aboutsummaryrefslogtreecommitdiffstats
path: root/editors/calligra
diff options
context:
space:
mode:
authormarkus <markus@FreeBSD.org>2004-12-25 00:23:13 +0800
committermarkus <markus@FreeBSD.org>2004-12-25 00:23:13 +0800
commita16dc79b7aab4d333f56454463d5eda775335e69 (patch)
tree5528a8848d25dc0170829c44053dbca0beb0d3fc /editors/calligra
parent506ae6f2baf9be231539888a0064e079fc3815e0 (diff)
downloadfreebsd-ports-gnome-a16dc79b7aab4d333f56454463d5eda775335e69.tar.gz
freebsd-ports-gnome-a16dc79b7aab4d333f56454463d5eda775335e69.tar.zst
freebsd-ports-gnome-a16dc79b7aab4d333f56454463d5eda775335e69.zip
Patch vulnerability in imported xpdf code. Bump PORTREVISION.
References: http://koffice.kde.org/releases/1.3.5-release.php http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1125 http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities Notified by: josef
Diffstat (limited to 'editors/calligra')
-rw-r--r--editors/calligra/Makefile1
-rw-r--r--editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff41
2 files changed, 42 insertions, 0 deletions
diff --git a/editors/calligra/Makefile b/editors/calligra/Makefile
index 73501ed3bf02..3b6102eac61a 100644
--- a/editors/calligra/Makefile
+++ b/editors/calligra/Makefile
@@ -8,6 +8,7 @@
PORTNAME= koffice
PORTVERSION= 1.3.5
+PORTREVISION= 1
PORTEPOCH= 1
CATEGORIES= editors kde
MASTER_SITES= ${MASTER_SITE_KDE}
diff --git a/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff b/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff
new file mode 100644
index 000000000000..929a3ba2964c
--- /dev/null
+++ b/editors/calligra/files/patch-xpdf_security_integer_overflow_2.diff
@@ -0,0 +1,41 @@
+diff -u -b -p -u -r1.3 -r1.3.2.1
+--- filters/kword/pdf/xpdf/xpdf/Gfx.cc 25 Jan 2003 23:17:44 -0000 1.3
++++ filters/kword/pdf/xpdf/xpdf/Gfx.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
+@@ -2379,7 +2379,9 @@ void Gfx::doImage(Object *ref, Stream *s
+ haveMask = gFalse;
+ dict->lookup("Mask", &maskObj);
+ if (maskObj.isArray()) {
+- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++ for (i = 0;
++ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++ ++i) {
+ maskObj.arrayGet(i, &obj1);
+ maskColors[i] = obj1.getInt();
+ obj1.free();
+diff -u -b -p -u -r1.3 -r1.3.2.1
+--- filters/kword/pdf/xpdf/xpdf/GfxState.cc 25 Jan 2003 23:17:44 -0000 1.3
++++ filters/kword/pdf/xpdf/xpdf/GfxState.cc 22 Dec 2004 12:07:12 -0000 1.3.2.1
+@@ -682,6 +682,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+ }
+ nCompsA = obj2.getInt();
+ obj2.free();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "ICCBased color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ if (dict->lookup("Alternate", &obj2)->isNull() ||
+ !(altA = GfxColorSpace::parse(&obj2))) {
+ switch (nCompsA) {
+@@ -1023,6 +1028,11 @@ GfxColorSpace *GfxDeviceNColorSpace::par
+ goto err2;
+ }
+ nCompsA = obj1.arrayGetLength();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "DeviceN color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ for (i = 0; i < nCompsA; ++i) {
+ if (!obj1.arrayGet(i, &obj2)->isName()) {
+ error(-1, "Bad DeviceN color space (names)");