SECURITY:

Fix a buffer overflow due to insufficient bounds checking while processing a PDF file that provides malicious values in the /Encrypt /Length tag. http://www.idefense.com/application/poi/display?id=186&type=vulnerabilities&flashstatus=false ok robert@
2005-01-19 16:23:16 +00:00 · 2005-01-19 16:23:16 +00:00 · fe99af154b
commit fe99af154b
parent 80d9dac918
2 changed files with 15 additions and 5 deletions
--- a/textproc/xpdf/Makefile
+++ b/textproc/xpdf/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.46 2004/12/22 17:36:24 robert Exp $
+# $OpenBSD: Makefile,v 1.47 2005/01/19 16:23:16 naddy Exp $

 COMMENT=	"PDF viewer for X"

 DISTNAME=	xpdf-3.00
-PKGNAME=	${DISTNAME}p2
+PKGNAME=	${DISTNAME}p3
 CATEGORIES=	textproc x11

 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/
--- a/textproc/xpdf/patches/patch-xpdf_XRef_cc
+++ b/textproc/xpdf/patches/patch-xpdf_XRef_cc
@ -1,6 +1,6 @@
-$OpenBSD: patch-xpdf_XRef_cc,v 1.1 2004/10/23 02:24:37 brad Exp $
--- xpdf/XRef.cc.orig	Wed Jan 21 20:26:45 2004
-+++ xpdf/XRef.cc	Fri Oct 22 21:54:48 2004
+$OpenBSD: patch-xpdf_XRef_cc,v 1.2 2005/01/19 16:23:16 naddy Exp $
+--- xpdf/XRef.cc.orig	Thu Jan 22 02:26:45 2004
+++ xpdf/XRef.cc	Wed Jan 19 14:23:39 2005
@@ -96,7 +96,7 @@ ObjectStream::ObjectStream(XRef *xref, i
   }
   nObjects = obj1.getInt();
@ -264,3 +264,13 @@ $OpenBSD: patch-xpdf_XRef_cc,v 1.1 2004/10/23 02:24:37 brad Exp $
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }
+@@ -756,6 +816,9 @@ GBool XRef::checkEncrypted(GString *owne
+ 	  keyLength = lengthObj.getInt() / 8;
+ 	} else {
+ 	  keyLength = 5;
+	}
+	if (keyLength > 16) {
+	  keyLength = 16;
+ 	}
+ 	permFlags = permissions.getInt();
+ 	if (encVersion >= 1 && encVersion <= 2 &&