[pkgsrc/pkgsrc-2005Q3]: pkgsrc/print/gpdf Pullup ticket 953 - requested by Lu...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/pkgsrc-2005Q3]: pkgsrc/print/gpdf Pullup ticket 953 - requested by Lu...
From: seb <seb%pkgsrc.org@localhost>
Date: Thu, 14 Oct 2021 02:19:05 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/604005652576
branches:  pkgsrc-2005Q3
changeset: 499743:604005652576
user:      seb <seb%pkgsrc.org@localhost>
date:      Mon Dec 12 23:04:01 2005 +0000

description:
Pullup ticket 953 - requested by Lubomir Sedlacik
security fix via patch for print/gpdf

diffstat:

 print/gpdf/Makefile         |   4 +-
 print/gpdf/distinfo         |   5 ++-
 print/gpdf/patches/patch-ac |  31 +++++++++++++++++
 print/gpdf/patches/patch-ad |  78 +++++++++++++++++++++++++++++++++++++++++++++
 print/gpdf/patches/patch-ae |  23 +++++++++++++
 5 files changed, 138 insertions(+), 3 deletions(-)

diffs (173 lines):

diff -r eaaf2d16c66b -r 604005652576 print/gpdf/Makefile
--- a/print/gpdf/Makefile       Mon Dec 12 13:20:59 2005 +0000
+++ b/print/gpdf/Makefile       Mon Dec 12 23:04:01 2005 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2005/09/05 14:42:42 jmmv Exp $
+# $NetBSD: Makefile,v 1.29.2.1 2005/12/12 23:04:01 seb Exp $
 #
 
 DISTNAME=      gpdf-2.10.0
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    print
 MASTER_SITES=  ${MASTER_SITE_GNOME:=sources/gpdf/2.10/}
 EXTRACT_SUFX=  .tar.bz2
diff -r eaaf2d16c66b -r 604005652576 print/gpdf/distinfo
--- a/print/gpdf/distinfo       Mon Dec 12 13:20:59 2005 +0000
+++ b/print/gpdf/distinfo       Mon Dec 12 23:04:01 2005 +0000
@@ -1,7 +1,10 @@
-$NetBSD: distinfo,v 1.12 2005/09/05 14:42:42 jmmv Exp $
+$NetBSD: distinfo,v 1.12.2.1 2005/12/12 23:04:01 seb Exp $
 
 SHA1 (gpdf-2.10.0.tar.bz2) = f9b925ed5b15deb90968e834fd63fc7628688808
 RMD160 (gpdf-2.10.0.tar.bz2) = 16cb9413e012c2c5268082d8322d1468e5c30907
 Size (gpdf-2.10.0.tar.bz2) = 1079944 bytes
 SHA1 (patch-aa) = 8985b54bad962a31a6ee315747c0297419b8e291
 SHA1 (patch-ab) = 4601088604b8c5a52546e689bfdccc2aa18ea1e6
+SHA1 (patch-ac) = cf2973f83d6a6f02c4c387696bb328512e20e877
+SHA1 (patch-ad) = a1138d90f28ec93de573d180bcce2cd2a15f7439
+SHA1 (patch-ae) = a75595e464d4a73e0ffeeb0d418f566d61b12732
diff -r eaaf2d16c66b -r 604005652576 print/gpdf/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/gpdf/patches/patch-ac       Mon Dec 12 23:04:01 2005 +0000
@@ -0,0 +1,31 @@
+$NetBSD: patch-ac,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $
+
+Security fix for CVE-2005-3193.
+
+--- xpdf/JPXStream.cc.orig     2004-05-17 20:11:49.000000000 +0200
++++ xpdf/JPXStream.cc  2005-12-11 05:08:28.000000000 +0100
+@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+ 
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
+                   / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+                   / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-                                   sizeof(JPXTile));
++      nTiles = img.nXTiles * img.nYTiles;
++      // check for overflow before allocating memory
++      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++        error(getPos(), "Bad tile count in JPX SIZ marker segment");
++        return gFalse;
++      }
++      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+       img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+                                                       sizeof(JPXTileComp));
diff -r eaaf2d16c66b -r 604005652576 print/gpdf/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/gpdf/patches/patch-ad       Mon Dec 12 23:04:01 2005 +0000
@@ -0,0 +1,78 @@
+$NetBSD: patch-ad,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $
+
+Security fix for CVE-2005-3191 and CVE-2005-3192.
+
+--- xpdf/Stream.cc.orig        2004-05-17 21:37:57.000000000 +0200
++++ xpdf/Stream.cc     2005-12-11 05:10:04.000000000 +0100
+@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+                                int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
diff -r eaaf2d16c66b -r 604005652576 print/gpdf/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/gpdf/patches/patch-ae       Mon Dec 12 23:04:01 2005 +0000
@@ -0,0 +1,23 @@
+$NetBSD: patch-ae,v 1.1.2.1 2005/12/12 23:04:02 seb Exp $
+
+Security fix for CVE-2005-3192.
+
+--- xpdf/Stream.h.orig 2004-05-17 21:37:57.000000000 +0200
++++ xpdf/Stream.h      2005-12-11 05:10:04.000000000 +0100
+@@ -233,6 +233,8 @@ public:
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -250,6 +252,7 @@ private:
+   int rowBytes;                       // bytes per line
+   Guchar *predLine;           // line buffer
+   int predIdx;                        // current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------

Prev by Date: [pkgsrc/pkgsrc-2005Q3]: pkgsrc/multimedia Pullup ticket 952 - requested by Lu...
Next by Date: [pkgsrc/pkgsrc-2005Q3]: pkgsrc/doc #953
Previous by Thread: [pkgsrc/pkgsrc-2005Q3]: pkgsrc/multimedia Pullup ticket 952 - requested by Lu...
Next by Thread: [pkgsrc/pkgsrc-2005Q3]: pkgsrc/doc #953
Indexes:

Home | Main Index | Thread Index | Old Index