security fixes for dvips, dviljk bug #198238 and libxpdf bug #196735; quote variables

Package-Manager: portage-2.1.3.19

6 files changed, 890 insertions, 8 deletions

diff --git a/app-text/tetex/ChangeLog b/app-text/tetex/ChangeLog
index 485a52c33f9e..e43a1bffd7ba 100644
--- a/app-text/tetex/ChangeLog
+++ b/app-text/tetex/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-text/tetex
 # Copyright 2002-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-text/tetex/ChangeLog,v 1.154 2007/09/08 01:13:26 beandog Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-text/tetex/ChangeLog,v 1.155 2007/11/07 23:05:19 aballier Exp $
+
+*tetex-3.0_p1-r5 (07 Nov 2007)
+
+  07 Nov 2007; Alexis Ballier <aballier@gentoo.org>
+  +files/tetex-3.0_p1-dvips_bufferoverflow.patch, +files/xpdf-3.02pl2.patch,
+  +tetex-3.0_p1-r5.ebuild:
+  security fixes for dvips, dviljk bug #198238 and libxpdf bug #196735; quote
+  variables
 
   08 Sep 2007; Steve Dibb <beandog@gentoo.org> tetex-3.0_p1-r4.ebuild:
   amd64 stable, security bug 170861
diff --git a/app-text/tetex/Manifest b/app-text/tetex/Manifest
index 20022528b8bc..6edba0cdc3b2 100644
--- a/app-text/tetex/Manifest
+++ b/app-text/tetex/Manifest
@@ -53,6 +53,10 @@ AUX tetex-3.0_p1-dvipdfm-timezone.patch 1546 RMD160 9be8bb58b3be7add25ce30acb4ee
 MD5 8585c6b04f2dda15ac989c61b49d355d files/tetex-3.0_p1-dvipdfm-timezone.patch 1546
 RMD160 9be8bb58b3be7add25ce30acb4eee08b35c85c5f files/tetex-3.0_p1-dvipdfm-timezone.patch 1546
 SHA256 a441179d3f09c7faca63ccf85cd84ad64d117835ad925f33b0fcbc882ed9c827 files/tetex-3.0_p1-dvipdfm-timezone.patch 1546
+AUX tetex-3.0_p1-dvips_bufferoverflow.patch 3032 RMD160 d82c40767b8614180e1487a95c923b99e92161b5 SHA1 1616aff45e9412ad861d75019a2c88a5122e5b23 SHA256 d5942c40589199d19dd4407b9bcdfeb13a2559de59e70ca986c3c16040788f6b
+MD5 65b84b563d53e426b5a78f1302c45863 files/tetex-3.0_p1-dvips_bufferoverflow.patch 3032
+RMD160 d82c40767b8614180e1487a95c923b99e92161b5 files/tetex-3.0_p1-dvips_bufferoverflow.patch 3032
+SHA256 d5942c40589199d19dd4407b9bcdfeb13a2559de59e70ca986c3c16040788f6b files/tetex-3.0_p1-dvips_bufferoverflow.patch 3032
 AUX tetex-3.0_p1-fmtutil-etex.patch 809 RMD160 1e366196609160db8a51b33a9203d0be41e6e644 SHA1 13a976c990d608fd9a9ba9bf9b18ed768a10feee SHA256 a024aad1fbdb53bf328ce2aeb7a4649da9c501442b313f4c361c9de0f7a4dd44
 MD5 c64f8d574550522ea5d8e3b41f886eb2 files/tetex-3.0_p1-fmtutil-etex.patch 809
 RMD160 1e366196609160db8a51b33a9203d0be41e6e644 files/tetex-3.0_p1-fmtutil-etex.patch 809
@@ -93,6 +97,10 @@ AUX xpdf-3.00pl3-CAN-2005-0064.patch 346 RMD160 7fb5521b698589245f9e0ccea753a6d4
 MD5 c32a612ce419b9930ff273cf382558bf files/xpdf-3.00pl3-CAN-2005-0064.patch 346
 RMD160 7fb5521b698589245f9e0ccea753a6d4e30badf8 files/xpdf-3.00pl3-CAN-2005-0064.patch 346
 SHA256 c51f769fcac31cbb95dd3124deb1b658e0874a3a90fe17d9752c9be937773621 files/xpdf-3.00pl3-CAN-2005-0064.patch 346
+AUX xpdf-3.02pl2.patch 16908 RMD160 bc1fd86527442f44ec5cfec754f2053b700a3dbf SHA1 620ec9fe4a4d63766b35bbeaa3261fd772e54a15 SHA256 a7e993257d8ad3b03f9d509973db141823496873c192ed4335ce66f744c468a6
+MD5 1f55d4489c7a8fa21b3e59e152b1514d files/xpdf-3.02pl2.patch 16908
+RMD160 bc1fd86527442f44ec5cfec754f2053b700a3dbf files/xpdf-3.02pl2.patch 16908
+SHA256 a7e993257d8ad3b03f9d509973db141823496873c192ed4335ce66f744c468a6 files/xpdf-3.02pl2.patch 16908
 AUX xpdf-CESA-2004-007-xpdf2-newer.diff 2718 RMD160 0cf60c817b9868896c7d6fa678978c2c1244618c SHA1 ae1dc4e938501be9e2154dea2aecd79abd6ae9be SHA256 7df6d659edd6c79f89e0b2a54c65b9ae27dca57c00e7650fd3ae6273e7dc2ed1
 MD5 87d20c86d1451638e4b7adc2f7ac8067 files/xpdf-CESA-2004-007-xpdf2-newer.diff 2718
 RMD160 0cf60c817b9868896c7d6fa678978c2c1244618c files/xpdf-CESA-2004-007-xpdf2-newer.diff 2718
@@ -106,6 +114,7 @@ MD5 362296e34a1a04a6e5e2a7d9e97547c6 files/xpdf2-underflow.patch 2363
 RMD160 110c32f97715d3eb0bcdf19db41a0ac7465d75d1 files/xpdf2-underflow.patch 2363
 SHA256 88a06ef62c423805a0fed011db59e9c170a2482c29f0359dec8ae962395a28ba files/xpdf2-underflow.patch 2363
 DIST tetex-2.0.2-gentoo.tar.gz 1704 RMD160 f32700bfe389c9c15a72344770c7abe2ee048c38 SHA1 655379c710004ffe2cc65acf6c2efd424cecd109 SHA256 331ac072cf658c22b983b16439dc0e6f95cac0cc95f4d993fcb4bad883ea2622
+DIST tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797 RMD160 ac8499fcc818c4d8fe69b9e2d7fcbe04514d3a04 SHA1 860d526d64d06a836e472aa61c76ecb0c932794f SHA256 30e14cbed1ac1f2f6b5c5f0066c54394d7f2f215fb96ec3870282947ad33c520
 DIST tetex-3.0_p1-gentoo.tar.gz 604 RMD160 5da9d211792ab81d072f0fed65ac737aa3074a6b SHA1 e1f78f0d0136b80a8c51f66df40d098d5385249d SHA256 4e9236349a6d849db06fefcbbf5af7c333199312b461a06840cb8fd2eddd1ac6
 DIST tetex-src-2.0.2.tar.gz 11745933 RMD160 9bbb274c0598547bcecb00ff48e459d41bc65e93 SHA1 6445206b14d659458ee352df78d2c2daf8e88ab3 SHA256 9f8a35b3abd293d71fa6785a4c3e6aa4fdaeff03ae71863ad5ec9e1a9fc087f5
 DIST tetex-src-3.0_p1.tar.gz 13357541 RMD160 24d5029619675ce597782562bc1b87052235d461 SHA1 7d8a9be1d13881064b84c6ef84f74bec8f8724d3 SHA256 e67fff941ba95222ac8f0e17395446723fd78045fc2ff548ca40cc72086a4cc1
@@ -132,10 +141,14 @@ EBUILD tetex-3.0_p1-r4.ebuild 2718 RMD160 0bc80350627ab5550f8bcaf4e08d3174a8c6cc
 MD5 3d0772bad75df0cb23bfa462db9fba28 tetex-3.0_p1-r4.ebuild 2718
 RMD160 0bc80350627ab5550f8bcaf4e08d3174a8c6cc96 tetex-3.0_p1-r4.ebuild 2718
 SHA256 8d3ac57b244720cab52c579849727a6f8ed89456bf9411823ccf62a79103f85f tetex-3.0_p1-r4.ebuild 2718
-MISC ChangeLog 27115 RMD160 e76e5dfd77a753b11687269fe11c36d6bb7e614d SHA1 86e428facbab281e6b0af6c1d57413ec4b614d77 SHA256 4d64031925462909f3622dae7d2ef9cec1b2eaaf0cd8160ebdc4ae9157e9e66f
-MD5 8ad0266e8ae41d3c0a1801d1a94b8491 ChangeLog 27115
-RMD160 e76e5dfd77a753b11687269fe11c36d6bb7e614d ChangeLog 27115
-SHA256 4d64031925462909f3622dae7d2ef9cec1b2eaaf0cd8160ebdc4ae9157e9e66f ChangeLog 27115
+EBUILD tetex-3.0_p1-r5.ebuild 3170 RMD160 254e57b729bd228d80f39450f6b8aa4b8fbc84f9 SHA1 02b51c70b7ceb7160afb170578dc8968c1afdc18 SHA256 1ae82cbda697ccf6d7e898620bd7f6cf2263db04427d27c765157afdb19962cc
+MD5 ad92cadcb68131e8b45370854ead2e9f tetex-3.0_p1-r5.ebuild 3170
+RMD160 254e57b729bd228d80f39450f6b8aa4b8fbc84f9 tetex-3.0_p1-r5.ebuild 3170
+SHA256 1ae82cbda697ccf6d7e898620bd7f6cf2263db04427d27c765157afdb19962cc tetex-3.0_p1-r5.ebuild 3170
+MISC ChangeLog 27395 RMD160 cc63d021354ab3aa3cdd9687d3a5059585a1880a SHA1 60d18574783669ba262ca331ccfdfbfb83cd8a8b SHA256 ef20156ce33562dfa37a575b43ab67de35f440b97cb8fc4d7f392d5872fd0d81
+MD5 b1c3a5bfb06cb0ac2d2755862f51aaeb ChangeLog 27395
+RMD160 cc63d021354ab3aa3cdd9687d3a5059585a1880a ChangeLog 27395
+SHA256 ef20156ce33562dfa37a575b43ab67de35f440b97cb8fc4d7f392d5872fd0d81 ChangeLog 27395
 MISC metadata.xml 156 RMD160 2bf6b2ed9ff0fcef1e902cf093ccf4ae2dcc70a0 SHA1 e9260cd53905d8569cf3327ded4c6d01653fc389 SHA256 b4971b8472ab3fe4fbfe41b331a79193ca19e86c08d055ad1c20eaf9e04b79b6
 MD5 504d11dd034a4ba8f06e8e7c633d13ba metadata.xml 156
 RMD160 2bf6b2ed9ff0fcef1e902cf093ccf4ae2dcc70a0 metadata.xml 156
@@ -155,10 +168,13 @@ SHA256 30ea6f60adc5bae409f275bcf84024f76b81fc6dbad39beccadbdfdf292685c5 files/di
 MD5 931c53c1b0eceef55db5b2ff868bb200 files/digest-tetex-3.0_p1-r4 759
 RMD160 892c3e3577ad27b94445144dc7a82062c35507b6 files/digest-tetex-3.0_p1-r4 759
 SHA256 30ea6f60adc5bae409f275bcf84024f76b81fc6dbad39beccadbdfdf292685c5 files/digest-tetex-3.0_p1-r4 759
+MD5 f1fead447ea842cc2e59c190108d1fef files/digest-tetex-3.0_p1-r5 1066
+RMD160 6397f6203a3f632a68e3f8fc722fb47cbabcf39e files/digest-tetex-3.0_p1-r5 1066
+SHA256 f409247cd81e764c41785e945d59715f21270cc05add5d9b1b11a77c2380b052 files/digest-tetex-3.0_p1-r5 1066
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.7 (GNU/Linux)
 
-iD8DBQFHCYfDp/wUKkr7RBoRAgSLAJwNPdTOdMSeUDcML302DVCZcPliigCgyjFq
-bYRDtrNobsALoO9jsJYcfgo=
-=LlAw
+iD8DBQFHMkTcvFcC4BYPU0oRAnQ4AJ9cIsrNH53g+nxTnvwE1t69RnEqpgCfcsMM
+LZ98cr/lMJ3tkJj3Xk4Jy9g=
+=VaLS
 -----END PGP SIGNATURE-----
diff --git a/app-text/tetex/files/digest-tetex-3.0_p1-r5 b/app-text/tetex/files/digest-tetex-3.0_p1-r5
new file mode 100644
index 000000000000..13610b97c3f0
--- /dev/null
+++ b/app-text/tetex/files/digest-tetex-3.0_p1-r5
@@ -0,0 +1,12 @@
+MD5 e7cb60ace25c8c4a964c32895508e3e7 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
+RMD160 ac8499fcc818c4d8fe69b9e2d7fcbe04514d3a04 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
+SHA256 30e14cbed1ac1f2f6b5c5f0066c54394d7f2f215fb96ec3870282947ad33c520 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
+MD5 24568263880f911452936573211fa4e8 tetex-3.0_p1-gentoo.tar.gz 604
+RMD160 5da9d211792ab81d072f0fed65ac737aa3074a6b tetex-3.0_p1-gentoo.tar.gz 604
+SHA256 4e9236349a6d849db06fefcbbf5af7c333199312b461a06840cb8fd2eddd1ac6 tetex-3.0_p1-gentoo.tar.gz 604
+MD5 0f82ade673335256226d0321e6c5e2cf tetex-src-3.0_p1.tar.gz 13357541
+RMD160 24d5029619675ce597782562bc1b87052235d461 tetex-src-3.0_p1.tar.gz 13357541
+SHA256 e67fff941ba95222ac8f0e17395446723fd78045fc2ff548ca40cc72086a4cc1 tetex-src-3.0_p1.tar.gz 13357541
+MD5 ed9d30d9162d16ac8d5065cde6e0f6fa tetex-texmf-3.0.tar.gz 91402377
+RMD160 a1e87733fa3cbef04e39a690ed8549aeaaddb241 tetex-texmf-3.0.tar.gz 91402377
+SHA256 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 tetex-texmf-3.0.tar.gz 91402377
diff --git a/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch b/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch
new file mode 100644
index 000000000000..3f4732f1a249
--- /dev/null
+++ b/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch
@@ -0,0 +1,87 @@
+hps.c (stamp_external, stamp_hps): protext against long strings.
+    From Bastien Roucaries via Norbert, 21 Oct 2007 13:22:19,
+    Debian bug 447081.
+
+Index: texk/dvipsk/hps.c
+===================================================================
+--- texk/dvipsk/hps.c	(revision 5253)
++++ texk/dvipsk/hps.c	(revision 5254)
+@@ -441,20 +441,29 @@
+ 
+ void stamp_hps P1C(Hps_link *, pl)
+ {
+-  char tmpbuf[200] ;
++  char * tmpbuf;
+   if (pl == NULL) {
+-    error("Null pointer, oh no!") ;
++    error("stamp_hps: null pl pointer, oh no!") ;
+     return ;
+-  } else {
+-    /* print out the proper pdfm with local page info only 
+-     *  target info will be in the target dictionary */
+-    (void)sprintf(tmpbuf, 
+-		  " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+-		  pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+-		  pl->color[0], pl->color[1], pl->color[2]) ;
+-    cmdout(tmpbuf) ; 
+-  }
++  } 
++  if(pl->title == NULL) {
++    error("stamp_hps: null pl->title pointer, oh no!") ;
++    return ;
++  } 
++
++  tmpbuf = (char *) xmalloc(strlen(pl->title)+200);
++
++  /* print out the proper pdfm with local page info only 
++   *  target info will be in the target dictionary */
++  (void)sprintf(tmpbuf, 
++		" (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", 
++		pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
++		pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
++		pl->color[0], pl->color[1], pl->color[2]) ;
++  cmdout(tmpbuf) ; 
++  free(tmpbuf);
+   
++  
+ }
+ 
+ /* For external URL's, we just pass them through as a string. The hyperps
+@@ -462,18 +471,27 @@
+  */
+ void stamp_external P2C(char *, s, Hps_link *, pl) 
+ {
+-  char tmpbuf[200];
++  char *tmpbuf;
+   if (pl == NULL) {
+-    error("Null pointer, oh no!") ;
++    error("stamp_external: null pl pointer, oh no!") ;
+     return ;
+-  } else {
+-    /* print out the proper pdfm with local page info only 
+-     *  target info will be in the target dictionary */
+-    (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+-		  pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+-		  pl->color[0], pl->color[1], pl->color[2], s) ;
+-    cmdout(tmpbuf) ;
+-  }
++  } 
++
++  if (s == NULL) {
++    error("stamp_external: null s pointer, oh no!") ;
++    return ;
++  } 
++
++  tmpbuf = (char *) xmalloc(strlen(s) + 200);
++
++  /* print out the proper pdfm with local page info only 
++   *  target info will be in the target dictionary */
++  (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ",
++		pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
++		pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
++		pl->color[0], pl->color[1], pl->color[2], s) ;
++  cmdout(tmpbuf) ;
++  free(tmpbuf);
+ }
+ 
+ void finish_hps P1H(void) {
diff --git a/app-text/tetex/files/xpdf-3.02pl2.patch b/app-text/tetex/files/xpdf-3.02pl2.patch
new file mode 100644
index 000000000000..1d962f328a02
--- /dev/null
+++ b/app-text/tetex/files/xpdf-3.02pl2.patch
@@ -0,0 +1,640 @@
+Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
+===================================================================
+--- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.cc
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
+@@ -1285,19 +1285,24 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+     error (-1, "invalid number of columns: %d\n", columns);
+     exit (1);
+   }
++  else if (columns > INT_MAX - 2) columns = INT_MAX - 2;
+   rows = rowsA;
+   endOfBlock = endOfBlockA;
+   black = blackA;
+-  refLine = (short *)gmallocn(columns + 4, sizeof(short));
+-  codingLine = (short *)gmallocn(columns + 3, sizeof(short));
++  // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
++  // ---> max codingLine size = columns + 1
++  // refLine has one extra guard entry at the end
++  // ---> max refLine size = columns + 2
++  codingLine = (int *)gmallocn(columns + 1, sizeof(int));
++  refLine = (int *)gmallocn(columns + 2, sizeof(int));
+ 
+   eof = gFalse;
+   row = 0;
+   nextLine2D = encoding < 0;
+   inputBits = 0;
+-  codingLine[0] = 0;
+-  codingLine[1] = refLine[2] = columns;
+-  a0 = 1;
++  codingLine[0] = columns;
++  a0i = 0;
++  outputBits = 0;
+ 
+   buf = EOF;
+ }
+@@ -1316,9 +1321,9 @@ void CCITTFaxStream::reset() {
+   row = 0;
+   nextLine2D = encoding < 0;
+   inputBits = 0;
+-  codingLine[0] = 0;
+-  codingLine[1] = refLine[2] = columns;
+-  a0 = 1;
++  codingLine[0] = columns;
++  a0i = 0;
++  outputBits = 0;
+   buf = EOF;
+ 
+   // skip any initial zero bits and end-of-line marker, and get the 2D
+@@ -1335,164 +1340,228 @@ void CCITTFaxStream::reset() {
+   }
+ }
+ 
++inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
++  if (a1 > codingLine[a0i]) {
++    if (a1 > columns) {
++      error(getPos(), "CCITTFax row is wrong length (%d)", a1);
++      err = gTrue;
++      a1 = columns;
++    }
++    if ((a0i & 1) ^ blackPixels) {
++      ++a0i;
++    }
++    codingLine[a0i] = a1;
++  }
++}
++
++inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
++  if (a1 > codingLine[a0i]) {
++    if (a1 > columns) {
++      error(getPos(), "CCITTFax row is wrong length (%d)", a1);
++      err = gTrue;
++      a1 = columns;
++    }
++    if ((a0i & 1) ^ blackPixels) {
++      ++a0i;
++    }
++    codingLine[a0i] = a1;
++  } else if (a1 < codingLine[a0i]) {
++    if (a1 < 0) {
++      error(getPos(), "Invalid CCITTFax code");
++      err = gTrue;
++      a1 = 0;
++    }
++    while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
++      --a0i;
++    }
++    codingLine[a0i] = a1;
++  }
++}
++ 
+ int CCITTFaxStream::lookChar() {
+   short code1, code2, code3;
+-  int a0New;
+-  GBool err, gotEOL;
+-  int ret;
+-  int bits, i;
+-
+-  // if at eof just return EOF
+-  if (eof && codingLine[a0] >= columns) {
+-    return EOF;
++  int b1i, blackPixels, i, bits;
++  GBool gotEOL;
++  
++  if (buf != EOF) {
++    return buf;
+   }
+ 
+   // read the next row
+-  err = gFalse;
+-  if (codingLine[a0] >= columns) {
++  if (outputBits == 0) {
+ 
++    // if at eof just return EOF
++    if (eof) {
++      return EOF;
++    }
++
++    err = gFalse;
++  
+     // 2-D encoding
+     if (nextLine2D) {
+       for (i = 0; codingLine[i] < columns; ++i)
+ 	refLine[i] = codingLine[i];
+-      refLine[i] = refLine[i + 1] = columns;
+-      b1 = 1;
+-      a0New = codingLine[a0 = 0] = 0;
+-      do {
+-	code1 = getTwoDimCode();
++      refLine[i++] = columns;
++      refLine[i] = columns;
++      codingLine[0] = 0;
++      a0i = 0;
++      b1i = 0;
++      blackPixels = 0;
++      // invariant:
++      // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
++      //                                                             <= columns
++      // exception at left edge:
++      //   codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
++      // exception at right edge:
++      //   refLine[b1i] = refLine[b1i+1] = columns is possible
++      while (codingLine[a0i] < columns) {
++  	code1 = getTwoDimCode();
+ 	switch (code1) {
+-	case twoDimPass:
+-	  if (refLine[b1] < columns) {
+-	    a0New = refLine[b1 + 1];
+-	    b1 += 2;
+-	  }
+-	  break;
+-	case twoDimHoriz:
+-	  if ((a0 & 1) == 0) {
+-	    code1 = code2 = 0;
+-	    do {
+-	      code1 += code3 = getWhiteCode();
+-	    } while (code3 >= 64);
+-	    do {
+-	      code2 += code3 = getBlackCode();
+-	    } while (code3 >= 64);
+-	  } else {
+-	    code1 = code2 = 0;
+-	    do {
+-	      code1 += code3 = getBlackCode();
+-	    } while (code3 >= 64);
+-	    do {
+-	      code2 += code3 = getWhiteCode();
+-	    } while (code3 >= 64);
+-	  }
+-	  if (code1 > 0 || code2 > 0) {
+-	    codingLine[a0 + 1] = a0New + code1;
+-	    ++a0;
+-	    a0New = codingLine[a0 + 1] = codingLine[a0] + code2;
+-	    ++a0;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVert0:
+-	  a0New = codingLine[++a0] = refLine[b1];
+-	  if (refLine[b1] < columns) {
+-	    ++b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertR1:
+-	  a0New = codingLine[++a0] = refLine[b1] + 1;
+-	  if (refLine[b1] < columns) {
+-	    ++b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertL1:
+-	  if (a0 == 0 || refLine[b1] - 1 > a0New) {
+-	    a0New = codingLine[++a0] = refLine[b1] - 1;
+-	    --b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertR2:
+-	  a0New = codingLine[++a0] = refLine[b1] + 2;
+-	  if (refLine[b1] < columns) {
+-	    ++b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertL2:
+-	  if (a0 == 0 || refLine[b1] - 2 > a0New) {
+-	    a0New = codingLine[++a0] = refLine[b1] - 2;
+-	    --b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertR3:
+-	  a0New = codingLine[++a0] = refLine[b1] + 3;
+-	  if (refLine[b1] < columns) {
+-	    ++b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case twoDimVertL3:
+-	  if (a0 == 0 || refLine[b1] - 3 > a0New) {
+-	    a0New = codingLine[++a0] = refLine[b1] - 3;
+-	    --b1;
+-	    while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
+-	      b1 += 2;
+-	  }
+-	  break;
+-	case EOF:
+-	  eof = gTrue;
+-	  codingLine[a0 = 0] = columns;
+-	  return EOF;
+-	default:
+-	  error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
+-	  err = gTrue;
+-	  break;
++  	case twoDimPass:
++ 	  addPixels(refLine[b1i + 1], blackPixels);
++ 	  if (refLine[b1i + 1] < columns) {
++ 	    b1i += 2;
++  	  }
++  	  break;
++  	case twoDimHoriz:
++ 	  code1 = code2 = 0;
++ 	  if (blackPixels) {
++  	    do {
++ 	      code1 += code3 = getBlackCode();
++  	    } while (code3 >= 64);
++  	    do {
++ 	      code2 += code3 = getWhiteCode();
++  	    } while (code3 >= 64);
++  	  } else {
++  	    do {
++ 	      code1 += code3 = getWhiteCode();
++  	    } while (code3 >= 64);
++  	    do {
++ 	      code2 += code3 = getBlackCode();
++  	    } while (code3 >= 64);
++  	  }
++ 	  addPixels(codingLine[a0i] + code1, blackPixels);
++ 	  if (codingLine[a0i] < columns) {
++ 	    addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
++ 	  }
++ 	  while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	    b1i += 2;
++ 	  }
++ 	  break;
++ 	case twoDimVertR3:
++ 	  addPixels(refLine[b1i] + 3, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    ++b1i;
++ 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++ 	case twoDimVertR2:
++ 	  addPixels(refLine[b1i] + 2, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    ++b1i;
++	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++  	case twoDimVertR1:
++ 	  addPixels(refLine[b1i] + 1, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    ++b1i;
++ 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++ 	case twoDimVert0:
++ 	  addPixels(refLine[b1i], blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    ++b1i;
++ 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++ 	case twoDimVertL3:
++ 	  addPixelsNeg(refLine[b1i] - 3, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    if (b1i > 0) {
++ 	      --b1i;
++ 	    } else {
++	      ++b1i;
++ 	    }
++	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++  	case twoDimVertL2:
++ 	  addPixelsNeg(refLine[b1i] - 2, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    if (b1i > 0) {
++ 	      --b1i;
++ 	    } else {
++ 	      ++b1i;
++  	    }
++ 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++ 	    }
++  	  }
++  	  break;
++ 	case twoDimVertL1:
++ 	  addPixelsNeg(refLine[b1i] - 1, blackPixels);
++ 	  blackPixels ^= 1;
++ 	  if (codingLine[a0i] < columns) {
++ 	    if (b1i > 0) {
++ 	      --b1i;
++ 	    } else {
++ 	      ++b1i;
++ 	    }
++ 	    while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
++ 	      b1i += 2;
++  	    }
++  	  }
++  	  break;
++  	case EOF:
++ 	  addPixels(columns, 0);
++  	  eof = gTrue;
++ 	  break;
++  	default:
++  	  error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
++ 	  addPixels(columns, 0);
++  	  err = gTrue;
++  	  break;
++  	}
+ 	}
+-      } while (codingLine[a0] < columns);
+ 
+     // 1-D encoding
+     } else {
+-      codingLine[a0 = 0] = 0;
+-      while (1) {
+-	code1 = 0;
+-	do {
+-	  code1 += code3 = getWhiteCode();
+-	} while (code3 >= 64);
+-	codingLine[a0+1] = codingLine[a0] + code1;
+-	++a0;
+-	if (codingLine[a0] >= columns)
+-	  break;
+-	code2 = 0;
+-	do {
+-	  code2 += code3 = getBlackCode();
+-	} while (code3 >= 64);
+-	codingLine[a0+1] = codingLine[a0] + code2;
+-	++a0;
+-	if (codingLine[a0] >= columns)
+-	  break;
+-      }
+-    }
+-
+-    if (codingLine[a0] != columns) {
+-      error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]);
+-      // force the row to be the correct length
+-      while (codingLine[a0] > columns) {
+-	--a0;
++       codingLine[0] = 0;
++       a0i = 0;
++       blackPixels = 0;
++       while (codingLine[a0i] < columns) {
++ 	code1 = 0;
++ 	if (blackPixels) {
++ 	  do {
++ 	    code1 += code3 = getBlackCode();
++ 	  } while (code3 >= 64);
++ 	} else {
++ 	  do {
++ 	    code1 += code3 = getWhiteCode();
++ 	  } while (code3 >= 64);
++  	}
++ 	addPixels(codingLine[a0i] + code1, blackPixels);
++ 	blackPixels ^= 1;
++        }
+       }
+-      codingLine[++a0] = columns;
+-      err = gTrue;
+-    }
+ 
+     // byte-align the row
+     if (byteAlign) {
+@@ -1552,14 +1621,17 @@ int CCITTFaxStream::lookChar() {
+     // this if we know the stream contains end-of-line markers because
+     // the "just plow on" technique tends to work better otherwise
+     } else if (err && endOfLine) {
+-      do {
++      while (1) {
++	code1 = lookBits(13);
+ 	if (code1 == EOF) {
+ 	  eof = gTrue;
+ 	  return EOF;
+ 	}
++	if ((code1 >> 1) == 0x001) {
++	  break;
++	}
+ 	eatBits(1);
+-	code1 = lookBits(13);
+-      } while ((code1 >> 1) != 0x001);
++      }
+       eatBits(12); 
+       if (encoding > 0) {
+ 	eatBits(1);
+@@ -1567,11 +1639,11 @@ int CCITTFaxStream::lookChar() {
+       }
+     }
+ 
+-    a0 = 0;
+-    outputBits = codingLine[1] - codingLine[0];
+-    if (outputBits == 0) {
+-      a0 = 1;
+-      outputBits = codingLine[2] - codingLine[1];
++    // set up for output
++    if (codingLine[0] > 0) {
++      outputBits = codingLine[a0i = 0];
++    } else {
++      outputBits = codingLine[a0i = 1];
+     }
+ 
+     ++row;
+@@ -1579,39 +1651,43 @@ int CCITTFaxStream::lookChar() {
+ 
+   // get a byte
+   if (outputBits >= 8) {
+-    ret = ((a0 & 1) == 0) ? 0xff : 0x00;
+-    if ((outputBits -= 8) == 0) {
+-      ++a0;
+-      if (codingLine[a0] < columns) {
+-	outputBits = codingLine[a0 + 1] - codingLine[a0];
+-      }
++    buf = (a0i & 1) ? 0x00 : 0xff;
++    outputBits -= 8;
++    if (outputBits == 0 && codingLine[a0i] < columns) {
++      ++a0i;
++      outputBits = codingLine[a0i] - codingLine[a0i - 1];
+     }
+   } else {
+     bits = 8;
+-    ret = 0;
++    buf = 0;
+     do {
+       if (outputBits > bits) {
+-	i = bits;
+-	bits = 0;
+-	if ((a0 & 1) == 0) {
+-	  ret |= 0xff >> (8 - i);
++	buf <<= bits;
++	if (!(a0i & 1)) {
++	  buf |= 0xff >> (8 - bits);
+ 	}
+-	outputBits -= i;
++	outputBits -= bits;
++	bits = 0;
+       } else {
+-	i = outputBits;
+-	bits -= outputBits;
+-	if ((a0 & 1) == 0) {
+-	  ret |= (0xff >> (8 - i)) << bits;
++	buf <<= outputBits;
++	if (!(a0i & 1)) {
++	  buf |= 0xff >> (8 - outputBits);
+ 	}
++	bits -= outputBits;
+ 	outputBits = 0;
+-	++a0;
+-	if (codingLine[a0] < columns) {
+-	  outputBits = codingLine[a0 + 1] - codingLine[a0];
++	if (codingLine[a0i] < columns) {
++	  ++a0i;
++	  outputBits = codingLine[a0i] - codingLine[a0i - 1];
++	} else if (bits > 0) {
++	  buf <<= bits;
++	  bits = 0;
+ 	}
+       }
+-    } while (bits > 0 && codingLine[a0] < columns);
++    } while (bits);
++  }
++  if (black) {
++    buf ^= 0xff;
+   }
+-  buf = black ? (ret ^ 0xff) : ret;
+   return buf;
+ }
+ 
+@@ -1653,6 +1729,9 @@ short CCITTFaxStream::getWhiteCode() {
+   code = 0; // make gcc happy
+   if (endOfBlock) {
+     code = lookBits(12);
++    if (code == EOF) {
++      return 1;
++    }
+     if ((code >> 5) == 0) {
+       p = &whiteTab1[code];
+     } else {
+@@ -1665,6 +1744,9 @@ short CCITTFaxStream::getWhiteCode() {
+   } else {
+     for (n = 1; n <= 9; ++n) {
+       code = lookBits(n);
++      if (code == EOF) {
++	return 1;
++      }
+       if (n < 9) {
+ 	code <<= 9 - n;
+       }
+@@ -1676,6 +1758,9 @@ short CCITTFaxStream::getWhiteCode() {
+     }
+     for (n = 11; n <= 12; ++n) {
+       code = lookBits(n);
++      if (code == EOF) {
++	return 1;
++      }
+       if (n < 12) {
+ 	code <<= 12 - n;
+       }
+@@ -1701,6 +1786,9 @@ short CCITTFaxStream::getBlackCode() {
+   code = 0; // make gcc happy
+   if (endOfBlock) {
+     code = lookBits(13);
++    if (code == EOF) {
++      return 1;
++    }
+     if ((code >> 7) == 0) {
+       p = &blackTab1[code];
+     } else if ((code >> 9) == 0) {
+@@ -1715,6 +1803,9 @@ short CCITTFaxStream::getBlackCode() {
+   } else {
+     for (n = 2; n <= 6; ++n) {
+       code = lookBits(n);
++      if (code == EOF) {
++	return 1;
++      }
+       if (n < 6) {
+ 	code <<= 6 - n;
+       }
+@@ -1726,6 +1817,9 @@ short CCITTFaxStream::getBlackCode() {
+     }
+     for (n = 7; n <= 12; ++n) {
+       code = lookBits(n);
++      if (code == EOF) {
++	return 1;
++      }
+       if (n < 12) {
+ 	code <<= 12 - n;
+       }
+@@ -1739,6 +1833,9 @@ short CCITTFaxStream::getBlackCode() {
+     }
+     for (n = 10; n <= 13; ++n) {
+       code = lookBits(n);
++      if (code == EOF) {
++	return 1;
++      }
+       if (n < 13) {
+ 	code <<= 13 - n;
+       }
+@@ -1961,6 +2058,12 @@ void DCTStream::reset() {
+     // allocate a buffer for the whole image
+     bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
+     bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
++    if (bufWidth <= 0 || bufHeight <= 0 ||
++	bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
++      error(getPos(), "Invalid image size in DCT stream");
++      y = height;
++      return;
++    }
+     for (i = 0; i < numComps; ++i) {
+       frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
+       memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));
+@@ -3024,6 +3127,11 @@ GBool DCTStream::readScanInfo() {
+   }
+   scanInfo.firstCoeff = str->getChar();
+   scanInfo.lastCoeff = str->getChar();
++  if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
++      scanInfo.firstCoeff > scanInfo.lastCoeff) {
++    error(getPos(), "Bad DCT coefficient numbers in scan info block");
++    return gFalse;
++  }
+   c = str->getChar();
+   scanInfo.ah = (c >> 4) & 0x0f;
+   scanInfo.al = c & 0x0f;
+Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.h
+===================================================================
+--- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.h
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h
+@@ -519,13 +519,15 @@ private:
+   int row;			// current row
+   int inputBuf;			// input buffer
+   int inputBits;		// number of bits in input buffer
+-  short *refLine;		// reference line changing elements
+-  int b1;			// index into refLine
+-  short *codingLine;		// coding line changing elements
+-  int a0;			// index into codingLine
++  int *codingLine;		// coding line changing elements
++  int *refLine;			// reference line changing elements
++  int a0i;			// index into codingLine
++  GBool err;			// error on current line
+   int outputBits;		// remaining ouput bits
+   int buf;			// character buffer
+ 
++  void addPixels(int a1, int black);
++  void addPixelsNeg(int a1, int black);
+   short getTwoDimCode();
+   short getWhiteCode();
+   short getBlackCode();
diff --git a/app-text/tetex/tetex-3.0_p1-r5.ebuild b/app-text/tetex/tetex-3.0_p1-r5.ebuild
new file mode 100644
index 000000000000..35155f1d1e12
--- /dev/null
+++ b/app-text/tetex/tetex-3.0_p1-r5.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-text/tetex/tetex-3.0_p1-r5.ebuild,v 1.1 2007/11/07 23:05:19 aballier Exp $
+
+inherit tetex-3 flag-o-matic versionator virtualx autotools
+
+SMALL_PV=$(get_version_component_range 1-2 ${PV})
+TETEX_TEXMF_PV=${SMALL_PV}
+S="${WORKDIR}/tetex-src-${SMALL_PV}"
+
+TETEX_SRC="tetex-src-${PV}.tar.gz"
+TETEX_TEXMF="tetex-texmf-${TETEX_TEXMF_PV:-${TETEX_PV}}.tar.gz"
+#TETEX_TEXMF_SRC="tetex-texmfsrc-${TETEX_TEXMF_PV:-${TETEX_PV}}.tar.gz"
+TETEX_TEXMF_SRC=""
+
+DESCRIPTION="a complete TeX distribution"
+HOMEPAGE="http://tug.org/teTeX/"
+
+SRC_PATH_TETEX=ftp://cam.ctan.org/tex-archive/systems/unix/teTeX/current/distrib
+SRC_URI="mirror://gentoo/${TETEX_SRC}
+	${SRC_PATH_TETEX}/${TETEX_TEXMF}
+	mirror://gentoo/${P}-gentoo.tar.gz
+	mirror://gentoo/${P}-dviljk-security-fixes.patch.bz2"
+
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
+
+# these are defined in tetex.eclass and tetex-3.eclass
+IUSE=""
+DEPEND="${DEPEND} media-libs/gd"
+RDEPEND="${RDEPEND} media-libs/gd"
+
+src_unpack() {
+	tetex-3_src_unpack
+	cd "${WORKDIR}"
+	unpack ${P}-dviljk-security-fixes.patch.bz2
+	cd "${S}"
+	epatch "${FILESDIR}/${PN}-${SMALL_PV}-kpathsea-pic.patch"
+
+	# bug 85404
+	epatch "${FILESDIR}/${PN}-${SMALL_PV}-epstopdf-wrong-rotation.patch"
+
+	epatch "${FILESDIR}/${P}-amd64-xdvik-wp.patch"
+	epatch "${FILESDIR}/${P}-mptest.patch"
+
+	#bug 98029
+	epatch "${FILESDIR}/${P}-fmtutil-etex.patch"
+
+	#bug 115775
+	epatch "${FILESDIR}/${P}-xpdf-vulnerabilities.patch"
+
+	# bug 94860
+	epatch "${FILESDIR}/${P}-pdftosrc-install.patch"
+
+	# bug 126918
+	epatch "${FILESDIR}/${P}-create-empty-files.patch"
+
+	# bug 94901
+	epatch "${FILESDIR}/${P}-dvipdfm-timezone.patch"
+
+	# security bug #170861
+	epatch "${FILESDIR}/${P}-CVE-2007-0650.patch"
+
+	# security bug #188172
+	epatch "${FILESDIR}/${P}-xpdf-CVE-2007-3387.patch"
+
+	# security bug #198238
+	epatch "${FILESDIR}/${P}-dvips_bufferoverflow.patch"
+
+	# securty bug #196735
+	epatch "${FILESDIR}/xpdf-3.02pl2.patch"
+
+	# Construct a Gentoo site texmf directory
+	# that overlays the upstream supplied
+	epatch "${FILESDIR}/${P}-texmf-site.patch"
+
+	# security bug #198238
+	epatch "${WORKDIR}/${P}-dviljk-security-fixes.patch"
+
+	cd "${S}/texk/dviljk"
+	AT_M4DIR="${S}/texk/m4" eautoreconf
+}
+
+src_compile() {
+	#bug 119856
+	export LC_ALL=C
+
+	# dvipng has its own ebuild (fix for bug #129044).
+	# also, do not build against own lib gd (security #182055)
+	TETEX_ECONF="${TETEX_ECONF} --without-dvipng --with-system-gd"
+
+	tetex-3_src_compile
+}
+
+src_test() {
+	fmtutil --fmtdir "${S}/texk/web2c" --all
+	# The check target tries to access X display, bug #69439.
+	Xmake check || die "Xmake check failed."
+}
+
+src_install() {
+	insinto /usr/share/texmf/dvips/pstricks
+	doins "${FILESDIR}/pst-circ.pro"
+
+	# install pdftosrc man page, bug 94860
+	doman "${S}/texk/web2c/pdftexdir/pdftosrc.1"
+
+	tetex-3_src_install
+
+	# Create Gentoo site texmf directory
+	keepdir /usr/share/texmf-site
+}
+
+pkg_postinst() {
+	tetex-3_pkg_postinst
+
+	elog
+	elog "This release removes dvipng since it is provided in app-text/dvipng"
+	elog
+}