From e3f3b3470d7fec4276403f05dac961a799b39cc8 Mon Sep 17 00:00:00 2001
From: bernd
Date: Sun, 5 Feb 2006 09:59:38 +0000
Subject: [PATCH] Fix heap based buffer overflow. From KDE. http://www.kde.org/info/security/advisory-20060202-1.txt ok steven@
---
 textproc/gpdf/Makefile | 4 +-
 .../patch-splash_SplashXPathScanner_cc | 51 +++++++++++++++++++
 2 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 textproc/gpdf/patches/patch-splash_SplashXPathScanner_cc
diff --git a/textproc/gpdf/Makefile b/textproc/gpdf/Makefile
index 5c8f1eb63ba..14b5310dded 100644
--- a/textproc/gpdf/Makefile
+++ b/textproc/gpdf/Makefile
@@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.13 2006/01/18 05:40:33 steven Exp $
+# $OpenBSD: Makefile,v 1.14 2006/02/05 09:59:38 bernd Exp $
 COMMENT= "PDF viewer for GNOME"
 DISTNAME= gpdf-2.8.1
-PKGNAME= ${DISTNAME}p3
+PKGNAME= ${DISTNAME}p4
 CATEGORIES= textproc x11/gnome
 HOMEPAGE= http://www.inf.tu-dresden.de/~mk793652/gpdf/
diff --git a/textproc/gpdf/patches/patch-splash_SplashXPathScanner_cc b/textproc/gpdf/patches/patch-splash_SplashXPathScanner_cc
new file mode 100644
index 00000000000..91f7e3fee69
--- /dev/null
+++ b/textproc/gpdf/patches/patch-splash_SplashXPathScanner_cc
@@ -0,0 +1,51 @@
+$OpenBSD: patch-splash_SplashXPathScanner_cc,v 1.1 2006/02/05 09:59:38 bernd Exp $
+--- splash/SplashXPathScanner.cc.orig Sat Feb 4 14:44:27 2006
++++ splash/SplashXPathScanner.cc Sat Feb 4 14:46:44 2006
+@@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in
+ }
+
+ void SplashXPathScanner::computeIntersections(int y) {
+- SplashCoord ySegMin, ySegMax, xx0, xx1;
++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
+ SplashXPathSeg *seg;
+ int i, j;
+
+@@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec
+ } else if (seg->flags & splashXPathVert) {
+ xx0 = xx1 = seg->x0;
+ } else {
+- if (ySegMin <= y) {
+- // intersection with top edge
+- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
++ if (seg->x0 < seg->x1) {
++ xSegMin = seg->x0;
++ xSegMax = seg->x1;
+ } else {
+- // x coord of segment endpoint with min y coord
+- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
++ xSegMin = seg->x1;
++ xSegMax = seg->x0;
+ }
+- if (ySegMax >= y + 1) {
+- // intersection with bottom edge
+- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
+- } else {
+- // x coord of segment endpoint with max y coord
+- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
++ // intersection with top edge
++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
++ // intersection with bottom edge
++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
++ // the segment may not actually extend to the top and/or bottom edges
++ if (xx0 < xSegMin) {
++ xx0 = xSegMin;
++ } else if (xx0 > xSegMax) {
++ xx0 = xSegMax;
++ }
++ if (xx1 < xSegMin) {
++ xx1 = xSegMin;
++ } else if (xx1 > xSegMax) {
++ xx1 = xSegMax;
+ }
+ }
+ if (xx0 < xx1) {
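Review bot: The clamp of `xx0`/`xx1` to `[xSegMin, xSegMax]` added in the second inner hunk of computeIntersections is not total. If SplashCoord is a floating-point type (its definition is not visible here) and `seg->dxdy` is ever non-finite, a NaN result fails both `xx0 < xSegMin` and `xx0 > xSegMax` and reaches `if (xx0 < xx1)` unclamped. Writing the lower test as `if (!(xx0 >= xSegMin)) { xx0 = xSegMin; }`, and likewise for `xx1`, sends every out-of-range value to a bound. The clamp also limits the result only to the segment's own x extent, so the code after the hunk, which lies outside this view, presumably still has to keep the values inside the scanner's range before they are turned into positions. A one-line comment above the clamp, such as `// security fix (KDE advisory-20060202-1): keep intersections inside the segment's x range`, would tell whoever next regenerates this port patch why it must not be dropped.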