From 6227fc222161a00f9af7f283cc11de6b385e5e32 Mon Sep 17 00:00:00 2001
From: tron <tron>
Date: Sun, 22 Jan 2006 23:13:33 +0000
Subject: Apply security fix for SA18303 taken from Fedora Core 4. Bump package
 revision because of this fix.

---
 print/xpdf/Makefile         |   4 +-
 print/xpdf/distinfo         |   6 ++-
 print/xpdf/patches/patch-ao |  79 ++++++++++++++++++++++++++++++++++
 print/xpdf/patches/patch-aq |  32 ++++++++++++++
 print/xpdf/patches/patch-at | 101 ++++++++++++++++++++++++++++++++++++++------
 5 files changed, 204 insertions(+), 18 deletions(-)
 create mode 100644 print/xpdf/patches/patch-ao
 create mode 100644 print/xpdf/patches/patch-aq

(limited to 'print/xpdf')

diff --git a/print/xpdf/Makefile b/print/xpdf/Makefile
index 3034ac35573..96c6cc82599 100644
--- a/print/xpdf/Makefile
+++ b/print/xpdf/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.51 2006/01/22 22:01:11 ghen Exp $
+# $NetBSD: Makefile,v 1.52 2006/01/22 23:13:33 tron Exp $
 
 DISTNAME=	xpdf-3.01
 PKGNAME=	${DISTNAME}pl1
-PKGREVISION=	3
+PKGREVISION=	4
 CATEGORIES=	print
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/ \
 		${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/xpdf/} \
diff --git a/print/xpdf/distinfo b/print/xpdf/distinfo
index 986975141af..9592ca11cff 100644
--- a/print/xpdf/distinfo
+++ b/print/xpdf/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.24 2005/12/20 16:00:16 ghen Exp $
+$NetBSD: distinfo,v 1.25 2006/01/22 23:13:33 tron Exp $
 
 SHA1 (xpdf-3.01.tar.gz) = 472cbf0f3df4e20a3ab7ada2e704b4e10d1d385b
 RMD160 (xpdf-3.01.tar.gz) = d734065ce12db8d0c37d9d0ac0ca7c287be59442
@@ -20,6 +20,8 @@ SHA1 (patch-ak) = ed9506fd0cba7e350608cd40b1f794253f30e917
 SHA1 (patch-al) = b6e958b0592ac285b3ade90079c83da30db8a8b6
 SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef
 SHA1 (patch-an) = 94ea208c43f4df1ac3a9bf01cc874d488ae49a9a
+SHA1 (patch-ao) = 9faff0cca36db1a8030e6cc0587e66105c9026b2
+SHA1 (patch-aq) = ab8d29fe9743711fd57fe5b0506c1dc31e65c40e
 SHA1 (patch-ar) = f3d320991e189a21244acd31ca5cc6cfdb18bd96
-SHA1 (patch-at) = 8827e22d0f3e341ed45ad92637b02a3a31f3168d
+SHA1 (patch-at) = ca00e6cf293e3683bda41d03b6b140175c992884
 SHA1 (patch-au) = af765089ee88369da0afef534f46ec50c5cc6d4f
diff --git a/print/xpdf/patches/patch-ao b/print/xpdf/patches/patch-ao
new file mode 100644
index 00000000000..52c236062ab
--- /dev/null
+++ b/print/xpdf/patches/patch-ao
@@ -0,0 +1,79 @@
+$NetBSD: patch-ao,v 1.3 2006/01/22 23:13:33 tron Exp $
+
+--- xpdf/JBIG2Stream.cc.orig	2005-08-17 06:34:31.000000000 +0100
++++ xpdf/JBIG2Stream.cc	2006-01-22 22:48:31.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+ 
+ #include <aconf.h>
++#include <limits.h>
+ 
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -681,9 +682,15 @@
+   w = wA;
+   h = hA;
+   line = (wA + 7) >> 3;
+-  // need to allocate one extra guard byte for use in combine()
+-  data = (Guchar *)gmalloc(h * line + 1);
+-  data[h * line] = 0;
++
++  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++    data = NULL;
++  }
++  else {
++    // need to allocate one extra guard byte for use in combine()
++    data = (Guchar *)gmalloc(h * line + 1);
++    data[h * line] = 0;
++  }
+ }
+ 
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -692,6 +699,12 @@
+   w = bitmap->w;
+   h = bitmap->h;
+   line = bitmap->line;
++
++  if (h < 0 || line <= 0 || h >= INT_MAX / line) {
++    data = NULL;
++    return;
++  }
++ 
+   // need to allocate one extra guard byte for use in combine()
+   data = (Guchar *)gmalloc(h * line + 1);
+   memcpy(data, bitmap->data, h * line);
+@@ -720,7 +733,7 @@
+ }
+ 
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+-  if (newH <= h) {
++  if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
+     return;
+   }
+   // need to allocate one extra guard byte for use in combine()
+@@ -2305,6 +2318,15 @@
+     error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+     return;
+   }
++  if (gridH == 0 || gridW >= INT_MAX / gridH) {
++    error(getPos(), "Bad size in JBIG2 halftone segment");
++    return;
++  }
++  if (w == 0 || h >= INT_MAX / w) {
++     error(getPos(), "Bad size in JBIG2 bitmap segment");
++    return;
++  }
++
+   patternDict = (JBIG2PatternDict *)seg;
+   bpp = 0;
+   i = 1;
+@@ -2936,6 +2958,9 @@
+   JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
+   int x, y, pix;
+ 
++  if (w < 0 || h <= 0 || w >= INT_MAX / h)
++    return NULL;
++
+   bitmap = new JBIG2Bitmap(0, w, h);
+   bitmap->clearToZero();
+ 
diff --git a/print/xpdf/patches/patch-aq b/print/xpdf/patches/patch-aq
new file mode 100644
index 00000000000..26fca77eb60
--- /dev/null
+++ b/print/xpdf/patches/patch-aq
@@ -0,0 +1,32 @@
+$NetBSD: patch-aq,v 1.1 2006/01/22 23:13:33 tron Exp $
+
+--- xpdf/JPXStream.cc.orig	2006-01-22 22:52:51.000000000 +0000
++++ xpdf/JPXStream.cc	2006-01-22 22:48:31.000000000 +0000
+@@ -7,6 +7,7 @@
+ //========================================================================
+ 
+ #include <aconf.h>
++#include <limits.h>
+ 
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -818,13 +819,15 @@
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      nTiles = img.nXTiles * img.nYTiles;
+       // check for overflow before allocating memory
+-      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+-	error(getPos(), "Bad tile count in JPX SIZ marker segment");
+-	return gFalse;
++      if (img.nXTiles <= 0 || img.nYTiles <= 0 || 
++              img.nXTiles >= INT_MAX/img.nYTiles) {
++          error(getPos(), "Bad tile count in JPX SIZ marker segment");
++          return gFalse;
+       }
++      nTiles = img.nXTiles * img.nYTiles;
+       img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
++
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
+ 							 sizeof(JPXTileComp));
diff --git a/print/xpdf/patches/patch-at b/print/xpdf/patches/patch-at
index 1b020dc6867..abe8cbdd061 100644
--- a/print/xpdf/patches/patch-at
+++ b/print/xpdf/patches/patch-at
@@ -1,28 +1,101 @@
-$NetBSD: patch-at,v 1.1 2005/12/18 20:05:32 dillo Exp $
+$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $
 
---- xpdf/Stream.cc.orig	2005-12-15 22:53:25.000000000 -0500
-+++ xpdf/Stream.cc
-@@ -2919,11 +2919,7 @@ GBool DCTStream::readBaselineSOF() {
-   width = read16();
-   numComps = str->getChar();
-   if (numComps <= 0 || numComps > 4) {
+--- xpdf/Stream.cc.orig	2006-01-22 23:03:34.000000000 +0000
++++ xpdf/Stream.cc	2006-01-22 23:03:00.000000000 +0000
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -401,8 +402,6 @@
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
+-  int totalBits;
+-
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+@@ -411,15 +410,17 @@
+   predLine = NULL;
+   ok = gFalse;
+ 
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps >= INT_MAX/nBits ||
++      width >= INT_MAX/nComps/nBits) {
++    return;
++  }
+   nVals = width * nComps;
+-  totalBits = nVals * nBits;
+-  if (totalBits == 0 ||
+-      (totalBits / nBits) / nComps != width ||
+-      totalBits + 7 < 0) {
++  if (nVals * nBits + 7 <= 0) {
+     return;
+   }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+   if (rowBytes < 0) {
+     return;
+   }
+@@ -1275,7 +1276,7 @@
+   endOfLine = endOfLineA;
+   byteAlign = byteAlignA;
+   columns = columnsA;
+-  if (columns < 1) {
++  if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
+     columns = 1;
+   }
+   rows = rowsA;
+@@ -2922,10 +2923,6 @@
+     error(getPos(), "Bad number of components in DCT stream", prec);
+     return gFalse;
+   }
+-  if (numComps <= 0 || numComps > 4) {
 -    error(getPos(), "Bad number of components in DCT stream", prec);
 -    return gFalse;
 -  }
--  if (numComps <= 0 || numComps > 4) {
--    error(getPos(), "Bad number of components in DCT stream", prec);
-+    error(getPos(), "Bad number of components %d in DCT stream", numComps);
-     return gFalse;
-   }
    if (prec != 8) {
-@@ -2952,6 +2948,10 @@ GBool DCTStream::readProgressiveSOF() {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2952,6 +2949,10 @@
    height = read16();
    width = read16();
    numComps = str->getChar();
 +  if (numComps <= 0 || numComps > 4) {
-+    error(getPos(), "Bad number of components %d in DCT stream", numComps);
++    error(getPos(), "Bad number of components in DCT stream", prec);
 +    return gFalse;
 +  }
    if (prec != 8) {
      error(getPos(), "Bad DCT precision %d", prec);
      return gFalse;
+@@ -2974,6 +2975,10 @@
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -3058,12 +3063,12 @@
+   while (length > 0) {
+     index = str->getChar();
+     --length;
+-    if ((index & 0x0f) >= 4) {
++    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+       error(getPos(), "Bad DCT Huffman table");
+       return gFalse;
+     }
+     if (index & 0x10) {
+-      index &= 0x0f;
++      index &= 0x03;
+       if (index >= numACHuffTables)
+ 	numACHuffTables = index+1;
+       tbl = &acHuffTables[index];
-- 
cgit v1.2.3