summaryrefslogtreecommitdiff
path: root/print
diff options
context:
space:
mode:
authorHiroki Sato <hrs@FreeBSD.org>2004-10-29 00:46:43 +0000
committerHiroki Sato <hrs@FreeBSD.org>2004-10-29 00:46:43 +0000
commitd9a5f05c58b66e7fb2d41cd02d7a1b55b045b4c1 (patch)
tree9ca493e09c98ca657fcae6b5d4737c56648da587 /print
parentFix file name for size in distinfo (diff)
Security update to libxpdf.
CVE ID: CAN-2004-0888
Notes
Notes: svn path=/head/; revision=120445
Diffstat (limited to 'print')
-rw-r--r--print/teTeX-base/Makefile2
-rw-r--r--print/teTeX-base/files/patch-CAN-2004-088890
2 files changed, 91 insertions, 1 deletions
diff --git a/print/teTeX-base/Makefile b/print/teTeX-base/Makefile
index 98f3bd25266c..df3af1f1f18e 100644
--- a/print/teTeX-base/Makefile
+++ b/print/teTeX-base/Makefile
@@ -7,7 +7,7 @@
PORTNAME= teTeX-base
PORTVERSION= 2.0.2
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= print
MASTER_SITES= ftp://sunsite.informatik.rwth-aachen.de/pub/comp/tex/teTeX/2.0/distrib/ \
${MASTER_SITE_TEX_CTAN}
diff --git a/print/teTeX-base/files/patch-CAN-2004-0888 b/print/teTeX-base/files/patch-CAN-2004-0888
new file mode 100644
index 000000000000..63d9260a9fa3
--- /dev/null
+++ b/print/teTeX-base/files/patch-CAN-2004-0888
@@ -0,0 +1,90 @@
+--- libs/xpdf/xpdf/Catalog.cc.orig Mon Nov 4 07:15:36 2002
++++ libs/xpdf/xpdf/Catalog.cc Fri Oct 29 09:18:17 2004
+@@ -22,6 +22,7 @@
+ #include "Error.h"
+ #include "Link.h"
+ #include "Catalog.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+ // Catalog
+@@ -63,6 +64,12 @@
+ }
+ pagesSize = numPages0 = obj.getInt();
+ obj.free();
++ if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
++ (pagesSize >= INT_MAX / sizeof(Ref))) {
++ error(-1, "Invalid 'pagesSize'");
++ ok = gFalse;
++ return;
++ }
+ pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+ for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
++ if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
++ (pagesSize >= INT_MAX/sizeof(Ref))) {
++ error(-1, "Invalid 'pagesSize' parameter.");
++ goto err3;
++ }
+ pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ for (j = pagesSize - 32; j < pagesSize; ++j) {
+--- libs/xpdf/xpdf/XRef.cc.orig Mon Nov 4 07:15:37 2002
++++ libs/xpdf/xpdf/XRef.cc Fri Oct 29 09:18:17 2004
+@@ -28,6 +28,7 @@
+ #include "Error.h"
+ #include "ErrorCodes.h"
+ #include "XRef.h"
++#include <limits.h>
+
+ //------------------------------------------------------------------------
+
+@@ -76,6 +77,11 @@
+
+ // trailer is ok - read the xref table
+ } else {
++ if ( size >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ return;
++ }
+ entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+ for (i = 0; i < size; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -267,6 +273,10 @@
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
++ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++ error(-1, "Invalid 'newSize'");
++ goto err2;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -410,6 +420,10 @@
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
++ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
++ error(-1, "Invalid 'obj' parameters.");
++ return gFalse;
++ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+@@ -431,6 +445,10 @@
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
++ if (streamEndsSize >= INT_MAX/sizeof(int)) {
++ error(-1, "Invalid 'endstream' parameter.");
++ return gFalse;
++ }
+ streamEnds = (Guint *)grealloc(streamEnds,
+ streamEndsSize * sizeof(int));
+ }