From ec20f730d64e5ee2746e2b45dea1e31b8e482cad Mon Sep 17 00:00:00 2001
From: kei
Date: Sun, 16 Jan 2005 08:35:08 +0000
Subject: applied patches pulled from xpdf-3.00pl2.patch. this should fix security problems described in CAN-2004-0888. pointed out by Thomas Klausner.
---
 print/teTeX-bin/distinfo | 4 +++-
 print/teTeX-bin/patches/patch-ah | 15 +++++++++++++++
 print/teTeX-bin/patches/patch-ai | 16 ++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 print/teTeX-bin/patches/patch-ah
 create mode 100644 print/teTeX-bin/patches/patch-ai
(limited to 'print/teTeX-bin')
diff --git a/print/teTeX-bin/distinfo b/print/teTeX-bin/distinfo
index 27d00c8b643..49ec127ea0c 100644
--- a/print/teTeX-bin/distinfo
+++ b/print/teTeX-bin/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2004/10/22 19:32:35 jmmv Exp $
+$NetBSD: distinfo,v 1.8 2005/01/16 08:35:08 kei Exp $
 
 SHA1 (teTeX/tetex-src-2.0.2.tar.gz) = 6445206b14d659458ee352df78d2c2daf8e88ab3
 Size (teTeX/tetex-src-2.0.2.tar.gz) = 11745933 bytes
@@ -9,5 +9,7 @@ SHA1 (patch-ad) = 377f52b45ea66b88f682aaa7f0dd72dee8f986fb
 SHA1 (patch-ae) = 68825699db129b82f476c37ba3b6e20a8831ad6e
 SHA1 (patch-af) = d5fd0e1b30b1ea9fd96fe5983088df5a723f04b7
 SHA1 (patch-ag) = a6fd35e0cfbe4041abebb3e64ae825dcc4ec1dda
+SHA1 (patch-ah) = b028d996fcbf602f94b93b51a04578d893dd972c
+SHA1 (patch-ai) = b8c34c089b1c3730f57915fddd63762dea2f3435
 SHA1 (patch-ap) = 40543e9a2fb87d296557f3a8bd9a7207b2331a8e
 SHA1 (patch-aq) = f90ed07b2de340c55c6d987fdaa59d7ed6d46e0f
diff --git a/print/teTeX-bin/patches/patch-ah b/print/teTeX-bin/patches/patch-ah
new file mode 100644
index 00000000000..0fb3b54e858
--- /dev/null
+++ b/print/teTeX-bin/patches/patch-ah
@@ -0,0 +1,15 @@
+$NetBSD: patch-ah,v 1.3 2005/01/16 08:35:08 kei Exp $
+
+--- libs/xpdf/xpdf/Gfx.cc.orig 2005-01-04 16:23:02.000000000 +0900
++++ libs/xpdf/xpdf/Gfx.cc 2005-01-04 16:27:39.000000000 +0900
+@@ -2381,7 +2381,9 @@
+ haveMask = gFalse;
+ dict->lookup("Mask", &maskObj);
+ if (maskObj.isArray()) {
+- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++ for (i = 0;
++ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++ ++i) {
+ maskObj.arrayGet(i, &obj1);
+ maskColors[i] = obj1.getInt();
+ obj1.free();
diff --git a/print/teTeX-bin/patches/patch-ai b/print/teTeX-bin/patches/patch-ai
new file mode 100644
index 00000000000..88c388e42e3
--- /dev/null
+++ b/print/teTeX-bin/patches/patch-ai
@@ -0,0 +1,16 @@
+$NetBSD: patch-ai,v 1.3 2005/01/16 08:35:08 kei Exp $
+
+--- libs/xpdf/xpdf/GfxState.cc.orig 2005-01-04 16:27:49.000000000 +0900
++++ libs/xpdf/xpdf/GfxState.cc 2005-01-04 16:30:39.000000000 +0900
+@@ -708,6 +708,11 @@
+ }
+ nCompsA = obj2.getInt();
+ obj2.free();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "ICCBased color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ if (dict->lookup("Alternate", &obj2)->isNull() ||
+ !(altA = GfxColorSpace::parse(&obj2))) {
+ switch (nCompsA) {
-- cgit v1.2.3
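Review bot: In the Gfx.cc hunk carried by patch-ah, the new bound `i < 2*gfxColorMaxComps` stops the out-of-range write to `maskColors[i]`, but it discards the surplus entries silently and still stores `obj1.getInt()` without checking that the entry is an integer. An over-long Mask array means the document is malformed, so it should be reported before the loop, for example `if (maskObj.arrayGetLength() > 2*gfxColorMaxComps) error(-1, "Mask array too long");` (assuming the `error()` used in the GfxState.cc hunk is available here), and non-integer entries should be rejected with an `obj1.isInt()` test. The limit presumably mirrors the declared size of `maskColors`, which is outside the hunk; a comment such as `// bound must match the size of maskColors[]` would keep the two from drifting apart. The enclosing function starts and ends outside the hunk.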
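Review bot: In the GfxState.cc hunk carried by patch-ai, only the upper bound of `nCompsA` is checked, so a zero or negative count taken from `obj2.getInt()` still reaches `switch (nCompsA)` and whatever uses the count afterwards. The guard should cover the lower bound as well, e.g. `if (nCompsA < 1 || nCompsA > gfxColorMaxComps)`, and an invalid low value is better treated as a parse error (with the cleanup the function's other error paths do) than clamped. Clamping also lets parsing continue with a count that no longer matches the value stored in the document, so any later code relating this count to the Alternate color space or to the stream data should be checked against that mismatch. The function body starts and ends outside the hunk, so the type check on `obj2` and the later uses of `nCompsA` are not visible here.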