head 1.3; access; symbols pkgsrc-2013Q2:1.3.0.36 pkgsrc-2013Q2-base:1.3 pkgsrc-2012Q4:1.3.0.34 pkgsrc-2012Q4-base:1.3 pkgsrc-2011Q4:1.3.0.32 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q2:1.3.0.30 pkgsrc-2011Q2-base:1.3 pkgsrc-2009Q4:1.3.0.28 pkgsrc-2009Q4-base:1.3 pkgsrc-2008Q4:1.3.0.26 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.24 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.22 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.20 pkgsrc-2008Q2-base:1.3 pkgsrc-2008Q1:1.3.0.18 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.16 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.14 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.3.0.12 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.3.0.10 pkgsrc-2007Q1-base:1.3 pkgsrc-2006Q4:1.3.0.8 pkgsrc-2006Q4-base:1.3 pkgsrc-2006Q3:1.3.0.6 pkgsrc-2006Q3-base:1.3 pkgsrc-2006Q2:1.3.0.4 pkgsrc-2006Q2-base:1.3 pkgsrc-2006Q1:1.3.0.2 pkgsrc-2006Q1-base:1.3 pkgsrc-2005Q4:1.1.0.2 pkgsrc-2005Q4-base:1.1; locks; strict; comment @# @; 1.3 date 2006.03.29.17.20.09; author joerg; state dead; branches; next 1.2; 1.2 date 2006.01.22.23.13.33; author tron; state Exp; branches; next 1.1; 1.1 date 2005.12.18.20.05.32; author dillo; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.01.23.10.35.16; author salo; state Exp; branches; next ; desc @@ 1.3 log @Update xpdf to 3.01 patch level 2. The patch level addresses a number of vulnerabilities reported and adds at least some constraint checks not done before. 
@ text @$NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $ --- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000 +++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000 @@@@ -15,6 +15,7 @@@@ #include #include #include +#include #ifndef WIN32 #include #endif @@@@ -401,8 +402,6 @@@@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, int widthA, int nCompsA, int nBitsA) { - int totalBits; - str = strA; predictor = predictorA; width = widthA; @@@@ -411,15 +410,17 @@@@ predLine = NULL; ok = gFalse; + if (width <= 0 || nComps <= 0 || nBits <= 0 || + nComps >= INT_MAX/nBits || + width >= INT_MAX/nComps/nBits) { + return; + } nVals = width * nComps; - totalBits = nVals * nBits; - if (totalBits == 0 || - (totalBits / nBits) / nComps != width || - totalBits + 7 < 0) { + if (nVals * nBits + 7 <= 0) { return; } pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((totalBits + 7) >> 3) + pixBytes; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; if (rowBytes < 0) { return; } @@@@ -1275,7 +1276,7 @@@@ endOfLine = endOfLineA; byteAlign = byteAlignA; columns = columnsA; - if (columns < 1) { + if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) { columns = 1; } rows = rowsA; @@@@ -2922,10 +2923,6 @@@@ error(getPos(), "Bad number of components in DCT stream", prec); return gFalse; } - if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); - return gFalse; - } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; @@@@ -2952,6 +2949,10 @@@@ height = read16(); width = read16(); numComps = str->getChar(); + if (numComps <= 0 || numComps > 4) { + error(getPos(), "Bad number of components in DCT stream", prec); + return gFalse; + } if (prec != 8) { error(getPos(), "Bad DCT precision %d", prec); return gFalse; @@@@ -2974,6 +2975,10 @@@@ length = read16() - 2; scanInfo.numComps = str->getChar(); + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { + error(getPos(), "Bad number of 
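Review bot: In the StreamPredictor constructor hunk the retained test `if (nVals * nBits + 7 <= 0)` can only fire after the signed addition has already overflowed, which is undefined behaviour in C++ and may be optimized away. The new guard keeps `width * nComps * nBits` below INT_MAX but leaves no headroom for the `+ 7` (for example when nComps and nBits are both 1), so the bound is better written as `width >= (INT_MAX - 7) / nComps / nBits`. The `columns` hunk at -1275 has the same pattern in `columns + 3 < 1 || columns + 4 < 1`; `columns < 1 || columns > INT_MAX - 4` expresses the limit without overflowing. Both function bodies continue outside their hunks, and the same lines recur in the 1.1.2.1 branch text further down.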
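Review bot: The `numComps` check added in the hunk at -2952 passes `prec` to `error()` with a format string that contains no conversion, so the rejected value is never reported; the hunk at -2922 leaves the same call in place. Logging the offending field instead, `error(getPos(), "Bad number of components %d in DCT stream", numComps);`, gives whoever triages a malformed file the value that tripped the check. Revision 1.1 of this patch already used that form. The enclosing functions begin outside both hunks.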
components in DCT stream"); + return gFalse; + } --length; if (length != 2 * scanInfo.numComps + 3) { error(getPos(), "Bad DCT scan info block"); @@@@ -3058,12 +3063,12 @@@@ while (length > 0) { index = str->getChar(); --length; - if ((index & 0x0f) >= 4) { + if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { error(getPos(), "Bad DCT Huffman table"); return gFalse; } if (index & 0x10) { - index &= 0x0f; + index &= 0x03; if (index >= numACHuffTables) numACHuffTables = index+1; tbl = &acHuffTables[index]; @ 1.2 log @Apply security fix for SA18303 taken from Fedora Core 4. Bump package revision because of this fix. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Fix vulnerability CAN-2005-3191. Patch provided by jlam. Bump PKGREVISION to 2. @ text @d3 56 a58 6 --- xpdf/Stream.cc.orig 2005-12-15 22:53:25.000000000 -0500 +++ xpdf/Stream.cc @@@@ -2919,11 +2919,7 @@@@ GBool DCTStream::readBaselineSOF() { width = read16(); numComps = str->getChar(); if (numComps <= 0 || numComps > 4) { d62 2 a63 3 - if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); + error(getPos(), "Bad number of components %d in DCT stream", numComps); d65 1 a65 3 } if (prec != 8) { @@@@ -2952,6 +2948,10 @@@@ GBool DCTStream::readProgressiveSOF() { d70 1 a70 1 + error(getPos(), "Bad number of components %d in DCT stream", numComps); d76 26 @ 1.1.2.1 log @Pullup ticket 1053 - requested by Matthias Scheler security fix for xpdf Revisions pulled up: - pkgsrc/print/xpdf/Makefile 1.52 - pkgsrc/print/xpdf/distinfo 1.25 - pkgsrc/print/xpdf/patches/patch-ao 1.3 - pkgsrc/print/xpdf/patches/patch-aq 1.1 - pkgsrc/print/xpdf/patches/patch-at 1.2 Module Name: pkgsrc Committed By: tron Date: Sun Jan 22 23:13:33 UTC 2006 Modified Files: pkgsrc/print/xpdf: Makefile distinfo pkgsrc/print/xpdf/patches: patch-at Added Files: pkgsrc/print/xpdf/patches: patch-ao patch-aq Log Message: Apply security fix for SA18303 taken from Fedora Core 4. Bump package revision because of this fix. 
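Review bot: The Huffman-table hunk at -3058 needs a comment on the layout of `index`, because `(index & ~0x10) >= 4` and `index &= 0x03` express it only implicitly. A line above the check such as `// index: bit 4 selects the AC tables, the remaining bits are the table number (0..3); anything else is rejected` would make the intent reviewable. Once the check has passed, `index &= 0x03` does no more than clear bit 4, so a short remark that the mask is deliberately narrow would keep a later edit from widening it again. The loop body continues past the end of the hunk, so the branch taken when bit 4 is clear is not visible here.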
@ text @d1 1 a1 1 $NetBSD: patch-at,v 1.2 2006/01/22 23:13:33 tron Exp $ d3 6 a8 56 --- xpdf/Stream.cc.orig 2006-01-22 23:03:34.000000000 +0000 +++ xpdf/Stream.cc 2006-01-22 23:03:00.000000000 +0000 @@@@ -15,6 +15,7 @@@@ #include #include #include +#include #ifndef WIN32 #include #endif @@@@ -401,8 +402,6 @@@@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, int widthA, int nCompsA, int nBitsA) { - int totalBits; - str = strA; predictor = predictorA; width = widthA; @@@@ -411,15 +410,17 @@@@ predLine = NULL; ok = gFalse; + if (width <= 0 || nComps <= 0 || nBits <= 0 || + nComps >= INT_MAX/nBits || + width >= INT_MAX/nComps/nBits) { + return; + } nVals = width * nComps; - totalBits = nVals * nBits; - if (totalBits == 0 || - (totalBits / nBits) / nComps != width || - totalBits + 7 < 0) { + if (nVals * nBits + 7 <= 0) { return; } pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((totalBits + 7) >> 3) + pixBytes; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; if (rowBytes < 0) { return; } @@@@ -1275,7 +1276,7 @@@@ endOfLine = endOfLineA; byteAlign = byteAlignA; columns = columnsA; - if (columns < 1) { + if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) { columns = 1; } rows = rowsA; @@@@ -2922,10 +2923,6 @@@@ error(getPos(), "Bad number of components in DCT stream", prec); return gFalse; } - if (numComps <= 0 || numComps > 4) { d12 5 d18 1 a18 3 error(getPos(), "Bad DCT precision %d", prec); return gFalse; @@@@ -2952,6 +2949,10 @@@@ d23 1 a23 1 + error(getPos(), "Bad number of components in DCT stream", prec); a28 26 @@@@ -2974,6 +2975,10 @@@@ length = read16() - 2; scanInfo.numComps = str->getChar(); + if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { + error(getPos(), "Bad number of components in DCT stream"); + return gFalse; + } --length; if (length != 2 * scanInfo.numComps + 3) { error(getPos(), "Bad DCT scan info block"); @@@@ -3058,12 +3063,12 @@@@ while (length > 0) { index = str->getChar(); --length; - if ((index & 0x0f) >= 4) { 
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { error(getPos(), "Bad DCT Huffman table"); return gFalse; } if (index & 0x10) { - index &= 0x0f; + index &= 0x03; if (index >= numACHuffTables) numACHuffTables = index+1; tbl = &acHuffTables[index]; @