path: root/print/xpdf/patches/patch-aq
$NetBSD: patch-aq,v 1.4 2011/10/27 02:35:41 tez Exp $

Fix arbitrary code execution with embedded fonts (CVE-2008-1693).

--- xpdf/Object.h.orig	2011-08-15 16:08:53.000000000 -0500
+++ xpdf/Object.h	2011-10-26 20:48:41.411023600 -0500
@@ -68,17 +68,18 @@
 //------------------------------------------------------------------------
 
 #ifdef DEBUG_MEM
-#define initObj(t) ++numAlloc[type = t]
+#define initObj(t) zeroUnion(); ++numAlloc[type = t]
 #else
-#define initObj(t) type = t
+#define initObj(t) zeroUnion(); type = t
 #endif
 
 class Object {
 public:
-
+  // attempt to clear the anonymous union
+  void zeroUnion() { this->name = NULL; }
   // Default constructor.
   Object():
-    type(objNone) {}
+    type(objNone) { zeroUnion(); }
 
   // Initialize an object.
   Object *initBool(GBool boolnA)
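Review bot: The new `initObj(t)` expands to two statements, so any use as the body of an unbraced `if` or loop would make only `zeroUnion()` conditional while `type` is always assigned; the uses lie outside this hunk, so this may be latent only. A comma expression keeps the macro a single statement: `#define initObj(t) (zeroUnion(), type = t)` and, under DEBUG_MEM, `#define initObj(t) (zeroUnion(), ++numAlloc[type = t])`. Separately, `zeroUnion()` writes only the `name` member, which clears pointer-width bytes; if the union (declared outside the hunk) has a wider member, for instance a double on a 32-bit target, the remaining bytes stay uninitialized, and the comment `// attempt to clear the anonymous union` should state that limit.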
@@ -220,16 +221,16 @@
 #include "Array.h"
 
 inline int Object::arrayGetLength()
-  { return array->getLength(); }
+  { if (type != objArray) return 0; return array->getLength(); }
 
 inline void Object::arrayAdd(Object *elem)
-  { array->add(elem); }
+  { if (type == objArray) array->add(elem); }
 
 inline Object *Object::arrayGet(int i, Object *obj)
-  { return array->get(i, obj); }
+  { if (type != objArray) return obj->initNull(); return array->get(i, obj); }
 
 inline Object *Object::arrayGetNF(int i, Object *obj)
-  { return array->getNF(i, obj); }
+  { if (type != objArray) return obj->initNull(); return array->getNF(i, obj); }
 
 //------------------------------------------------------------------------
 // Dict accessors.
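Review bot: The guards in `arrayAdd` (and `dictAdd` in the Dict hunk) turn a wrong-type call into a silent no-op, so the caller cannot tell that `elem` was never stored. If `Array::add` normally takes over the element's contents (its definition is not visible here), the caller's object would then never be released. The getters here and in the Dict and Stream hunks behave the same way, returning 0, a null object or EOF with no diagnostic that a malformed document reached this path. At minimum the contract should be documented above the accessors, e.g. `// Accessors check 'type' and return a neutral value (0 / null object / no-op) on mismatch.`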
@@ -238,31 +239,31 @@
 #include "Dict.h"
 
 inline int Object::dictGetLength()
-  { return dict->getLength(); }
+  { if (type != objDict) return 0; return dict->getLength(); }
 
 inline void Object::dictAdd(char *key, Object *val)
-  { dict->add(key, val); }
+  { if (type == objDict) dict->add(key, val); }
 
 inline GBool Object::dictIs(const char *dictType)
-  { return dict->is(dictType); }
+  { return (type == objDict) && dict->is(dictType); }
 
 inline GBool Object::isDict(const char *dictType)
   { return type == objDict && dictIs(dictType); }
 
 inline Object *Object::dictLookup(const char *key, Object *obj, int recursion)
-  { return dict->lookup(key, obj, recursion); }
+  { if (type != objDict) return obj->initNull(); return dict->lookup(key, obj, recursion); }
 
 inline Object *Object::dictLookupNF(const char *key, Object *obj)
-  { return dict->lookupNF(key, obj); }
+  { if (type != objDict) return obj->initNull(); return dict->lookupNF(key, obj); }
 
 inline char *Object::dictGetKey(int i)
-  { return dict->getKey(i); }
+  { if (type != objDict) return NULL; return dict->getKey(i); }
 
 inline Object *Object::dictGetVal(int i, Object *obj)
-  { return dict->getVal(i, obj); }
+  { if (type != objDict) return obj->initNull(); return dict->getVal(i, obj); }
 
 inline Object *Object::dictGetValNF(int i, Object *obj)
-  { return dict->getValNF(i, obj); }
+  { if (type != objDict) return obj->initNull(); return dict->getValNF(i, obj); }
 
 //------------------------------------------------------------------------
 // Stream accessors.
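Review bot: `dictGetKey` now returns `NULL` on a type mismatch, as do `streamGetLine` and `streamGetDict` in the Stream hunk, and callers may never have handled that value from these accessors. A call site that chains on the result, for example one of the form `obj.streamGetDict()->lookup(...)`, becomes a null dereference. That is a crash rather than a call through a stale union pointer, but the call sites are not visible here and should be audited. A one-line comment on each accessor would make the new contract explicit, e.g. `// returns NULL if this object is not a dict`.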
@@ -271,33 +272,33 @@
 #include "Stream.h"
 
 inline GBool Object::streamIs(char *dictType)
-  { return stream->getDict()->is(dictType); }
+  { return (type == objStream) && stream->getDict()->is(dictType); }
 
 inline GBool Object::isStream(char *dictType)
-  { return type == objStream && streamIs(dictType); }
+  { return (type == objStream) && streamIs(dictType); }
 
 inline void Object::streamReset()
-  { stream->reset(); }
+  { if (type == objStream) stream->reset(); }
 
 inline void Object::streamClose()
-  { stream->close(); }
+  { if (type == objStream) stream->close(); }
 
 inline int Object::streamGetChar()
-  { return stream->getChar(); }
+  { if (type != objStream) return EOF; return stream->getChar(); }
 
 inline int Object::streamLookChar()
-  { return stream->lookChar(); }
+  { if (type != objStream) return EOF; return stream->lookChar(); }
 
 inline char *Object::streamGetLine(char *buf, int size)
-  { return stream->getLine(buf, size); }
+  { if (type != objStream) return NULL; return stream->getLine(buf, size); }
 
 inline Guint Object::streamGetPos()
-  { return stream->getPos(); }
+  { if (type != objStream) return 0; return stream->getPos(); }
 
 inline void Object::streamSetPos(Guint pos, int dir)
-  { stream->setPos(pos, dir); }
+  { if (type == objStream) stream->setPos(pos, dir); }
 
 inline Dict *Object::streamGetDict()
-  { return stream->getDict(); }
+  { if (type != objStream) return NULL; return stream->getDict(); }
 
 #endif