KDE Security Advisory: kpdf/xpdf heap based buffer overflow

http://www.kde.org/info/security/advisory-20060202-1.txt
2006-02-04 13:25:36 +00:00 · 2006-02-04 13:25:36 +00:00 · e628d749dc
commit e628d749dc
parent d9861dc5fe
2 changed files with 53 additions and 2 deletions
--- a/x11/kde/graphics3/Makefile
+++ b/x11/kde/graphics3/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.56 2006/02/03 18:42:01 espie Exp $
+# $OpenBSD: Makefile,v 1.57 2006/02/04 13:25:36 espie Exp $

 COMMENT=		"K Desktop Environment, graphic applications"
 COMMENT-kamera=		"KDE interface to digital cameras"
@ -12,7 +12,7 @@ MODKDE_VERSION=		3.5
 FLAVORS=debug
 SEPARATE_BUILD=flavored
 MULTI_PACKAGES=-kpov -kamera -sane
-PKGNAME=${DISTNAME}
+PKGNAME=${DISTNAME}p0
 PKGNAME-kamera=kamera-${VERSION}
 PKGNAME-kpov=kpovmodeller-${VERSION}
 PKGNAME-sane=ksane-${VERSION}
--- a/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashXPathScanner_cc
+++ b/x11/kde/graphics3/patches/patch-kpdf_xpdf_splash_SplashXPathScanner_cc
@ -0,0 +1,51 @@
+$OpenBSD: patch-kpdf_xpdf_splash_SplashXPathScanner_cc,v 1.1 2006/02/04 13:25:36 espie Exp $
+--- kpdf/xpdf/splash/SplashXPathScanner.cc.orig	Sat Sep 10 10:18:43 2005
+++ kpdf/xpdf/splash/SplashXPathScanner.cc	Sat Feb  4 14:21:47 2006
+@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in
+ }
+ 
+ void SplashXPathScanner::computeIntersections(int y) {
+-  SplashCoord ySegMin, ySegMax, xx0, xx1;
+  SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
+   SplashXPathSeg *seg;
+   int i, j;
+ 
+@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec
+     } else if (seg->flags & splashXPathVert) {
+       xx0 = xx1 = seg->x0;
+     } else {
+-      if (ySegMin <= y) {
+-	// intersection with top edge
+-	xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+      if (seg->x0 < seg->x1) {
+	xSegMin = seg->x0;
+	xSegMax = seg->x1;
+       } else {
+-	// x coord of segment endpoint with min y coord
+-	xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
+	xSegMin = seg->x1;
+	xSegMax = seg->x0;
+       }
+-      if (ySegMax >= y + 1) {
+-	// intersection with bottom edge
+-	xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+-      } else {
+-	// x coord of segment endpoint with max y coord
+-	xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
+      // intersection with top edge
+      xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+      // intersection with bottom edge
+      xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+      // the segment may not actually extend to the top and/or bottom edges
+      if (xx0 < xSegMin) {
+	xx0 = xSegMin;
+      } else if (xx0 > xSegMax) {
+	xx0 = xSegMax;
+      }
+      if (xx1 < xSegMin) {
+	xx1 = xSegMin;
+      } else if (xx1 > xSegMax) {
+	xx1 = xSegMax;
+       }
+     }
+     if (xx0 < xx1) {