[pkgsrc/trunk]: pkgsrc/print/teTeX-bin fixed CAN-2004-0888. Since xpdf inclu...

[kei <kei%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/bf5cf6a71738
branches:  trunk
changeset: 487590:bf5cf6a71738
user:      kei <kei%pkgsrc.org@localhost>
date:      Mon Jan 17 12:19:13 2005 +0000

description:
fixed CAN-2004-0888.  Since xpdf included with teTeX is 2.01, so this
back-ported fix is pulled from FreeBSD ports collection.  Hiroki Sato
noticed and helped me a lot.

diffstat:

 print/teTeX-bin/distinfo         |   4 ++-
 print/teTeX-bin/patches/patch-aj |  37 +++++++++++++++++++++++++
 print/teTeX-bin/patches/patch-ak |  57 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+), 1 deletions(-)

diffs (119 lines):

diff -r 81ccc5598b57 -r bf5cf6a71738 print/teTeX-bin/distinfo
--- a/print/teTeX-bin/distinfo  Mon Jan 17 12:12:43 2005 +0000
+++ b/print/teTeX-bin/distinfo  Mon Jan 17 12:19:13 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2005/01/16 08:35:08 kei Exp $
+$NetBSD: distinfo,v 1.9 2005/01/17 12:19:13 kei Exp $
 
 SHA1 (teTeX/tetex-src-2.0.2.tar.gz) = 6445206b14d659458ee352df78d2c2daf8e88ab3
 Size (teTeX/tetex-src-2.0.2.tar.gz) = 11745933 bytes
@@ -11,5 +11,7 @@
 SHA1 (patch-ag) = a6fd35e0cfbe4041abebb3e64ae825dcc4ec1dda
 SHA1 (patch-ah) = b028d996fcbf602f94b93b51a04578d893dd972c
 SHA1 (patch-ai) = b8c34c089b1c3730f57915fddd63762dea2f3435
+SHA1 (patch-aj) = 933ce880af54f2049c7f795621c2c237742026da
+SHA1 (patch-ak) = ef7f151fb786e6fe288d904bb0804fe2d9bfce40
 SHA1 (patch-ap) = 40543e9a2fb87d296557f3a8bd9a7207b2331a8e
 SHA1 (patch-aq) = f90ed07b2de340c55c6d987fdaa59d7ed6d46e0f
diff -r 81ccc5598b57 -r bf5cf6a71738 print/teTeX-bin/patches/patch-aj
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/teTeX-bin/patches/patch-aj  Mon Jan 17 12:19:13 2005 +0000
@@ -0,0 +1,37 @@
+$NetBSD: patch-aj,v 1.3 2005/01/17 12:19:13 kei Exp $
+
+--- libs/xpdf/xpdf/Catalog.cc.orig     Mon Nov  4 07:15:36 2002
++++ libs/xpdf/xpdf/Catalog.cc  Fri Oct 29 09:18:17 2004
+@@ -22,6 +22,7 @@
+ #include "Error.h"
+ #include "Link.h"
+ #include "Catalog.h"
++#include <limits.h>
+ 
+ //------------------------------------------------------------------------
+ // Catalog
+@@ -63,6 +64,12 @@
+   }
+   pagesSize = numPages0 = obj.getInt();
+   obj.free();
++  if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
++      (pagesSize >= INT_MAX / sizeof(Ref))) {
++    error(-1, "Invalid 'pagesSize'");
++    ok = gFalse;
++    return;
++  }
+   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+   for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@
+       }
+       if (start >= pagesSize) {
+       pagesSize += 32;
++      if ((pagesSize >= INT_MAX/sizeof(Page *)) ||
++          (pagesSize >= INT_MAX/sizeof(Ref))) {
++        error(-1, "Invalid 'pagesSize' parameter.");
++        goto err3;
++      }
+       pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+       pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+       for (j = pagesSize - 32; j < pagesSize; ++j) {
diff -r 81ccc5598b57 -r bf5cf6a71738 print/teTeX-bin/patches/patch-ak
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/print/teTeX-bin/patches/patch-ak  Mon Jan 17 12:19:13 2005 +0000
@@ -0,0 +1,57 @@
+$NetBSD: patch-ak,v 1.3 2005/01/17 12:19:13 kei Exp $
+
+--- libs/xpdf/xpdf/XRef.cc.orig        Mon Nov  4 07:15:37 2002
++++ libs/xpdf/xpdf/XRef.cc     Fri Oct 29 09:18:17 2004
+@@ -28,6 +28,7 @@
+ #include "Error.h"
+ #include "ErrorCodes.h"
+ #include "XRef.h"
++#include <limits.h>
+ 
+ //------------------------------------------------------------------------
+ 
+@@ -76,6 +77,11 @@
+ 
+   // trailer is ok - read the xref table
+   } else {
++    if ( size >= INT_MAX/sizeof(XRefEntry)) {
++      error(-1, "Invalid 'size' inside xref table.");
++      ok = gFalse;
++      return;
++    }
+     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+     for (i = 0; i < size; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -267,6 +273,10 @@
+     // table size
+     if (first + n > size) {
+       newSize = size + 256;
++      if (newSize >= INT_MAX/sizeof(XRefEntry)) {
++      error(-1, "Invalid 'newSize'");
++      goto err2;
++      }
+       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+       for (i = size; i < newSize; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -410,6 +420,10 @@
+           if (!strncmp(p, "obj", 3)) {
+             if (num >= size) {
+               newSize = (num + 1 + 255) & ~255;
++              if (newSize >= INT_MAX / sizeof(XRefEntry)) {
++                error(-1, "Invalid 'obj' parameters.");
++                return gFalse;
++              }
+               entries = (XRefEntry *)
+                           grealloc(entries, newSize * sizeof(XRefEntry));
+               for (i = size; i < newSize; ++i) {
+@@ -431,6 +445,10 @@
+     } else if (!strncmp(p, "endstream", 9)) {
+       if (streamEndsLen == streamEndsSize) {
+       streamEndsSize += 64;
++      if (streamEndsSize >= INT_MAX/sizeof(int)) {
++        error(-1, "Invalid 'endstream' parameter.");
++        return gFalse;
++      }
+       streamEnds = (Guint *)grealloc(streamEnds,
+                                      streamEndsSize * sizeof(int));
+       }