kpriv/pkgsrc
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update xpdf to 3.01 patch level 2. The patch level addresses a number of

Browse source 
vulnerabilities reported and adds at least some constraint checks not
done before.
This commit is contained in:
joerg 2006-03-29 17:20:09 +00:00
parent 19b807398e
commit 9ad2ba16ec
5 changed files with 9 additions and 194 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
print/xpdf/Makefile
View file

@ -1,15 +1,14 @@
# $NetBSD: Makefile,v 1.54 2006/03/04 21:30:32 jlam Exp $
# $NetBSD: Makefile,v 1.55 2006/03/29 17:20:09 joerg Exp $
DISTNAME= xpdf-3.01
PKGNAME= ${DISTNAME}pl1
PKGREVISION= 5
PKGNAME= ${DISTNAME}pl2
CATEGORIES= print
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
${MASTER_SITE_SUNSITE:=apps/graphics/viewers/X/xpdf/} \
http://gd.tuwien.ac.at/publishing/xpdf/
PATCH_SITES= ${MASTER_SITES}
PATCHFILES= xpdf-3.01pl1.patch
PATCHFILES= xpdf-3.01pl2.patch
PATCH_DIST_STRIP= -p1
MAINTAINER= pkgsrc-users@NetBSD.org

12
print/xpdf/distinfo
View file

@ -1,11 +1,11 @@
$NetBSD: distinfo,v 1.25 2006/01/22 23:13:33 tron Exp $
$NetBSD: distinfo,v 1.26 2006/03/29 17:20:09 joerg Exp $
SHA1 (xpdf-3.01.tar.gz) = 472cbf0f3df4e20a3ab7ada2e704b4e10d1d385b
RMD160 (xpdf-3.01.tar.gz) = d734065ce12db8d0c37d9d0ac0ca7c287be59442
Size (xpdf-3.01.tar.gz) = 599778 bytes
SHA1 (xpdf-3.01pl1.patch) = b8906e23b8de6c49f9e50aedaa160f17ea040f08
RMD160 (xpdf-3.01pl1.patch) = 123403a98df5d8191ac1f7b3780fb6c6e0bf344f
Size (xpdf-3.01pl1.patch) = 4936 bytes
SHA1 (xpdf-3.01pl2.patch) = c04ce1cc5ef30aa47ea528124d2ffbd840d22472
RMD160 (xpdf-3.01pl2.patch) = 5425c78f300b6e6eadf7a68327849c7f91b42b9f
Size (xpdf-3.01pl2.patch) = 12097 bytes
SHA1 (patch-aa) = 6664207f59076a2612cf4141b7ab4b072b404e3a
SHA1 (patch-ab) = fd4205c477ee4ac7660b8c1a707ea7b528ac4f90
SHA1 (patch-ac) = 6fa74df05e01510c792eb2b20f670e6903f30aa2
@ -20,8 +20,6 @@ SHA1 (patch-ak) = ed9506fd0cba7e350608cd40b1f794253f30e917
SHA1 (patch-al) = b6e958b0592ac285b3ade90079c83da30db8a8b6
SHA1 (patch-am) = 794ff952c749c8dab6f575d55602cdc7e7157fef
SHA1 (patch-an) = 94ea208c43f4df1ac3a9bf01cc874d488ae49a9a
SHA1 (patch-ao) = 9faff0cca36db1a8030e6cc0587e66105c9026b2
SHA1 (patch-aq) = ab8d29fe9743711fd57fe5b0506c1dc31e65c40e
SHA1 (patch-ao) = 3bd1be205e87cdbe3f2329e932c540185a7c3d09
SHA1 (patch-ar) = f3d320991e189a21244acd31ca5cc6cfdb18bd96
SHA1 (patch-at) = ca00e6cf293e3683bda41d03b6b140175c992884
SHA1 (patch-au) = af765089ee88369da0afef534f46ec50c5cc6d4f

51
print/xpdf/patches/patch-ao
View file

@ -1,56 +1,7 @@
$NetBSD: patch-ao,v 1.3 2006/01/22 23:13:33 tron Exp $
$NetBSD: patch-ao,v 1.4 2006/03/29 17:20:09 joerg Exp $
--- xpdf/JBIG2Stream.cc.orig 2005-08-17 06:34:31.000000000 +0100
+++ xpdf/JBIG2Stream.cc 2006-01-22 22:48:31.000000000 +0000
@@ -7,6 +7,7 @@
//========================================================================
#include <aconf.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -681,9 +682,15 @@
w = wA;
h = hA;
line = (wA + 7) >> 3;
- // need to allocate one extra guard byte for use in combine()
- data = (Guchar *)gmalloc(h * line + 1);
- data[h * line] = 0;
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ }
+ else {
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+ data[h * line] = 0;
+ }
}
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -692,6 +699,12 @@
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ return;
+ }
+
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
@@ -720,7 +733,7 @@
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
return;
}
// need to allocate one extra guard byte for use in combine()
@@ -2305,6 +2318,15 @@
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;

32
print/xpdf/patches/patch-aq
View file

@ -1,32 +0,0 @@
$NetBSD: patch-aq,v 1.1 2006/01/22 23:13:33 tron Exp $
--- xpdf/JPXStream.cc.orig 2006-01-22 22:52:51.000000000 +0000
+++ xpdf/JPXStream.cc 2006-01-22 22:48:31.000000000 +0000
@@ -7,6 +7,7 @@
//========================================================================
#include <aconf.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -818,13 +819,15 @@
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- nTiles = img.nXTiles * img.nYTiles;
// check for overflow before allocating memory
- if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
- error(getPos(), "Bad tile count in JPX SIZ marker segment");
- return gFalse;
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX/img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
}
+ nTiles = img.nXTiles * img.nYTiles;
img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
sizeof(JPXTileComp));

101
print/xpdf/patches/patch-at
View file

@ -1,101 +0,0 @@
$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $
--- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000
+++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+#include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
@@ -401,8 +402,6 @@
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
int widthA, int nCompsA, int nBitsA) {
- int totalBits;
-
str = strA;
predictor = predictorA;
width = widthA;
@@ -411,15 +410,17 @@
predLine = NULL;
ok = gFalse;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits) {
+ return;
+ }
nVals = width * nComps;
- totalBits = nVals * nBits;
- if (totalBits == 0 ||
- (totalBits / nBits) / nComps != width ||
- totalBits + 7 < 0) {
+ if (nVals * nBits + 7 <= 0) {
return;
}
pixBytes = (nComps * nBits + 7) >> 3;
- rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
if (rowBytes < 0) {
return;
}
@@ -1275,7 +1276,7 @@
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
- if (columns < 1) {
+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
columns = 1;
}
rows = rowsA;
@@ -2922,10 +2923,6 @@
error(getPos(), "Bad number of components in DCT stream", prec);
return gFalse;
}
- if (numComps <= 0 || numComps > 4) {
- error(getPos(), "Bad number of components in DCT stream", prec);
- return gFalse;
- }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2952,6 +2949,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2974,6 +2975,10 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
@@ -3058,12 +3063,12 @@
while (length > 0) {
index = str->getChar();
--length;
- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table");
return gFalse;
}
if (index & 0x10) {
- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];