SECURITY FIX

fix included xpdf, for details see
http://www.idefense.com/application/poi/display?id=172&type=vulnerabilities&flashstatus=false

print/teTeX/base/Makefile

@@ -1,10 +1,10 @@
-# $OpenBSD: Makefile,v 1.27 2004/11/27 14:15:04 sturm Exp $
+# $OpenBSD: Makefile,v 1.28 2004/12/25 23:14:29 sturm Exp $
 
 COMMENT=	"TeX distribution, executables"
 
 VERSION=	2.0.2
 DISTNAME=	tetex-base-${VERSION}
-PKGNAME=	${DISTNAME:S/tetex-/teTeX_/}p0
+PKGNAME=	${DISTNAME:S/tetex-/teTeX_/}p1
 CATEGORIES=	print
 
 DISTFILES=	tetex-src-${VERSION}.tar.gz

print/teTeX/base/patches/patch-libs_xpdf_xpdf_GfxState_cc

@@ -0,0 +1,15 @@
+$OpenBSD: patch-libs_xpdf_xpdf_GfxState_cc,v 1.1 2004/12/25 23:14:29 sturm Exp $
+--- libs/xpdf/xpdf/GfxState.cc.orig	Tue Jan  7 17:33:35 2003
++++ libs/xpdf/xpdf/GfxState.cc	Sat Dec 25 23:44:41 2004
+@@ -708,6 +708,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+   }
+   nCompsA = obj2.getInt();
+   obj2.free();
++  if (nCompsA > gfxColorMaxComps) {
++    error(-1, "ICCBased color space with too many (%d > %d) components",
++         nCompsA, gfxColorMaxComps);
++    nCompsA = gfxColorMaxComps;
++  }
+   if (dict->lookup("Alternate", &obj2)->isNull() ||
+       !(altA = GfxColorSpace::parse(&obj2))) {
+     switch (nCompsA) {

print/teTeX/base/patches/patch-libs_xpdf_xpdf_Gfx_cc

@@ -0,0 +1,14 @@
+$OpenBSD: patch-libs_xpdf_xpdf_Gfx_cc,v 1.1 2004/12/25 23:14:29 sturm Exp $
+--- libs/xpdf/xpdf/Gfx.cc.orig	Fri Dec  6 00:44:32 2002
++++ libs/xpdf/xpdf/Gfx.cc	Sat Dec 25 23:48:18 2004
+@@ -2381,7 +2381,9 @@ void Gfx::doImage(Object *ref, Stream *s
+     haveMask = gFalse;
+     dict->lookup("Mask", &maskObj);
+     if (maskObj.isArray()) {
+-      for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++      for (i = 0;
++	  i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++	  ++i) {
+ 	maskObj.arrayGet(i, &obj1);
+ 	maskColors[i] = obj1.getInt();
+ 	obj1.free();