head 1.5; access; symbols pkgsrc-2013Q2:1.5.0.8 pkgsrc-2013Q2-base:1.5 pkgsrc-2012Q4:1.5.0.6 pkgsrc-2012Q4-base:1.5 pkgsrc-2011Q4:1.5.0.4 pkgsrc-2011Q4-base:1.5 pkgsrc-2011Q2:1.5.0.2 pkgsrc-2011Q2-base:1.5 pkgsrc-2010Q2:1.4.0.2 pkgsrc-2010Q2-base:1.4 pkgsrc-2010Q1:1.3.0.2 pkgsrc-2009Q4:1.1.0.4 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.2 pkgsrc-2009Q3-base:1.1; locks; strict; comment @# @; 1.5 date 2010.09.13.04.40.12; author minskim; state dead; branches; next 1.4; 1.4 date 2010.06.08.15.17.05; author minskim; state Exp; branches; next 1.3; 1.3 date 2010.04.20.17.07.28; author minskim; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2010.01.16.03.47.31; author minskim; state dead; branches; next 1.1; 1.1 date 2009.07.15.18.56.44; author roy; state Exp; branches; next ; 1.3.2.1 date 2010.04.20.17.07.28; author tron; state dead; branches; next 1.3.2.2; 1.3.2.2 date 2010.04.20.21.26.19; author tron; state Exp; branches; next 1.3.2.3; 1.3.2.3 date 2010.06.08.18.22.06; author tron; state Exp; branches; next ; desc @@ 1.5 log @Update dvipsk to 5.99. Changes: * config.ps: include cid-base.map. * bug fixes. @ text @$NetBSD: patch-ab,v 1.4 2010/06/08 15:17:05 minskim Exp $ - CVE-2010-0739 - CVE-2010-1440 --- dospecial.c.orig 2009-06-23 09:46:14.000000000 +0000 +++ dospecial.c @@@@ -333,7 +333,11 @@@@ predospecial(integer numbytes, Boolean s int j ; static int omega_specials = 0; - if (nextstring + numbytes > maxstring) { + if (numbytes < 0 || numbytes > maxstring - nextstring) { + if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) { + error("! Integer overflow in predospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * numbytes) ; maxstring = nextstring + 2 * numbytes + 700 ; } @@@@ -918,7 +922,11 @@@@ bbdospecial(int nbytes) char seen[NKEYS] ; float valseen[NKEYS] ; - if (nextstring + nbytes > maxstring) { + if (nbytes < 0 || nbytes > maxstring - nextstring) { + if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) { + error("! 
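Review bot: The overflow guard is now copied verbatim into both `predospecial` and `bbdospecial`, and its limit `(INT_MAX - 1000) / 2` is only correct while it mirrors the `1000 + 2 * numbytes` allocation on the line below it; nothing in either hunk says so. The revision history on this page shows the cost of keeping two copies: revision 1.3 patched only `predospecial`, and 1.4 had to rework that check and add the same one to `bbdospecial`. I would put a comment above each inner check, `/* length comes from the DVI file; limit must track the 1000 + 2*n allocation below */`, or move the grow step into one static helper that both functions call. The hunks also use `INT_MAX` without adding an include, so it is worth confirming that `<limits.h>` already reaches dospecial.c. Both function bodies continue outside the hunks.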
Integer overflow in bbdospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * nbytes) ; maxstring = nextstring + 2 * nbytes + 700 ; } @ 1.4 log @Fix CVE-2010-1440. Patch from TeX Live repository. Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739. @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Avoid integer overflow (CVE-2010-0739). Patch from TeX Live repository (Revision 17559). @ text @d3 3 d8 2 a9 1 @@@@ -334,6 +334,12 @@@@ predospecial(integer numbytes, Boolean s d12 3 a14 4 if (nextstring + numbytes > maxstring) { + if (numbytes < 0 + || (numbytes > 0 && 2 > INT_MAX / numbytes) + || 2 * numbytes > 1000 + 2 * numbytes) { d21 13 @ 1.3.2.1 log @file patch-ab was added on branch pkgsrc-2010Q1 on 2010-04-20 21:26:19 +0000 @ text @d1 17 @ 1.3.2.2 log @Pullup ticket #3084 - requested by minskim print/dvipsk: security patch Revisions pulled up: - print/dvipsk/Makefile 1.5 - print/dvipsk/distinfo 1.4 - print/dvipsk/patches/patch-ab 1.3 --- Module Name: pkgsrc Committed By: minskim Date: Tue Apr 20 17:07:28 UTC 2010 Modified Files: pkgsrc/print/dvipsk: Makefile distinfo Added Files: pkgsrc/print/dvipsk/patches: patch-ab Log Message: Avoid integer overflow (CVE-2010-0739). Patch from TeX Live repository (Revision 17559). @ text @a0 17 $NetBSD$ --- dospecial.c.orig 2009-06-23 09:46:14.000000000 +0000 +++ dospecial.c @@@@ -334,6 +334,12 @@@@ predospecial(integer numbytes, Boolean s static int omega_specials = 0; if (nextstring + numbytes > maxstring) { + if (numbytes < 0 + || (numbytes > 0 && 2 > INT_MAX / numbytes) + || 2 * numbytes > 1000 + 2 * numbytes) { + error("! 
Integer overflow in predospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * numbytes) ; maxstring = nextstring + 2 * numbytes + 700 ; } @ 1.3.2.3 log @Pullup ticket #3143 - requested by minskim print/dvipsk: security patch Revisions pulled up: - print/dvipsk/Makefile 1.6 - print/dvipsk/distinfo 1.5 - print/dvipsk/patches/patch-ab 1.4 --- Module Name: pkgsrc Committed By: minskim Date: Tue Jun 8 15:17:05 UTC 2010 Modified Files: pkgsrc/print/dvipsk: Makefile distinfo pkgsrc/print/dvipsk/patches: patch-ab Log Message: Fix CVE-2010-1440. Patch from TeX Live repository. Multiple integer overflows in dvipsk/dospecial.c in dvips in TeX Live 2009 and earlier, and teTeX, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a special command in a DVI file, related to the (1) predospecial and (2) bbdospecial functions, a different vulnerability than CVE-2010-0739. @ text @a2 3 - CVE-2010-0739 - CVE-2010-1440 d5 1 a5 2 @@@@ -333,7 +333,11 @@@@ predospecial(integer numbytes, Boolean s int j ; d8 4 a11 3 - if (nextstring + numbytes > maxstring) { + if (numbytes < 0 || numbytes > maxstring - nextstring) { + if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) { a17 13 @@@@ -918,7 +922,11 @@@@ bbdospecial(int nbytes) char seen[NKEYS] ; float valseen[NKEYS] ; - if (nextstring + nbytes > maxstring) { + if (nbytes < 0 || nbytes > maxstring - nextstring) { + if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) { + error("! Integer overflow in bbdospecial"); + exit(1); + } p = nextstring = mymalloc(1000 + 2 * nbytes) ; maxstring = nextstring + 2 * nbytes + 700 ; } @ 1.2 log @Update dvipsk to 5.98. Major changes: * dvips.texi (Configuration file commands): document -G, including its obsolesence. * Master/texmf/dvips/tetex/config.pdf: remove the G setting, now actively problematic. 
@ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.1 2009/07/15 18:56:44 roy Exp $ d3 4 a6 23 Rename getline to texlive_getline to avoid conflict with system getline. --- afm2tfm.c.orig 2009-07-15 19:52:45.000000000 +0100 +++ afm2tfm.c 2009-07-15 19:54:08.000000000 +0100 @@@@ -260,7 +260,7 @@@@ } int -getline P1H(void) { +texlive_getline P1H(void) { register char *p ; register int c ; @@@@ -615,7 +615,7 @@@@ ai = newchar() ; ai->adobenum = -1 ; ai->adobename = "||" ; /* boundary character name */ - while (getline()) { + while (texlive_getline()) { switch(interest(paramstring())) { case FontName: fontname = paramnewstring() ; @@@@ -1891,7 +1891,7 @@@@ d8 10 a17 16 while (1) { while (param == 0 || *param == 0) { - if (getline() == 0) + if (texlive_getline() == 0) error("! premature end in encoding file") ; for (p=buffer; *p; p++) if (*p == '%') { @@@@ -1982,7 +1982,7 @@@@ p = gettoken() ; if (strcmp(p, "]")) error("! token 258 in encoding must be make-array (])") ; - while (getline()) { + while (texlive_getline()) { for (p=buffer; *p; p++) if (*p == '%') { if (ignoreligkern == 0) @ 1.1 log @Fix compiling with systems that provide their own getline @ text @d1 1 a1 1 $NetBSD$ @