pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/print/ghostscript add a patch from gentoo to fix range...
details: https://anonhg.NetBSD.org/pkgsrc/rev/62851665b8e0
branches: trunk
changeset: 556642:62851665b8e0
user: drochner <drochner%pkgsrc.org@localhost>
date: Wed Mar 25 10:42:13 2009 +0000
description:
add a patch from gentoo to fix range checks in icc profile handling
which could lead to DOS or possibly code injection (CVE-2009-0583,
CVE-2009-0584), bump PKGREVISION
diffstat:
print/ghostscript/Makefile | 3 +-
print/ghostscript/distinfo | 3 +-
print/ghostscript/patches/patch-aj | 990 +++++++++++++++++++++++++++++++++++++
3 files changed, 994 insertions(+), 2 deletions(-)
diffs (truncated from 1020 to 300 lines):
diff -r 7d8a4b45804a -r 62851665b8e0 print/ghostscript/Makefile
--- a/print/ghostscript/Makefile Wed Mar 25 09:32:48 2009 +0000
+++ b/print/ghostscript/Makefile Wed Mar 25 10:42:13 2009 +0000
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.59 2009/02/18 17:52:58 drochner Exp $
+# $NetBSD: Makefile,v 1.60 2009/03/25 10:42:13 drochner Exp $
DISTNAME= ghostscript-8.64
+PKGREVISION= 1
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
EXTRACT_SUFX= .tar.bz2
diff -r 7d8a4b45804a -r 62851665b8e0 print/ghostscript/distinfo
--- a/print/ghostscript/distinfo Wed Mar 25 09:32:48 2009 +0000
+++ b/print/ghostscript/distinfo Wed Mar 25 10:42:13 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2009/02/16 16:31:30 drochner Exp $
+$NetBSD: distinfo,v 1.22 2009/03/25 10:42:13 drochner Exp $
SHA1 (ghostscript-8.64.tar.bz2) = 4c2a6e04145428d35da73fbc4db9c66a75e336e0
RMD160 (ghostscript-8.64.tar.bz2) = 565134dcfe1e823b435c3761461c5eb394bd633c
@@ -10,3 +10,4 @@
SHA1 (patch-ag) = dd452d29253e20bb8fa453a1e4f139a40b2ab3e3
SHA1 (patch-ah) = efc85dead838505ee462714167f196db2deeb0aa
SHA1 (patch-ai) = ad69ddd4a4bd50cf2263ac6c6d17a59798ef3124
+SHA1 (patch-aj) = 5608e834189c9746f4ad40d11cc36e76609e5d6c
diff -r 7d8a4b45804a -r 62851665b8e0 print/ghostscript/patches/patch-aj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/print/ghostscript/patches/patch-aj Wed Mar 25 10:42:13 2009 +0000
@@ -0,0 +1,990 @@
+$NetBSD: patch-aj,v 1.3 2009/03/25 10:42:13 drochner Exp $
+
+--- icclib/icc.c.orig 2008-05-09 06:12:01.000000000 +0200
++++ icclib/icc.c
+@@ -152,6 +152,8 @@
+ * Various bug fixes and enhancements.
+ */
+
++#include <limits.h>
++#include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stdarg.h>
+@@ -313,8 +315,11 @@ size_t count
+ icmFileMem *p = (icmFileMem *)pp;
+ size_t len;
+
++ if (count > 0 && size > SIZE_MAX / count)
++ return 0;
++
+ len = size * count;
+- if ((p->cur + len) >= p->end) { /* Too much */
++ if (len > (p->end - p->cur)) { /* Too much */
+ if (size > 0)
+ count = (p->end - p->cur)/size;
+ else
+@@ -1634,6 +1639,8 @@ static int icmUInt8Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmUInt8Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -1698,7 +1705,7 @@ static int icmUInt8Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ sprintf(icp->err,"icmUInt8Array_alloc: malloc() of icmUInt8Array data failed");
+ return icp->errc = 2;
+ }
+@@ -1749,6 +1756,10 @@ static unsigned int icmUInt16Array_get_s
+ icmUInt16Array *p = (icmUInt16Array *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 2) {
++ p->icp->errc = 1;
++ return (unsigned int) -1;
++ }
+ len += p->size * 2; /* 2 bytes for each UInt16 */
+ return len;
+ }
+@@ -1821,6 +1832,8 @@ static int icmUInt16Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmUInt16Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -1885,7 +1898,7 @@ static int icmUInt16Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ sprintf(icp->err,"icmUInt16Array_alloc: malloc() of icmUInt16Array data failed");
+ return icp->errc = 2;
+ }
+@@ -1936,6 +1949,10 @@ static unsigned int icmUInt32Array_get_s
+ icmUInt32Array *p = (icmUInt32Array *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 4) {
++ p->icp->errc = 1;
++ return (unsigned int) -1;
++ }
+ len += p->size * 4; /* 4 bytes for each UInt32 */
+ return len;
+ }
+@@ -2008,6 +2025,8 @@ static int icmUInt32Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmUInt32Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -2072,7 +2091,7 @@ static int icmUInt32Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned int *) icp->al->malloc(icp->al, p->size * sizeof(unsigned int))) == NULL) {
++ if ((p->data = (unsigned int *) icp->al->calloc(icp->al, p->size, sizeof(unsigned int))) == NULL) {
+ sprintf(icp->err,"icmUInt32Array_alloc: malloc() of icmUInt32Array data failed");
+ return icp->errc = 2;
+ }
+@@ -2123,6 +2142,10 @@ static unsigned int icmUInt64Array_get_s
+ icmUInt64Array *p = (icmUInt64Array *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 8) {
++ p->icp->errc = 1;
++ return (unsigned int) -1;
++ }
+ len += p->size * 8; /* 8 bytes for each UInt64 */
+ return len;
+ }
+@@ -2195,6 +2218,8 @@ static int icmUInt64Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmUInt64Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -2259,7 +2284,7 @@ static int icmUInt64Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (icmUint64 *) icp->al->malloc(icp->al, p->size * sizeof(icmUint64))) == NULL) {
++ if ((p->data = (icmUint64 *) icp->al->calloc(icp->al, p->size, sizeof(icmUint64))) == NULL) {
+ sprintf(icp->err,"icmUInt64Array_alloc: malloc() of icmUInt64Array data failed");
+ return icp->errc = 2;
+ }
+@@ -2310,6 +2335,10 @@ static unsigned int icmU16Fixed16Array_g
+ icmU16Fixed16Array *p = (icmU16Fixed16Array *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 4) {
++ p->icp->errc = 1;
++ return (unsigned int) -1;
++ }
+ len += p->size * 4; /* 4 byte for each U16Fixed16 */
+ return len;
+ }
+@@ -2382,6 +2411,8 @@ static int icmU16Fixed16Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmU16Fixed16Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -2446,7 +2477,7 @@ static int icmU16Fixed16Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ sprintf(icp->err,"icmU16Fixed16Array_alloc: malloc() of icmU16Fixed16Array data failed");
+ return icp->errc = 2;
+ }
+@@ -2497,6 +2528,10 @@ static unsigned int icmS15Fixed16Array_g
+ icmS15Fixed16Array *p = (icmS15Fixed16Array *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 4) {
++ p->icp->errc = 1;
++ return (unsigned int) - 1;
++ }
+ len += p->size * 4; /* 4 byte for each S15Fixed16 */
+ return len;
+ }
+@@ -2569,6 +2604,8 @@ static int icmS15Fixed16Array_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmS15Fixed16Array_write malloc() failed");
+ return icp->errc = 2;
+@@ -2633,7 +2670,7 @@ static int icmS15Fixed16Array_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ sprintf(icp->err,"icmS15Fixed16Array_alloc: malloc() of icmS15Fixed16Array data failed");
+ return icp->errc = 2;
+ }
+@@ -2726,6 +2763,10 @@ static unsigned int icmXYZArray_get_size
+ icmXYZArray *p = (icmXYZArray *)pp;
+ unsigned int len = 0;
+ len += 8; /* 8 bytes for tag and padding */
++ if (p->size > (UINT_MAX - len) / 12) {
++ p->icp->errc = 1;
++ return (unsigned int) - 1;
++ }
+ len += p->size * 12; /* 12 bytes for each XYZ */
+ return len;
+ }
+@@ -2798,6 +2839,8 @@ static int icmXYZArray_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmXYZArray_write malloc() failed");
+ return icp->errc = 2;
+@@ -2865,7 +2908,7 @@ static int icmXYZArray_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (icmXYZNumber *) icp->al->malloc(icp->al, p->size * sizeof(icmXYZNumber))) == NULL) {
++ if ((p->data = (icmXYZNumber *) icp->al->calloc(icp->al, p->size, sizeof(icmXYZNumber))) == NULL) {
+ sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
+ return icp->errc = 2;
+ }
+@@ -3001,7 +3044,7 @@ static int icmTable_setup_bwd(
+ int nf; /* Next free slot */
+ if (rt->rlists[j] == NULL) { /* No allocation */
+ as = 5; /* Start with space for 5 */
+- if ((rt->rlists[j] = (int *) icp->al->malloc(icp->al, sizeof(int) * as)) == NULL) {
++ if ((rt->rlists[j] = (int *) icp->al->calloc(icp->al, sizeof(int), as)) == NULL) {
+ return 2;
+ }
+ rt->rlists[j][0] = as;
+@@ -3141,6 +3184,10 @@ static unsigned int icmCurve_get_size(
+ icmCurve *p = (icmCurve *)pp;
+ unsigned int len = 0;
+ len += 12; /* 12 bytes for tag, padding and count */
++ if (p->size > (UINT_MAX - len) / 2) {
++ p->icp->errc = 1;
++ return (unsigned int) - 1;
++ }
+ len += p->size * 2; /* 2 bytes for each UInt16 */
+ return len;
+ }
+@@ -3238,6 +3285,8 @@ static int icmCurve_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmCurve_write malloc() failed");
+ return icp->errc = 2;
+@@ -3347,7 +3396,7 @@ static int icmCurve_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (double *) icp->al->malloc(icp->al, p->size * sizeof(double))) == NULL) {
++ if ((p->data = (double *) icp->al->calloc(icp->al, p->size, sizeof(double))) == NULL) {
+ sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
+ return icp->errc = 2;
+ }
+@@ -3493,6 +3542,8 @@ static int icmData_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
++ return icp->errc;
+ if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
+ sprintf(icp->err,"icmData_write malloc() failed");
+ return icp->errc = 2;
+@@ -3745,6 +3796,8 @@ static int icmText_write(
+
+ /* Allocate a file write buffer */
+ len = p->get_size((icmBase *)p);
++ if (icp->errc)
Home |
Main Index |
Thread Index |
Old Index