[subversion-commit] SVN tetex commit + diffs: r386 -
tetex-bin/trunk/debian/patches
Frank Küster
frank at costa.debian.org
Thu Dec 8 16:12:45 UTC 2005
Author: frank
Date: 2005-12-08 16:12:43 +0000 (Thu, 08 Dec 2005)
New Revision: 386
Modified:
tetex-bin/trunk/debian/patches/patch-CAN-2004-0888
tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3
Log:
fix patch CVE-... according to Martin Pitt's ubuntu patch, and port some anti-optimization code from 2.0.2's patch CAN-2004-0888 to ours.
Modified: tetex-bin/trunk/debian/patches/patch-CAN-2004-0888
===================================================================
--- tetex-bin/trunk/debian/patches/patch-CAN-2004-0888 2005-12-08 13:32:41 UTC (rev 385)
+++ tetex-bin/trunk/debian/patches/patch-CAN-2004-0888 2005-12-08 16:12:43 UTC (rev 386)
@@ -4,14 +4,14 @@
Index: tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc
===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Catalog.cc 2005-10-06 15:03:59.011332464 +0200
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc 2005-10-06 15:04:41.153814298 +0200
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Catalog.cc 2005-12-08 17:01:46.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc 2005-12-08 17:04:56.000000000 +0100
@@ -64,6 +64,12 @@
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
-+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
-+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
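Review bot: The rewritten guard in Catalog.cc, `pagesSize >= INT_MAX/sizeof(Page *)`, compares what appears to be a signed `int` with an unsigned `size_t` quotient, so a negative `pagesSize` taken from the document is rejected only because the implicit conversion turns it into a very large unsigned value. Spelling that case out would make the intent visible and avoid signed/unsigned comparison warnings, e.g. `if (pagesSize < 0 || (size_t)pagesSize >= INT_MAX/sizeof(Page *) || (size_t)pagesSize >= INT_MAX/sizeof(Ref)) {`. The same applies to the check after `pagesSize += 32` in the next hunk and to the `newSize` check in XRef.cc. `INT_MAX` needs `<limits.h>`, and no include is added in the visible part of the patch, so it is worth confirming that both files already pull it in. The enclosing functions start and end outside these hunks.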
@@ -23,8 +23,8 @@
}
if (start >= pagesSize) {
pagesSize += 32;
-+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
-+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ if (pagesSize >= INT_MAX/sizeof(Page *) ||
++ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
@@ -33,13 +33,13 @@
for (j = pagesSize - 32; j < pagesSize; ++j) {
Index: tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc
===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/XRef.cc 2005-10-06 15:03:59.011332464 +0200
-+++ tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc 2005-10-06 15:04:41.155814083 +0200
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/XRef.cc 2005-12-08 17:01:46.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc 2005-12-08 17:12:03.000000000 +0100
@@ -718,6 +718,10 @@
error(-1, "Bad object number");
return gFalse;
}
-+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if (newSize >=INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
Modified: tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3
===================================================================
--- tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3 2005-12-08 13:32:41 UTC (rev 385)
+++ tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3 2005-12-08 16:12:43 UTC (rev 386)
@@ -1,28 +1,39 @@
-Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
+Index: tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.h 2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.h 2005-12-08 13:09:27.000000000 +0100
-@@ -233,6 +233,8 @@
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 17:01:33.000000000 +0100
+@@ -666,7 +666,8 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
++ Guint allocSize;
- ~StreamPredictor();
-
-+ GBool isOk() { return ok; }
-+
- int lookChar();
- int getChar();
-
-@@ -250,6 +252,7 @@
- int rowBytes; // bytes per line
- Guchar *predLine; // line buffer
- int predIdx; // current index in predLine
-+ GBool ok;
- };
-
- //------------------------------------------------------------------------
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +702,15 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ nTiles = img.nXTiles * img.nYTiles;
++ allocSize = nTiles * sizeof(JPXTile);
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles ||
++ allocSize / sizeof(JPXTile) != nTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmalloc(allocSize);
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp));
Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc
===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.cc 2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc 2005-12-08 13:11:14.000000000 +0100
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.cc 2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc 2005-12-08 17:01:33.000000000 +0100
@@ -407,18 +407,33 @@
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
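Review bot: The added `allocSize / sizeof(JPXTile) != nTiles` test in JPXStream.cc catches wrap-around or truncation of the `Guint` product, but it does not bound `allocSize` by `INT_MAX` the way the checks this commit puts into patch-CAN-2004-0888 do. If `gmalloc` takes a signed `int` size (its prototype is not visible here), a value above `INT_MAX` would pass this test and reach the allocator as a negative number; adding `|| allocSize > (Guint)INT_MAX` to the condition would close that gap. The loop that follows still recomputes `img.nXTiles * img.nYTiles`; `for (i = 0; i < nTiles; ++i) {` would keep the bound tied to the value that was validated. The function body continues outside the hunk.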
@@ -102,32 +113,24 @@
} else {
pred = NULL;
}
-Index: tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
+Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/JPXStream.cc 2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 13:09:27.000000000 +0100
-@@ -666,7 +666,7 @@
- int segType;
- GBool haveSIZ, haveCOD, haveQCD, haveSOT;
- Guint precinctSize, style;
-- Guint segLen, capabilities, comp, i, j, r;
-+ Guint segLen, capabilities, nTiles, comp, i, j, r;
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.h 2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.h 2005-12-08 17:01:33.000000000 +0100
+@@ -233,6 +233,8 @@
- //----- main header
- haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +701,13 @@
- / img.xTileSize;
- img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
- / img.yTileSize;
-- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-- sizeof(JPXTile));
-+ nTiles = img.nXTiles * img.nYTiles;
-+ // check for overflow before allocating memory
-+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
-+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+ return gFalse;
-+ }
-+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
- for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
- img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
- sizeof(JPXTileComp));
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -250,6 +252,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------