author | Hiroki Sato <hrs@FreeBSD.org> | 2004-10-29 00:46:43 +0000 |
---|---|---|
committer | Hiroki Sato <hrs@FreeBSD.org> | 2004-10-29 00:46:43 +0000 |
commit | d9a5f05c58b66e7fb2d41cd02d7a1b55b045b4c1 (patch) | |
tree | 9ca493e09c98ca657fcae6b5d4737c56648da587 /print | |
parent | Fix file name for size in distinfo (diff) |
Security update to libxpdf.
CVE ID: CAN-2004-0888
Notes
Notes:
svn path=/head/; revision=120445
Diffstat (limited to 'print')
-rw-r--r-- | print/teTeX-base/Makefile | 2 | ||||
-rw-r--r-- | print/teTeX-base/files/patch-CAN-2004-0888 | 90 |
2 files changed, 91 insertions, 1 deletions
diff --git a/print/teTeX-base/Makefile b/print/teTeX-base/Makefile
index 98f3bd25266c..df3af1f1f18e 100644
--- a/print/teTeX-base/Makefile
+++ b/print/teTeX-base/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= teTeX-base
 PORTVERSION= 2.0.2
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= print
 MASTER_SITES= ftp://sunsite.informatik.rwth-aachen.de/pub/comp/tex/teTeX/2.0/distrib/ \
 ${MASTER_SITE_TEX_CTAN}
diff --git a/print/teTeX-base/files/patch-CAN-2004-0888 b/print/teTeX-base/files/patch-CAN-2004-0888
new file mode 100644
index 000000000000..63d9260a9fa3
--- /dev/null
+++ b/print/teTeX-base/files/patch-CAN-2004-0888
@@ -0,0 +1,90 @@
+--- libs/xpdf/xpdf/Catalog.cc.orig Mon Nov 4 07:15:36 2002
++++ libs/xpdf/xpdf/Catalog.cc Fri Oct 29 09:18:17 2004
+@@ -22,6 +22,7 @@
+ #include "Error.h"
+ #include "Link.h"
+ #include "Catalog.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+ // Catalog
+@@ -63,6 +64,12 @@
+ }
+ pagesSize = numPages0 = obj.getInt();
+ obj.free();
++ if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
++ (pagesSize >= INT_MAX / sizeof(Ref))) {
++ error(-1, "Invalid 'pagesSize'");
++ ok = gFalse;
++ return;
++ }
+ pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+ for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
++ if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
++ (pagesSize >= INT_MAX/sizeof(Ref))) {
++ error(-1, "Invalid 'pagesSize' parameter.");
++ goto err3;
++ }
+ pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ for (j = pagesSize - 32; j < pagesSize; ++j) {
+--- libs/xpdf/xpdf/XRef.cc.orig Mon Nov 4 07:15:37 2002
++++ libs/xpdf/xpdf/XRef.cc Fri Oct 29 09:18:17 2004
+@@ -28,6 +28,7 @@
+ #include "Error.h"
+ #include "ErrorCodes.h"
+ #include "XRef.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+
+@@ -76,6 +77,11 @@
+
+ // trailer is ok - read the xref table
+ } else {
++ if ( size >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ return;
++ }
+ entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+ for (i = 0; i < size; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -267,6 +273,10 @@
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'newSize'");
++ goto err2;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -410,6 +420,10 @@
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
++ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
++ error(-1, "Invalid 'obj' parameters.");
++ return gFalse;
++ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+@@ -431,6 +445,10 @@
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
++ if (streamEndsSize >= INT_MAX/sizeof(int)) {
++ error(-1, "Invalid 'endstream' parameter.");
++ return gFalse;
++ }
+ streamEnds = (Guint *)grealloc(streamEnds,
+ streamEndsSize * sizeof(int));
+ } |
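Review bot: The guard added in the XRef.cc hunk at `@@ -267,6 +273,10 @@` bounds only `newSize`; the enclosing test `first + n > size` is still a signed addition, and the table grows by a fixed 256 entries rather than to `first + n`. If `first` and `n` are read from the PDF (that code is outside the hunk), a negative or wrapped sum bypasses the growth branch, and a large one leaves `entries` shorter than the range the file describes. I would reject such values before the comparison, e.g. `if (first < 0 || n < 0 || first > INT_MAX - n) goto err2;`, and size the reallocation from `first + n`. The `@@ -410,6 +420,10 @@` hunk has the same ordering problem: `(num + 1 + 255) & ~255` is evaluated before the new check can see it, which is a signed overflow if `num` is a plain `int` near `INT_MAX`. A short comment on each guard would also help, noting that the comparison against `INT_MAX / sizeof(...)` is unsigned and so rejects negative counts too (assuming the counters are plain `int`, which the hunks do not show).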