From b5ba305851ca8136abc55b5acca02ff17efc1e33 Mon Sep 17 00:00:00 2001 From: naddy Date: Mon, 22 Aug 2005 22:37:12 +0000 Subject: [PATCH] SECURITY: Catch up with xpdf 3.00 pl2 and pl3 for various vulnerabilities, and a fix for CAN-2005-2097 from Kristian Hoegsberg. ok mbalmer@, pvalchev@ --- textproc/gpdf/Makefile | 3 +- .../gpdf/patches/patch-xpdf_GPOutputDev_cc | 56 +++++++++++++++++++ textproc/gpdf/patches/patch-xpdf_GfxState_cc | 24 ++++++++ textproc/gpdf/patches/patch-xpdf_Gfx_cc | 14 +++++ textproc/gpdf/patches/patch-xpdf_XRef_cc | 13 +++++ 5 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 textproc/gpdf/patches/patch-xpdf_GPOutputDev_cc create mode 100644 textproc/gpdf/patches/patch-xpdf_GfxState_cc create mode 100644 textproc/gpdf/patches/patch-xpdf_Gfx_cc create mode 100644 textproc/gpdf/patches/patch-xpdf_XRef_cc diff --git a/textproc/gpdf/Makefile b/textproc/gpdf/Makefile index a9e3652ff9b..88674cd1444 100644 --- a/textproc/gpdf/Makefile +++ b/textproc/gpdf/Makefile @@ -1,8 +1,9 @@ -# $OpenBSD: Makefile,v 1.9 2005/02/21 16:54:19 alek Exp $ +# $OpenBSD: Makefile,v 1.10 2005/08/22 22:37:12 naddy Exp $ COMMENT= "PDF viewer for GNOME" DISTNAME= gpdf-2.8.1 +PKGNAME= ${DISTNAME}p0 CATEGORIES= textproc x11/gnome HOMEPAGE= http://www.inf.tu-dresden.de/~mk793652/gpdf/ diff --git a/textproc/gpdf/patches/patch-xpdf_GPOutputDev_cc b/textproc/gpdf/patches/patch-xpdf_GPOutputDev_cc new file mode 100644 index 00000000000..58329396ce8 --- /dev/null +++ b/textproc/gpdf/patches/patch-xpdf_GPOutputDev_cc 
@@ -0,0 +1,56 @@
+$OpenBSD: patch-xpdf_GPOutputDev_cc,v 1.1 2005/08/22 22:37:12 naddy Exp $
+--- xpdf/GPOutputDev.cc.orig Sat Aug 20 22:36:27 2005
++++ xpdf/GPOutputDev.cc Sat Aug 20 22:38:32 2005
+@@ -257,26 +257,14 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+ }
+ case fontTrueType: {
+ FoFiTrueType *ff;
+- gint fd;
+- gchar *temp_name;
+- FILE *f;
+ gushort *code_to_gid;
+
+ ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+
+ code_to_gid = ((Gfx8BitFont *)font)->getCodeToGIDMap(ff); // this is g(oo)malloc'd
+
+- fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+- f = fdopen(fd, "wb");
+- ff->writeTTF(&fileWrite, f);
+ delete ff;
+- g_free(contents);
+- fclose(f);
+
+- g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+- unlink(temp_name);
+- g_free(temp_name);
+-
+ gff = gpdf_font_face_download((const guchar *)font_name,
+ (const guchar *)"",
+ GNOME_FONT_REGULAR, FALSE,
+@@ -318,25 +306,8 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+ break;
+ }
+ case fontCIDType2: {
+- FoFiTrueType *ff;
+- gint fd;
+- gchar *temp_name;
+- FILE *f;
+ gint n_cids;
+ gushort *code_to_gid;
+-
+- ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+-
+- fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+- f = fdopen(fd, "wb");
+- ff->writeTTF(&fileWrite, f);
+- delete ff;
+- g_free(contents);
+- fclose(f);
+-
+- g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+- unlink(temp_name);
+- g_free(temp_name);
+
+ gff = gpdf_font_face_download((const guchar *)font_name,
+ (const guchar *)"",
diff --git a/textproc/gpdf/patches/patch-xpdf_GfxState_cc b/textproc/gpdf/patches/patch-xpdf_GfxState_cc
new file mode 100644
index 00000000000..c02e9383e4b
--- /dev/null
+++ b/textproc/gpdf/patches/patch-xpdf_GfxState_cc
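Review bot: In the `fontTrueType` case of the GPOutputDev.cc patch, the kept context still hands the result of `FoFiTrueType::make((char *)contents, length)` straight to `getCodeToGIDMap(ff)`, and the `// FIXME error handling` marker stays unresolved. `contents` is font data embedded in the document, so if `make()` can return NULL for a malformed font, that call operates on a null pointer; a guard such as `if (!ff) break;` before `getCodeToGIDMap`, with whatever cleanup the function needs at that point, would close it. In the `fontCIDType2` case the embedded bytes now reach `gpdf_font_face_download` with no FoFiTrueType parse at all, which deserves a comment stating that the downstream font loader is relied on to reject malformed data. Both cases sit in a function that starts and ends outside these hunks, so ownership of `contents` on an early exit has to be checked against the full source.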
@@ -0,0 +1,24 @@
+$OpenBSD: patch-xpdf_GfxState_cc,v 1.1 2005/08/22 22:37:12 naddy Exp $
+--- xpdf/GfxState.cc.orig Sat Aug 20 22:10:30 2005
++++ xpdf/GfxState.cc Sat Aug 20 22:12:38 2005
+@@ -714,6 +714,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+ }
+ nCompsA = obj2.getInt();
+ obj2.free();
++ if (nCompsA > gfxColorMaxComps) {
++ error(-1, "ICCBased color space with too many (%d > %d) components",
++ nCompsA, gfxColorMaxComps);
++ nCompsA = gfxColorMaxComps;
++ }
+ if (dict->lookup("Alternate", &obj2)->isNull() ||
+ !(altA = GfxColorSpace::parse(&obj2))) {
+ switch (nCompsA) {
+@@ -1060,7 +1065,7 @@ GfxColorSpace *GfxDeviceNColorSpace::par
+ }
+ nCompsA = obj1.arrayGetLength();
+ if (nCompsA > gfxColorMaxComps) {
+- error(-1, "DeviceN color space with more than %d > %d components",
++ error(-1, "DeviceN color space with too many (%d > %d) components",
+ nCompsA, gfxColorMaxComps);
+ nCompsA = gfxColorMaxComps;
+ }
diff --git a/textproc/gpdf/patches/patch-xpdf_Gfx_cc b/textproc/gpdf/patches/patch-xpdf_Gfx_cc
new file mode 100644
index 00000000000..d0a6ba6dd02
--- /dev/null
+++ b/textproc/gpdf/patches/patch-xpdf_Gfx_cc
@@ -0,0 +1,14 @@
+$OpenBSD: patch-xpdf_Gfx_cc,v 1.1 2005/08/22 22:37:12 naddy Exp $
+--- xpdf/Gfx.cc.orig Sat Aug 20 22:09:21 2005
++++ xpdf/Gfx.cc Sat Aug 20 22:10:22 2005
+@@ -2654,7 +2654,9 @@ void Gfx::doImage(Object *ref, Stream *s
+ haveMask = gFalse;
+ dict->lookup("Mask", &maskObj);
+ if (maskObj.isArray()) {
+- for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++ for (i = 0;
++ i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++ ++i) {
+ maskObj.arrayGet(i, &obj1);
+ maskColors[i] = obj1.getInt();
+ obj1.free();
diff --git a/textproc/gpdf/patches/patch-xpdf_XRef_cc b/textproc/gpdf/patches/patch-xpdf_XRef_cc
new file mode 100644
index 00000000000..23043d16c96
--- /dev/null
+++ b/textproc/gpdf/patches/patch-xpdf_XRef_cc
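Review bot: The clamp added to the ICCBased parser in the GfxState.cc patch bounds `nCompsA` from above only; `obj2.getInt()` is a value read from the document and nothing in the visible lines rejects zero or a negative count. If later code in this function sizes or indexes per-component arrays with `nCompsA`, the check is safer as a range test, for example `if (nCompsA < 1 || nCompsA > gfxColorMaxComps)`, with non-positive values treated as a parse failure rather than clamped. The `keyLength` clamp in the XRef.cc patch has the same upper-bound-only shape. The function continues outside the hunk, so the downstream uses of `nCompsA` cannot be confirmed from here.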
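Review bot: Inside the newly bounded loop in the Gfx.cc patch, `maskColors[i] = obj1.getInt();` still reads each `Mask` array element as an integer without testing its type first. The array comes from the document, so depending on how `getInt()` treats non-integer objects an element of another type may be stored as an arbitrary value; a check such as `if (!obj1.isInt()) { obj1.free(); break; }` before the assignment would keep only well-formed entries. The `2*gfxColorMaxComps` bound would also benefit from a one-line comment tying it to the declared size of `maskColors`, which is declared outside this hunk.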
@@ -0,0 +1,13 @@
+$OpenBSD: patch-xpdf_XRef_cc,v 1.1 2005/08/22 22:37:12 naddy Exp $
+--- xpdf/XRef.cc.orig Sat Aug 20 22:14:19 2005
++++ xpdf/XRef.cc Sat Aug 20 22:16:10 2005
+@@ -819,6 +819,9 @@ GBool XRef::checkEncrypted(GString *owne
+ } else {
+ keyLength = 5;
+ }
++ if (keyLength > 16) {
++ keyLength = 16;
++ }
+ permFlags = permissions.getInt();
+ if (encVersion >= 1 && encVersion <= 2 &&
+ encRevision >= 2 && encRevision <= 3) {
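Review bot: The literal `16` in the new `keyLength` clamp in the XRef.cc patch is unexplained, and the truncation happens without any diagnostic. A comment along the lines of `// cap at 16 bytes (128-bit key); larger values come from a malformed document` would record the intent, once the 16 is confirmed against the size of the key buffer, which is declared outside this hunk. Reporting the oversize value through `error(-1, ...)`, as the GfxState.cc patch does for its clamp, would make a rejected length visible when triaging a suspicious file. The branch that assigns `keyLength` from the document sits above the hunk.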