Fix heap based buffer overflow.

From KDE. http://www.kde.org/info/security/advisory-20060202-1.txt

ok steven@
This commit is contained in:
bernd 2006-02-05 09:59:38 +00:00
parent 5cef0e1aee
commit e3f3b3470d
2 changed files with 53 additions and 2 deletions

View File

@ -1,9 +1,9 @@
# $OpenBSD: Makefile,v 1.13 2006/01/18 05:40:33 steven Exp $
# $OpenBSD: Makefile,v 1.14 2006/02/05 09:59:38 bernd Exp $
COMMENT= "PDF viewer for GNOME"
DISTNAME= gpdf-2.8.1
PKGNAME= ${DISTNAME}p3
PKGNAME= ${DISTNAME}p4
CATEGORIES= textproc x11/gnome
HOMEPAGE= http://www.inf.tu-dresden.de/~mk793652/gpdf/

View File

@ -0,0 +1,51 @@
$OpenBSD: patch-splash_SplashXPathScanner_cc,v 1.1 2006/02/05 09:59:38 bernd Exp $
--- splash/SplashXPathScanner.cc.orig Sat Feb 4 14:44:27 2006
+++ splash/SplashXPathScanner.cc Sat Feb 4 14:46:44 2006
@@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in
}
void SplashXPathScanner::computeIntersections(int y) {
- SplashCoord ySegMin, ySegMax, xx0, xx1;
+ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
@@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec
} else if (seg->flags & splashXPathVert) {
xx0 = xx1 = seg->x0;
} else {
- if (ySegMin <= y) {
- // intersection with top edge
- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
+ if (seg->x0 < seg->x1) {
+ xSegMin = seg->x0;
+ xSegMax = seg->x1;
} else {
- // x coord of segment endpoint with min y coord
- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
+ xSegMin = seg->x1;
+ xSegMax = seg->x0;
}
- if (ySegMax >= y + 1) {
- // intersection with bottom edge
- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
- } else {
- // x coord of segment endpoint with max y coord
- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
+ // intersection with top edge
+ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+ // intersection with bottom edge
+ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+ // the segment may not actually extend to the top and/or bottom edges
+ if (xx0 < xSegMin) {
+ xx0 = xSegMin;
+ } else if (xx0 > xSegMax) {
+ xx0 = xSegMax;
+ }
+ if (xx1 < xSegMin) {
+ xx1 = xSegMin;
+ } else if (xx1 > xSegMax) {
+ xx1 = xSegMax;
}
}
if (xx0 < xx1) {