Fix denial of service vulnerability.

Check sanity of the TrueType "loca" table. Specially crafted broken tables caused disk space exhaustion due to very large generated glyph descriptions when attempting to fix the table. CAN-2005-2097. http://www.kde.org/info/security/advisory-20050809-1.txt
2005-08-11 14:21:46 +00:00 · 2005-08-11 14:21:46 +00:00 · 16c7c089d3
commit 16c7c089d3
parent 9c8738ab34
3 changed files with 57 additions and 2 deletions
--- a/x11/kde/graphics3/Makefile
+++ b/x11/kde/graphics3/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.48 2005/07/28 08:47:40 espie Exp $
+# $OpenBSD: Makefile,v 1.49 2005/08/11 14:21:46 naddy Exp $

 COMMENT=		"K Desktop Environment, graphic applications"
 COMMENT-kamera=		"KDE interface to digital cameras"
@ -11,7 +11,7 @@ MODKDE_VERSION=		3.4
 FLAVORS=debug
 SEPARATE_BUILD=flavored
 MULTI_PACKAGES=-kpov -kamera
-PKGNAME=${DISTNAME}
+PKGNAME=${DISTNAME}p0
 FULLPKGNAME-kamera=kamera-${VERSION}
 FULLPKGNAME-kpov=kpovmodeller-${VERSION}
 SUBPACKAGE?=
--- a/x11/kde/graphics3/patches/patch-kpdf_xpdf_fofi_FoFiTrueType_cc
+++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_fofi_FoFiTrueType_cc
@ -0,0 +1,31 @@
+$OpenBSD: patch-kpdf_xpdf_fofi_FoFiTrueType_cc,v 1.1 2005/08/11 14:21:46 naddy Exp $
+--- kpdf/xpdf/fofi/FoFiTrueType.cc.orig	Wed Jul 20 12:00:36 2005
+++ kpdf/xpdf/fofi/FoFiTrueType.cc	Wed Aug 10 23:11:25 2005
+@@ -1373,6 +1373,27 @@ void FoFiTrueType::parse() {
+     return;
+   }
+ 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
+   // read the post table
+   readPostTable();
+   if (!parsedOk) {
--- a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_SplashOutputDev_cc
+++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_SplashOutputDev_cc
@ -0,0 +1,24 @@
+$OpenBSD: patch-kpdf_xpdf_xpdf_SplashOutputDev_cc,v 1.1 2005/08/11 14:21:46 naddy Exp $
+--- kpdf/xpdf/xpdf/SplashOutputDev.cc.orig	Wed Jul 20 12:00:36 2005
+++ kpdf/xpdf/xpdf/SplashOutputDev.cc	Wed Aug 10 23:13:31 2005
+@@ -622,11 +622,15 @@ void SplashOutputDev::updateFont(GfxStat
+ 	ff = FoFiTrueType::load(fileName->getCString());
+       else
+ 	ff = new FoFiTrueType(tmpBuf, tmpBufLen, gFalse);
+-      if (! ff)
+-	goto err2;
+-      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+-      delete ff;
+-      fontFile = fontEngine->loadTrueTypeFont(id, fontsrc, codeToGID, 256);
+      if (ff) {
+	codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+	n = 256;
+	delete ff;
+      } else {
+	codeToGID = NULL;
+	n = 0;
+      }
+      fontFile = fontEngine->loadTrueTypeFont(id, fontsrc, codeToGID, n);
+       if (! fontFile) {
+ 	error(-1, "Couldn't create a font for '%s'",
+ 	      gfxFont->getName() ? gfxFont->getName()->getCString()