diff options
Diffstat (limited to 'app-text/ptex/files/xpdf-2.02pl1-CAN-2005-3191-3.patch')
| -rw-r--r-- | app-text/ptex/files/xpdf-2.02pl1-CAN-2005-3191-3.patch | 252 |
1 files changed, 0 insertions, 252 deletions
diff --git a/app-text/ptex/files/xpdf-2.02pl1-CAN-2005-3191-3.patch b/app-text/ptex/files/xpdf-2.02pl1-CAN-2005-3191-3.patch deleted file mode 100644 index 6e2531318df7..000000000000 --- a/app-text/ptex/files/xpdf-2.02pl1-CAN-2005-3191-3.patch +++ /dev/null @@ -1,252 +0,0 @@ -Index: xpdf-2.02pl1/xpdf/Stream.h -=================================================================== ---- xpdf-2.02pl1.orig/xpdf/Stream.h -+++ xpdf-2.02pl1/xpdf/Stream.h -@@ -225,6 +225,8 @@ public: - - ~StreamPredictor(); - -+ GBool isOk() { return ok; } -+ - int lookChar(); - int getChar(); - -@@ -242,6 +244,7 @@ private: - int rowBytes; // bytes per line - Guchar *predLine; // line buffer - int predIdx; // current index in predLine -+ GBool ok; - }; - - //------------------------------------------------------------------------ -Index: xpdf-2.02pl1/xpdf/Stream.cc -=================================================================== ---- xpdf-2.02pl1.orig/xpdf/Stream.cc -+++ xpdf-2.02pl1/xpdf/Stream.cc -@@ -15,6 +15,7 @@ - #include <stdio.h> - #include <stdlib.h> - #include <stddef.h> -+#include <limits.h> - #ifndef WIN32 - #include <unistd.h> - #endif -@@ -409,13 +410,28 @@ StreamPredictor::StreamPredictor(Stream - width = widthA; - nComps = nCompsA; - nBits = nBitsA; -+ predLine = NULL; -+ ok = gFalse; - -+ if (width <= 0 || nComps <= 0 || nBits <= 0 || -+ nComps >= INT_MAX/nBits || -+ width >= INT_MAX/nComps/nBits) { -+ return; -+ } - nVals = width * nComps; -+ if (nVals * nBits + 7 <= 0) { -+ return; -+ } - pixBytes = (nComps * nBits + 7) >> 3; - rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; -+ if (rowBytes < 0) { -+ return; -+ } - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; -+ -+ ok = gTrue; - } - - StreamPredictor::~StreamPredictor() { -@@ -981,6 +997,10 @@ LZWStream::LZWStream(Stream *strA, int p - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -@@ -1226,6 +1246,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s - endOfLine = endOfLineA; - byteAlign = byteAlignA; - columns = columnsA; -+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) { -+ error(-1, "invalid number of columns"); -+ exit(1); -+ } - rows = rowsA; - endOfBlock = endOfBlockA; - black = blackA; -@@ -2864,6 +2888,11 @@ GBool DCTStream::readBaselineSOF() { - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ numComps = 0; -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -2890,6 +2919,11 @@ GBool DCTStream::readProgressiveSOF() { - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ numComps = 0; -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -2912,6 +2946,10 @@ GBool DCTStream::readScanInfo() { - - length = read16() - 2; - scanInfo.numComps = str->getChar(); -+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream"); -+ return gFalse; -+ } - --length; - if (length != 2 * scanInfo.numComps + 3) { - error(getPos(), "Bad DCT scan info block"); -@@ -2979,12 +3017,12 @@ GBool DCTStream::readHuffmanTables() { - while (length > 0) { - index = str->getChar(); - --length; -- if ((index & 0x0f) >= 4) { -+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { - error(getPos(), "Bad DCT Huffman table"); - return gFalse; - } - if (index & 0x10) { -- index &= 0x0f; -+ index &= 0x03; - if (index >= numACHuffTables) - numACHuffTables = index+1; - tbl = &acHuffTables[index]; -@@ -3072,9 +3110,11 @@ int DCTStream::readMarker() { - do { - do { - c = str->getChar(); -+ if(c == EOF) return EOF; - } while (c != 0xff); - do { - c = str->getChar(); -+ if(c == EOF) return EOF; - } while (c == 0xff); - } while (c == 0x00); - return c; -@@ -3182,6 +3222,10 @@ FlateStream::FlateStream(Stream *strA, i - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -Index: xpdf-2.02pl1/xpdf/JBIG2Stream.cc -=================================================================== ---- xpdf-2.02pl1.orig/xpdf/JBIG2Stream.cc -+++ xpdf-2.02pl1/xpdf/JBIG2Stream.cc -@@ -7,6 +7,7 @@ - //======================================================================== - - #include <aconf.h> -+#include <limits.h> - - #ifdef USE_GCC_PRAGMAS - #pragma implementation -@@ -1001,7 +1002,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, - w = wA; - h = hA; - line = (wA + 7) >> 3; -- data = (Guchar *)gmalloc(h * line); -+ -+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { -+ error(-1, "invalid width/height"); -+ data = NULL; -+ return; -+ } -+ -+ // need to allocate one extra guard byte for use in combine() -+ data = (Guchar *)gmalloc(h * line + 1); -+ data[h * line] = 0; - } - - JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): -@@ -1010,8 +1020,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, - w = bitmap->w; - h = bitmap->h; - line = bitmap->line; -- data = (Guchar *)gmalloc(h * line); -+ -+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { -+ error(-1, "invalid width/height"); -+ data = NULL; -+ return; -+ } -+ -+ // need to allocate one extra guard byte for use in combine() -+ data = (Guchar *)gmalloc(h * line + 1); - memcpy(data, bitmap->data, h * line); -+ data[h * line] = 0; - } - - JBIG2Bitmap::~JBIG2Bitmap() { -@@ -1036,10 +1055,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint - } - - void JBIG2Bitmap::expand(int newH, Guint pixel) { -- if (newH <= h) { -+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1)/ line) { -+ error(-1, "invalid width/height"); -+ gfree(data); -+ data = NULL; - return; - } -- data = (Guchar *)grealloc(data, newH * line); -+ // need to allocate one extra guard byte for use in combine() -+ data = (Guchar *)grealloc(data, newH * line + 1); - if (pixel) { - memset(data + h * line, 0xff, (newH - h) * line); - } else { -@@ -2576,6 +2599,15 @@ void JBIG2Stream::readHalftoneRegionSeg( - error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); - return; - } -+ if (gridH == 0 || gridW >= INT_MAX / gridH) { -+ error(getPos(), "Bad size in JBIG2 halftone segment"); -+ return; -+ } -+ if (w == 0 || h >= INT_MAX / w) { -+ error(getPos(), "Bad size in JBIG2 bitmap segment"); -+ return; -+ } -+ - patternDict = (JBIG2PatternDict *)seg; - bpp = 0; - i = 1; -@@ -3205,6 +3237,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef - JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; - int x, y, pix; - -+ if (w < 0 || h <= 0 || w >= INT_MAX / h) { -+ error(-1, "invalid width/height"); -+ return NULL; -+ } -+ - bitmap = new JBIG2Bitmap(0, w, h); - bitmap->clearToZero(); - -# vim: syntax=diff |