From 3a2280fd6b0fb52d4a96bfb87144305f412e5c7b Mon Sep 17 00:00:00 2001
From: Simone Rota
Date: Sun, 26 Mar 2006 01:27:54 +0000
Subject: [PATCH] [security] xpdf: updated to 3.1pl2
---
 xpdf/.md5sum | 2 +-
 xpdf/Pkgfile | 2 +-
 xpdf/xpdf-3.01pl1.patch | 168 --------------
 xpdf/xpdf-3.01pl2.patch | 471 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 473 insertions(+), 170 deletions(-)
 delete mode 100644 xpdf/xpdf-3.01pl1.patch
 create mode 100644 xpdf/xpdf-3.01pl2.patch
diff --git a/xpdf/.md5sum b/xpdf/.md5sum
index ff6c95fc9..48184dc32 100644
--- a/xpdf/.md5sum
+++ b/xpdf/.md5sum
@@ -1,2 +1,2 @@
 e004c69c7dddef165d768b1362b44268 xpdf-3.01.tar.gz
-4184783da2885ecde3c2256de5144555 xpdf-3.01pl1.patch
+8f1f5d37153c7e98f794f18d0b80fc25 xpdf-3.01pl2.patch
diff --git a/xpdf/Pkgfile b/xpdf/Pkgfile
index 3ae30d281..291e60558 100644
--- a/xpdf/Pkgfile
+++ b/xpdf/Pkgfile
@@ -5,7 +5,7 @@
 # Depends on: lesstif, t1lib
 name=xpdf
-version=3.01pl1
+version=3.01pl2
 release=1
 source=(ftp://ftp.foolabs.com/pub/xpdf/$name-3.01.tar.gz \
 $name-$version.patch)
diff --git a/xpdf/xpdf-3.01pl1.patch b/xpdf/xpdf-3.01pl1.patch
deleted file mode 100644
index 8b038ad56..000000000
--- a/xpdf/xpdf-3.01pl1.patch
+++ /dev/null
@@ -1,168 +0,0 @@ -diff -c -r xpdf-3.01-orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc -*** xpdf-3.01-orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 ---- xpdf-3.01/xpdf/JPXStream.cc Thu Nov 3 16:50:39 2005 -*************** -*** 783,789 **** - int segType; - GBool haveSIZ, haveCOD, haveQCD, haveSOT; - Guint precinctSize, style; -! Guint segLen, capabilities, comp, i, j, r; - - //----- main header - haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; ---- 783,789 ---- - int segType; - GBool haveSIZ, haveCOD, haveQCD, haveSOT; - Guint precinctSize, style; -! Guint segLen, capabilities, nTiles, comp, i, j, r; - - //----- main header - haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; -*************** -*** 818,825 **** - / img.xTileSize; - img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) - / img.yTileSize; -! img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, -! sizeof(JPXTile)); - for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { - img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps, - sizeof(JPXTileComp)); ---- 818,830 ---- - / img.xTileSize; - img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) - / img.yTileSize; -! nTiles = img.nXTiles * img.nYTiles; -! // check for overflow before allocating memory -! if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { -! error(getPos(), "Bad tile count in JPX SIZ marker segment"); -! return gFalse; -! } -! 
img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile)); - for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { - img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps, - sizeof(JPXTileComp)); -diff -c -r xpdf-3.01-orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc -*** xpdf-3.01-orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 ---- xpdf-3.01/xpdf/Stream.cc Thu Nov 3 16:50:39 2005 -*************** -*** 401,418 **** - - StreamPredictor::StreamPredictor(Stream *strA, int predictorA, - int widthA, int nCompsA, int nBitsA) { - str = strA; - predictor = predictorA; - width = widthA; - nComps = nCompsA; - nBits = nBitsA; - - nVals = width * nComps; - pixBytes = (nComps * nBits + 7) >> 3; -! rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; - } - - StreamPredictor::~StreamPredictor() { ---- 401,433 ---- - - StreamPredictor::StreamPredictor(Stream *strA, int predictorA, - int widthA, int nCompsA, int nBitsA) { -+ int totalBits; -+ - str = strA; - predictor = predictorA; - width = widthA; - nComps = nCompsA; - nBits = nBitsA; -+ predLine = NULL; -+ ok = gFalse; - - nVals = width * nComps; -+ totalBits = nVals * nBits; -+ if (totalBits == 0 || -+ (totalBits / nBits) / nComps != width || -+ totalBits + 7 < 0) { -+ return; -+ } - pixBytes = (nComps * nBits + 7) >> 3; -! rowBytes = ((totalBits + 7) >> 3) + pixBytes; -! if (rowBytes < 0) { -! return; -! 
} - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; -+ -+ ok = gTrue; - } - - StreamPredictor::~StreamPredictor() { -*************** -*** 1004,1009 **** ---- 1019,1028 ---- - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -*************** -*** 2899,2904 **** ---- 2918,2931 ---- - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -*************** -*** 3827,3832 **** ---- 3854,3863 ---- - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -diff -c -r xpdf-3.01-orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h -*** xpdf-3.01-orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 ---- xpdf-3.01/xpdf/Stream.h Thu Nov 3 16:50:39 2005 -*************** -*** 232,237 **** ---- 232,239 ---- - - ~StreamPredictor(); - -+ GBool isOk() { return ok; } -+ - int lookChar(); - int getChar(); - -*************** -*** 249,254 **** ---- 251,257 ---- - int rowBytes; // bytes per line - Guchar *predLine; // line buffer - int predIdx; // current index in predLine -+ GBool ok; - }; - - //------------------------------------------------------------------------ diff --git a/xpdf/xpdf-3.01pl2.patch b/xpdf/xpdf-3.01pl2.patch new file mode 100644 index 000000000..3ea3cb8c9 --- /dev/null +++ b/xpdf/xpdf-3.01pl2.patch 
@@ -0,0 +1,471 @@ +diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c +*** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 +--- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 +*************** +*** 11,16 **** +--- 11,17 ---- + #include + #include + #include ++ #include + #include "gmem.h" + + #ifdef DEBUG_MEM +*************** +*** 63,69 **** + int lst; + unsigned long *trl, *p; + +! if (size == 0) + return NULL; + size1 = gMemDataSize(size); + if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { +--- 64,70 ---- + int lst; + unsigned long *trl, *p; + +! if (size <= 0) + return NULL; + size1 = gMemDataSize(size); + if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { +*************** +*** 86,92 **** + #else + void *p; + +! if (size == 0) + return NULL; + if (!(p = malloc(size))) { + fprintf(stderr, "Out of memory\n"); +--- 87,93 ---- + #else + void *p; + +! if (size <= 0) + return NULL; + if (!(p = malloc(size))) { + fprintf(stderr, "Out of memory\n"); +*************** +*** 102,108 **** + void *q; + int oldSize; + +! if (size == 0) { + if (p) + gfree(p); + return NULL; +--- 103,109 ---- + void *q; + int oldSize; + +! if (size <= 0) { + if (p) + gfree(p); + return NULL; +*************** +*** 120,126 **** + #else + void *q; + +! if (size == 0) { + if (p) + free(p); + return NULL; +--- 121,127 ---- + #else + void *q; + +! if (size <= 0) { + if (p) + free(p); + return NULL; +*************** +*** 140,147 **** + void *gmallocn(int nObjs, int objSize) { + int n; + + n = nObjs * objSize; +! if (objSize == 0 || n / objSize != nObjs) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +--- 141,151 ---- + void *gmallocn(int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ return NULL; ++ } + n = nObjs * objSize; +! 
if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +*************** +*** 151,158 **** + void *greallocn(void *p, int nObjs, int objSize) { + int n; + + n = nObjs * objSize; +! if (objSize == 0 || n / objSize != nObjs) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +--- 155,168 ---- + void *greallocn(void *p, int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ if (p) { ++ gfree(p); ++ } ++ return NULL; ++ } + n = nObjs * objSize; +! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc +*** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 +*************** +*** 13,18 **** +--- 13,19 ---- + #endif + + #include ++ #include + #include "GList.h" + #include "Error.h" + #include "JArithmeticDecoder.h" +*************** +*** 681,686 **** +--- 682,691 ---- + w = wA; + h = hA; + line = (wA + 7) >> 3; ++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ data = NULL; ++ return; ++ } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + data[h * line] = 0; +*************** +*** 692,697 **** +--- 697,706 ---- + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; ++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ data = NULL; ++ return; ++ } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); +*************** +*** 720,726 **** + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +! if (newH <= h) { + return; + } + // need to allocate one extra guard byte for use in combine() +--- 729,735 ---- + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +! 
if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { + return; + } + // need to allocate one extra guard byte for use in combine() +*************** +*** 2294,2299 **** +--- 2303,2316 ---- + !readUWord(&stepX) || !readUWord(&stepY)) { + goto eofError; + } ++ if (w == 0 || h == 0 || w >= INT_MAX / h) { ++ error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); ++ return; ++ } ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad grid size in JBIG2 halftone segment"); ++ return; ++ } + + // get pattern dictionary + if (nRefSegs != 1) { +diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc +*** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 +*************** +*** 12,17 **** +--- 12,18 ---- + #pragma implementation + #endif + ++ #include + #include "gmem.h" + #include "Error.h" + #include "JArithmeticDecoder.h" +*************** +*** 818,823 **** +--- 819,830 ---- + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; ++ // check for overflow before allocating memory ++ if (img.nXTiles <= 0 || img.nYTiles <= 0 || ++ img.nXTiles >= INT_MAX / img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } + img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, + sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { +diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc +*** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 +*************** +*** 15,20 **** +--- 15,21 ---- + #include + #include + #include ++ #include + #ifndef WIN32 + #include + #endif +*************** +*** 406,418 **** +--- 407,432 ---- + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + + nVals = width * nComps; ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= 
INT_MAX / nBits || ++ width >= INT_MAX / nComps / nBits || ++ nVals * nBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ if (rowBytes <= 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +*************** +*** 1004,1009 **** +--- 1018,1027 ---- + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +*************** +*** 1259,1264 **** +--- 1277,1285 ---- + if (columns < 1) { + columns = 1; + } ++ if (columns + 4 <= 0) { ++ columns = INT_MAX - 4; ++ } + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +*************** +*** 2899,2904 **** +--- 2920,2930 ---- + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ numComps = 0; ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +*************** +*** 2925,2930 **** +--- 2951,2961 ---- + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ numComps = 0; ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +*************** +*** 2947,2952 **** +--- 2978,2988 ---- + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ scanInfo.numComps = 0; ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +*************** 
+*** 3041,3046 **** +--- 3077,3083 ---- + numACHuffTables = index+1; + tbl = &acHuffTables[index]; + } else { ++ index &= 0x0f; + if (index >= numDCHuffTables) + numDCHuffTables = index+1; + tbl = &dcHuffTables[index]; +*************** +*** 3827,3832 **** +--- 3864,3873 ---- + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h +*** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 +*************** +*** 232,237 **** +--- 232,239 ---- + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +*************** +*** 249,254 **** +--- 251,257 ---- + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ +*************** +*** 527,533 **** + short getWhiteCode(); + short getBlackCode(); + short lookBits(int n); +! void eatBits(int n) { inputBits -= n; } + }; + + //------------------------------------------------------------------------ +--- 530,536 ---- + short getWhiteCode(); + short getBlackCode(); + short lookBits(int n); +! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } + }; + + //------------------------------------------------------------------------ +diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc +*** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 +*************** +*** 186,192 **** + } + + void SplashXPathScanner::computeIntersections(int y) { +! 
SplashCoord ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +--- 186,192 ---- + } + + void SplashXPathScanner::computeIntersections(int y) { +! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +*************** +*** 236,254 **** + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +! if (ySegMin <= y) { +! // intersection with top edge +! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; + } else { +! // x coord of segment endpoint with min y coord +! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; + } +! if (ySegMax >= y + 1) { +! // intersection with bottom edge +! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +! } else { +! // x coord of segment endpoint with max y coord +! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; + } + } + if (xx0 < xx1) { +--- 236,262 ---- + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +! if (seg->x0 < seg->x1) { +! xSegMin = seg->x0; +! xSegMax = seg->x1; + } else { +! xSegMin = seg->x1; +! xSegMax = seg->x0; + } +! // intersection with top edge +! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; +! // intersection with bottom edge +! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +! // the segment may not actually extend to the top and/or bottom edges +! if (xx0 < xSegMin) { +! xx0 = xSegMin; +! } else if (xx0 > xSegMax) { +! xx0 = xSegMax; +! } +! if (xx1 < xSegMin) { +! xx1 = xSegMin; +! } else if (xx1 > xSegMax) { +! xx1 = xSegMax; + } + } + if (xx0 < xx1) {
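Review bot: Several of the added overflow guards test a signed value after the arithmetic that could overflow has already run, which is undefined behaviour and lets an optimising compiler remove the test. In the Stream.cc hunk at 1259, `if (columns + 4 <= 0)` comes right after `columns` is forced to at least 1, so the sum can be assumed positive; `if (columns > INT_MAX - 4) { columns = INT_MAX - 4; }` expresses the same clamp without overflowing. The same applies to `StreamPredictor`, where `nVals = width * nComps;` is computed before the range checks and the clause `nVals * nBits + 7 < 0` depends on wrap-around (`nVals * nBits > INT_MAX - 7`, placed last, would not), and to `gmallocn`/`greallocn` in gmem.c, where `n = nObjs * objSize;` should move below the `INT_MAX / objSize` guard. All of these functions start or end outside the context shown, so how the clamped values are used afterwards cannot be checked from this patch.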