opt/cups/cups-CAN-2005-2097.patch

diff -Nru cups-1.1.23.orig/pdftops/Catalog.cxx cups-1.1.23/pdftops/Catalog.cxx
--- cups-1.1.23.orig/pdftops/Catalog.cxx	2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx	2005-12-14 18:16:26.000000000 +0100
@@ -64,8 +64,8 @@
   }
   pagesSize = numPages0 = (int)obj.getNum();
   obj.free();
-  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
-      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
     error(-1, "Invalid 'pagesSize'");
     ok = gFalse;
     return;
@@ -197,7 +197,8 @@
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
-        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+           pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
           error(-1, "Invalid 'pagesSize' parameter.");
           goto err3;
         }
diff -Nru cups-1.1.23.orig/pdftops/Decrypt.cxx cups-1.1.23/pdftops/Decrypt.cxx
--- cups-1.1.23.orig/pdftops/Decrypt.cxx	2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Decrypt.cxx	2005-12-14 18:16:26.000000000 +0100
@@ -130,13 +130,19 @@
   Guchar *buf;
   Guchar test[32];
   Guchar fState[256];
-  Guchar tmpKey[16];
+  Guchar *tmpKey;
   Guchar fx, fy;
   int len, i, j;
   GBool ok;
 
+  // check whether we have non-zero keyLength
+  if ( !keyLength || keyLength > 16 ) {
+    return gFalse;
+  }
+
   // generate file key
   buf = (Guchar *)gmalloc(68 + fileID->getLength());
+  tmpKey = (Guchar *)gmalloc(keyLength * sizeof(Guchar));
   if (userPassword) {
     len = userPassword->getLength();
     if (len < 32) {
@@ -189,6 +195,7 @@
     ok = gFalse;
   }
 
+  gfree(tmpKey);
   gfree(buf);
   return ok;
 }
diff -Nru cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx
--- cups-1.1.23.orig/pdftops/FontFile.cxx	2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/FontFile.cxx	2005-12-14 18:16:26.000000000 +0100
@@ -18,6 +18,7 @@
 #include <stdarg.h>
 #include <string.h>
 #include <ctype.h>
+#include <error.h>
 #include "gmem.h"
 #include "GHash.h"
 #include "Error.h"
@@ -3572,6 +3573,9 @@
     } else {
       origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
     }
+
+    if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
+      error (1, 0, "bad loca table pos value");
   }
   qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
   for (i = 0; i < nGlyphs; ++i) {
diff -Nru cups-1.1.23.orig/pdftops/XRef.cxx cups-1.1.23/pdftops/XRef.cxx
--- cups-1.1.23.orig/pdftops/XRef.cxx	2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/XRef.cxx	2005-12-14 18:16:26.000000000 +0100
@@ -76,7 +76,7 @@
 
   // trailer is ok - read the xref table
   } else {
-    if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
       error(-1, "Invalid 'size' inside xref table.");
       ok = gFalse;
       errCode = errDamaged;
@@ -291,7 +291,7 @@
     // table size
     if (first + n > size) {
       newSize = first + n;
-      if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
         error(-1, "Invalid 'newSize'");
         goto err2;
       }
@@ -445,7 +445,7 @@
 	    if (!strncmp(p, "obj", 3)) {
 	      if (num >= size) {
 		newSize = (num + 1 + 255) & ~255;
-	        if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+	        if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
 	          error(-1, "Invalid 'obj' parameters.");
 	          return gFalse;
 	        }
@@ -470,7 +470,7 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
-        if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
           error(-1, "Invalid 'endstream' parameter.");
           return gFalse;
         }
create branch for 2.2 2006-02-23 15:26:10 +00:00			`diff -Nru cups-1.1.23.orig/pdftops/Catalog.cxx cups-1.1.23/pdftops/Catalog.cxx`
			`--- cups-1.1.23.orig/pdftops/Catalog.cxx 2005-12-14 18:14:18.000000000 +0100`
			`+++ cups-1.1.23/pdftops/Catalog.cxx 2005-12-14 18:16:26.000000000 +0100`
			`@@ -64,8 +64,8 @@`
			`}`
			`pagesSize = numPages0 = (int)obj.getNum();`
			`obj.free();`
			`- if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize \|\|`
			`- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {`
			`+ if (pagesSize(int)sizeof(Page )/sizeof(Page *) != pagesSize \|\|`
			`+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {`
			`error(-1, "Invalid 'pagesSize'");`
			`ok = gFalse;`
			`return;`
			`@@ -197,7 +197,8 @@`
			`}`
			`if (start >= pagesSize) {`
			`pagesSize += 32;`
			`- if (pagesSizesizeof(Page )/sizeof(Page *) != pagesSize) {`
			`+ if (pagesSize(int)sizeof(Page )/sizeof(Page *) != pagesSize \|\|`
			`+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {`
			`error(-1, "Invalid 'pagesSize' parameter.");`
			`goto err3;`
			`}`
			`diff -Nru cups-1.1.23.orig/pdftops/Decrypt.cxx cups-1.1.23/pdftops/Decrypt.cxx`
			`--- cups-1.1.23.orig/pdftops/Decrypt.cxx 2005-12-14 18:14:18.000000000 +0100`
			`+++ cups-1.1.23/pdftops/Decrypt.cxx 2005-12-14 18:16:26.000000000 +0100`
			`@@ -130,13 +130,19 @@`
			`Guchar *buf;`
			`Guchar test[32];`
			`Guchar fState[256];`
			`- Guchar tmpKey[16];`
			`+ Guchar *tmpKey;`
			`Guchar fx, fy;`
			`int len, i, j;`
			`GBool ok;`

			`+ // check whether we have non-zero keyLength`
			`+ if ( !keyLength \|\| keyLength > 16 ) {`
			`+ return gFalse;`
			`+ }`
			`+`
			`// generate file key`
			`buf = (Guchar *)gmalloc(68 + fileID->getLength());`
			`+ tmpKey = (Guchar )gmalloc(keyLength sizeof(Guchar));`
			`if (userPassword) {`
			`len = userPassword->getLength();`
			`if (len < 32) {`
			`@@ -189,6 +195,7 @@`
			`ok = gFalse;`
			`}`

			`+ gfree(tmpKey);`
			`gfree(buf);`
			`return ok;`
			`}`
			`diff -Nru cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx`
			`--- cups-1.1.23.orig/pdftops/FontFile.cxx 2005-12-14 18:14:18.000000000 +0100`
			`+++ cups-1.1.23/pdftops/FontFile.cxx 2005-12-14 18:16:26.000000000 +0100`
			`@@ -18,6 +18,7 @@`
			`#include <stdarg.h>`
			`#include <string.h>`
			`#include <ctype.h>`
			`+#include <error.h>`
			`#include "gmem.h"`
			`#include "GHash.h"`
			`#include "Error.h"`
			`@@ -3572,6 +3573,9 @@`
			`} else {`
			`origLocaTable[i].pos = 2 * getUShort(pos + 2*i);`
			`}`
			`+`
			`+ if (origLocaTable[i].pos < 0 \|\| origLocaTable[i].pos > len)`
			`+ error (1, 0, "bad loca table pos value");`
			`}`
			`qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);`
			`for (i = 0; i < nGlyphs; ++i) {`
			`diff -Nru cups-1.1.23.orig/pdftops/XRef.cxx cups-1.1.23/pdftops/XRef.cxx`
			`--- cups-1.1.23.orig/pdftops/XRef.cxx 2005-12-14 18:14:18.000000000 +0100`
			`+++ cups-1.1.23/pdftops/XRef.cxx 2005-12-14 18:16:26.000000000 +0100`
			`@@ -76,7 +76,7 @@`

			`// trailer is ok - read the xref table`
			`} else {`
			`- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {`
			`+ if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {`
			`error(-1, "Invalid 'size' inside xref table.");`
			`ok = gFalse;`
			`errCode = errDamaged;`
			`@@ -291,7 +291,7 @@`
			`// table size`
			`if (first + n > size) {`
			`newSize = first + n;`
			`- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {`
			`+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {`
			`error(-1, "Invalid 'newSize'");`
			`goto err2;`
			`}`
			`@@ -445,7 +445,7 @@`
			`if (!strncmp(p, "obj", 3)) {`
			`if (num >= size) {`
			`newSize = (num + 1 + 255) & ~255;`
			`- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {`
			`+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {`
			`error(-1, "Invalid 'obj' parameters.");`
			`return gFalse;`
			`}`
			`@@ -470,7 +470,7 @@`
			`} else if (!strncmp(p, "endstream", 9)) {`
			`if (streamEndsLen == streamEndsSize) {`
			`streamEndsSize += 64;`
			`- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {`
			`+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {`
			`error(-1, "Invalid 'endstream' parameter.");`
			`return gFalse;`
			`}`