add security patch

svn path=/nixpkgs/trunk/; revision=5591
This commit is contained in:
Armijn Hemel 2006-07-05 14:00:05 +00:00
parent a4d3fde9d5
commit d511baa7d9
2 changed files with 472 additions and 0 deletions

View File

@ -25,4 +25,5 @@ stdenv.mkDerivation {
"--with-freetype2-includes=${freetype}/include/freetype2"
] else []);
patches = [./xpdf-3.01pl2.patch];
}

View File

@ -0,0 +1,471 @@
diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c
*** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005
--- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006
***************
*** 11,16 ****
--- 11,17 ----
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
+ #include <limits.h>
#include "gmem.h"
#ifdef DEBUG_MEM
***************
*** 63,69 ****
int lst;
unsigned long *trl, *p;
! if (size == 0)
return NULL;
size1 = gMemDataSize(size);
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
--- 64,70 ----
int lst;
unsigned long *trl, *p;
! if (size <= 0)
return NULL;
size1 = gMemDataSize(size);
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
***************
*** 86,92 ****
#else
void *p;
! if (size == 0)
return NULL;
if (!(p = malloc(size))) {
fprintf(stderr, "Out of memory\n");
--- 87,93 ----
#else
void *p;
! if (size <= 0)
return NULL;
if (!(p = malloc(size))) {
fprintf(stderr, "Out of memory\n");
***************
*** 102,108 ****
void *q;
int oldSize;
! if (size == 0) {
if (p)
gfree(p);
return NULL;
--- 103,109 ----
void *q;
int oldSize;
! if (size <= 0) {
if (p)
gfree(p);
return NULL;
***************
*** 120,126 ****
#else
void *q;
! if (size == 0) {
if (p)
free(p);
return NULL;
--- 121,127 ----
#else
void *q;
! if (size <= 0) {
if (p)
free(p);
return NULL;
***************
*** 140,147 ****
void *gmallocn(int nObjs, int objSize) {
int n;
n = nObjs * objSize;
! if (objSize == 0 || n / objSize != nObjs) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
--- 141,151 ----
void *gmallocn(int nObjs, int objSize) {
int n;
+ if (nObjs == 0) {
+ return NULL;
+ }
n = nObjs * objSize;
! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
***************
*** 151,158 ****
void *greallocn(void *p, int nObjs, int objSize) {
int n;
n = nObjs * objSize;
! if (objSize == 0 || n / objSize != nObjs) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
--- 155,168 ----
void *greallocn(void *p, int nObjs, int objSize) {
int n;
+ if (nObjs == 0) {
+ if (p) {
+ gfree(p);
+ }
+ return NULL;
+ }
n = nObjs * objSize;
! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc
*** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006
***************
*** 13,18 ****
--- 13,19 ----
#endif
#include <stdlib.h>
+ #include <limits.h>
#include "GList.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
***************
*** 681,686 ****
--- 682,691 ----
w = wA;
h = hA;
line = (wA + 7) >> 3;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ data = NULL;
+ return;
+ }
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
data[h * line] = 0;
***************
*** 692,697 ****
--- 697,706 ----
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ data = NULL;
+ return;
+ }
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
***************
*** 720,726 ****
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
! if (newH <= h) {
return;
}
// need to allocate one extra guard byte for use in combine()
--- 729,735 ----
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
return;
}
// need to allocate one extra guard byte for use in combine()
***************
*** 2294,2299 ****
--- 2303,2316 ----
!readUWord(&stepX) || !readUWord(&stepY)) {
goto eofError;
}
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
// get pattern dictionary
if (nRefSegs != 1) {
diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc
*** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006
***************
*** 12,17 ****
--- 12,18 ----
#pragma implementation
#endif
+ #include <limits.h>
#include "gmem.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
***************
*** 818,823 ****
--- 819,830 ----
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX / img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc
*** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006
***************
*** 15,20 ****
--- 15,21 ----
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+ #include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
***************
*** 406,418 ****
--- 407,432 ----
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
nVals = width * nComps;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX / nBits ||
+ width >= INT_MAX / nComps / nBits ||
+ nVals * nBits + 7 < 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ if (rowBytes <= 0) {
+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
StreamPredictor::~StreamPredictor() {
***************
*** 1004,1009 ****
--- 1018,1027 ----
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
***************
*** 1259,1264 ****
--- 1277,1285 ----
if (columns < 1) {
columns = 1;
}
+ if (columns + 4 <= 0) {
+ columns = INT_MAX - 4;
+ }
rows = rowsA;
endOfBlock = endOfBlockA;
black = blackA;
***************
*** 2899,2904 ****
--- 2920,2930 ----
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
***************
*** 2925,2930 ****
--- 2951,2961 ----
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ numComps = 0;
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
***************
*** 2947,2952 ****
--- 2978,2988 ----
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ scanInfo.numComps = 0;
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
***************
*** 3041,3046 ****
--- 3077,3083 ----
numACHuffTables = index+1;
tbl = &acHuffTables[index];
} else {
+ index &= 0x0f;
if (index >= numDCHuffTables)
numDCHuffTables = index+1;
tbl = &dcHuffTables[index];
***************
*** 3827,3832 ****
--- 3864,3873 ----
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h
*** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005
--- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006
***************
*** 232,237 ****
--- 232,239 ----
~StreamPredictor();
+ GBool isOk() { return ok; }
+
int lookChar();
int getChar();
***************
*** 249,254 ****
--- 251,257 ----
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
+ GBool ok;
};
//------------------------------------------------------------------------
***************
*** 527,533 ****
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
! void eatBits(int n) { inputBits -= n; }
};
//------------------------------------------------------------------------
--- 530,536 ----
short getWhiteCode();
short getBlackCode();
short lookBits(int n);
! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; }
};
//------------------------------------------------------------------------
diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc
*** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005
--- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006
***************
*** 186,192 ****
}
void SplashXPathScanner::computeIntersections(int y) {
! SplashCoord ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
--- 186,192 ----
}
void SplashXPathScanner::computeIntersections(int y) {
! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
***************
*** 236,254 ****
} else if (seg->flags & splashXPathVert) {
xx0 = xx1 = seg->x0;
} else {
! if (ySegMin <= y) {
! // intersection with top edge
! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
} else {
! // x coord of segment endpoint with min y coord
! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
}
! if (ySegMax >= y + 1) {
! // intersection with bottom edge
! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
! } else {
! // x coord of segment endpoint with max y coord
! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
}
}
if (xx0 < xx1) {
--- 236,262 ----
} else if (seg->flags & splashXPathVert) {
xx0 = xx1 = seg->x0;
} else {
! if (seg->x0 < seg->x1) {
! xSegMin = seg->x0;
! xSegMax = seg->x1;
} else {
! xSegMin = seg->x1;
! xSegMax = seg->x0;
}
! // intersection with top edge
! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
! // intersection with bottom edge
! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
! // the segment may not actually extend to the top and/or bottom edges
! if (xx0 < xSegMin) {
! xx0 = xSegMin;
! } else if (xx0 > xSegMax) {
! xx0 = xSegMax;
! }
! if (xx1 < xSegMin) {
! xx1 = xSegMin;
! } else if (xx1 > xSegMax) {
! xx1 = xSegMax;
}
}
if (xx0 < xx1) {