diff options
author | mnag <mnag@FreeBSD.org> | 2006-03-28 06:15:26 +0800 |
---|---|---|
committer | mnag <mnag@FreeBSD.org> | 2006-03-28 06:15:26 +0800 |
commit | 8330bd6e57fcc36242ef2a48b4dce3c3cb7c65b3 (patch) | |
tree | ee1f27ffa6c22803ba300aa1ab919bfe76a4fd6e /graphics | |
parent | ef242900c6532009f3a0aa7cb20a5e444a24a5b9 (diff) | |
download | freebsd-ports-gnome-8330bd6e57fcc36242ef2a48b4dce3c3cb7c65b3.tar.gz freebsd-ports-gnome-8330bd6e57fcc36242ef2a48b4dce3c3cb7c65b3.tar.zst freebsd-ports-gnome-8330bd6e57fcc36242ef2a48b4dce3c3cb7c65b3.zip |
- Add patch for security issues
- Bump PORTREVISION
- portlint(1)
Approved by: gnome (marcus)
Obtained from: gentoo
Security: CVE-2005-3624, CVE-2005-3625, CVE-2005-3626,
CVE-2005-3627, CVE-2006-0301,
http://secunia.com/advisories/18303/,
http://secunia.com/advisories/18677/
Diffstat (limited to 'graphics')
-rw-r--r-- | graphics/gpdf/Makefile | 3 | ||||
-rw-r--r-- | graphics/gpdf/files/patch-SA17897 | 120 | ||||
-rw-r--r-- | graphics/gpdf/files/patch-SA18303 | 296 | ||||
-rw-r--r-- | graphics/gpdf/files/patch-SA18677 | 52 |
4 files changed, 350 insertions, 121 deletions
diff --git a/graphics/gpdf/Makefile b/graphics/gpdf/Makefile index ac7e8b94c78e..48c6702ecfd0 100644 --- a/graphics/gpdf/Makefile +++ b/graphics/gpdf/Makefile @@ -7,7 +7,7 @@ PORTNAME= gpdf PORTVERSION= 2.10.0 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= graphics print gnome MASTER_SITES= ${MASTER_SITE_GNOME} MASTER_SITE_SUBDIR= sources/${PORTNAME}/2.10 @@ -20,6 +20,7 @@ USE_BZIP2= yes USE_GMAKE= yes USE_GNOME= gnomeprefix gnomehack intlhack libgnomeui libgnomeprintui \ desktopfileutils +USE_GETTEXT= yes USE_X_PREFIX= yes INSTALLS_OMF= yes GNU_CONFIGURE= yes diff --git a/graphics/gpdf/files/patch-SA17897 b/graphics/gpdf/files/patch-SA17897 deleted file mode 100644 index f27f1a139be4..000000000000 --- a/graphics/gpdf/files/patch-SA17897 +++ /dev/null @@ -1,120 +0,0 @@ ---- xpdf/JPXStream.cc.orig Mon May 17 15:11:49 2004 -+++ xpdf/JPXStream.cc Tue Dec 6 18:07:18 2005 -@@ -666,7 +666,7 @@ - int segType; - GBool haveSIZ, haveCOD, haveQCD, haveSOT; - Guint precinctSize, style; -- Guint segLen, capabilities, comp, i, j, r; -+ Guint segLen, capabilities, nTiles, comp, i, j, r; - - //----- main header - haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; -@@ -701,8 +701,13 @@ - / img.xTileSize; - img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) - / img.yTileSize; -- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * -- sizeof(JPXTile)); -+ nTiles = img.nXTiles * img.nYTiles; -+ // check for overflow before allocating memory -+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { -+ error(getPos(), "Bad tile count in JPX SIZ marker segment"); -+ return gFalse; -+ } -+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile)); - for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { - img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * - sizeof(JPXTileComp)); ---- xpdf/Stream.cc.orig Mon May 17 16:37:57 2004 -+++ xpdf/Stream.cc Tue Dec 6 18:05:14 2005 -@@ -407,18 +407,33 @@ - - StreamPredictor::StreamPredictor(Stream *strA, int predictorA, - int widthA, int nCompsA, int nBitsA) { -+ int totalBits; -+ - str = strA; - predictor = predictorA; - width = widthA; - nComps = nCompsA; - nBits = nBitsA; -+ predLine = NULL; -+ ok = gFalse; - - nVals = width * nComps; -+ totalBits = nVals * nBits; -+ if (totalBits == 0 || -+ (totalBits / nBits) / nComps != width || -+ totalBits + 7 < 0) { -+ return; -+ } - pixBytes = (nComps * nBits + 7) >> 3; -- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; -+ rowBytes = ((totalBits + 7) >> 3) + pixBytes; -+ if (rowBytes < 0) { -+ return; -+ } - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; -+ -+ ok = gTrue; - } - - StreamPredictor::~StreamPredictor() { -@@ -1012,6 +1027,10 @@ - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -@@ -2897,6 +2916,14 @@ - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -3255,6 +3282,10 @@ - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } ---- xpdf/Stream.h.orig Mon May 17 16:37:57 2004 -+++ xpdf/Stream.h Tue Dec 6 18:05:14 2005 -@@ -233,6 +233,8 @@ - - ~StreamPredictor(); - -+ GBool isOk() { return ok; } -+ - int lookChar(); - int getChar(); - -@@ -250,6 +252,7 @@ - int rowBytes; // bytes per line - Guchar *predLine; // line buffer - int predIdx; // current index in predLine -+ GBool ok; - }; - - //------------------------------------------------------------------------ diff --git a/graphics/gpdf/files/patch-SA18303 b/graphics/gpdf/files/patch-SA18303 new file mode 100644 index 000000000000..567ce2622153 --- /dev/null +++ b/graphics/gpdf/files/patch-SA18303 @@ -0,0 +1,296 @@ +Index: xpdf/JPXStream.cc +=================================================================== +--- xpdf/JPXStream.cc ++++ xpdf/JPXStream.cc +@@ -7,6 +7,7 @@ + //======================================================================== + + #include <aconf.h> ++#include <limits.h> + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le + int segType; + GBool haveSIZ, haveCOD, haveQCD, haveSOT; + Guint precinctSize, style; +- Guint segLen, capabilities, comp, i, j, r; ++ Guint segLen, capabilities, nTiles, comp, i, j, r; + + //----- main header + haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; +@@ -701,8 +702,19 @@ GBool JPXStream::readCodestream(Guint le + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * +- sizeof(JPXTile)); ++ // check for overflow before allocating memory ++ if (img.nXTiles <= 0 || img.nYTiles <= 0 || ++ img.nXTiles >= INT_MAX/img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ nTiles = img.nXTiles * img.nYTiles; ++ if (nTiles >= INT_MAX/sizeof(JPXTile)) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile)); ++ + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * + sizeof(JPXTileComp)); +Index: xpdf/Stream.h +=================================================================== +--- xpdf/Stream.h ++++ xpdf/Stream.h +@@ -233,6 +233,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -250,6 +252,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ +Index: xpdf/Stream.cc +=================================================================== +--- xpdf/Stream.cc ++++ xpdf/Stream.cc +@@ -15,6 +15,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <stddef.h> ++#include <limits.h> + #ifndef WIN32 + #include <unistd.h> + #endif +@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX/nBits || ++ width >= INT_MAX/nComps/nBits) { ++ return; ++ } + nVals = width * nComps; ++ if (nVals * nBits + 7 <= 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; + rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -1260,6 +1280,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s + endOfLine = endOfLineA; + byteAlign = byteAlignA; + columns = columnsA; ++ if (columns < 1 || columns >= INT_MAX / sizeof(short)) { ++ error(-1, "invalid number of columns: %d", columns); ++ exit(1); ++ } + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +@@ -2897,6 +2921,11 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2923,6 +2952,11 @@ GBool DCTStream::readProgressiveSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2945,6 +2979,11 @@ GBool DCTStream::readScanInfo() { + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ scanInfo.numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +@@ -3019,12 +3058,12 @@ GBool DCTStream::readHuffmanTables() { + while (length > 0) { + index = str->getChar(); + --length; +- if ((index & 0x0f) >= 4) { ++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { + error(getPos(), "Bad DCT Huffman table"); + return gFalse; + } + if (index & 0x10) { +- index &= 0x0f; ++ index &= 0x03; + if (index >= numACHuffTables) + numACHuffTables = index+1; + tbl = &acHuffTables[index]; +@@ -3142,9 +3181,11 @@ int DCTStream::readMarker() { + do { + do { + c = str->getChar(); ++ if(c == EOF) return EOF; + } while (c != 0xff); + do { + c = str->getChar(); ++ if(c == EOF) return EOF; + } while (c == 0xff); + } while (c == 0x00); + return c; +@@ -3255,6 +3296,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +Index: xpdf/JBIG2Stream.cc +=================================================================== +--- xpdf/JBIG2Stream.cc ++++ xpdf/JBIG2Stream.cc +@@ -7,6 +7,7 @@ + //======================================================================== + + #include <aconf.h> ++#include <limits.h> + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = wA; + h = hA; + line = (wA + 7) >> 3; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ error(-1, "invalid width/height"); ++ data = NULL; ++ return; ++ } ++ ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); ++ data[h * line] = 0; + } + + JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): +@@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ++ error(-1, "invalid width/height"); ++ data = NULL; ++ return; ++ } ++ ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); + memcpy(data, bitmap->data, h * line); ++ data[h * line] = 0; + } + + JBIG2Bitmap::~JBIG2Bitmap() { +@@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +- if (newH <= h) { ++ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { ++ error(-1, "invalid width/height"); ++ gfree(data); ++ data = NULL; + return; + } +- data = (Guchar *)grealloc(data, newH * line); ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)grealloc(data, newH * line + 1); + if (pixel) { + memset(data + h * line, 0xff, (newH - h) * line); + } else { +@@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg( + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad size in JBIG2 halftone segment"); ++ return; ++ } ++ if (w == 0 || h >= INT_MAX / w) { ++ error(getPos(), "Bad size in JBIG2 bitmap segment"); ++ return; ++ } ++ + patternDict = (JBIG2PatternDict *)seg; + bpp = 0; + i = 1; +@@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef + JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; + int x, y, pix; + ++ if (w < 0 || h <= 0 || w >= INT_MAX / h) { ++ error(-1, "invalid width/height"); ++ return NULL; ++ } ++ + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); + +# vim: syntax=diff diff --git a/graphics/gpdf/files/patch-SA18677 b/graphics/gpdf/files/patch-SA18677 new file mode 100644 index 000000000000..61ccfbae40b7 --- /dev/null +++ b/graphics/gpdf/files/patch-SA18677 @@ -0,0 +1,52 @@ +diff --exclude-from=/home/dang/.diffrc -u -ruN splash/SplashXPathScanner.cc splash/SplashXPathScanner.cc +--- splash/SplashXPathScanner.cc 2004-05-17 14:10:56.000000000 -0400 ++++ splash/SplashXPathScanner.cc 2006-02-12 14:35:09.000000000 -0500 +@@ -182,7 +182,7 @@ + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -232,19 +232,27 @@ + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; ++ } else { ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; ++ } ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { |