authormiwi <miwi@FreeBSD.org>2007-07-31 19:41:30 +0800
committermiwi <miwi@FreeBSD.org>2007-07-31 19:41:30 +0800
commit0f3ead3036f4f4775e220d0dc8a9eb85ab6fb9ba (patch)
treee45fdf1517f64e50db5621384cb29dbc6bb81a29 /graphics/xpdf
parent617847b8cbf693be4ed4f36dd1fe4c5192b411dd (diff)
- Fix buffer overflow vulnerability.
- Bump PORTREVISION

Approved by: simon (secteam)
Security: http://www.vuxml.org/freebsd/0e43a14d-3f3f-11dc-a79a-0016179b2dd5.html
Diffstat (limited to 'graphics/xpdf')
-rw-r--r--graphics/xpdf/Makefile2
-rw-r--r--graphics/xpdf/files/patch-CVE-2007-338733
2 files changed, 34 insertions, 1 deletions
diff --git a/graphics/xpdf/Makefile b/graphics/xpdf/Makefile
index 60d7fd982f13..fc69d42d82ae 100644
--- a/graphics/xpdf/Makefile
+++ b/graphics/xpdf/Makefile
@@ -7,7 +7,7 @@
PORTNAME= xpdf
PORTVERSION= 3.02
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= graphics print
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \
${MASTER_SITE_TEX_CTAN}
diff --git a/graphics/xpdf/files/patch-CVE-2007-3387 b/graphics/xpdf/files/patch-CVE-2007-3387
new file mode 100644
index 000000000000..692d243ab949
--- /dev/null
+++ b/graphics/xpdf/files/patch-CVE-2007-3387
@@ -0,0 +1,33 @@
+*** xpdf/Stream.cc Tue Feb 27 14:05:52 2007
+--- xpdf/Stream.cc Thu Jul 26 14:44:43 2007
+***************
+*** 410,424 ****
+ ok = gFalse;
+
+ nVals = width * nComps;
+- if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+- nComps >= INT_MAX / nBits ||
+- width >= INT_MAX / nComps / nBits ||
+- nVals * nBits + 7 < 0) {
+- return;
+- }
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+! if (rowBytes <= 0) {
+ return;
+ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+--- 410,422 ----
+ ok = gFalse;
+
+ nVals = width * nComps;
+ pixBytes = (nComps * nBits + 7) >> 3;
+ rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+! if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+! nComps > gfxColorMaxComps ||
+! nBits > 16 ||
+! width >= INT_MAX / nComps || // check for overflow in nVals
+! nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+ return;
+ }
+ predLine = (Guchar *)gmalloc(rowBytes);
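Review bot: In the patched xpdf/Stream.cc (new lines 410-422), `nVals = width * nComps` and `rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes` are still evaluated before the new range checks, so for out-of-range stream parameters the signed multiplications overflow, which is undefined behaviour in C++, before the guard returns. The guard itself looks sound because it tests `width`, `nComps` and `nBits` directly and short-circuits before using `nVals`, but validating first and computing afterwards would keep the result independent of how the compiler treats the overflow. The excerpt below shows that ordering. The enclosing function starts and ends outside the hunk, so the declarations and the use of `ok` are not visible here. A short comment on where the limits `gfxColorMaxComps` and `nBits > 16` come from would also help the next maintainer.

```cpp
// … unchanged: ok = gFalse; …
if (width <= 0 || nComps <= 0 || nBits <= 0 ||
    nComps > gfxColorMaxComps ||
    nBits > 16 ||
    width >= INT_MAX / nComps) {        // check for overflow in nVals
  return;
}
nVals = width * nComps;
if (nVals >= (INT_MAX - 7) / nBits) {   // check for overflow in rowBytes
  return;
}
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
// … unchanged: predLine allocation …
```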