From e72e3d602167a03e38603aa37f6e7fb38762fbc9 Mon Sep 17 00:00:00 2001 From: tron Date: Sun, 22 Jan 2006 23:13:33 +0000 Subject: Apply security fix for SA18303 taken from Fedora Core 4. Bump package revision because of this fix. --- print/xpdf/Makefile | 4 +- print/xpdf/distinfo | 6 ++- print/xpdf/patches/patch-ao | 79 ++++++++++++++++++++++++++++++++++ print/xpdf/patches/patch-aq | 32 ++++++++++++++ print/xpdf/patches/patch-at | 101 ++++++++++++++++++++++++++++++++++++++------ 5 files changed, 204 insertions(+), 18 deletions(-) create mode 100644 print/xpdf/patches/patch-ao create mode 100644 print/xpdf/patches/patch-aq (limited to 'print/xpdf') diff --git a/print/xpdf/Makefile b/print/xpdf/Makefile index 3034ac35573..96c6cc82599 100644 --- a/print/xpdf/Makefile +++ b/print/xpdf/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.51 2006/01/22 22:01:11 ghen Exp $ +# $NetBSD: Makefile,v 1.52 2006/01/22 23:13:33 tron Exp $ DISTNAME= xpdf-3.01 PKGNAME= ${DISTNAME}pl1 -PKGREVISION= 3 +PKGREVISION= 4 CATEGORIES= print MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \ ${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/xpdf/} \ diff --git a/print/xpdf/distinfo b/print/xpdf/distinfo index 986975141af..9592ca11cff 100644 --- a/print/xpdf/distinfo +++ b/print/xpdf/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.24 2005/12/20 16:00:16 ghen Exp $ +$NetBSD: distinfo,v 1.25 2006/01/22 23:13:33 tron Exp $ SHA1 (xpdf-3.01.tar.gz) = 472cbf0f3df4e20a3ab7ada2e704b4e10d1d385b RMD160 (xpdf-3.01.tar.gz) = d734065ce12db8d0c37d9d0ac0ca7c287be59442 @@ -20,6 +20,8 @@ SHA1 (patch-ak) = ed9506fd0cba7e350608cd40b1f794253f30e917 SHA1 (patch-al) = b6e958b0592ac285b3ade90079c83da30db8a8b6 SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef SHA1 (patch-an) = 94ea208c43f4df1ac3a9bf01cc874d488ae49a9a +SHA1 (patch-ao) = 9faff0cca36db1a8030e6cc0587e66105c9026b2 +SHA1 (patch-aq) = ab8d29fe9743711fd57fe5b0506c1dc31e65c40e SHA1 (patch-ar) = f3d320991e189a21244acd31ca5cc6cfdb18bd96 -SHA1 (patch-at) = 8827e22d0f3e341ed45ad92637b02a3a31f3168d +SHA1 (patch-at) = ca00e6cf293e3683bda41d03b6b140175c992884 SHA1 (patch-au) = af765089ee88369da0afef534f46ec50c5cc6d4f diff --git a/print/xpdf/patches/patch-ao b/print/xpdf/patches/patch-ao new file mode 100644 index 00000000000..52c236062ab --- /dev/null +++ b/print/xpdf/patches/patch-ao @@ -0,0 +1,79 @@ +$NetBSD: patch-ao,v 1.3 2006/01/22 23:13:33 tron Exp $ + +--- xpdf/JBIG2Stream.cc.orig 2005-08-17 06:34:31.000000000 +0100 ++++ xpdf/JBIG2Stream.cc 2006-01-22 22:48:31.000000000 +0000 +@@ -7,6 +7,7 @@ + //======================================================================== + + #include ++#include + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -681,9 +682,15 @@ + w = wA; + h = hA; + line = (wA + 7) >> 3; +- // need to allocate one extra guard byte for use in combine() +- data = (Guchar *)gmalloc(h * line + 1); +- data[h * line] = 0; ++ ++ if (h < 0 || line <= 0 || h >= INT_MAX / line) { ++ data = NULL; ++ } ++ else { ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); ++ data[h * line] = 0; ++ } + } + + JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): +@@ -692,6 +699,12 @@ + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; ++ ++ if (h < 0 || line <= 0 || h >= INT_MAX / line) { ++ data = NULL; ++ return; ++ } ++ + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); +@@ -720,7 +733,7 @@ + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +- if (newH <= h) { ++ if (newH <= h || line <= 0 || newH >= INT_MAX / line) { + return; + } + // need to allocate one extra guard byte for use in combine() +@@ -2305,6 +2318,15 @@ + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad size in JBIG2 halftone segment"); ++ return; ++ } ++ if (w == 0 || h >= INT_MAX / w) { ++ error(getPos(), "Bad size in JBIG2 bitmap segment"); ++ return; ++ } ++ + patternDict = (JBIG2PatternDict *)seg; + bpp = 0; + i = 1; +@@ -2936,6 +2958,9 @@ + JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; + int x, y, pix; + ++ if (w < 0 || h <= 0 || w >= INT_MAX / h) ++ return NULL; ++ + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); + diff --git a/print/xpdf/patches/patch-aq b/print/xpdf/patches/patch-aq new file mode 100644 index 00000000000..26fca77eb60 --- /dev/null +++ b/print/xpdf/patches/patch-aq @@ -0,0 +1,32 @@ +$NetBSD: patch-aq,v 1.1 2006/01/22 23:13:33 tron Exp $ + +--- xpdf/JPXStream.cc.orig 2006-01-22 22:52:51.000000000 +0000 ++++ xpdf/JPXStream.cc 2006-01-22 22:48:31.000000000 +0000 +@@ -7,6 +7,7 @@ + //======================================================================== + + #include ++#include + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -818,13 +819,15 @@ + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- nTiles = img.nXTiles * img.nYTiles; + // check for overflow before allocating memory +- if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { +- error(getPos(), "Bad tile count in JPX SIZ marker segment"); +- return gFalse; ++ if (img.nXTiles <= 0 || img.nYTiles <= 0 || ++ img.nXTiles >= INT_MAX/img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; + } ++ nTiles = img.nXTiles * img.nYTiles; + img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile)); ++ + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps, + sizeof(JPXTileComp)); diff --git a/print/xpdf/patches/patch-at b/print/xpdf/patches/patch-at index 1b020dc6867..abe8cbdd061 100644 --- a/print/xpdf/patches/patch-at +++ b/print/xpdf/patches/patch-at @@ -1,28 +1,101 @@ -$NetBSD: patch-at,v 1.1 2005/12/18 20:05:32 dillo Exp $ +$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $ ---- xpdf/Stream.cc.orig 2005-12-15 22:53:25.000000000 -0500 -+++ xpdf/Stream.cc -@@ -2919,11 +2919,7 @@ GBool DCTStream::readBaselineSOF() { - width = read16(); - numComps = str->getChar(); - if (numComps <= 0 || numComps > 4) { +--- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000 ++++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000 +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #ifndef WIN32 + #include + #endif +@@ -401,8 +402,6 @@ + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { +- int totalBits; +- + str = strA; + predictor = predictorA; + width = widthA; +@@ -411,15 +410,17 @@ + predLine = NULL; + ok = gFalse; + ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX/nBits || ++ width >= INT_MAX/nComps/nBits) { ++ return; ++ } + nVals = width * nComps; +- totalBits = nVals * nBits; +- if (totalBits == 0 || +- (totalBits / nBits) / nComps != width || +- totalBits + 7 < 0) { ++ if (nVals * nBits + 7 <= 0) { + return; + } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; + if (rowBytes < 0) { + return; + } +@@ -1275,7 +1276,7 @@ + endOfLine = endOfLineA; + byteAlign = byteAlignA; + columns = columnsA; +- if (columns < 1) { ++ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) { + columns = 1; + } + rows = rowsA; +@@ -2922,10 +2923,6 @@ + error(getPos(), "Bad number of components in DCT stream", prec); + return gFalse; + } +- if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); - return gFalse; - } -- if (numComps <= 0 || numComps > 4) { -- error(getPos(), "Bad number of components in DCT stream", prec); -+ error(getPos(), "Bad number of components %d in DCT stream", numComps); - return gFalse; - } if (prec != 8) { -@@ -2952,6 +2948,10 @@ GBool DCTStream::readProgressiveSOF() { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2952,6 +2949,10 @@ height = read16(); width = read16(); numComps = str->getChar(); + if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components %d in DCT stream", numComps); ++ error(getPos(), "Bad number of components in DCT stream", prec); + return gFalse; + } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; +@@ -2974,6 +2975,10 @@ + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +@@ -3058,12 +3063,12 @@ + while (length > 0) { + index = str->getChar(); + --length; +- if ((index & 0x0f) >= 4) { ++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { + error(getPos(), "Bad DCT Huffman table"); + return gFalse; + } + if (index & 0x10) { +- index &= 0x0f; ++ index &= 0x03; + if (index >= numACHuffTables) + numACHuffTables = index+1; + tbl = &acHuffTables[index]; -- cgit v1.2.3