From 770ccf26c6e57020e8a78df93ab8ce47a013e04f Mon Sep 17 00:00:00 2001
From: kei <kei@pkgsrc.org>
Date: Mon, 17 Jan 2005 12:19:13 +0000
Subject: fixed CAN-2004-0888.  Since xpdf included with teTeX is 2.01, so this
 back-ported fix is pulled from FreeBSD ports collection.  Hiroki Sato noticed
 and helped me a lot.

---
 print/teTeX-bin/distinfo         |  4 ++-
 print/teTeX-bin/patches/patch-aj | 37 ++++++++++++++++++++++++++
 print/teTeX-bin/patches/patch-ak | 57 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 print/teTeX-bin/patches/patch-aj
 create mode 100644 print/teTeX-bin/patches/patch-ak

(limited to 'print/teTeX-bin')

diff --git a/print/teTeX-bin/distinfo b/print/teTeX-bin/distinfo
index 49ec127ea0c..caf64969c68 100644
--- a/print/teTeX-bin/distinfo
+++ b/print/teTeX-bin/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2005/01/16 08:35:08 kei Exp $
+$NetBSD: distinfo,v 1.9 2005/01/17 12:19:13 kei Exp $
 
 SHA1 (teTeX/tetex-src-2.0.2.tar.gz) = 6445206b14d659458ee352df78d2c2daf8e88ab3
 Size (teTeX/tetex-src-2.0.2.tar.gz) = 11745933 bytes
@@ -11,5 +11,7 @@ SHA1 (patch-af) = d5fd0e1b30b1ea9fd96fe5983088df5a723f04b7
 SHA1 (patch-ag) = a6fd35e0cfbe4041abebb3e64ae825dcc4ec1dda
 SHA1 (patch-ah) = b028d996fcbf602f94b93b51a04578d893dd972c
 SHA1 (patch-ai) = b8c34c089b1c3730f57915fddd63762dea2f3435
+SHA1 (patch-aj) = 933ce880af54f2049c7f795621c2c237742026da
+SHA1 (patch-ak) = ef7f151fb786e6fe288d904bb0804fe2d9bfce40
 SHA1 (patch-ap) = 40543e9a2fb87d296557f3a8bd9a7207b2331a8e
 SHA1 (patch-aq) = f90ed07b2de340c55c6d987fdaa59d7ed6d46e0f
diff --git a/print/teTeX-bin/patches/patch-aj b/print/teTeX-bin/patches/patch-aj
new file mode 100644
index 00000000000..e47294b51a8
--- /dev/null
+++ b/print/teTeX-bin/patches/patch-aj
@@ -0,0 +1,37 @@
+$NetBSD: patch-aj,v 1.3 2005/01/17 12:19:13 kei Exp $
+
+--- libs/xpdf/xpdf/Catalog.cc.orig	Mon Nov  4 07:15:36 2002
++++ libs/xpdf/xpdf/Catalog.cc	Fri Oct 29 09:18:17 2004
+@@ -22,6 +22,7 @@
+ #include "Error.h"
+ #include "Link.h"
+ #include "Catalog.h"
++#include <limits.h>
+ 
+ //------------------------------------------------------------------------
+ // Catalog
+@@ -63,6 +64,12 @@
+   }
+   pagesSize = numPages0 = obj.getInt();
+   obj.free();
++  if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
++      (pagesSize >= INT_MAX / sizeof(Ref))) {
++    error(-1, "Invalid 'pagesSize'");
++    ok = gFalse;
++    return;
++  }
+   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+   for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@
+       }
+       if (start >= pagesSize) {
+ 	pagesSize += 32;
++	if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
++	    (pagesSize >= INT_MAX/sizeof(Ref))) {
++	  error(-1, "Invalid 'pagesSize' parameter.");
++	  goto err3;
++	}
+ 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ 	for (j = pagesSize - 32; j < pagesSize; ++j) {
diff --git a/print/teTeX-bin/patches/patch-ak b/print/teTeX-bin/patches/patch-ak
new file mode 100644
index 00000000000..0ccffa4a2e7
--- /dev/null
+++ b/print/teTeX-bin/patches/patch-ak
@@ -0,0 +1,57 @@
+$NetBSD: patch-ak,v 1.3 2005/01/17 12:19:13 kei Exp $
+
+--- libs/xpdf/xpdf/XRef.cc.orig	Mon Nov  4 07:15:37 2002
++++ libs/xpdf/xpdf/XRef.cc	Fri Oct 29 09:18:17 2004
+@@ -28,6 +28,7 @@
+ #include "Error.h"
+ #include "ErrorCodes.h"
+ #include "XRef.h"
++#include <limits.h>
+ 
+ //------------------------------------------------------------------------
+ 
+@@ -76,6 +77,11 @@
+ 
+   // trailer is ok - read the xref table
+   } else {
++    if ( size >= INT_MAX/sizeof(XRefEntry)) {
++      error(-1, "Invalid 'size' inside xref table.");
++      ok = gFalse;
++      return;
++    }
+     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+     for (i = 0; i < size; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -267,6 +273,10 @@
+     // table size
+     if (first + n > size) {
+       newSize = size + 256;
++      if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++	error(-1, "Invalid 'newSize'");
++	goto err2;
++      }
+       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+       for (i = size; i < newSize; ++i) {
+ 	entries[i].offset = 0xffffffff;
+@@ -410,6 +420,10 @@
+ 	    if (!strncmp(p, "obj", 3)) {
+ 	      if (num >= size) {
+ 		newSize = (num + 1 + 255) & ~255;
++		if (newSize >= INT_MAX / sizeof(XRefEntry)) {
++		  error(-1, "Invalid 'obj' parameters.");
++		  return gFalse;
++		}
+ 		entries = (XRefEntry *)
+ 		            grealloc(entries, newSize * sizeof(XRefEntry));
+ 		for (i = size; i < newSize; ++i) {
+@@ -431,6 +445,10 @@
+     } else if (!strncmp(p, "endstream", 9)) {
+       if (streamEndsLen == streamEndsSize) {
+ 	streamEndsSize += 64;
++  	if (streamEndsSize >= INT_MAX/sizeof(int)) {
++  	  error(-1, "Invalid 'endstream' parameter.");
++  	  return gFalse;
++  	}
+ 	streamEnds = (Guint *)grealloc(streamEnds,
+ 				       streamEndsSize * sizeof(int));
+       }
-- 
cgit v1.2.3