opt/cups/cups-CAN-2005-2097.patch
2006-02-23 15:26:10 +00:00


diff -Nru cups-1.1.23.orig/pdftops/Catalog.cxx cups-1.1.23/pdftops/Catalog.cxx
--- cups-1.1.23.orig/pdftops/Catalog.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Catalog.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -64,8 +64,8 @@
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
error(-1, "Invalid 'pagesSize'");
ok = gFalse;
return;
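Review bot: The rewritten guard `pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize` can only detect overflow by letting a signed `int` multiplication overflow, which is undefined behaviour, so an optimising compiler may remove the test. `pagesSize` is an `int` taken from the document (`(int)obj.getNum()`), so an explicit bound is more reliable: `if (pagesSize < 0 || pagesSize > INT_MAX / (int)sizeof(Page *) || pagesSize > INT_MAX / (int)sizeof(Ref)) {`, with `<limits.h>` included. The same pattern appears in the second Catalog.cxx hunk, where `pagesSize += 32` also runs before the test, and in all four XRef.cxx hunks. The enclosing function starts and ends outside this hunk.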
@@ -197,7 +197,8 @@
}
if (start >= pagesSize) {
pagesSize += 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize) {
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
error(-1, "Invalid 'pagesSize' parameter.");
goto err3;
}
diff -Nru cups-1.1.23.orig/pdftops/Decrypt.cxx cups-1.1.23/pdftops/Decrypt.cxx
--- cups-1.1.23.orig/pdftops/Decrypt.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/Decrypt.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -130,13 +130,19 @@
Guchar *buf;
Guchar test[32];
Guchar fState[256];
- Guchar tmpKey[16];
+ Guchar *tmpKey;
Guchar fx, fy;
int len, i, j;
GBool ok;
+ // check whether we have non-zero keyLength
+ if ( !keyLength || keyLength > 16 ) {
+ return gFalse;
+ }
+
// generate file key
buf = (Guchar *)gmalloc(68 + fileID->getLength());
+ tmpKey = (Guchar *)gmalloc(keyLength * sizeof(Guchar));
if (userPassword) {
len = userPassword->getLength();
if (len < 32) {
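Review bot: The new guard `if ( !keyLength || keyLength > 16 )` lets a negative `keyLength` through if the parameter is a signed type (its declaration is outside the hunk), and that value then reaches `gmalloc(keyLength * sizeof(Guchar))` converted to a very large size. Writing the test as `if (keyLength <= 0 || keyLength > 16) {` closes that case. With the length bounded to 16, the original `Guchar tmpKey[16];` would have been sufficient; the heap buffer adds a leak on any early return between this allocation and the `gfree(tmpKey)` in the next hunk, and the lines in between are not visible here. The comment would be more useful if it said why 16 is the limit, e.g. `// keyLength comes from the document; the key buffer holds at most 16 bytes`.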
@@ -189,6 +195,7 @@
ok = gFalse;
}
+ gfree(tmpKey);
gfree(buf);
return ok;
}
diff -Nru cups-1.1.23.orig/pdftops/FontFile.cxx cups-1.1.23/pdftops/FontFile.cxx
--- cups-1.1.23.orig/pdftops/FontFile.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/FontFile.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -18,6 +18,7 @@
#include <stdarg.h>
#include <string.h>
#include <ctype.h>
+#include <error.h>
#include "gmem.h"
#include "GHash.h"
#include "Error.h"
@@ -3572,6 +3573,9 @@
} else {
origLocaTable[i].pos = 2 * getUShort(pos + 2*i);
}
+
+ if (origLocaTable[i].pos < 0 || origLocaTable[i].pos > len)
+ error (1, 0, "bad loca table pos value");
}
qsort(origLocaTable, nGlyphs + 1, sizeof(TrueTypeLoca), &cmpTrueTypeLocaPos);
for (i = 0; i < nGlyphs; ++i) {
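Review bot: `error (1, 0, "bad loca table pos value");` matches glibc's `error(status, errnum, format)` from the `<error.h>` include added in the previous hunk, and a non-zero status makes that function exit the whole process, so one malformed font table terminates the filter instead of failing the font. The other files in this patch report through a two-argument `error(-1, "...")`, presumably the one declared in `Error.h`, and `<error.h>` is a glibc extension that other platforms do not provide. I would drop the include and use `error(-1, "Bad loca table position");` followed by the function's own failure path, which is outside this hunk. The test rejects only `pos > len`, so a comment stating that `pos == len` is intentionally accepted would help the next reader.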
diff -Nru cups-1.1.23.orig/pdftops/XRef.cxx cups-1.1.23/pdftops/XRef.cxx
--- cups-1.1.23.orig/pdftops/XRef.cxx 2005-12-14 18:14:18.000000000 +0100
+++ cups-1.1.23/pdftops/XRef.cxx 2005-12-14 18:16:26.000000000 +0100
@@ -76,7 +76,7 @@
// trailer is ok - read the xref table
} else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
error(-1, "Invalid 'size' inside xref table.");
ok = gFalse;
errCode = errDamaged;
@@ -291,7 +291,7 @@
// table size
if (first + n > size) {
newSize = first + n;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
error(-1, "Invalid 'newSize'");
goto err2;
}
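Review bot: `first + n` is evaluated in `if (first + n > size)` and again in `newSize = first + n` before anything in this hunk bounds either operand. If both are `int`s read from the xref table (their declarations are outside the hunk), a large pair can wrap to a negative sum, the comparison is then false and the table is not grown for the entries that follow. A guard ahead of the comparison, such as `if (first < 0 || n < 0 || first > INT_MAX - n) goto err2;` (or whichever error label applies at that point), avoids depending on the later multiplication test. The next hunk has the same shape with `newSize = (num + 1 + 255) & ~255;`.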
@@ -445,7 +445,7 @@
if (!strncmp(p, "obj", 3)) {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
error(-1, "Invalid 'obj' parameters.");
return gFalse;
}
@@ -470,7 +470,7 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
error(-1, "Invalid 'endstream' parameter.");
return gFalse;
}