diff options
author | Matsuu Takuto <matsuu@gentoo.org> | 2005-01-19 22:48:55 +0000 |
---|---|---|
committer | Matsuu Takuto <matsuu@gentoo.org> | 2005-01-19 22:48:55 +0000 |
commit | b6b32e0f04763774c328f147265f70333c9a07f0 (patch) | |
tree | 4da6630a5052bbbde8ef1bac86da6c401e321eba /app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff | |
parent | Version bump for security bug #78712. (diff) | |
download | gentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.tar.gz gentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.tar.bz2 gentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.zip |
Security bump; Bug #75801
Diffstat (limited to 'app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff')
-rw-r--r-- | app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff b/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff new file mode 100644 index 000000000000..55a24458c9a4 --- /dev/null +++ b/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff @@ -0,0 +1,78 @@ +--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700 ++++ XRef.cc 2004-09-25 17:59:36.000000000 -0700 +@@ -76,6 +76,12 @@ + + // trailer is ok - read the xref table + } else { ++ if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { ++ error(-1, "Invalid 'size' inside xref table."); ++ ok = gFalse; ++ errCode = errDamaged; ++ return; ++ } + entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry)); + for (i = 0; i < size; ++i) { + entries[i].offset = 0xffffffff; +@@ -267,6 +273,10 @@ + // table size + if (first + n > size) { + newSize = size + 256; ++ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { ++ error(-1, "Invalid 'newSize'"); ++ goto err2; ++ } + entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); + for (i = size; i < newSize; ++i) { + entries[i].offset = 0xffffffff; +@@ -410,6 +420,10 @@ + if (!strncmp(p, "obj", 3)) { + if (num >= size) { + newSize = (num + 1 + 255) & ~255; ++ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { ++ error(-1, "Invalid 'obj' parameters."); ++ return gFalse; ++ } + entries = (XRefEntry *) + grealloc(entries, newSize * sizeof(XRefEntry)); + for (i = size; i < newSize; ++i) { +@@ -431,6 +445,11 @@ + } else if (!strncmp(p, "endstream", 9)) { + if (streamEndsLen == streamEndsSize) { + streamEndsSize += 64; ++ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) { ++ error(-1, "Invalid 'endstream' parameter."); ++ return gFalse; ++ } ++ + streamEnds = (Guint *)grealloc(streamEnds, + streamEndsSize * sizeof(int)); + } +--- Catalog.cc.orig 2004-10-18 16:26:39.388666476 +0200 ++++ Catalog.cc 2004-10-18 16:27:28.004749073 +0200 +@@ -62,6 +62,12 @@ + } + pagesSize = numPages0 = obj.getInt(); + obj.free(); ++ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || ++ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { ++ error(-1, "Invalid 'pagesSize'"); ++ ok = gFalse; ++ return; ++ } + pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); + pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); + for (i = 0; i < pagesSize; ++i) { +@@ -186,6 +192,11 @@ + } + if (start >= pagesSize) { + pagesSize += 32; ++ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || ++ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { ++ error(-1, "Invalid 'pagesSize' parameter."); ++ goto err3; ++ } + pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); + pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); + for (j = pagesSize - 32; j < pagesSize; ++j) { + + |