diff --git a/x11/kde/graphics3/Makefile b/x11/kde/graphics3/Makefile index b12f4f2d2e6..0a5efe43a63 100644 --- a/x11/kde/graphics3/Makefile +++ b/x11/kde/graphics3/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.86 2009/08/31 18:51:02 kili Exp $ +# $OpenBSD: Makefile,v 1.87 2009/10/15 15:50:25 kili Exp $ COMMENT-main = K Desktop Environment, graphic applications COMMENT-kamera = KDE interface to digital cameras @@ -14,7 +14,7 @@ SEPARATE_BUILD = flavored MULTI_PACKAGES = -main -kpov -kamera -sane PKGNAME = ${DISTNAME} -PKGNAME-main = ${DISTNAME}p2 +PKGNAME-main = ${DISTNAME}p3 PKGNAME-kamera = kamera-${VERSION}p3 PKGNAME-kpov = kpovmodeller-${VERSION}p2 PKGNAME-sane = ksane-${VERSION}p3 diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_goo_gmem_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_goo_gmem_cc new file mode 100644 index 00000000000..a1ed0bf0cda --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_goo_gmem_cc @@ -0,0 +1,71 @@ +$OpenBSD: patch-kpdf_xpdf_goo_gmem_cc,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/goo/gmem.cc.orig Wed Feb 13 10:37:05 2008 ++++ kpdf/xpdf/goo/gmem.cc Sun Apr 19 22:28:20 2009 +@@ -55,7 +55,15 @@ void *gmalloc(int size) GMEM_EXCEP { + void *data; + unsigned long *trl, *p; + +- if (size <= 0) { ++ if (size < 0) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Invalid memory allocation size\n"); ++ exit(1); ++#endif ++ } ++ if (size == 0) { + return NULL; + } + size1 = gMemDataSize(size); +@@ -91,7 +99,15 @@ void *gmalloc(int size) GMEM_EXCEP { + #else + void *p; + +- if (size <= 0) { ++ if (size < 0) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Invalid memory allocation size\n"); ++ exit(1); ++#endif ++ } ++ if (size == 0) { + return NULL; + } + if (!(p = malloc(size))) { +@@ -112,7 +128,15 @@ void *grealloc(void *p, int size) GMEM_EXCEP { + void *q; + int oldSize; + +- if (size <= 0) { ++ if (size < 0) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Invalid memory allocation size\n"); ++ exit(1); ++#endif ++ } ++ if (size == 0) { + if (p) { + gfree(p); + } +@@ -131,7 +155,15 @@ void *grealloc(void *p, int size) GMEM_EXCEP { + #else + void *q; + +- if (size <= 0) { ++ if (size < 0) { ++#if USE_EXCEPTIONS ++ throw GMemException(); ++#else ++ fprintf(stderr, "Invalid memory allocation size\n"); ++ exit(1); ++#endif ++ } ++ if (size == 0) { + if (p) { + free(p); + } diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashBitmap_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashBitmap_cc new file mode 100644 index 00000000000..d56c286d7d7 --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashBitmap_cc @@ -0,0 +1,68 @@ +$OpenBSD: patch-kpdf_xpdf_splash_SplashBitmap_cc,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/splash/SplashBitmap.cc.orig Mon May 14 09:39:31 2007 ++++ kpdf/xpdf/splash/SplashBitmap.cc Thu Oct 15 16:35:46 2009 +@@ -11,6 +11,7 @@ + #endif + + #include ++#include + #include "gmem.h" + #include "SplashErrorCodes.h" + #include "SplashBitmap.h" +@@ -27,30 +28,48 @@ SplashBitmap::SplashBitmap(int widthA, int heightA, in + mode = modeA; + switch (mode) { + case splashModeMono1: +- rowSize = (width + 7) >> 3; ++ if (width > 0) { ++ rowSize = (width + 7) >> 3; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeMono8: +- rowSize = width; ++ if (width > 0) { ++ rowSize = width; ++ } else { ++ rowSize = -1; ++ } + break; + case splashModeRGB8: + case splashModeBGR8: +- rowSize = width * 3; ++ if (width > 0 && width <= INT_MAX / 3) { ++ rowSize = width * 3; ++ } else { ++ rowSize = -1; ++ } + break; + #if SPLASH_CMYK + case splashModeCMYK8: +- rowSize = width * 4; ++ if (width > 0 && width <= INT_MAX / 4) { ++ rowSize = width * 4; ++ } else { ++ rowSize = -1; ++ } + break; + #endif + } +- rowSize += rowPad - 1; +- rowSize -= rowSize % rowPad; +- data = (SplashColorPtr)gmalloc(rowSize * height); ++ if (rowSize > 0) { ++ rowSize += rowPad - 1; ++ rowSize -= rowSize % rowPad; ++ } ++ data = (SplashColorPtr)gmallocn(height, rowSize); + if (!topDown) { + data += (height - 1) * rowSize; + rowSize = -rowSize; + } + if (alphaA) { +- alpha = (Guchar *)gmalloc(width * height); ++ alpha = (Guchar *)gmallocn(width, height); + } else { + alpha = NULL; + } diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashErrorCodes_h b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashErrorCodes_h new file mode 100644 index 00000000000..dcbe3bea81a --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashErrorCodes_h @@ -0,0 +1,12 @@ +$OpenBSD: patch-kpdf_xpdf_splash_SplashErrorCodes_h,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/splash/SplashErrorCodes.h.orig Mon Jan 15 12:21:56 2007 ++++ kpdf/xpdf/splash/SplashErrorCodes.h Thu Oct 15 16:35:46 2009 +@@ -29,6 +29,8 @@ + + #define splashErrSingularMatrix 8 // matrix is singular + ++#define splashErrBadArg 9 // bad argument ++ + #define splashErrZeroImage 9 // image of 0x0 + + #endif diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_Splash_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_Splash_cc new file mode 100644 index 00000000000..5f5f094f130 --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_Splash_cc @@ -0,0 +1,38 @@ +$OpenBSD: patch-kpdf_xpdf_splash_Splash_cc,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/splash/Splash.cc.orig Tue Aug 19 20:12:37 2008 ++++ kpdf/xpdf/splash/Splash.cc Thu Oct 15 16:35:46 2009 +@@ -12,6 +12,7 @@ + + #include + #include ++#include + #include "gmem.h" + #include "SplashErrorCodes.h" + #include "SplashMath.h" +@@ -1937,7 +1938,10 @@ SplashError Splash::fillImageMask(SplashImageMaskSourc + xq = w % scaledWidth; + + // allocate pixel buffer +- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w); ++ if (yp < 0 || yp > INT_MAX - 1) { ++ return splashErrBadArg; ++ } ++ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w); + + // initialize the pixel pipe + pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha, +@@ -2233,9 +2237,12 @@ SplashError Splash::drawImage(SplashImageSource src, v + xq = w % scaledWidth; + + // allocate pixel buffers +- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps); ++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) { ++ return splashErrBadArg; ++ } ++ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps); + if (srcAlpha) { +- alphaBuf = (Guchar *)gmalloc((yp + 1) * w); ++ alphaBuf = (Guchar *)gmallocn(yp + 1, w); + } else { + alphaBuf = NULL; + } diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_cc new file mode 100644 index 00000000000..7194c36b6d4 --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_cc @@ -0,0 +1,776 @@ +$OpenBSD: patch-kpdf_xpdf_xpdf_JBIG2Stream_cc,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/xpdf/JBIG2Stream.cc.orig Tue Aug 19 20:12:37 2008 ++++ kpdf/xpdf/xpdf/JBIG2Stream.cc Sun Apr 19 22:57:52 2009 +@@ -422,12 +422,14 @@ void JBIG2HuffmanDecoder::buildTable(JBIG2HuffmanTable + table[i] = table[len]; + + // assign prefixes +- i = 0; +- prefix = 0; +- table[i++].prefix = prefix++; +- for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { +- prefix <<= table[i].prefixLen - table[i-1].prefixLen; +- table[i].prefix = prefix++; ++ if (table[0].rangeLen != jbig2HuffmanEOT) { ++ i = 0; ++ prefix = 0; ++ table[i++].prefix = prefix++; ++ for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { ++ prefix <<= table[i].prefixLen - table[i-1].prefixLen; ++ table[i].prefix = prefix++; ++ } + } + } + +@@ -491,7 +493,7 @@ int JBIG2MMRDecoder::get2DCode() { + } + if (p->bits < 0) { + error(str->getPos(), "Bad two dim code in JBIG2 MMR stream"); +- return 0; ++ return EOF; + } + bufLen -= p->bits; + return p->n; +@@ -684,8 +686,9 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA + h = hA; + line = (wA + 7) >> 3; + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { +- data = NULL; +- return; ++ // force a call to gmalloc(-1), which will throw an exception ++ h = -1; ++ line = 2; + } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); +@@ -699,8 +702,9 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *b + h = bitmap->h; + line = bitmap->line; + if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { +- data = NULL; +- return; ++ // force a call to gmalloc(-1), which will throw an exception ++ h = -1; ++ line = 2; + } + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); +@@ -755,6 +759,8 @@ void JBIG2Bitmap::clearToOne() { + inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { + if (y < 0 || y >= h || x >= w) { + ptr->p = NULL; ++ ptr->shift = 0; // make gcc happy ++ ptr->x = 0; // make gcc happy + } else if (x < 0) { + ptr->p = &data[y * line]; + ptr->shift = 7; +@@ -799,6 +805,10 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, + Guint src0, src1, src, dest, s1, s2, m1, m2, m3; + GBool oneByte; + ++ // check for the pathological case where y = -2^31 ++ if (y < -0x7fffffff) { ++ return; ++ } + if (y < 0) { + y0 = -y; + } else { +@@ -1012,8 +1022,13 @@ class JBIG2SymbolDict: public JBIG2Segment { (private) + JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA): + JBIG2Segment(segNumA) + { ++ Guint i; ++ + size = sizeA; + bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *)); ++ for (i = 0; i < size; ++i) { ++ bitmaps[i] = NULL; ++ } + genericRegionStats = NULL; + refinementRegionStats = NULL; + } +@@ -1022,7 +1037,9 @@ JBIG2SymbolDict::~JBIG2SymbolDict() { + Guint i; + + for (i = 0; i < size; ++i) { +- delete bitmaps[i]; ++ if (bitmaps[i]) { ++ delete bitmaps[i]; ++ } + } + gfree(bitmaps); + if (genericRegionStats) { +@@ -1301,6 +1318,13 @@ void JBIG2Stream::readSegments() { + // keep track of the start of the segment data + segDataPos = getPos(); + ++ // check for missing page information segment ++ if (!pageBitmap && ((segType >= 4 && segType <= 7) || ++ (segType >= 20 && segType <= 43))) { ++ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); ++ goto syntaxError; ++ } ++ + // read the segment data + switch (segType) { + case 0: +@@ -1455,6 +1479,8 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + Guint i, j, k; + Guchar *p; + ++ symWidths = NULL; ++ + // symbol dictionary flags + if (!readUWord(&flags)) { + goto eofError; +@@ -1515,7 +1541,13 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + // part of it + if ((seg = findSegment(refSegs[i]))) { + if (seg->getType() == jbig2SegSymbolDict) { +- numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); ++ j = ((JBIG2SymbolDict *)seg)->getSize(); ++ if (numInputSyms > UINT_MAX - j) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } ++ numInputSyms += j; + } else if (seg->getType() == jbig2SegCodeTable) { + codeTables->append(seg); + } +@@ -1523,13 +1555,18 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + return gFalse; + } + } ++ if (numInputSyms > UINT_MAX - numNewSyms) { ++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ++ delete codeTables; ++ goto eofError; ++ } + + // compute symbol code length +- symCodeLen = 0; +- i = 1; +- while (i < numInputSyms + numNewSyms) { ++ symCodeLen = 1; ++ i = (numInputSyms + numNewSyms) >> 1; ++ while (i) { + ++symCodeLen; +- i <<= 1; ++ i >>= 1; + } + + // get the input symbol bitmaps +@@ -1541,11 +1578,12 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + k = 0; + inputSymbolDict = NULL; + for (i = 0; i < nRefSegs; ++i) { +- seg = findSegment(refSegs[i]); +- if (seg->getType() == jbig2SegSymbolDict) { +- inputSymbolDict = (JBIG2SymbolDict *)seg; +- for (j = 0; j < inputSymbolDict->getSize(); ++j) { +- bitmaps[k++] = inputSymbolDict->getBitmap(j); ++ if ((seg = findSegment(refSegs[i]))) { ++ if (seg->getType() == jbig2SegSymbolDict) { ++ inputSymbolDict = (JBIG2SymbolDict *)seg; ++ for (j = 0; j < inputSymbolDict->getSize(); ++j) { ++ bitmaps[k++] = inputSymbolDict->getBitmap(j); ++ } + } + } + } +@@ -1560,6 +1598,9 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + } else if (huffDH == 1) { + huffDHTable = huffTableE; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDW == 0) { +@@ -1567,17 +1608,26 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + } else if (huffDW == 1) { + huffDWTable = huffTableC; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffBMSize == 0) { + huffBMSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffBMSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffAggInst == 0) { + huffAggInstTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffAggInstTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -1610,7 +1660,6 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + } + + // allocate symbol widths storage +- symWidths = NULL; + if (huff && !refAgg) { + symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); + } +@@ -1652,6 +1701,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + goto syntaxError; + } + symWidth += dw; ++ if (i >= numNewSyms) { ++ error(getPos(), "Too many symbols in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + + // using a collective bitmap, so don't read a bitmap here + if (huff && !refAgg) { +@@ -1688,6 +1741,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + arithDecoder->decodeInt(&refDX, iardxStats); + arithDecoder->decodeInt(&refDY, iardyStats); + } ++ if (symID >= numInputSyms + i) { ++ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); ++ goto syntaxError; ++ } + refBitmap = bitmaps[symID]; + bitmaps[numInputSyms + i] = + readGenericRefinementRegion(symWidth, symHeight, +@@ -1754,6 +1811,12 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + } else { + arithDecoder->decodeInt(&run, iaexStats); + } ++ if (i + run > numInputSyms + numNewSyms || ++ (ex && j + run > numExSyms)) { ++ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary"); ++ delete symbolDict; ++ goto syntaxError; ++ } + if (ex) { + for (cnt = 0; cnt < run; ++cnt) { + symbolDict->setBitmap(j++, bitmaps[i++]->copy()); +@@ -1763,6 +1826,11 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + } + ex = !ex; + } ++ if (j != numExSyms) { ++ error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); ++ delete symbolDict; ++ goto syntaxError; ++ } + + for (i = 0; i < numNewSyms; ++i) { + delete bitmaps[numInputSyms + i]; +@@ -1785,6 +1853,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Gui + + return gTrue; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 symbol dictionary"); ++ delete codeTables; ++ + syntaxError: + for (i = 0; i < numNewSyms; ++i) { + if (bitmaps[numInputSyms + i]) { +@@ -1887,6 +1959,8 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } + } else { + error(getPos(), "Invalid segment reference in JBIG2 text region"); ++ delete codeTables; ++ return; + } + } + symCodeLen = 0; +@@ -1921,6 +1995,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffFS == 1) { + huffFSTable = huffTableG; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDS == 0) { +@@ -1930,6 +2007,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffDS == 2) { + huffDSTable = huffTableJ; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffDT == 0) { +@@ -1939,6 +2019,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffDT == 2) { + huffDTTable = huffTableM; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDW == 0) { +@@ -1946,6 +2029,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffRDW == 1) { + huffRDWTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDH == 0) { +@@ -1953,6 +2039,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffRDH == 1) { + huffRDHTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDX == 0) { +@@ -1960,6 +2049,9 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffRDX == 1) { + huffRDXTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRDY == 0) { +@@ -1967,11 +2059,17 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + } else if (huffRDY == 1) { + huffRDYTable = huffTableO; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } + if (huffRSize == 0) { + huffRSizeTable = huffTableA; + } else { ++ if (i >= (Guint)codeTables->getLength()) { ++ goto codeTableError; ++ } + huffRSizeTable = + ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); + } +@@ -2066,8 +2164,15 @@ void JBIG2Stream::readTextRegionSeg(Guint segNum, GBoo + + return; + ++ codeTableError: ++ error(getPos(), "Missing code table in JBIG2 text region"); ++ gfree(codeTables); ++ delete syms; ++ return; ++ + eofError: + error(getPos(), "Unexpected EOF in JBIG2 stream"); ++ return; + } + + JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, +@@ -2374,8 +2479,8 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } +- seg = findSegment(refSegs[0]); +- if (seg->getType() != jbig2SegPatternDict) { ++ if (!(seg = findSegment(refSegs[0])) || ++ seg->getType() != jbig2SegPatternDict) { + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } +@@ -2533,7 +2638,7 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, G + + // read the bitmap + bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, +- NULL, atx, aty, mmr ? 0 : length - 18); ++ NULL, atx, aty, mmr ? length - 18 : 0); + + // combine the region bitmap into the page bitmap + if (imm) { +@@ -2555,6 +2660,43 @@ void JBIG2Stream::readGenericRegionSeg(Guint segNum, G + error(getPos(), "Unexpected EOF in JBIG2 stream"); + } + ++inline void JBIG2Stream::mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ ++inline void JBIG2Stream::mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w) { ++ if (a1 > codingLine[*a0i]) { ++ if (a1 > w) { ++ error(getPos(), "JBIG2 MMR row is wrong length ({0:d})", a1); ++ a1 = w; ++ } ++ if ((*a0i & 1) ^ blackPixels) { ++ ++*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } else if (a1 < codingLine[*a0i]) { ++ if (a1 < 0) { ++ error(getPos(), "Invalid JBIG2 MMR code"); ++ a1 = 0; ++ } ++ while (*a0i > 0 && a1 <= codingLine[*a0i - 1]) { ++ --*a0i; ++ } ++ codingLine[*a0i] = a1; ++ } ++} ++ + JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, +@@ -2567,7 +2709,7 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, + JBIG2BitmapPtr atPtr0, atPtr1, atPtr2, atPtr3; + int *refLine, *codingLine; + int code1, code2, code3; +- int x, y, a0, pix, i, refI, codingI; ++ int x, y, a0i, b1i, blackPixels, pix, i; + + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); +@@ -2577,9 +2719,18 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, + if (mmr) { + + mmrDecoder->reset(); ++ if (w > INT_MAX - 2) { ++ error(getPos(), "Bad width in JBIG2 generic bitmap"); ++ // force a call to gmalloc(-1), which will throw an exception ++ w = -3; ++ } ++ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = w ++ // ---> max codingLine size = w + 1 ++ // refLine has one extra guard entry at the end ++ // ---> max refLine size = w + 2 ++ codingLine = (int *)gmallocn(w + 1, sizeof(int)); + refLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine = (int *)gmallocn(w + 2, sizeof(int)); +- codingLine[0] = codingLine[1] = w; ++ codingLine[0] = w; + + for (y = 0; y < h; ++y) { + +@@ -2587,128 +2738,157 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, + for (i = 0; codingLine[i] < w; ++i) { + refLine[i] = codingLine[i]; + } +- refLine[i] = refLine[i + 1] = w; ++ refLine[i++] = w; ++ refLine[i] = w; + + // decode a line +- refI = 0; // b1 = refLine[refI] +- codingI = 0; // a1 = codingLine[codingI] +- a0 = 0; +- do { ++ codingLine[0] = 0; ++ a0i = 0; ++ b1i = 0; ++ blackPixels = 0; ++ // invariant: ++ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] <= w ++ // exception at left edge: ++ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible ++ // exception at right edge: ++ // refLine[b1i] = refLine[b1i+1] = w is possible ++ while (codingLine[a0i] < w) { + code1 = mmrDecoder->get2DCode(); + switch (code1) { + case twoDimPass: +- if (refLine[refI] < w) { +- a0 = refLine[refI + 1]; +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i + 1], blackPixels, codingLine, &a0i, w); ++ if (refLine[b1i + 1] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimHoriz: +- if (codingI & 1) { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- } else { +- code1 = 0; +- do { +- code1 += code3 = mmrDecoder->getWhiteCode(); +- } while (code3 >= 64); +- code2 = 0; +- do { +- code2 += code3 = mmrDecoder->getBlackCode(); +- } while (code3 >= 64); +- } +- if (code1 > 0 || code2 > 0) { +- a0 = codingLine[codingI++] = a0 + code1; +- a0 = codingLine[codingI++] = a0 + code2; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVert0: +- a0 = codingLine[codingI++] = refLine[refI]; +- if (refLine[refI] < w) { +- ++refI; +- } +- break; +- case twoDimVertR1: +- a0 = codingLine[codingI++] = refLine[refI] + 1; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertR2: +- a0 = codingLine[codingI++] = refLine[refI] + 2; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; ++ code1 = code2 = 0; ++ if (blackPixels) { ++ do { ++ code1 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ } else { ++ do { ++ code1 += code3 = mmrDecoder->getWhiteCode(); ++ } while (code3 >= 64); ++ do { ++ code2 += code3 = mmrDecoder->getBlackCode(); ++ } while (code3 >= 64); ++ } ++ mmrAddPixels(codingLine[a0i] + code1, blackPixels, ++ codingLine, &a0i, w); ++ if (codingLine[a0i] < w) { ++ mmrAddPixels(codingLine[a0i] + code2, blackPixels ^ 1, ++ codingLine, &a0i, w); ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ break; + case twoDimVertR3: +- a0 = codingLine[codingI++] = refLine[refI] + 3; +- if (refLine[refI] < w) { +- ++refI; +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- } +- break; +- case twoDimVertL1: +- a0 = codingLine[codingI++] = refLine[refI] - 1; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; +- case twoDimVertL2: +- a0 = codingLine[codingI++] = refLine[refI] - 2; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixels(refLine[b1i] + 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR2: ++ mmrAddPixels(refLine[b1i] + 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertR1: ++ mmrAddPixels(refLine[b1i] + 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVert0: ++ mmrAddPixels(refLine[b1i], blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ ++b1i; ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; + case twoDimVertL3: +- a0 = codingLine[codingI++] = refLine[refI] - 3; +- if (refI > 0) { +- --refI; +- } else { +- ++refI; +- } +- while (refLine[refI] <= a0 && refLine[refI] < w) { +- refI += 2; +- } +- break; ++ mmrAddPixelsNeg(refLine[b1i] - 3, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL2: ++ mmrAddPixelsNeg(refLine[b1i] - 2, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case twoDimVertL1: ++ mmrAddPixelsNeg(refLine[b1i] - 1, blackPixels, codingLine, &a0i, w); ++ blackPixels ^= 1; ++ if (codingLine[a0i] < w) { ++ if (b1i > 0) { ++ --b1i; ++ } else { ++ ++b1i; ++ } ++ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < w) { ++ b1i += 2; ++ } ++ } ++ break; ++ case EOF: ++ mmrAddPixels(w, 0, codingLine, &a0i, w); ++ break; + default: + error(getPos(), "Illegal code in JBIG2 MMR bitmap data"); ++ mmrAddPixels(w, 0, codingLine, &a0i, w); + break; + } +- } while (a0 < w); +- codingLine[codingI++] = w; ++ } + + // convert the run lengths to a bitmap line + i = 0; +- while (codingLine[i] < w) { ++ while (1) { + for (x = codingLine[i]; x < codingLine[i+1]; ++x) { + bitmap->setPixel(x, y); + } ++ if (codingLine[i+1] >= w || codingLine[i+2] >= w) { ++ break; ++ } + i += 2; + } + } +@@ -2756,7 +2936,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericBitmap(GBool mmr, + ltp = !ltp; + } + if (ltp) { +- bitmap->duplicateRow(y, y-1); ++ if (y > 0) { ++ bitmap->duplicateRow(y, y-1); ++ } + continue; + } + } +@@ -2959,8 +3141,8 @@ void JBIG2Stream::readGenericRefinementRegionSeg(Guint + return; + } + if (nRefSegs == 1) { +- seg = findSegment(refSegs[0]); +- if (seg->getType() != jbig2SegBitmap) { ++ if (!(seg = findSegment(refSegs[0])) || ++ seg->getType() != jbig2SegBitmap) { + error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); + return; + } +@@ -3054,6 +3236,10 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion( + tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); ++ } else { ++ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy ++ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; ++ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; + } + + for (x = 0; x < w; ++x) { diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_h b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_h new file mode 100644 index 00000000000..09ac0a6ed99 --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_JBIG2Stream_h @@ -0,0 +1,14 @@ +$OpenBSD: patch-kpdf_xpdf_xpdf_JBIG2Stream_h,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/xpdf/JBIG2Stream.h.orig Mon May 14 09:39:30 2007 ++++ kpdf/xpdf/xpdf/JBIG2Stream.h Sun Apr 19 22:28:20 2009 +@@ -78,6 +78,10 @@ class JBIG2Stream: public FilterStream { (private) + Guint *refSegs, Guint nRefSegs); + void readGenericRegionSeg(Guint segNum, GBool imm, + GBool lossless, Guint length); ++ void mmrAddPixels(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); ++ void mmrAddPixelsNeg(int a1, int blackPixels, ++ int *codingLine, int *a0i, int w); + JBIG2Bitmap *readGenericBitmap(GBool mmr, int w, int h, + int templ, GBool tpgdOn, + GBool useSkip, JBIG2Bitmap *skip, diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_PSOutputDev_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_PSOutputDev_cc new file mode 100644 index 00000000000..50c65c22027 --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_PSOutputDev_cc @@ -0,0 +1,12 @@ +$OpenBSD: patch-kpdf_xpdf_xpdf_PSOutputDev_cc,v 1.1 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/xpdf/PSOutputDev.cc.orig Mon Oct 8 11:48:37 2007 ++++ kpdf/xpdf/xpdf/PSOutputDev.cc Thu Oct 15 16:35:46 2009 +@@ -4386,7 +4386,7 @@ void PSOutputDev::doImageL1Sep(GfxImageColorMap *color + width, -height, height); + + // allocate a line buffer +- lineBuf = (Guchar *)gmalloc(4 * width); ++ lineBuf = (Guchar *)gmallocn(width, 4); + + // set up to process the data stream + imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(), diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_Stream_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_Stream_cc new file mode 100644 index 00000000000..53c67f9046c --- /dev/null +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_Stream_cc @@ -0,0 +1,14 @@ +$OpenBSD: patch-kpdf_xpdf_xpdf_Stream_cc,v 1.2 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/xpdf/Stream.cc.orig Wed Feb 13 10:37:05 2008 ++++ kpdf/xpdf/xpdf/Stream.cc Thu Oct 15 16:35:46 2009 +@@ -323,6 +323,10 @@ ImageStream::ImageStream(Stream *strA, int widthA, int + } else { + imgLineSize = nVals; + } ++ if (width > INT_MAX / nComps) { ++ // force a call to gmallocn(-1,...), which will throw an exception ++ imgLineSize = -1; ++ } + imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); + imgIdx = nVals; + } diff --git a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_XRef_cc b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_XRef_cc index 5a3cacbacf1..61330afb999 100644 --- a/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_XRef_cc +++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_xpdf_XRef_cc @@ -1,27 +1,66 @@ -$OpenBSD: patch-kpdf_xpdf_xpdf_XRef_cc,v 1.1 2008/05/21 09:46:18 ajacoutot Exp $ ---- kpdf/xpdf/xpdf/XRef.cc.orig Fri Apr 25 18:17:39 2008 -+++ kpdf/xpdf/xpdf/XRef.cc Fri Apr 25 18:18:22 2008 -@@ -771,19 +771,19 @@ void XRef::setEncryption(int permFlagsA, GBool ownerPa +$OpenBSD: patch-kpdf_xpdf_xpdf_XRef_cc,v 1.2 2009/10/15 15:50:25 kili Exp $ +--- kpdf/xpdf/xpdf/XRef.cc.orig Thu Oct 15 16:32:56 2009 ++++ kpdf/xpdf/xpdf/XRef.cc Thu Oct 15 16:35:46 2009 +@@ -52,6 +52,8 @@ class ObjectStream { (public) + // generation 0. + ObjectStream(XRef *xref, int objStrNumA); + ++ GBool isOk() { return ok; } ++ + ~ObjectStream(); + + // Return the object number of this object stream. +@@ -67,6 +69,7 @@ class ObjectStream { (public) + int nObjects; // number of objects in the stream + Object *objs; // the objects (length = nObjects) + int *objNums; // the object numbers (length = nObjects) ++ GBool ok; + }; + + ObjectStream::ObjectStream(XRef *xref, int objStrNumA) { +@@ -80,6 +83,7 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) + nObjects = 0; + objs = NULL; + objNums = NULL; ++ ok = gFalse; + + if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) { + goto err1; +@@ -105,6 +109,13 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) + goto err1; + } + ++ // this is an arbitrary limit to avoid integer overflow problems ++ // in the 'new Object[nObjects]' call (Acrobat apparently limits ++ // object streams to 100-200 objects) ++ if (nObjects > 1000000) { ++ error(-1, "Too many objects in an object stream"); ++ goto err1; ++ } + objs = new Object[nObjects]; + objNums = (int *)gmallocn(nObjects, sizeof(int)); + offsets = (int *)gmallocn(nObjects, sizeof(int)); +@@ -161,10 +172,10 @@ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) + } + + gfree(offsets); ++ ok = gTrue; + + err1: + objStr.free(); +- return; } - GBool XRef::okToPrint(GBool ignoreOwnerPW) { -- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permPrint); -+ return (1); - } - - GBool XRef::okToChange(GBool ignoreOwnerPW) { -- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permChange); -+ return (1); - } - - GBool XRef::okToCopy(GBool ignoreOwnerPW) { -- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permCopy); -+ return (1); - } - - GBool XRef::okToAddNotes(GBool ignoreOwnerPW) { -- return (!ignoreOwnerPW && ownerPasswordOk) || (permFlags & permNotes); -+ return (1); - } - - Object *XRef::fetch(int num, int gen, Object *obj) { + ObjectStream::~ObjectStream() { +@@ -837,6 +848,11 @@ Object *XRef::fetch(int num, int gen, Object *obj) { + delete objStr; + } + objStr = new ObjectStream(this, e->offset); ++ if (!objStr->isOk()) { ++ delete objStr; ++ objStr = NULL; ++ goto err; ++ } + } + objStr->getObject(e->gen, num, obj); + break;