head 1.1; access; symbols pkgsrc-2013Q2:1.1.0.40 pkgsrc-2013Q2-base:1.1 pkgsrc-2012Q4:1.1.0.38 pkgsrc-2012Q4-base:1.1 pkgsrc-2011Q4:1.1.0.36 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q2:1.1.0.34 pkgsrc-2011Q2-base:1.1 pkgsrc-2009Q4:1.1.0.32 pkgsrc-2009Q4-base:1.1 pkgsrc-2008Q4:1.1.0.30 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.28 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.26 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.24 pkgsrc-2008Q2-base:1.1 pkgsrc-2008Q1:1.1.0.22 pkgsrc-2008Q1-base:1.1 pkgsrc-2007Q4:1.1.0.20 pkgsrc-2007Q4-base:1.1 pkgsrc-2007Q3:1.1.0.18 pkgsrc-2007Q3-base:1.1 pkgsrc-2007Q2:1.1.0.16 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.14 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.12 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.10 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.8 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.6 pkgsrc-2006Q1-base:1.1 pkgsrc-2005Q4:1.1.0.4 pkgsrc-2005Q4-base:1.1 pkgsrc-2005Q3:1.1.0.2; locks; strict; comment @# @; 1.1 date 2005.12.12.23.04.02; author seb; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2005.12.12.23.04.02; author seb; state Exp; branches; next ; desc @@ 1.1 log @file patch-ad was initially added on branch pkgsrc-2005Q3. @ text @@ 1.1.2.1 log @Pullup ticket 953 - requested by Lubomir Sedlacik security fix via patch for print/gpdf @ text @a0 78 $NetBSD$ Security fix for CVE-2005-3191 and CVE-2005-3192. --- xpdf/Stream.cc.orig 2004-05-17 21:37:57.000000000 +0200 +++ xpdf/Stream.cc 2005-12-11 05:10:04.000000000 +0100 @@@@ -407,18 +407,33 @@@@ void ImageStream::skipLine() { StreamPredictor::StreamPredictor(Stream *strA, int predictorA, int widthA, int nCompsA, int nBitsA) { + int totalBits; + str = strA; predictor = predictorA; width = widthA; nComps = nCompsA; nBits = nBitsA; + predLine = NULL; + ok = gFalse; nVals = width * nComps; + totalBits = nVals * nBits; + if (totalBits == 0 || + (totalBits / nBits) / nComps != width || + totalBits + 7 < 0) { + return; + } pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; + rowBytes = ((totalBits + 7) >> 3) + pixBytes; + if (rowBytes < 0) { + return; + } predLine = (Guchar *)gmalloc(rowBytes); memset(predLine, 0, rowBytes); predIdx = rowBytes; + + ok = gTrue; } StreamPredictor::~StreamPredictor() { @@@@ -1012,6 +1027,10 @@@@ LZWStream::LZWStream(Stream *strA, int p FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits); + if (!pred->isOk()) { + delete pred; + pred = NULL; + } } else { pred = NULL; } @@@@ -2897,6 +2916,14 @@@@ GBool DCTStream::readBaselineSOF() { height = read16(); width = read16(); numComps = str->getChar(); + if (numComps <= 0 || numComps > 4) { + error(getPos(), "Bad number of components in DCT stream", prec); + return gFalse; + } + if (numComps <= 0 || numComps > 4) { + error(getPos(), "Bad number of components in DCT stream", prec); + return gFalse; + } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; @@@@ -3255,6 +3282,10 @@@@ FlateStream::FlateStream(Stream *strA, i FilterStream(strA) { if (predictor != 1) { pred = new StreamPredictor(this, predictor, columns, colors, bits); + if (!pred->isOk()) { + delete pred; + pred = NULL; + } } else { pred = NULL; } @