diff options
author | Armijn Hemel <armijn@gpl-violations.org> | 2006-07-05 14:00:05 +0000 |
---|---|---|
committer | Armijn Hemel <armijn@gpl-violations.org> | 2006-07-05 14:00:05 +0000 |
commit | d511baa7d96ada081e1c878a857b8953cdf1bc49 (patch) | |
tree | 1f228eb6624791ce51656c5b4566a14c5937953f /pkgs/applications/misc | |
parent | a4d3fde9d5ac701748947cce8ed8830ab983ff92 (diff) | |
download | nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar.gz nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar.bz2 nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar.lz nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar.xz nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.tar.zst nixlib-d511baa7d96ada081e1c878a857b8953cdf1bc49.zip |
add security patch
svn path=/nixpkgs/trunk/; revision=5591
Diffstat (limited to 'pkgs/applications/misc')
-rw-r--r-- | pkgs/applications/misc/xpdf/default.nix | 1 | ||||
-rw-r--r-- | pkgs/applications/misc/xpdf/xpdf-3.01pl2.patch | 471 |
2 files changed, 472 insertions, 0 deletions
diff --git a/pkgs/applications/misc/xpdf/default.nix b/pkgs/applications/misc/xpdf/default.nix index 140a0b2e2561..911535b93104 100644 --- a/pkgs/applications/misc/xpdf/default.nix +++ b/pkgs/applications/misc/xpdf/default.nix @@ -25,4 +25,5 @@ stdenv.mkDerivation { "--with-freetype2-includes=${freetype}/include/freetype2" ] else []); + patches = [./xpdf-3.01pl2.patch]; } diff --git a/pkgs/applications/misc/xpdf/xpdf-3.01pl2.patch b/pkgs/applications/misc/xpdf/xpdf-3.01pl2.patch new file mode 100644 index 000000000000..3ea3cb8c923c --- /dev/null +++ b/pkgs/applications/misc/xpdf/xpdf-3.01pl2.patch @@ -0,0 +1,471 @@ +diff -cr xpdf-3.01.orig/goo/gmem.c xpdf-3.01/goo/gmem.c +*** xpdf-3.01.orig/goo/gmem.c Tue Aug 16 22:34:30 2005 +--- xpdf-3.01/goo/gmem.c Tue Jan 17 17:03:57 2006 +*************** +*** 11,16 **** +--- 11,17 ---- + #include <stdlib.h> + #include <stddef.h> + #include <string.h> ++ #include <limits.h> + #include "gmem.h" + + #ifdef DEBUG_MEM +*************** +*** 63,69 **** + int lst; + unsigned long *trl, *p; + +! if (size == 0) + return NULL; + size1 = gMemDataSize(size); + if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { +--- 64,70 ---- + int lst; + unsigned long *trl, *p; + +! if (size <= 0) + return NULL; + size1 = gMemDataSize(size); + if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { +*************** +*** 86,92 **** + #else + void *p; + +! if (size == 0) + return NULL; + if (!(p = malloc(size))) { + fprintf(stderr, "Out of memory\n"); +--- 87,93 ---- + #else + void *p; + +! if (size <= 0) + return NULL; + if (!(p = malloc(size))) { + fprintf(stderr, "Out of memory\n"); +*************** +*** 102,108 **** + void *q; + int oldSize; + +! if (size == 0) { + if (p) + gfree(p); + return NULL; +--- 103,109 ---- + void *q; + int oldSize; + +! if (size <= 0) { + if (p) + gfree(p); + return NULL; +*************** +*** 120,126 **** + #else + void *q; + +! if (size == 0) { + if (p) + free(p); + return NULL; +--- 121,127 ---- + #else + void *q; + +! if (size <= 0) { + if (p) + free(p); + return NULL; +*************** +*** 140,147 **** + void *gmallocn(int nObjs, int objSize) { + int n; + + n = nObjs * objSize; +! if (objSize == 0 || n / objSize != nObjs) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +--- 141,151 ---- + void *gmallocn(int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ return NULL; ++ } + n = nObjs * objSize; +! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +*************** +*** 151,158 **** + void *greallocn(void *p, int nObjs, int objSize) { + int n; + + n = nObjs * objSize; +! if (objSize == 0 || n / objSize != nObjs) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +--- 155,168 ---- + void *greallocn(void *p, int nObjs, int objSize) { + int n; + ++ if (nObjs == 0) { ++ if (p) { ++ gfree(p); ++ } ++ return NULL; ++ } + n = nObjs * objSize; +! if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) { + fprintf(stderr, "Bogus memory allocation size\n"); + exit(1); + } +diff -cr xpdf-3.01.orig/xpdf/JBIG2Stream.cc xpdf-3.01/xpdf/JBIG2Stream.cc +*** xpdf-3.01.orig/xpdf/JBIG2Stream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/JBIG2Stream.cc Tue Jan 17 17:29:46 2006 +*************** +*** 13,18 **** +--- 13,19 ---- + #endif + + #include <stdlib.h> ++ #include <limits.h> + #include "GList.h" + #include "Error.h" + #include "JArithmeticDecoder.h" +*************** +*** 681,686 **** +--- 682,691 ---- + w = wA; + h = hA; + line = (wA + 7) >> 3; ++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ data = NULL; ++ return; ++ } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + data[h * line] = 0; +*************** +*** 692,697 **** +--- 697,706 ---- + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; ++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ data = NULL; ++ return; ++ } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); +*************** +*** 720,726 **** + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +! if (newH <= h) { + return; + } + // need to allocate one extra guard byte for use in combine() +--- 729,735 ---- + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +! if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { + return; + } + // need to allocate one extra guard byte for use in combine() +*************** +*** 2294,2299 **** +--- 2303,2316 ---- + !readUWord(&stepX) || !readUWord(&stepY)) { + goto eofError; + } ++ if (w == 0 || h == 0 || w >= INT_MAX / h) { ++ error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); ++ return; ++ } ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad grid size in JBIG2 halftone segment"); ++ return; ++ } + + // get pattern dictionary + if (nRefSegs != 1) { +diff -cr xpdf-3.01.orig/xpdf/JPXStream.cc xpdf-3.01/xpdf/JPXStream.cc +*** xpdf-3.01.orig/xpdf/JPXStream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/JPXStream.cc Tue Jan 17 17:14:06 2006 +*************** +*** 12,17 **** +--- 12,18 ---- + #pragma implementation + #endif + ++ #include <limits.h> + #include "gmem.h" + #include "Error.h" + #include "JArithmeticDecoder.h" +*************** +*** 818,823 **** +--- 819,830 ---- + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; ++ // check for overflow before allocating memory ++ if (img.nXTiles <= 0 || img.nYTiles <= 0 || ++ img.nXTiles >= INT_MAX / img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } + img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles, + sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { +diff -cr xpdf-3.01.orig/xpdf/Stream.cc xpdf-3.01/xpdf/Stream.cc +*** xpdf-3.01.orig/xpdf/Stream.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/Stream.cc Tue Jan 17 17:31:52 2006 +*************** +*** 15,20 **** +--- 15,21 ---- + #include <stdio.h> + #include <stdlib.h> + #include <stddef.h> ++ #include <limits.h> + #ifndef WIN32 + #include <unistd.h> + #endif +*************** +*** 406,418 **** +--- 407,432 ---- + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + + nVals = width * nComps; ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX / nBits || ++ width >= INT_MAX / nComps / nBits || ++ nVals * nBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ if (rowBytes <= 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +*************** +*** 1004,1009 **** +--- 1018,1027 ---- + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +*************** +*** 1259,1264 **** +--- 1277,1285 ---- + if (columns < 1) { + columns = 1; + } ++ if (columns + 4 <= 0) { ++ columns = INT_MAX - 4; ++ } + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +*************** +*** 2899,2904 **** +--- 2920,2930 ---- + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ numComps = 0; ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +*************** +*** 2925,2930 **** +--- 2951,2961 ---- + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ numComps = 0; ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +*************** +*** 2947,2952 **** +--- 2978,2988 ---- + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream"); ++ scanInfo.numComps = 0; ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +*************** +*** 3041,3046 **** +--- 3077,3083 ---- + numACHuffTables = index+1; + tbl = &acHuffTables[index]; + } else { ++ index &= 0x0f; + if (index >= numDCHuffTables) + numDCHuffTables = index+1; + tbl = &dcHuffTables[index]; +*************** +*** 3827,3832 **** +--- 3864,3873 ---- + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +diff -cr xpdf-3.01.orig/xpdf/Stream.h xpdf-3.01/xpdf/Stream.h +*** xpdf-3.01.orig/xpdf/Stream.h Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/xpdf/Stream.h Tue Jan 17 17:19:54 2006 +*************** +*** 232,237 **** +--- 232,239 ---- + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +*************** +*** 249,254 **** +--- 251,257 ---- + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ +*************** +*** 527,533 **** + short getWhiteCode(); + short getBlackCode(); + short lookBits(int n); +! void eatBits(int n) { inputBits -= n; } + }; + + //------------------------------------------------------------------------ +--- 530,536 ---- + short getWhiteCode(); + short getBlackCode(); + short lookBits(int n); +! void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } + }; + + //------------------------------------------------------------------------ +diff -cr xpdf-3.01.orig/splash/SplashXPathScanner.cc xpdf-3.01/splash/SplashXPathScanner.cc +*** xpdf-3.01.orig/splash/SplashXPathScanner.cc Tue Aug 16 22:34:31 2005 +--- xpdf-3.01/splash/SplashXPathScanner.cc Wed Feb 1 17:01:14 2006 +*************** +*** 186,192 **** + } + + void SplashXPathScanner::computeIntersections(int y) { +! SplashCoord ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +--- 186,192 ---- + } + + void SplashXPathScanner::computeIntersections(int y) { +! SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +*************** +*** 236,254 **** + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +! if (ySegMin <= y) { +! // intersection with top edge +! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; + } else { +! // x coord of segment endpoint with min y coord +! xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; + } +! if (ySegMax >= y + 1) { +! // intersection with bottom edge +! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +! } else { +! // x coord of segment endpoint with max y coord +! xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; + } + } + if (xx0 < xx1) { +--- 236,262 ---- + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +! if (seg->x0 < seg->x1) { +! xSegMin = seg->x0; +! xSegMax = seg->x1; + } else { +! xSegMin = seg->x1; +! xSegMax = seg->x0; + } +! // intersection with top edge +! xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; +! // intersection with bottom edge +! xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +! // the segment may not actually extend to the top and/or bottom edges +! if (xx0 < xSegMin) { +! xx0 = xSegMin; +! } else if (xx0 > xSegMax) { +! xx0 = xSegMax; +! } +! if (xx1 < xSegMin) { +! xx1 = xSegMin; +! } else if (xx1 > xSegMax) { +! xx1 = xSegMax; + } + } + if (xx0 < xx1) { |