summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatsuu Takuto <matsuu@gentoo.org>2005-01-19 22:48:55 +0000
committerMatsuu Takuto <matsuu@gentoo.org>2005-01-19 22:48:55 +0000
commitb6b32e0f04763774c328f147265f70333c9a07f0 (patch)
tree4da6630a5052bbbde8ef1bac86da6c401e321eba /app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff
parentVersion bump for security bug #78712. (diff)
downloadgentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.tar.gz
gentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.tar.bz2
gentoo-2-b6b32e0f04763774c328f147265f70333c9a07f0.zip
Security bump; Bug #75801
Diffstat (limited to 'app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff')
-rw-r--r--app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff78
1 files changed, 78 insertions, 0 deletions
diff --git a/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff b/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff
new file mode 100644
index 000000000000..55a24458c9a4
--- /dev/null
+++ b/app-text/cstetex/files/xpdf-CESA-2004-007-xpdf2-newer.diff
@@ -0,0 +1,78 @@
+--- XRef.cc.orig 2004-09-17 23:54:38.000000000 -0700
++++ XRef.cc 2004-09-25 17:59:36.000000000 -0700
+@@ -76,6 +76,12 @@
+
+ // trailer is ok - read the xref table
+ } else {
++ if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
++ error(-1, "Invalid 'size' inside xref table.");
++ ok = gFalse;
++ errCode = errDamaged;
++ return;
++ }
+ entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+ for (i = 0; i < size; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -267,6 +273,10 @@
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
++ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ error(-1, "Invalid 'newSize'");
++ goto err2;
++ }
+ entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+ entries[i].offset = 0xffffffff;
+@@ -410,6 +420,10 @@
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
++ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ error(-1, "Invalid 'obj' parameters.");
++ return gFalse;
++ }
+ entries = (XRefEntry *)
+ grealloc(entries, newSize * sizeof(XRefEntry));
+ for (i = size; i < newSize; ++i) {
+@@ -431,6 +445,11 @@
+ } else if (!strncmp(p, "endstream", 9)) {
+ if (streamEndsLen == streamEndsSize) {
+ streamEndsSize += 64;
++ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
++ error(-1, "Invalid 'endstream' parameter.");
++ return gFalse;
++ }
++
+ streamEnds = (Guint *)grealloc(streamEnds,
+ streamEndsSize * sizeof(int));
+ }
+--- Catalog.cc.orig 2004-10-18 16:26:39.388666476 +0200
++++ Catalog.cc 2004-10-18 16:27:28.004749073 +0200
+@@ -62,6 +62,12 @@
+ }
+ pagesSize = numPages0 = obj.getInt();
+ obj.free();
++ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
++ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ error(-1, "Invalid 'pagesSize'");
++ ok = gFalse;
++ return;
++ }
+ pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+ for (i = 0; i < pagesSize; ++i) {
+@@ -186,6 +192,11 @@
+ }
+ if (start >= pagesSize) {
+ pagesSize += 32;
++ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
++ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
++ error(-1, "Invalid 'pagesSize' parameter.");
++ goto err3;
++ }
+ pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ for (j = pagesSize - 32; j < pagesSize; ++j) {
+
+