Fix heap based buffer overflow.

From KDE. http://www.kde.org/info/security/advisory-20060202-1.txt

ok brad@
This commit is contained in:
bernd 2006-02-05 09:59:00 +00:00
parent 2b7af0e891
commit 5cef0e1aee
2 changed files with 53 additions and 2 deletions

View File

@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.51 2005/12/07 09:22:14 bernd Exp $
# $OpenBSD: Makefile,v 1.52 2006/02/05 09:59:00 bernd Exp $
COMMENT= "PDF viewer for X"
DISTNAME= xpdf-3.01
PKGNAME= ${DISTNAME}p0
PKGNAME= ${DISTNAME}p1
CATEGORIES= textproc x11
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/

View File

@ -0,0 +1,51 @@
$OpenBSD: patch-splash_SplashXPathScanner_cc,v 1.1 2006/02/05 09:59:01 bernd Exp $
--- splash/SplashXPathScanner.cc.orig Wed Aug 17 07:34:31 2005
+++ splash/SplashXPathScanner.cc Sat Feb 4 14:32:51 2006
@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in
}
void SplashXPathScanner::computeIntersections(int y) {
- SplashCoord ySegMin, ySegMax, xx0, xx1;
+ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec
} else if (seg->flags & splashXPathVert) {
xx0 = xx1 = seg->x0;
} else {
- if (ySegMin <= y) {
- // intersection with top edge
- xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+ if (seg->x0 < seg->x1) {
+ xSegMin = seg->x0;
+ xSegMax = seg->x1;
} else {
- // x coord of segment endpoint with min y coord
- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
+ xSegMin = seg->x1;
+ xSegMax = seg->x0;
}
- if (ySegMax >= y + 1) {
- // intersection with bottom edge
- xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
- } else {
- // x coord of segment endpoint with max y coord
- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
+ // intersection with top edge
+ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+ // intersection with bottom edge
+ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+ // the segment may not actually extend to the top and/or bottom edges
+ if (xx0 < xSegMin) {
+ xx0 = xSegMin;
+ } else if (xx0 > xSegMax) {
+ xx0 = xSegMax;
+ }
+ if (xx1 < xSegMin) {
+ xx1 = xSegMin;
+ } else if (xx1 > xSegMax) {
+ xx1 = xSegMax;
}
}
if (xx0 < xx1) {