head 1.1; access; symbols pkgsrc-2013Q2:1.1.0.40 pkgsrc-2013Q2-base:1.1 pkgsrc-2012Q4:1.1.0.38 pkgsrc-2012Q4-base:1.1 pkgsrc-2011Q4:1.1.0.36 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q2:1.1.0.34 pkgsrc-2011Q2-base:1.1 pkgsrc-2009Q4:1.1.0.32 pkgsrc-2009Q4-base:1.1 pkgsrc-2008Q4:1.1.0.30 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.28 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.26 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.24 pkgsrc-2008Q2-base:1.1 pkgsrc-2008Q1:1.1.0.22 pkgsrc-2008Q1-base:1.1 pkgsrc-2007Q4:1.1.0.20 pkgsrc-2007Q4-base:1.1 pkgsrc-2007Q3:1.1.0.18 pkgsrc-2007Q3-base:1.1 pkgsrc-2007Q2:1.1.0.16 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.14 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.12 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.10 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.8 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.6 pkgsrc-2006Q1-base:1.1 pkgsrc-2005Q4:1.1.0.4 pkgsrc-2005Q4-base:1.1 pkgsrc-2005Q3:1.1.0.2; locks; strict; comment @# @; 1.1 date 2005.12.12.23.04.02; author seb; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2005.12.12.23.04.02; author seb; state Exp; branches; next ; desc @@ 1.1 log @file patch-ac was initially added on branch pkgsrc-2005Q3. @ text @@ 1.1.2.1 log @Pullup ticket 953 - requested by Lubomir Sedlacik security fix via patch for print/gpdf @ text @a0 31 $NetBSD$ Security fix for CVE-2005-3193. 
--- xpdf/JPXStream.cc.orig 2004-05-17 20:11:49.000000000 +0200
+++ xpdf/JPXStream.cc 2005-12-11 05:08:28.000000000 +0100
@@@@ -666,7 +666,7 @@@@ GBool JPXStream::readCodestream(Guint le
 int segType;
 GBool haveSIZ, haveCOD, haveQCD, haveSOT;
 Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
 
 //----- main header
 haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@@@ -701,8 +701,13 @@@@ GBool JPXStream::readCodestream(Guint le
 / img.xTileSize;
 img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
 / img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
 for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
 img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
 sizeof(JPXTileComp));
@
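Review bot: The new guard validates only the tile-count product; the byte count `nTiles * sizeof(JPXTile)` handed to gmalloc on the following added line is still an unchecked multiplication of a file-controlled value and can wrap on 32-bit targets, leaving the allocation undersized for the loop that fills it. Extending the condition, e.g. `if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles || nTiles > UINT_MAX / sizeof(JPXTile)) {` (using the signed limit instead if this xpdf's gmalloc takes an int size, and assuming <limits.h> is reachable here), closes that gap; a checked-multiply allocator such as gmallocn would do the same if the bundled xpdf provides one. The `img.nComps * sizeof(JPXTileComp)` allocation in the unchanged context lines has the same shape and deserves the same bound, and the loop condition could now read `i < nTiles` instead of recomputing the product. readCodestream starts and ends outside this hunk.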