139 lines
4.7 KiB
Plaintext
139 lines
4.7 KiB
Plaintext
|
$OpenBSD: patch-xpdf_Object_h,v 1.1 2008/04/19 07:38:24 bernd Exp $
|
||
|
|
||
|
* CVE-2008-1693: Arbitrary code execution vulnerability in handling of
|
||
|
PDF embedded fonts.
|
||
|
|
||
|
From Debian.
|
||
|
|
||
|
--- xpdf/Object.h.orig Tue Feb 27 23:05:52 2007
|
||
|
+++ xpdf/Object.h Fri Apr 18 16:40:14 2008
|
||
|
@@ -68,17 +68,18 @@ enum ObjType {
|
||
|
//------------------------------------------------------------------------
|
||
|
|
||
|
#ifdef DEBUG_MEM
|
||
|
-#define initObj(t) ++numAlloc[type = t]
|
||
|
+#define initObj(t) zeroUnion(); ++numAlloc[type = t]
|
||
|
#else
|
||
|
-#define initObj(t) type = t
|
||
|
+#define initObj(t) zeroUnion(); type = t
|
||
|
#endif
|
||
|
|
||
|
class Object {
|
||
|
public:
|
||
|
-
|
||
|
+ // attempt to clear the anonymous union
|
||
|
+ void zeroUnion() { this->name = NULL; }
|
||
|
// Default constructor.
|
||
|
Object():
|
||
|
- type(objNone) {}
|
||
|
+ type(objNone) { zeroUnion(); }
|
||
|
|
||
|
// Initialize an object.
|
||
|
Object *initBool(GBool boolnA)
|
||
|
@@ -220,16 +221,16 @@ class Object { (private)
|
||
|
#include "Array.h"
|
||
|
|
||
|
inline int Object::arrayGetLength()
|
||
|
- { return array->getLength(); }
|
||
|
+ { if (type != objArray) return 0; return array->getLength(); }
|
||
|
|
||
|
inline void Object::arrayAdd(Object *elem)
|
||
|
- { array->add(elem); }
|
||
|
+ { if (type == objArray) array->add(elem); }
|
||
|
|
||
|
inline Object *Object::arrayGet(int i, Object *obj)
|
||
|
- { return array->get(i, obj); }
|
||
|
+ { if (type != objArray) return obj->initNull(); return array->get(i, obj); }
|
||
|
|
||
|
inline Object *Object::arrayGetNF(int i, Object *obj)
|
||
|
- { return array->getNF(i, obj); }
|
||
|
+ { if (type != objArray) return obj->initNull(); return array->getNF(i, obj); }
|
||
|
|
||
|
//------------------------------------------------------------------------
|
||
|
// Dict accessors.
|
||
|
@@ -238,31 +239,31 @@ inline Object *Object::arrayGetNF(int i, Object *obj)
|
||
|
#include "Dict.h"
|
||
|
|
||
|
inline int Object::dictGetLength()
|
||
|
- { return dict->getLength(); }
|
||
|
+ { if (type != objDict) return 0; return dict->getLength(); }
|
||
|
|
||
|
inline void Object::dictAdd(char *key, Object *val)
|
||
|
- { dict->add(key, val); }
|
||
|
+ { if (type == objDict) dict->add(key, val); }
|
||
|
|
||
|
inline GBool Object::dictIs(char *dictType)
|
||
|
- { return dict->is(dictType); }
|
||
|
+ { return (type == objDict) && dict->is(dictType); }
|
||
|
|
||
|
inline GBool Object::isDict(char *dictType)
|
||
|
- { return type == objDict && dictIs(dictType); }
|
||
|
+ { return (type == objDict) && dictIs(dictType); }
|
||
|
|
||
|
inline Object *Object::dictLookup(char *key, Object *obj)
|
||
|
- { return dict->lookup(key, obj); }
|
||
|
+ { if (type != objDict) return obj->initNull(); return dict->lookup(key, obj); }
|
||
|
|
||
|
inline Object *Object::dictLookupNF(char *key, Object *obj)
|
||
|
- { return dict->lookupNF(key, obj); }
|
||
|
+ { if (type != objDict) return obj->initNull(); return dict->lookupNF(key, obj); }
|
||
|
|
||
|
inline char *Object::dictGetKey(int i)
|
||
|
- { return dict->getKey(i); }
|
||
|
+ { if (type != objDict) return NULL; return dict->getKey(i); }
|
||
|
|
||
|
inline Object *Object::dictGetVal(int i, Object *obj)
|
||
|
- { return dict->getVal(i, obj); }
|
||
|
+ { if (type != objDict) return obj->initNull(); return dict->getVal(i, obj); }
|
||
|
|
||
|
inline Object *Object::dictGetValNF(int i, Object *obj)
|
||
|
- { return dict->getValNF(i, obj); }
|
||
|
+ { if (type != objDict) return obj->initNull(); return dict->getValNF(i, obj); }
|
||
|
|
||
|
//------------------------------------------------------------------------
|
||
|
// Stream accessors.
|
||
|
@@ -271,33 +272,33 @@ inline Object *Object::dictGetValNF(int i, Object *obj
|
||
|
#include "Stream.h"
|
||
|
|
||
|
inline GBool Object::streamIs(char *dictType)
|
||
|
- { return stream->getDict()->is(dictType); }
|
||
|
+ { return (type == objStream) && stream->getDict()->is(dictType); }
|
||
|
|
||
|
inline GBool Object::isStream(char *dictType)
|
||
|
- { return type == objStream && streamIs(dictType); }
|
||
|
+ { return (type == objStream) && streamIs(dictType); }
|
||
|
|
||
|
inline void Object::streamReset()
|
||
|
- { stream->reset(); }
|
||
|
+ { if (type == objStream) stream->reset(); }
|
||
|
|
||
|
inline void Object::streamClose()
|
||
|
- { stream->close(); }
|
||
|
+ { if (type == objStream) stream->close(); }
|
||
|
|
||
|
inline int Object::streamGetChar()
|
||
|
- { return stream->getChar(); }
|
||
|
+ { if (type != objStream) return EOF; return stream->getChar(); }
|
||
|
|
||
|
inline int Object::streamLookChar()
|
||
|
- { return stream->lookChar(); }
|
||
|
+ { if (type != objStream) return EOF; return stream->lookChar(); }
|
||
|
|
||
|
inline char *Object::streamGetLine(char *buf, int size)
|
||
|
- { return stream->getLine(buf, size); }
|
||
|
+ { if (type != objStream) return NULL; return stream->getLine(buf, size); }
|
||
|
|
||
|
inline Guint Object::streamGetPos()
|
||
|
- { return stream->getPos(); }
|
||
|
+ { if (type != objStream) return 0; return stream->getPos(); }
|
||
|
|
||
|
inline void Object::streamSetPos(Guint pos, int dir)
|
||
|
- { stream->setPos(pos, dir); }
|
||
|
+ { if (type == objStream) stream->setPos(pos, dir); }
|
||
|
|
||
|
inline Dict *Object::streamGetDict()
|
||
|
- { return stream->getDict(); }
|
||
|
+ { if (type != objStream) return NULL; return stream->getDict(); }
|
||
|
|
||
|
#endif
|