
+++ b/print/cups/patches/patch-bf
@@ -0,0 +1,21 @@
+$NetBSD: patch-bf,v 1.1 2005/12/17 04:22:55 jlam Exp $
+
+--- pdftops/Stream.h.orig 2004-02-02 17:41:09.000000000 -0500
++++ pdftops/Stream.h
+@@ -231,6 +231,8 @@ public:
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -248,6 +250,7 @@ private:
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok; // flag for proper initialization
+ };
+
+ //------------------------------------------------------------------------
-- 
cgit v1.2.3
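Review bot: In the StreamPredictor constructor hunk of patch-be, the new overflow test runs only after `nVals = width * nComps` and `totalBits = nVals * nBits` have been evaluated, and it never rejects a non-positive `width`, `nComps` or `nBits`. Signed overflow in those products is undefined behaviour, so a compiler may drop the divide-back comparison, and a pair of negative inputs can still satisfy it while leaving `pixBytes` negative. A guard placed before the first multiplication covers both cases: `if (width <= 0 || nComps <= 0 || nBits <= 0 || width > INT_MAX / nComps || width * nComps > (INT_MAX - 7) / nBits) return;` (needs `<limits.h>`). Separately, the LZWStream and FlateStream hunks delete a rejected predictor and continue with `pred = NULL`, the same state as `predictor == 1`, so the stream is decoded without prediction and nothing is reported; an `error(getPos(), ...)` call in that branch, as the DCT hunks already do, would make the rejection visible.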
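Review bot: The new `isOk()` accessor in Stream.h carries no comment telling callers what a false result means, although patch-be leaves `predLine` NULL and `predIdx` unset when the constructor returns early. Only the LZWStream and FlateStream call sites shown on this page check it, so any other user of StreamPredictor would presumably reach the null line buffer through `lookChar()` or `getChar()`. I would state the contract at the declaration, for example `// gFalse if the constructor rejected width/nComps/nBits; delete the object without calling lookChar()/getChar()`, and declare the accessor `const` since it only reads `ok`. The class declaration starts and ends outside this hunk.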