pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/print/ghostscript add a patch (from Redhat bugzilla #4...
details: https://anonhg.NetBSD.org/pkgsrc/rev/940252323ae7
branches: trunk
changeset: 557531:940252323ae7
user: drochner <drochner%pkgsrc.org@localhost>
date: Fri Apr 17 15:05:31 2009 +0000
description:
add a patch (from Redhat bugzilla #491853) to fix more integer
overflows in the icc code (CVE-2009-0792),
bump PKGREVISION
diffstat:
print/ghostscript/Makefile | 4 +-
print/ghostscript/distinfo | 4 +-
print/ghostscript/patches/patch-aj | 283 +++++++++++++++++++++++++++++-------
3 files changed, 227 insertions(+), 64 deletions(-)
diffs (truncated from 731 to 300 lines):
diff -r a79abcedcc80 -r 940252323ae7 print/ghostscript/Makefile
--- a/print/ghostscript/Makefile Fri Apr 17 14:39:28 2009 +0000
+++ b/print/ghostscript/Makefile Fri Apr 17 15:05:31 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.61 2009/04/14 19:32:54 tron Exp $
+# $NetBSD: Makefile,v 1.62 2009/04/17 15:05:31 drochner Exp $
DISTNAME= ghostscript-8.64
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= print
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=ghostscript/}
EXTRACT_SUFX= .tar.bz2
diff -r a79abcedcc80 -r 940252323ae7 print/ghostscript/distinfo
--- a/print/ghostscript/distinfo Fri Apr 17 14:39:28 2009 +0000
+++ b/print/ghostscript/distinfo Fri Apr 17 15:05:31 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2009/04/14 19:32:54 tron Exp $
+$NetBSD: distinfo,v 1.24 2009/04/17 15:05:31 drochner Exp $
SHA1 (ghostscript-8.64.tar.bz2) = 4c2a6e04145428d35da73fbc4db9c66a75e336e0
RMD160 (ghostscript-8.64.tar.bz2) = 565134dcfe1e823b435c3761461c5eb394bd633c
@@ -11,4 +11,4 @@
SHA1 (patch-ag) = dd452d29253e20bb8fa453a1e4f139a40b2ab3e3
SHA1 (patch-ah) = efc85dead838505ee462714167f196db2deeb0aa
SHA1 (patch-ai) = ad69ddd4a4bd50cf2263ac6c6d17a59798ef3124
-SHA1 (patch-aj) = 5608e834189c9746f4ad40d11cc36e76609e5d6c
+SHA1 (patch-aj) = 83403be55c9fa8d22fbf3809190c381a06fa2657
diff -r a79abcedcc80 -r 940252323ae7 print/ghostscript/patches/patch-aj
--- a/print/ghostscript/patches/patch-aj Fri Apr 17 14:39:28 2009 +0000
+++ b/print/ghostscript/patches/patch-aj Fri Apr 17 15:05:31 2009 +0000
@@ -1,4 +1,4 @@
-$NetBSD: patch-aj,v 1.3 2009/03/25 10:42:13 drochner Exp $
+$NetBSD: patch-aj,v 1.4 2009/04/17 15:05:31 drochner Exp $
--- icclib/icc.c.orig 2008-05-09 06:12:01.000000000 +0200
+++ icclib/icc.c
@@ -216,7 +216,53 @@
sprintf(icp->err,"icmXYZArray_alloc: malloc() of icmXYZArray data failed");
return icp->errc = 2;
}
-@@ -3001,7 +3044,7 @@ static int icmTable_setup_bwd(
+@@ -2939,7 +2982,7 @@ static int icmCurve_lookup_fwd(
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Coordinate */
+- if (ix > (p->size-2))
++ if (ix < 0 || ix > (p->size-2))
+ ix = (p->size-2);
+ w = val - (double)ix; /* weight */
+ val = p->data[ix];
+@@ -2961,6 +3004,11 @@ static int icmTable_setup_bwd(
+ ) {
+ int i;
+
++ if (size > INT_MAX - 2)
++ /* Although rt->size is unsigned long, the rt data
++ * structure uses int data types to store indices. */
++ return 2;
++
+ rt->size = size; /* Stash pointers to these away */
+ rt->data = data;
+
+@@ -2979,7 +3027,7 @@ static int icmTable_setup_bwd(
+ rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
+
+ /* Initialize the reverse lookup structures, and get overall min/max */
+- if ((rt->rlists = (int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(int *))) == NULL) {
++ if ((rt->rlists = (int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ return 2;
+ }
+
+@@ -2992,6 +3040,15 @@ static int icmTable_setup_bwd(
+ int t;
+ t = s; s = e; e = t;
+ }
++ /* s and e should both be in the range [0,rt->rsize]
++ * now, but let's not rely on floating point
++ * calculations -- double-check. */
++ if (s < 0)
++ s = 0;
++ if (e < 0)
++ e = 0;
++ if (s >= rt->rsize)
++ s = rt->rsize-1;
+ if (e >= rt->rsize)
+ e = rt->rsize-1;
+
+@@ -3001,7 +3058,7 @@ static int icmTable_setup_bwd(
int nf; /* Next free slot */
if (rt->rlists[j] == NULL) { /* No allocation */
as = 5; /* Start with space for 5 */
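Review bot: The clamp added in icmCurve_lookup_fwd assigns `p->size-2` to `ix` with no visible lower bound on `p->size`, so a table with fewer than two entries would still give an out-of-range index for `p->data[ix]`. The new guard in icmTable_setup_bwd rejects only `size > INT_MAX - 2`, and its own comment says `rt->size` is unsigned long, in which case `size-2` wraps for 0 or 1. If nothing earlier in these functions excludes such sizes (their bodies start outside the hunk), the guard could read `if (size < 2 || size > INT_MAX - 2)`. The same clamp-to-`N-2` pattern is added in later hunks for `p->inputEnt`, `clutPoints_2` and `p->outputEnt`, and needs the same check.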
@@ -225,7 +271,34 @@
return 2;
}
rt->rlists[j][0] = as;
-@@ -3141,6 +3184,10 @@ static unsigned int icmCurve_get_size(
+@@ -3010,6 +3067,9 @@ static int icmTable_setup_bwd(
+ as = rt->rlists[j][0]; /* Allocate space for this list */
+ nf = rt->rlists[j][1]; /* Next free location in list */
+ if (nf >= as) { /* need to expand space */
++ if (as > INT_MAX / 2 / sizeof (int))
++ return 2;
++
+ as *= 2;
+ rt->rlists[j] = (int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(int) * as);
+ if (rt->rlists[j] == NULL) {
+@@ -3061,7 +3121,7 @@ static int icmTable_lookup_bwd(
+ val = rsize_1;
+ ix = (int)floor(val); /* Coordinate */
+
+- if (ix > (rt->size-2))
++ if (ix < 0 || ix > (rt->size-2))
+ ix = (rt->size-2);
+ if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
+ /* For each candidate forward range */
+@@ -3088,6 +3148,7 @@ static int icmTable_lookup_bwd(
+ /* We have failed to find an exact value, so return the nearest value */
+ /* (This is slow !) */
+ val = fabs(ival - rt->data[0]);
++ /* rt->size is known to be < INT_MAX */
+ for (k = 0, i = 1; i < rt->size; i++) {
+ double er;
+ er = fabs(ival - rt->data[i]);
+@@ -3141,6 +3202,10 @@ static unsigned int icmCurve_get_size(
icmCurve *p = (icmCurve *)pp;
unsigned int len = 0;
len += 12; /* 12 bytes for tag, padding and count */
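Review bot: In icmTable_lookup_bwd the new `ix < 0` case is clamped to `rt->size-2`, but `ix` then indexes `rt->rlists`, which the setup hunk allocates with `rt->rsize` entries, and the line just above bounds `val` by `rsize_1`. Unless `rsize` is always at least `size-1`, which is not visible here, a negative index would be redirected past the end of `rlists` instead of into it. Clamping the negative case to the low end removes that dependency: `if (ix < 0) ix = 0; else if (ix > (rt->size-2)) ix = (rt->size-2);`. The function body starts and ends outside the hunk.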
@@ -236,7 +309,7 @@
len += p->size * 2; /* 2 bytes for each UInt16 */
return len;
}
-@@ -3238,6 +3285,8 @@ static int icmCurve_write(
+@@ -3238,6 +3303,8 @@ static int icmCurve_write(
/* Allocate a file write buffer */
len = p->get_size((icmBase *)p);
@@ -245,7 +318,7 @@
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
sprintf(icp->err,"icmCurve_write malloc() failed");
return icp->errc = 2;
-@@ -3347,7 +3396,7 @@ static int icmCurve_allocate(
+@@ -3347,7 +3414,7 @@ static int icmCurve_allocate(
if (p->size != p->_size) {
if (p->data != NULL)
icp->al->free(icp->al, p->data);
@@ -254,7 +327,7 @@
sprintf(icp->err,"icmCurve_alloc: malloc() of icmCurve data failed");
return icp->errc = 2;
}
-@@ -3493,6 +3542,8 @@ static int icmData_write(
+@@ -3493,6 +3560,8 @@ static int icmData_write(
/* Allocate a file write buffer */
len = p->get_size((icmBase *)p);
@@ -263,7 +336,16 @@
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
sprintf(icp->err,"icmData_write malloc() failed");
return icp->errc = 2;
-@@ -3745,6 +3796,8 @@ static int icmText_write(
+@@ -3620,7 +3689,7 @@ static int icmData_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (unsigned char *) icp->al->malloc(icp->al, p->size * sizeof(unsigned char))) == NULL) {
++ if ((p->data = (unsigned char *) icp->al->calloc(icp->al, p->size, sizeof(unsigned char))) == NULL) {
+ sprintf(icp->err,"icmData_alloc: malloc() of icmData data failed");
+ return icp->errc = 2;
+ }
+@@ -3745,6 +3814,8 @@ static int icmText_write(
/* Allocate a file write buffer */
len = p->get_size((icmBase *)p);
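Review bot: The error string in icmData_allocate still reads `malloc() of icmData data failed` although the call is now `calloc`; changing it to `calloc() of icmData data failed` keeps the diagnostic tied to the call that failed. Because `sizeof(unsigned char)` is 1, the old product could not overflow, so this change brings zero-filled memory rather than overflow protection. A short comment such as `/* calloc for zero-fill; element size is 1 */` would record that. The same applies to icmText_allocate in the next hunk.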
@@ -272,7 +354,16 @@
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
sprintf(icp->err,"icmText_write malloc() failed");
return icp->errc = 2;
-@@ -4038,6 +4091,8 @@ static int icmDateTimeNumber_write(
+@@ -3834,7 +3905,7 @@ static int icmText_allocate(
+ if (p->size != p->_size) {
+ if (p->data != NULL)
+ icp->al->free(icp->al, p->data);
+- if ((p->data = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->data = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmText_alloc: malloc() of icmText data failed");
+ return icp->errc = 2;
+ }
+@@ -4038,6 +4109,8 @@ static int icmDateTimeNumber_write(
/* Allocate a file write buffer */
len = p->get_size((icmBase *)p);
@@ -281,7 +372,7 @@
if ((buf = (char *) icp->al->malloc(icp->al, len)) == NULL) {
sprintf(icp->err,"icmDateTimeNumber_write malloc() failed");
return icp->errc = 2;
-@@ -4128,11 +4183,15 @@ static icmBase *new_icmDateTimeNumber(
+@@ -4128,11 +4201,15 @@ static icmBase *new_icmDateTimeNumber(
/* icmLut object */
/* Utility function - raise one integer to an integer power */
@@ -300,7 +391,16 @@
}
/* - - - - - - - - - - - - - - - - */
-@@ -4268,7 +4327,7 @@ double *in /* Input array[outputChan] *
+@@ -4242,7 +4319,7 @@ double *in /* Input array[inputChan] */
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->inputEnt-2))
++ if (ix < 0 || ix > (p->inputEnt-2))
+ ix = (p->inputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -4268,7 +4345,7 @@ double *in /* Input array[outputChan] *
if (p->inputChan <= 8) {
gw = GW; /* Use stack allocation */
} else {
@@ -309,7 +409,34 @@
sprintf(icp->err,"icmLut_lookup_clut: malloc() failed");
return icp->errc = 2;
}
-@@ -4819,19 +4878,50 @@ static unsigned int icmLut_get_size(
+@@ -4301,7 +4378,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4374,7 +4451,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4447,7 +4524,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->outputEnt-2))
++ if (ix < 0 || ix > (p->outputEnt-2))
+ ix = (p->outputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -4819,19 +4896,50 @@ static unsigned int icmLut_get_size(
) {
icmLut *p = (icmLut *)pp;
unsigned int len = 0;
@@ -362,7 +489,7 @@
}
/* read the object, return 0 on success, error code on fail */
-@@ -4844,6 +4934,7 @@ static int icmLut_read(
+@@ -4844,6 +4952,7 @@ static int icmLut_read(
icc *icp = p->icp;
int rv = 0;
unsigned long i, j, g, size;
@@ -370,7 +497,7 @@
char *bp, *buf;
if (len < 4) {
-@@ -4904,6 +4995,11 @@ static int icmLut_read(
+@@ -4904,6 +5013,11 @@ static int icmLut_read(
return icp->errc = 1;
}
@@ -382,7 +509,7 @@
/* Read 3x3 transform matrix */
for (j = 0; j < 3; j++) { /* Rows */
for (i = 0; i < 3; i++) { /* Columns */
-@@ -4921,13 +5017,18 @@ static int icmLut_read(
+@@ -4921,13 +5035,18 @@ static int icmLut_read(
bp = buf+52;
}
@@ -402,7 +529,7 @@
size = (p->inputChan * p->inputEnt);
if ((rv = p->allocate((icmBase *)p)) != 0) {
icp->al->free(icp->al, buf);
-@@ -4942,7 +5043,14 @@ static int icmLut_read(
+@@ -4942,7 +5061,14 @@ static int icmLut_read(
}
/* Read the clut table */
@@ -418,7 +545,7 @@
if ((rv = p->allocate((icmBase *)p)) != 0) {
icp->al->free(icp->al, buf);
return rv;
-@@ -4956,6 +5064,11 @@ static int icmLut_read(
+@@ -4956,6 +5082,11 @@ static int icmLut_read(
}
/* Read the output tables */
@@ -430,7 +557,7 @@