[subversion-commit] SVN tetex commit + diffs: r386 - tetex-bin/trunk/debian/patches

Frank Küster frank at costa.debian.org
Thu Dec 8 16:12:45 UTC 2005 

Author: frank
Date: 2005-12-08 16:12:43 +0000 (Thu, 08 Dec 2005)
New Revision: 386

Modified:
   tetex-bin/trunk/debian/patches/patch-CAN-2004-0888
   tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3
Log:
fix patch CVE-... according to Martin Pitt's ubuntu patch, and port some anti-optimization code from 2.0.2's patch CAN-2004-0888 to ours.

Modified: tetex-bin/trunk/debian/patches/patch-CAN-2004-0888
===================================================================
--- tetex-bin/trunk/debian/patches/patch-CAN-2004-0888	2005-12-08 13:32:41 UTC (rev 385)
+++ tetex-bin/trunk/debian/patches/patch-CAN-2004-0888	2005-12-08 16:12:43 UTC (rev 386)
@@ -4,14 +4,14 @@
 
 Index: tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc
 ===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Catalog.cc	2005-10-06 15:03:59.011332464 +0200
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc	2005-10-06 15:04:41.153814298 +0200
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Catalog.cc	2005-12-08 17:01:46.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Catalog.cc	2005-12-08 17:04:56.000000000 +0100
 @@ -64,6 +64,12 @@
    }
    pagesSize = numPages0 = (int)obj.getNum();
    obj.free();
-+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
-+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++  if (pagesSize >= INT_MAX/sizeof(Page *) ||
++      pagesSize >= INT_MAX/sizeof(Ref)) {
 +    error(-1, "Invalid 'pagesSize'");
 +    ok = gFalse;
 +    return;
@@ -23,8 +23,8 @@
        }
        if (start >= pagesSize) {
  	pagesSize += 32;
-+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
-+	    pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
++        if (pagesSize >= INT_MAX/sizeof(Page *) ||
++            pagesSize >= INT_MAX/sizeof(Ref)) {
 +          error(-1, "Invalid 'pagesSize' parameter.");
 +          goto err3;
 +        }
@@ -33,13 +33,13 @@
  	for (j = pagesSize - 32; j < pagesSize; ++j) {
 Index: tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc
 ===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/XRef.cc	2005-10-06 15:03:59.011332464 +0200
-+++ tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc	2005-10-06 15:04:41.155814083 +0200
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/XRef.cc	2005-12-08 17:01:46.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/XRef.cc	2005-12-08 17:12:03.000000000 +0100
 @@ -718,6 +718,10 @@
  		    error(-1, "Bad object number");
  		    return gFalse;
  		  }
-+		  if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++		  if (newSize >=INT_MAX/sizeof(XRefEntry)) {
 +		    error(-1, "Invalid 'obj' parameters.");
 +		    return gFalse;
 +		  }

Modified: tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3
===================================================================
--- tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3	2005-12-08 13:32:41 UTC (rev 385)
+++ tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3	2005-12-08 16:12:43 UTC (rev 386)
@@ -1,28 +1,39 @@
-Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
+Index: tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
 ===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.h	2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.h	2005-12-08 13:09:27.000000000 +0100
-@@ -233,6 +233,8 @@
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/JPXStream.cc	2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc	2005-12-08 17:01:33.000000000 +0100
+@@ -666,7 +666,8 @@
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
++  Guint allocSize;
  
-   ~StreamPredictor();
- 
-+  GBool isOk() { return ok; }
-+
-   int lookChar();
-   int getChar();
- 
-@@ -250,6 +252,7 @@
-   int rowBytes;			// bytes per line
-   Guchar *predLine;		// line buffer
-   int predIdx;			// current index in predLine
-+  GBool ok;
- };
- 
- //------------------------------------------------------------------------
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +702,15 @@
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      nTiles = img.nXTiles * img.nYTiles;
++      allocSize = nTiles * sizeof(JPXTile);
++      // check for overflow before allocating memory
++      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles ||
++          allocSize / sizeof(JPXTile) != nTiles) {
++	error(getPos(), "Bad tile count in JPX SIZ marker segment");
++	return gFalse;
++      }
++      img.tiles = (JPXTile *)gmalloc(allocSize);
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));
 Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc
 ===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.cc	2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc	2005-12-08 13:11:14.000000000 +0100
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.cc	2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.cc	2005-12-08 17:01:33.000000000 +0100
 @@ -407,18 +407,33 @@
  
  StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
@@ -102,32 +113,24 @@
    } else {
      pred = NULL;
    }
-Index: tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc
+Index: tetex-bin-3.0/libs/xpdf/xpdf/Stream.h
 ===================================================================
---- tetex-bin-3.0.orig/libs/xpdf/xpdf/JPXStream.cc	2005-12-07 14:10:04.000000000 +0100
-+++ tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc	2005-12-08 13:09:27.000000000 +0100
-@@ -666,7 +666,7 @@
-   int segType;
-   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
-   Guint precinctSize, style;
--  Guint segLen, capabilities, comp, i, j, r;
-+  Guint segLen, capabilities, nTiles, comp, i, j, r;
+--- tetex-bin-3.0.orig/libs/xpdf/xpdf/Stream.h	2005-12-08 17:01:26.000000000 +0100
++++ tetex-bin-3.0/libs/xpdf/xpdf/Stream.h	2005-12-08 17:01:33.000000000 +0100
+@@ -233,6 +233,8 @@
  
-   //----- main header
-   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +701,13 @@
- 	            / img.xTileSize;
-       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
- 	            / img.yTileSize;
--      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
--				     sizeof(JPXTile));
-+      nTiles = img.nXTiles * img.nYTiles;
-+      // check for overflow before allocating memory
-+      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
-+	error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+	return gFalse;
-+      }
-+      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
-       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
- 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
- 							sizeof(JPXTileComp));
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -250,6 +252,7 @@
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------

More information about the Pkg-tetex-commits mailing list