author | 2005-12-06 01:39:03 +0000 | |
---|---|---|
committer | 2005-12-06 01:39:03 +0000 | |
commit | e5d17d6eeaaf755f4dbfaac570e7243008343ddb (patch) | |
tree | b5bc583725f189b33776aad9bbad58d2d05561bd /kde-base | |
parent | format string vulnerability, #114583 (diff) | |
vulnerabilities in included xpdf code, #114429
Package-Manager: portage-2.0.53
Diffstat (limited to 'kde-base')
-rw-r--r-- | kde-base/kpdf/ChangeLog | 12 | ||||
-rw-r--r-- | kde-base/kpdf/Manifest | 19 | ||||
-rw-r--r-- | kde-base/kpdf/files/digest-kpdf-3.4.3-r1 | 1 | ||||
-rw-r--r-- | kde-base/kpdf/files/digest-kpdf-3.5.0-r1 | 1 | ||||
-rw-r--r-- | kde-base/kpdf/files/kpdf-3.4.3-CAN-2005-3193.patch | 119 | ||||
-rw-r--r-- | kde-base/kpdf/files/kpdf-3.5.0-CAN-2005-3193.patch | 118 | ||||
-rw-r--r-- | kde-base/kpdf/files/kpdf-3.5.0-splitter-io.patch | 38 | ||||
-rw-r--r-- | kde-base/kpdf/kpdf-3.4.3-r1.ebuild | 23 | ||||
-rw-r--r-- | kde-base/kpdf/kpdf-3.5.0-r1.ebuild | 33 |
9 files changed, 352 insertions, 12 deletions
diff --git a/kde-base/kpdf/ChangeLog b/kde-base/kpdf/ChangeLog index eb9c3c93cf76..5931e945065d 100644 --- a/kde-base/kpdf/ChangeLog +++ b/kde-base/kpdf/ChangeLog @@ -1,6 +1,16 @@ # ChangeLog for kde-base/kpdf # Copyright 1999-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/ChangeLog,v 1.39 2005/12/04 01:14:30 kloeri Exp $ +# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/ChangeLog,v 1.40 2005/12/06 01:39:03 carlo Exp $ + +*kpdf-3.5.0-r1 (06 Dec 2005) +*kpdf-3.4.3-r1 (06 Dec 2005) + + 06 Dec 2005; Carsten Lohrke <carlo@gentoo.org> + +files/kpdf-3.4.3-CAN-2005-3193.patch, + +files/kpdf-3.5.0-CAN-2005-3193.patch, + +files/kpdf-3.5.0-splitter-io.patch, +kpdf-3.4.3-r1.ebuild, + +kpdf-3.5.0-r1.ebuild: + vulnerabilities in included xpdf code, #114429 04 Dec 2005; Bryan Ăstergaard <kloeri@gentoo.org> kpdf-3.5.0.ebuild: ~alpha keyword. diff --git a/kde-base/kpdf/Manifest b/kde-base/kpdf/Manifest index 8b4a99b4de9c..2daba06879d6 100644 --- a/kde-base/kpdf/Manifest +++ b/kde-base/kpdf/Manifest 
@@ -1,29 +1,26 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -MD5 91d2e40a4f04148c75bb5a384542474e ChangeLog 5072 +MD5 77202e7482c9af26cb9caf8911990734 ChangeLog 5398 MD5 1334abaee53983ad0a0810adeafef453 files/digest-kpdf-3.4.1 221 MD5 1334abaee53983ad0a0810adeafef453 files/digest-kpdf-3.4.1-r1 221 MD5 cb94e5a98246b8c80e29c3d668e4be9d files/digest-kpdf-3.4.2 300 MD5 cb94e5a98246b8c80e29c3d668e4be9d files/digest-kpdf-3.4.2-r1 300 MD5 cb94e5a98246b8c80e29c3d668e4be9d files/digest-kpdf-3.4.2-r2 300 MD5 ad9f9a5920cdd067ae76d39d768fce5f files/digest-kpdf-3.4.3 71 +MD5 ad9f9a5920cdd067ae76d39d768fce5f files/digest-kpdf-3.4.3-r1 71 MD5 0459ac16349d79da6246392e2454796b files/digest-kpdf-3.5.0 71 +MD5 0459ac16349d79da6246392e2454796b files/digest-kpdf-3.5.0-r1 71 MD5 653bd55a1e87c51731d0b0512051774e files/kdegraphics-3.4.2-kpdf-contentcrash.patch 749 MD5 4caddebea4d845abb2de6dbbfe1b979a files/kdegraphics-3.4.2-kpdf-fix.patch 1024 +MD5 a4a2359edd7af28474916f12f99871fb files/kpdf-3.4.3-CAN-2005-3193.patch 3455 +MD5 fb8e3783bd62a0ef7979c10fb6046201 files/kpdf-3.5.0-CAN-2005-3193.patch 3384 +MD5 d18efc8eb0bf3e3b54a33cf04cdba3fd files/kpdf-3.5.0-splitter-io.patch 1415 MD5 ec3b95efe9139f4259d6de213fe4b87b files/post-3.4.1-kdegraphics-4.diff 1827 MD5 493fdf9a2dc94e56301161f38122b422 kpdf-3.4.1-r1.ebuild 627 MD5 710200655b097652c4ea66ea6e5931db kpdf-3.4.1.ebuild 569 MD5 da8c7b95896e393c3af5901801f76253 kpdf-3.4.2-r1.ebuild 698 MD5 26ec262357d5acdd4fbe2e83d488e692 kpdf-3.4.2-r2.ebuild 816 MD5 9d42c07d0672b69a347a437c76b5e024 kpdf-3.4.2.ebuild 578 +MD5 a78c86a414ecf2829cf702cfc1a03981 kpdf-3.4.3-r1.ebuild 638 MD5 73d838ef9808bb8eb4d46c8fa00e5d96 kpdf-3.4.3.ebuild 578 +MD5 cc6d38e42e8fbfe20e07805598e357b2 kpdf-3.5.0-r1.ebuild 933 MD5 8d8d7ccc0f707b75e14d22df3c13f6b6 kpdf-3.5.0.ebuild 836 MD5 acc03a4b12bb0433a57e95bd253b9501 metadata.xml 156 ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.2 (GNU/Linux) - -iD8DBQFDkkMEugEuf3OQ0akRAr5mAJ9MUoNkJkjSfxVirlLkjeTBokWhWQCgjM0Z 
-+iNj1U1pD7jbgSMbextZj3s= -=AibC ------END PGP SIGNATURE----- diff --git a/kde-base/kpdf/files/digest-kpdf-3.4.3-r1 b/kde-base/kpdf/files/digest-kpdf-3.4.3-r1 new file mode 100644 index 000000000000..2cb888ba9f29 --- /dev/null +++ b/kde-base/kpdf/files/digest-kpdf-3.4.3-r1 @@ -0,0 +1 @@ +MD5 e2b2926301204a0f587d9e6e163c06d9 kdegraphics-3.4.3.tar.bz2 6554272 diff --git a/kde-base/kpdf/files/digest-kpdf-3.5.0-r1 b/kde-base/kpdf/files/digest-kpdf-3.5.0-r1 new file mode 100644 index 000000000000..44e671a5ef99 --- /dev/null +++ b/kde-base/kpdf/files/digest-kpdf-3.5.0-r1 @@ -0,0 +1 @@ +MD5 389a00d4387e621d4dd325a59c7657c4 kdegraphics-3.5.0.tar.bz2 7094349 diff --git a/kde-base/kpdf/files/kpdf-3.4.3-CAN-2005-3193.patch b/kde-base/kpdf/files/kpdf-3.4.3-CAN-2005-3193.patch new file mode 100644 index 000000000000..0999fe01cd4e --- /dev/null +++ b/kde-base/kpdf/files/kpdf-3.4.3-CAN-2005-3193.patch 
@@ -0,0 +1,119 @@
+--- kpdf/xpdf/xpdf/JPXStream.cc.orig 2005-12-04 13:01:07.000000000 +0100
++++ kpdf/xpdf/xpdf/JPXStream.cc 2005-12-04 13:15:44.000000000 +0100
+@@ -666,7 +666,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,6 +701,13 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
++ nTiles = img.nXTiles * img.nYTiles;
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+ sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+--- kpdf/xpdf/xpdf/Stream.h.orig 2005-12-04 13:16:13.000000000 +0100
++++ kpdf/xpdf/xpdf/Stream.h 2005-12-04 13:21:52.000000000 +0100
+@@ -233,6 +233,8 @@
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -250,6 +252,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
+--- kpdf/xpdf/xpdf/Stream.cc.orig 2005-12-04 13:23:51.000000000 +0100
++++ kpdf/xpdf/xpdf/Stream.cc 2005-12-04 13:36:34.000000000 +0100
+@@ -408,18 +408,34 @@
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
++
+
+ nVals = width * nComps;
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -1013,6 +1029,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -2899,6 +2919,14 @@
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -3258,6 +3286,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
diff --git a/kde-base/kpdf/files/kpdf-3.5.0-CAN-2005-3193.patch b/kde-base/kpdf/files/kpdf-3.5.0-CAN-2005-3193.patch
new file mode 100644
index 000000000000..f171b12cf5ce
--- /dev/null
+++ b/kde-base/kpdf/files/kpdf-3.5.0-CAN-2005-3193.patch
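Review bot: In the JPXStream.cc hunk of kpdf-3.4.3-CAN-2005-3193.patch the new `img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));` is followed by the original two-line `img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * sizeof(JPXTile));`, which is still a context line, so as shown the first buffer is allocated and then immediately overwritten and leaked. The surviving allocation also multiplies by `sizeof(JPXTile)` unchecked: the added guard only proves that `img.nXTiles * img.nYTiles` fits in a `Guint`, so the byte count can still wrap or truncate depending on the width of gmalloc's size parameter, which is not visible here. I would make the patch remove the old allocation and extend the guard, e.g. `if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles || nTiles > INT_MAX / sizeof(JPXTile)) {`. The kpdf-3.5.0 patch carries the same doubled assignment with `gmallocn`; whether `gmallocn` checks the product itself cannot be told from this page. The enclosing function starts and ends outside the hunk.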
@@ -0,0 +1,118 @@
+--- kpdf/xpdf/xpdf/JPXStream.cc 2005/12/01 22:32:29 484786
++++ kpdf/xpdf/xpdf/JPXStream.cc 2005/12/01 22:34:41 484787
+@@ -783,7 +783,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+
+ //----- main header
+ haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -818,6 +818,13 @@
+ / img.xTileSize;
+ img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
++ nTiles = img.nXTiles * img.nYTiles;
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+ img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
+ sizeof(JPXTile));
+ for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+--- kpdf/xpdf/xpdf/Stream.h 2005/12/01 22:32:29 484786
++++ kpdf/xpdf/xpdf/Stream.h 2005/12/01 22:34:41 484787
+@@ -232,6 +232,8 @@
+
+ ~StreamPredictor();
+
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+
+@@ -249,6 +251,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+
+ //------------------------------------------------------------------------
+--- kpdf/xpdf/xpdf/Stream.cc 2005/12/01 22:32:29 484786
++++ kpdf/xpdf/xpdf/Stream.cc 2005/12/01 22:34:41 484787
+@@ -403,18 +403,33 @@
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
+ width = widthA;
+ nComps = nCompsA;
+ nBits = nBitsA;
++ predLine = NULL;
++ ok = gFalse;
+
+ nVals = width * nComps;
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
++ return;
++ }
+ pixBytes = (nComps * nBits + 7) >> 3;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine = (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx = rowBytes;
++
++ ok = gTrue;
+ }
+
+ StreamPredictor::~StreamPredictor() {
+@@ -1006,6 +1021,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
+@@ -2903,6 +2922,14 @@
+ height = read16();
+ width = read16();
+ numComps = str->getChar();
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
++ if (numComps <= 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec != 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -3833,6 +3860,10 @@
+ FilterStream(strA) {
+ if (predictor != 1) {
+ pred = new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred = NULL;
++ }
+ } else {
+ pred = NULL;
+ }
diff --git a/kde-base/kpdf/files/kpdf-3.5.0-splitter-io.patch b/kde-base/kpdf/files/kpdf-3.5.0-splitter-io.patch
new file mode 100644
index 000000000000..82e4311bba5c
--- /dev/null
+++ b/kde-base/kpdf/files/kpdf-3.5.0-splitter-io.patch
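Review bot: The StreamPredictor constructor hunk for Stream.cc (in this patch and in the 3.4.3 one) detects overflow only after it has happened: `nVals = width * nComps` and `totalBits = nVals * nBits` are computed in `int` and then divided back, but signed overflow is undefined in C++, so an optimizing compiler may assume the check never fires and drop it; `totalBits + 7 < 0` has the same weakness. Validating the operands before multiplying is robust and also rejects negative values, e.g. `if (width <= 0 || nComps <= 0 || nBits <= 0 || nComps > INT_MAX / nBits || width > (INT_MAX - 7) / (nComps * nBits)) return;` placed before `nVals` is computed. Separately, the `numComps` range check in the DCT hunk is pasted twice and passes `prec` to a message that has no conversion for it; one copy without that argument is enough.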
@@ -0,0 +1,38 @@
+Index: kpdf/part.cpp
+===================================================================
+--- kpdf/part.cpp (revision 485446)
++++ kpdf/part.cpp (revision 485447)
+@@ -274,6 +274,8 @@
+ connect( m_watcher, SIGNAL( dirty( const QString& ) ), this, SLOT( slotFileDirty( const QString& ) ) );
+ m_dirtyHandler = new QTimer( this );
+ connect( m_dirtyHandler, SIGNAL( timeout() ),this, SLOT( slotDoFileDirty() ) );
++ m_saveSplitterSizeTimer = new QTimer( this );
++ connect( m_saveSplitterSizeTimer, SIGNAL( timeout() ),this, SLOT( saveSplitterSize() ) );
+
+ slotNewConfig();
+
+@@ -478,7 +480,7 @@
+ {
+ // if pageView has been resized, save splitter sizes
+ if ( watched == m_pageView && e->type() == QEvent::Resize )
+- saveSplitterSize();
++ m_saveSplitterSizeTimer->start(500, true);
+
+ // only intercept events, don't block them
+ return false;
+Index: kpdf/part.h
+===================================================================
+--- kpdf/part.h (revision 485446)
++++ kpdf/part.h (revision 485447)
+@@ -146,6 +146,11 @@
+ // static instances counter
+ static unsigned int m_count;
+
++ // this is a hack because we can not use writeConfig on part destructor
++ // and we don't want to writeconfig every time someone moves the splitter
++ // so we use a QTimer each 500 ms
++ QTimer *m_saveSplitterSizeTimer;
++
+ KDirWatch *m_watcher;
+ QTimer *m_dirtyHandler;
+ DocumentViewport m_viewportDirty;
diff --git a/kde-base/kpdf/kpdf-3.4.3-r1.ebuild b/kde-base/kpdf/kpdf-3.4.3-r1.ebuild
new file mode 100644
index 000000000000..65fa71897228
--- /dev/null
+++ b/kde-base/kpdf/kpdf-3.4.3-r1.ebuild
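Review bot: The comment added to part.h says the sizes are saved with "a QTimer each 500 ms", but the part.cpp hunk calls `m_saveSplitterSizeTimer->start(500, true)` from the resize event filter, which (assuming the second argument is Qt 3's single-shot flag) re-arms a one-shot timer so the save runs once, 500 ms after the last resize. I would reword the comment to match, e.g. `// debounce: save splitter sizes once, 500 ms after the last resize`. If the part is destroyed while the timer is still pending, the last size is presumably never written; worth confirming that this is acceptable.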
@@ -0,0 +1,23 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/kpdf-3.4.3-r1.ebuild,v 1.1 2005/12/06 01:39:03 carlo Exp $
+
+KMNAME=kdegraphics
+MAXKDEVER=$PV
+KM_DEPRANGE="$PV $MAXKDEVER"
+inherit kde-meta
+
+DESCRIPTION="kpdf, a kde pdf viewer based on xpdf"
+KEYWORDS="~alpha ~amd64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="nodrm"
+KMEXTRA="kfile-plugins/pdf"
+
+DEPEND=">=media-libs/freetype-2.0.5 media-libs/t1lib"
+
+PATCHES="${FILESDIR}/kpdf-3.4.3-CAN-2005-3193.patch"
+
+src_compile() {
+ myconf="${myconf} $(use_enable !nodrm kpdf-drm)"
+
+ kde-meta_src_compile
+}
diff --git a/kde-base/kpdf/kpdf-3.5.0-r1.ebuild b/kde-base/kpdf/kpdf-3.5.0-r1.ebuild
new file mode 100644
index 000000000000..7e42a3b48ce8
--- /dev/null
+++ b/kde-base/kpdf/kpdf-3.5.0-r1.ebuild
@@ -0,0 +1,33 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/kpdf-3.5.0-r1.ebuild,v 1.1 2005/12/06 01:39:03 carlo Exp $
+
+KMNAME=kdegraphics
+MAXKDEVER=$PV
+KM_DEPRANGE="$PV $MAXKDEVER"
+inherit kde-meta
+
+DESCRIPTION="kpdf, a kde pdf viewer based on xpdf"
+KEYWORDS="~alpha ~amd64 ~sparc ~x86"
+IUSE=""
+KMEXTRA="kfile-plugins/pdf"
+
+DEPEND=">=media-libs/freetype-2.0.5
+ media-libs/t1lib
+ >=app-text/poppler-0.3.1"
+
+PATCHES="${FILESDIR}/kpdf-3.5.0-CAN-2005-3193.patch ${FILESDIR}/kpdf-3.5.0-splitter-io.patch"
+
+pkg_setup() {
+ if ! built_with_use app-text/poppler qt; then
+ eerror "This package requires app-text/poppler compiled with Qt support."
+ eerror "Please reemerge app-text/poppler with USE=\"qt\"."
+ die "Please reemerge app-text/poppler with USE=\"qt\"."
+ fi
+}
+
+src_compile() {
+ local myconf="--with-poppler"
+
+ kde-meta_src_compile
+}
|
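Review bot: kpdf-3.5.0-r1.ebuild patches only the bundled xpdf sources, yet it also configures `--with-poppler` and depends on `>=app-text/poppler-0.3.1`, a bound that says nothing about whether the installed poppler carries the same fix. Poppler is derived from xpdf, so if the code paths kpdf takes through it include the same stream parsing, a patched kpdf can still be built against an unpatched poppler. I would raise the dependency to the first poppler revision that contains the fix for bug #114429 / CAN-2005-3193, i.e. `>=app-text/poppler-<fixed revision>`; which revision that is cannot be told from this page.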