author | markus <markus@FreeBSD.org> | 2004-12-25 00:23:13 +0800 |
---|---|---|
committer | markus <markus@FreeBSD.org> | 2004-12-25 00:23:13 +0800 |
commit | a16dc79b7aab4d333f56454463d5eda775335e69 (patch) | |
tree | 5528a8848d25dc0170829c44053dbca0beb0d3fc /editors/calligra | |
parent | 506ae6f2baf9be231539888a0064e079fc3815e0 (diff) | |
Patch vulnerability in imported xpdf code. Bump PORTREVISION.
References:
http://koffice.kde.org/releases/1.3.5-release.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125
http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities
Notified by: josef
Diffstat (limited to 'editors/calligra')
-rw-r--r-- | editors/calligra/Makefile | 1 | ||||
-rw-r--r-- | editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff | 41 |
2 files changed, 42 insertions, 0 deletions
diff --git a/editors/calligra/Makefile b/editors/calligra/Makefile
index 73501ed3bf02..3b6102eac61a 100644
--- a/editors/calligra/Makefile
+++ b/editors/calligra/Makefile
@@ -8,6 +8,7 @@
 PORTNAME= koffice
 PORTVERSION= 1.3.5
+PORTREVISION= 1
 PORTEPOCH= 1
 CATEGORIES= editors kde
 MASTER_SITES= ${MASTER_SITE_KDE}
diff --git a/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff b/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff
new file mode 100644
index 000000000000..929a3ba2964c
--- /dev/null
+++ b/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff
@@ -0,0 +1,41 @@
+diff -u -b -p -u -r1.3 -r1.3.2.1
+--- filters/kword/pdf/xpdf/xpdf/Gfx.cc 25 Jan 2003 23:17:44 -0000 1.3
++++ filters/kword/pdf/xpdf/xpdf/Gfx.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
+@@ -2379,7 +2379,9 @@ void Gfx::doImage(Object *ref, Stream *s
+ haveMask = gFalse;
+ dict->lookup("Mask", &maskObj);
+ if (maskObj.isArray()) {
+- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++ for (i = 0;
++ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++ ++i) {
+ maskObj.arrayGet(i, &obj1);
+ maskColors[i] = obj1.getInt();
+ obj1.free();
+diff -u -b -p -u -r1.3 -r1.3.2.1
+--- filters/kword/pdf/xpdf/xpdf/GfxState.cc 25 Jan 2003 23:17:44 -0000 1.3
++++ filters/kword/pdf/xpdf/xpdf/GfxState.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
+@@ -682,6 +682,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+ }
+ nCompsA = obj2.getInt();
+ obj2.free();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "ICCBased color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ if (dict->lookup("Alternate", &obj2)->isNull() ||
+ !(altA = GfxColorSpace::parse(&obj2))) {
+ switch (nCompsA) {
+@@ -1023,6 +1028,11 @@ GfxColorSpace *GfxDeviceNColorSpace::par
+ goto err2;
+ }
+ nCompsA = obj1.arrayGetLength();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "DeviceN color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ for (i = 0; i < nCompsA; ++i) {
+ if (!obj1.arrayGet(i, &obj2)->isName()) {
+ error(-1, "Bad DeviceN color space (names)"); |
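Review bot: The clamp added to the ICCBased parser in GfxState.cc tests only the upper bound, so a document-supplied component count of zero or below still passes `if (nCompsA > gfxColorMaxComps)` and reaches `switch (nCompsA)` and the code after it, which is outside the hunk. Because `nCompsA` there comes straight from `obj2.getInt()`, a two-sided check such as `if (nCompsA < 1 || nCompsA > gfxColorMaxComps)` that treats the out-of-range case as a parse error would be tighter than clamping. Whether a non-positive count is actually harmful cannot be told from the lines shown. In the Gfx.cc hunk the new bound `i < 2*gfxColorMaxComps` protects `maskColors[i]` only if that array is declared with exactly that many elements, and the declaration is not visible here. A comment on the loop such as `// bound must match the declared size of maskColors` would keep the two from drifting apart. All three patched functions begin and end outside their hunks.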