Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Alexis Ballier (aballier)" <aballier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-text/tetex/files: tetex-3.0_p1-dvips_bufferoverflow.patch xpdf-3.02pl2.patch digest-tetex-3.0_p1-r5
Date: Wed, 07 Nov 2007 23:05:31
Message-Id: E1IptxY-0004ge-U4@stork.gentoo.org
1 aballier 07/11/07 23:05:20
2
3 Added: tetex-3.0_p1-dvips_bufferoverflow.patch
4 xpdf-3.02pl2.patch digest-tetex-3.0_p1-r5
5 Log:
6 security fixes for dvips, dviljk bug #198238 and libxpdf bug #196735; quote variables
7 (Portage version: 2.1.3.19)
8
9 Revision Changes Path
10 1.1 app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch
11
12 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch?rev=1.1&content-type=text/plain
14
15 Index: tetex-3.0_p1-dvips_bufferoverflow.patch
16 ===================================================================
17 hps.c (stamp_external, stamp_hps): protext against long strings.
18 From Bastien Roucaries via Norbert, 21 Oct 2007 13:22:19,
19 Debian bug 447081.
20
21 Index: texk/dvipsk/hps.c
22 ===================================================================
23 --- texk/dvipsk/hps.c (revision 5253)
24 +++ texk/dvipsk/hps.c (revision 5254)
25 @@ -441,20 +441,29 @@
26
27 void stamp_hps P1C(Hps_link *, pl)
28 {
29 - char tmpbuf[200] ;
30 + char * tmpbuf;
31 if (pl == NULL) {
32 - error("Null pointer, oh no!") ;
33 + error("stamp_hps: null pl pointer, oh no!") ;
34 return ;
35 - } else {
36 - /* print out the proper pdfm with local page info only
37 - * target info will be in the target dictionary */
38 - (void)sprintf(tmpbuf,
39 - " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
40 - pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
41 - pl->color[0], pl->color[1], pl->color[2]) ;
42 - cmdout(tmpbuf) ;
43 - }
44 + }
45 + if(pl->title == NULL) {
46 + error("stamp_hps: null pl->title pointer, oh no!") ;
47 + return ;
48 + }
49 +
50 + tmpbuf = (char *) xmalloc(strlen(pl->title)+200);
51 +
52 + /* print out the proper pdfm with local page info only
53 + * target info will be in the target dictionary */
54 + (void)sprintf(tmpbuf,
55 + " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ",
56 + pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
57 + pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
58 + pl->color[0], pl->color[1], pl->color[2]) ;
59 + cmdout(tmpbuf) ;
60 + free(tmpbuf);
61
62 +
63 }
64
65 /* For external URL's, we just pass them through as a string. The hyperps
66 @@ -462,18 +471,27 @@
67 */
68 void stamp_external P2C(char *, s, Hps_link *, pl)
69 {
70 - char tmpbuf[200];
71 + char *tmpbuf;
72 if (pl == NULL) {
73 - error("Null pointer, oh no!") ;
74 + error("stamp_external: null pl pointer, oh no!") ;
75 return ;
76 - } else {
77 - /* print out the proper pdfm with local page info only
78 - * target info will be in the target dictionary */
79 - (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
80 - pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
81 - pl->color[0], pl->color[1], pl->color[2], s) ;
82 - cmdout(tmpbuf) ;
83 - }
84 + }
85 +
86 + if (s == NULL) {
87 + error("stamp_external: null s pointer, oh no!") ;
88 + return ;
89 + }
90 +
91 + tmpbuf = (char *) xmalloc(strlen(s) + 200);
92 +
93 + /* print out the proper pdfm with local page info only
94 + * target info will be in the target dictionary */
95 + (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ",
96 + pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
97 + pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
98 + pl->color[0], pl->color[1], pl->color[2], s) ;
99 + cmdout(tmpbuf) ;
100 + free(tmpbuf);
101 }
102
103 void finish_hps P1H(void) {
104
105
106
107 1.1 app-text/tetex/files/xpdf-3.02pl2.patch
108
109 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/xpdf-3.02pl2.patch?rev=1.1&view=markup
110 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/xpdf-3.02pl2.patch?rev=1.1&content-type=text/plain
111
112 Index: xpdf-3.02pl2.patch
113 ===================================================================
114 Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
115 ===================================================================
116 --- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.cc
117 +++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc
118 @@ -1285,19 +1285,24 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
119 error (-1, "invalid number of columns: %d\n", columns);
120 exit (1);
121 }
122 + else if (columns > INT_MAX - 2) columns = INT_MAX - 2;
123 rows = rowsA;
124 endOfBlock = endOfBlockA;
125 black = blackA;
126 - refLine = (short *)gmallocn(columns + 4, sizeof(short));
127 - codingLine = (short *)gmallocn(columns + 3, sizeof(short));
128 + // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns
129 + // ---> max codingLine size = columns + 1
130 + // refLine has one extra guard entry at the end
131 + // ---> max refLine size = columns + 2
132 + codingLine = (int *)gmallocn(columns + 1, sizeof(int));
133 + refLine = (int *)gmallocn(columns + 2, sizeof(int));
134
135 eof = gFalse;
136 row = 0;
137 nextLine2D = encoding < 0;
138 inputBits = 0;
139 - codingLine[0] = 0;
140 - codingLine[1] = refLine[2] = columns;
141 - a0 = 1;
142 + codingLine[0] = columns;
143 + a0i = 0;
144 + outputBits = 0;
145
146 buf = EOF;
147 }
148 @@ -1316,9 +1321,9 @@ void CCITTFaxStream::reset() {
149 row = 0;
150 nextLine2D = encoding < 0;
151 inputBits = 0;
152 - codingLine[0] = 0;
153 - codingLine[1] = refLine[2] = columns;
154 - a0 = 1;
155 + codingLine[0] = columns;
156 + a0i = 0;
157 + outputBits = 0;
158 buf = EOF;
159
160 // skip any initial zero bits and end-of-line marker, and get the 2D
161 @@ -1335,164 +1340,228 @@ void CCITTFaxStream::reset() {
162 }
163 }
164
165 +inline void CCITTFaxStream::addPixels(int a1, int blackPixels) {
166 + if (a1 > codingLine[a0i]) {
167 + if (a1 > columns) {
168 + error(getPos(), "CCITTFax row is wrong length (%d)", a1);
169 + err = gTrue;
170 + a1 = columns;
171 + }
172 + if ((a0i & 1) ^ blackPixels) {
173 + ++a0i;
174 + }
175 + codingLine[a0i] = a1;
176 + }
177 +}
178 +
179 +inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) {
180 + if (a1 > codingLine[a0i]) {
181 + if (a1 > columns) {
182 + error(getPos(), "CCITTFax row is wrong length (%d)", a1);
183 + err = gTrue;
184 + a1 = columns;
185 + }
186 + if ((a0i & 1) ^ blackPixels) {
187 + ++a0i;
188 + }
189 + codingLine[a0i] = a1;
190 + } else if (a1 < codingLine[a0i]) {
191 + if (a1 < 0) {
192 + error(getPos(), "Invalid CCITTFax code");
193 + err = gTrue;
194 + a1 = 0;
195 + }
196 + while (a0i > 0 && a1 <= codingLine[a0i - 1]) {
197 + --a0i;
198 + }
199 + codingLine[a0i] = a1;
200 + }
201 +}
202 +
203 int CCITTFaxStream::lookChar() {
204 short code1, code2, code3;
205 - int a0New;
206 - GBool err, gotEOL;
207 - int ret;
208 - int bits, i;
209 -
210 - // if at eof just return EOF
211 - if (eof && codingLine[a0] >= columns) {
212 - return EOF;
213 + int b1i, blackPixels, i, bits;
214 + GBool gotEOL;
215 +
216 + if (buf != EOF) {
217 + return buf;
218 }
219
220 // read the next row
221 - err = gFalse;
222 - if (codingLine[a0] >= columns) {
223 + if (outputBits == 0) {
224
225 + // if at eof just return EOF
226 + if (eof) {
227 + return EOF;
228 + }
229 +
230 + err = gFalse;
231 +
232 // 2-D encoding
233 if (nextLine2D) {
234 for (i = 0; codingLine[i] < columns; ++i)
235 refLine[i] = codingLine[i];
236 - refLine[i] = refLine[i + 1] = columns;
237 - b1 = 1;
238 - a0New = codingLine[a0 = 0] = 0;
239 - do {
240 - code1 = getTwoDimCode();
241 + refLine[i++] = columns;
242 + refLine[i] = columns;
243 + codingLine[0] = 0;
244 + a0i = 0;
245 + b1i = 0;
246 + blackPixels = 0;
247 + // invariant:
248 + // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1]
249 + // <= columns
250 + // exception at left edge:
251 + // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible
252 + // exception at right edge:
253 + // refLine[b1i] = refLine[b1i+1] = columns is possible
254 + while (codingLine[a0i] < columns) {
255 + code1 = getTwoDimCode();
256 switch (code1) {
257 - case twoDimPass:
258 - if (refLine[b1] < columns) {
259 - a0New = refLine[b1 + 1];
260 - b1 += 2;
261 - }
262 - break;
263 - case twoDimHoriz:
264 - if ((a0 & 1) == 0) {
265 - code1 = code2 = 0;
266 - do {
267 - code1 += code3 = getWhiteCode();
268 - } while (code3 >= 64);
269 - do {
270 - code2 += code3 = getBlackCode();
271 - } while (code3 >= 64);
272 - } else {
273 - code1 = code2 = 0;
274 - do {
275 - code1 += code3 = getBlackCode();
276 - } while (code3 >= 64);
277 - do {
278 - code2 += code3 = getWhiteCode();
279 - } while (code3 >= 64);
280 - }
281 - if (code1 > 0 || code2 > 0) {
282 - codingLine[a0 + 1] = a0New + code1;
283 - ++a0;
284 - a0New = codingLine[a0 + 1] = codingLine[a0] + code2;
285 - ++a0;
286 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
287 - b1 += 2;
288 - }
289 - break;
290 - case twoDimVert0:
291 - a0New = codingLine[++a0] = refLine[b1];
292 - if (refLine[b1] < columns) {
293 - ++b1;
294 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
295 - b1 += 2;
296 - }
297 - break;
298 - case twoDimVertR1:
299 - a0New = codingLine[++a0] = refLine[b1] + 1;
300 - if (refLine[b1] < columns) {
301 - ++b1;
302 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
303 - b1 += 2;
304 - }
305 - break;
306 - case twoDimVertL1:
307 - if (a0 == 0 || refLine[b1] - 1 > a0New) {
308 - a0New = codingLine[++a0] = refLine[b1] - 1;
309 - --b1;
310 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
311 - b1 += 2;
312 - }
313 - break;
314 - case twoDimVertR2:
315 - a0New = codingLine[++a0] = refLine[b1] + 2;
316 - if (refLine[b1] < columns) {
317 - ++b1;
318 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
319 - b1 += 2;
320 - }
321 - break;
322 - case twoDimVertL2:
323 - if (a0 == 0 || refLine[b1] - 2 > a0New) {
324 - a0New = codingLine[++a0] = refLine[b1] - 2;
325 - --b1;
326 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
327 - b1 += 2;
328 - }
329 - break;
330 - case twoDimVertR3:
331 - a0New = codingLine[++a0] = refLine[b1] + 3;
332 - if (refLine[b1] < columns) {
333 - ++b1;
334 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
335 - b1 += 2;
336 - }
337 - break;
338 - case twoDimVertL3:
339 - if (a0 == 0 || refLine[b1] - 3 > a0New) {
340 - a0New = codingLine[++a0] = refLine[b1] - 3;
341 - --b1;
342 - while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns)
343 - b1 += 2;
344 - }
345 - break;
346 - case EOF:
347 - eof = gTrue;
348 - codingLine[a0 = 0] = columns;
349 - return EOF;
350 - default:
351 - error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
352 - err = gTrue;
353 - break;
354 + case twoDimPass:
355 + addPixels(refLine[b1i + 1], blackPixels);
356 + if (refLine[b1i + 1] < columns) {
357 + b1i += 2;
358 + }
359 + break;
360 + case twoDimHoriz:
361 + code1 = code2 = 0;
362 + if (blackPixels) {
363 + do {
364 + code1 += code3 = getBlackCode();
365 + } while (code3 >= 64);
366 + do {
367 + code2 += code3 = getWhiteCode();
368 + } while (code3 >= 64);
369 + } else {
370 + do {
371 + code1 += code3 = getWhiteCode();
372 + } while (code3 >= 64);
373 + do {
374 + code2 += code3 = getBlackCode();
375 + } while (code3 >= 64);
376 + }
377 + addPixels(codingLine[a0i] + code1, blackPixels);
378 + if (codingLine[a0i] < columns) {
379 + addPixels(codingLine[a0i] + code2, blackPixels ^ 1);
380 + }
381 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
382 + b1i += 2;
383 + }
384 + break;
385 + case twoDimVertR3:
386 + addPixels(refLine[b1i] + 3, blackPixels);
387 + blackPixels ^= 1;
388 + if (codingLine[a0i] < columns) {
389 + ++b1i;
390 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
391 + b1i += 2;
392 + }
393 + }
394 + break;
395 + case twoDimVertR2:
396 + addPixels(refLine[b1i] + 2, blackPixels);
397 + blackPixels ^= 1;
398 + if (codingLine[a0i] < columns) {
399 + ++b1i;
400 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
401 + b1i += 2;
402 + }
403 + }
404 + break;
405 + case twoDimVertR1:
406 + addPixels(refLine[b1i] + 1, blackPixels);
407 + blackPixels ^= 1;
408 + if (codingLine[a0i] < columns) {
409 + ++b1i;
410 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
411 + b1i += 2;
412 + }
413 + }
414 + break;
415 + case twoDimVert0:
416 + addPixels(refLine[b1i], blackPixels);
417 + blackPixels ^= 1;
418 + if (codingLine[a0i] < columns) {
419 + ++b1i;
420 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
421 + b1i += 2;
422 + }
423 + }
424 + break;
425 + case twoDimVertL3:
426 + addPixelsNeg(refLine[b1i] - 3, blackPixels);
427 + blackPixels ^= 1;
428 + if (codingLine[a0i] < columns) {
429 + if (b1i > 0) {
430 + --b1i;
431 + } else {
432 + ++b1i;
433 + }
434 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
435 + b1i += 2;
436 + }
437 + }
438 + break;
439 + case twoDimVertL2:
440 + addPixelsNeg(refLine[b1i] - 2, blackPixels);
441 + blackPixels ^= 1;
442 + if (codingLine[a0i] < columns) {
443 + if (b1i > 0) {
444 + --b1i;
445 + } else {
446 + ++b1i;
447 + }
448 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
449 + b1i += 2;
450 + }
451 + }
452 + break;
453 + case twoDimVertL1:
454 + addPixelsNeg(refLine[b1i] - 1, blackPixels);
455 + blackPixels ^= 1;
456 + if (codingLine[a0i] < columns) {
457 + if (b1i > 0) {
458 + --b1i;
459 + } else {
460 + ++b1i;
461 + }
462 + while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) {
463 + b1i += 2;
464 + }
465 + }
466 + break;
467 + case EOF:
468 + addPixels(columns, 0);
469 + eof = gTrue;
470 + break;
471 + default:
472 + error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1);
473 + addPixels(columns, 0);
474 + err = gTrue;
475 + break;
476 + }
477 }
478 - } while (codingLine[a0] < columns);
479
480 // 1-D encoding
481 } else {
482 - codingLine[a0 = 0] = 0;
483 - while (1) {
484 - code1 = 0;
485 - do {
486 - code1 += code3 = getWhiteCode();
487 - } while (code3 >= 64);
488 - codingLine[a0+1] = codingLine[a0] + code1;
489 - ++a0;
490 - if (codingLine[a0] >= columns)
491 - break;
492 - code2 = 0;
493 - do {
494 - code2 += code3 = getBlackCode();
495 - } while (code3 >= 64);
496 - codingLine[a0+1] = codingLine[a0] + code2;
497 - ++a0;
498 - if (codingLine[a0] >= columns)
499 - break;
500 - }
501 - }
502 -
503 - if (codingLine[a0] != columns) {
504 - error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]);
505 - // force the row to be the correct length
506 - while (codingLine[a0] > columns) {
507 - --a0;
508 + codingLine[0] = 0;
509 + a0i = 0;
510 + blackPixels = 0;
511 + while (codingLine[a0i] < columns) {
512 + code1 = 0;
513 + if (blackPixels) {
514 + do {
515 + code1 += code3 = getBlackCode();
516 + } while (code3 >= 64);
517 + } else {
518 + do {
519 + code1 += code3 = getWhiteCode();
520 + } while (code3 >= 64);
521 + }
522 + addPixels(codingLine[a0i] + code1, blackPixels);
523 + blackPixels ^= 1;
524 + }
525 }
526 - codingLine[++a0] = columns;
527 - err = gTrue;
528 - }
529
530 // byte-align the row
531 if (byteAlign) {
532 @@ -1552,14 +1621,17 @@ int CCITTFaxStream::lookChar() {
533 // this if we know the stream contains end-of-line markers because
534 // the "just plow on" technique tends to work better otherwise
535 } else if (err && endOfLine) {
536 - do {
537 + while (1) {
538 + code1 = lookBits(13);
539 if (code1 == EOF) {
540 eof = gTrue;
541 return EOF;
542 }
543 + if ((code1 >> 1) == 0x001) {
544 + break;
545 + }
546 eatBits(1);
547 - code1 = lookBits(13);
548 - } while ((code1 >> 1) != 0x001);
549 + }
550 eatBits(12);
551 if (encoding > 0) {
552 eatBits(1);
553 @@ -1567,11 +1639,11 @@ int CCITTFaxStream::lookChar() {
554 }
555 }
556
557 - a0 = 0;
558 - outputBits = codingLine[1] - codingLine[0];
559 - if (outputBits == 0) {
560 - a0 = 1;
561 - outputBits = codingLine[2] - codingLine[1];
562 + // set up for output
563 + if (codingLine[0] > 0) {
564 + outputBits = codingLine[a0i = 0];
565 + } else {
566 + outputBits = codingLine[a0i = 1];
567 }
568
569 ++row;
570 @@ -1579,39 +1651,43 @@ int CCITTFaxStream::lookChar() {
571
572 // get a byte
573 if (outputBits >= 8) {
574 - ret = ((a0 & 1) == 0) ? 0xff : 0x00;
575 - if ((outputBits -= 8) == 0) {
576 - ++a0;
577 - if (codingLine[a0] < columns) {
578 - outputBits = codingLine[a0 + 1] - codingLine[a0];
579 - }
580 + buf = (a0i & 1) ? 0x00 : 0xff;
581 + outputBits -= 8;
582 + if (outputBits == 0 && codingLine[a0i] < columns) {
583 + ++a0i;
584 + outputBits = codingLine[a0i] - codingLine[a0i - 1];
585 }
586 } else {
587 bits = 8;
588 - ret = 0;
589 + buf = 0;
590 do {
591 if (outputBits > bits) {
592 - i = bits;
593 - bits = 0;
594 - if ((a0 & 1) == 0) {
595 - ret |= 0xff >> (8 - i);
596 + buf <<= bits;
597 + if (!(a0i & 1)) {
598 + buf |= 0xff >> (8 - bits);
599 }
600 - outputBits -= i;
601 + outputBits -= bits;
602 + bits = 0;
603 } else {
604 - i = outputBits;
605 - bits -= outputBits;
606 - if ((a0 & 1) == 0) {
607 - ret |= (0xff >> (8 - i)) << bits;
608 + buf <<= outputBits;
609 + if (!(a0i & 1)) {
610 + buf |= 0xff >> (8 - outputBits);
611 }
612 + bits -= outputBits;
613 outputBits = 0;
614 - ++a0;
615 - if (codingLine[a0] < columns) {
616 - outputBits = codingLine[a0 + 1] - codingLine[a0];
617 + if (codingLine[a0i] < columns) {
618 + ++a0i;
619 + outputBits = codingLine[a0i] - codingLine[a0i - 1];
620 + } else if (bits > 0) {
621 + buf <<= bits;
622 + bits = 0;
623 }
624 }
625 - } while (bits > 0 && codingLine[a0] < columns);
626 + } while (bits);
627 + }
628 + if (black) {
629 + buf ^= 0xff;
630 }
631 - buf = black ? (ret ^ 0xff) : ret;
632 return buf;
633 }
634
635 @@ -1653,6 +1729,9 @@ short CCITTFaxStream::getWhiteCode() {
636 code = 0; // make gcc happy
637 if (endOfBlock) {
638 code = lookBits(12);
639 + if (code == EOF) {
640 + return 1;
641 + }
642 if ((code >> 5) == 0) {
643 p = &whiteTab1[code];
644 } else {
645 @@ -1665,6 +1744,9 @@ short CCITTFaxStream::getWhiteCode() {
646 } else {
647 for (n = 1; n <= 9; ++n) {
648 code = lookBits(n);
649 + if (code == EOF) {
650 + return 1;
651 + }
652 if (n < 9) {
653 code <<= 9 - n;
654 }
655 @@ -1676,6 +1758,9 @@ short CCITTFaxStream::getWhiteCode() {
656 }
657 for (n = 11; n <= 12; ++n) {
658 code = lookBits(n);
659 + if (code == EOF) {
660 + return 1;
661 + }
662 if (n < 12) {
663 code <<= 12 - n;
664 }
665 @@ -1701,6 +1786,9 @@ short CCITTFaxStream::getBlackCode() {
666 code = 0; // make gcc happy
667 if (endOfBlock) {
668 code = lookBits(13);
669 + if (code == EOF) {
670 + return 1;
671 + }
672 if ((code >> 7) == 0) {
673 p = &blackTab1[code];
674 } else if ((code >> 9) == 0) {
675 @@ -1715,6 +1803,9 @@ short CCITTFaxStream::getBlackCode() {
676 } else {
677 for (n = 2; n <= 6; ++n) {
678 code = lookBits(n);
679 + if (code == EOF) {
680 + return 1;
681 + }
682 if (n < 6) {
683 code <<= 6 - n;
684 }
685 @@ -1726,6 +1817,9 @@ short CCITTFaxStream::getBlackCode() {
686 }
687 for (n = 7; n <= 12; ++n) {
688 code = lookBits(n);
689 + if (code == EOF) {
690 + return 1;
691 + }
692 if (n < 12) {
693 code <<= 12 - n;
694 }
695 @@ -1739,6 +1833,9 @@ short CCITTFaxStream::getBlackCode() {
696 }
697 for (n = 10; n <= 13; ++n) {
698 code = lookBits(n);
699 + if (code == EOF) {
700 + return 1;
701 + }
702 if (n < 13) {
703 code <<= 13 - n;
704 }
705 @@ -1961,6 +2058,12 @@ void DCTStream::reset() {
706 // allocate a buffer for the whole image
707 bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth;
708 bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight;
709 + if (bufWidth <= 0 || bufHeight <= 0 ||
710 + bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) {
711 + error(getPos(), "Invalid image size in DCT stream");
712 + y = height;
713 + return;
714 + }
715 for (i = 0; i < numComps; ++i) {
716 frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int));
717 memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int));
718 @@ -3024,6 +3127,11 @@ GBool DCTStream::readScanInfo() {
719 }
720 scanInfo.firstCoeff = str->getChar();
721 scanInfo.lastCoeff = str->getChar();
722 + if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 ||
723 + scanInfo.firstCoeff > scanInfo.lastCoeff) {
724 + error(getPos(), "Bad DCT coefficient numbers in scan info block");
725 + return gFalse;
726 + }
727 c = str->getChar();
728 scanInfo.ah = (c >> 4) & 0x0f;
729 scanInfo.al = c & 0x0f;
730 Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.h
731 ===================================================================
732 --- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.h
733 +++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h
734 @@ -519,13 +519,15 @@ private:
735 int row; // current row
736 int inputBuf; // input buffer
737 int inputBits; // number of bits in input buffer
738 - short *refLine; // reference line changing elements
739 - int b1; // index into refLine
740 - short *codingLine; // coding line changing elements
741 - int a0; // index into codingLine
742 + int *codingLine; // coding line changing elements
743 + int *refLine; // reference line changing elements
744 + int a0i; // index into codingLine
745 + GBool err; // error on current line
746 int outputBits; // remaining ouput bits
747 int buf; // character buffer
748
749 + void addPixels(int a1, int black);
750 + void addPixelsNeg(int a1, int black);
751 short getTwoDimCode();
752 short getWhiteCode();
753 short getBlackCode();
754
755
756
757 1.1 app-text/tetex/files/digest-tetex-3.0_p1-r5
758
759 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/digest-tetex-3.0_p1-r5?rev=1.1&view=markup
760 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/digest-tetex-3.0_p1-r5?rev=1.1&content-type=text/plain
761
762 Index: digest-tetex-3.0_p1-r5
763 ===================================================================
764 MD5 e7cb60ace25c8c4a964c32895508e3e7 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
765 RMD160 ac8499fcc818c4d8fe69b9e2d7fcbe04514d3a04 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
766 SHA256 30e14cbed1ac1f2f6b5c5f0066c54394d7f2f215fb96ec3870282947ad33c520 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797
767 MD5 24568263880f911452936573211fa4e8 tetex-3.0_p1-gentoo.tar.gz 604
768 RMD160 5da9d211792ab81d072f0fed65ac737aa3074a6b tetex-3.0_p1-gentoo.tar.gz 604
769 SHA256 4e9236349a6d849db06fefcbbf5af7c333199312b461a06840cb8fd2eddd1ac6 tetex-3.0_p1-gentoo.tar.gz 604
770 MD5 0f82ade673335256226d0321e6c5e2cf tetex-src-3.0_p1.tar.gz 13357541
771 RMD160 24d5029619675ce597782562bc1b87052235d461 tetex-src-3.0_p1.tar.gz 13357541
772 SHA256 e67fff941ba95222ac8f0e17395446723fd78045fc2ff548ca40cc72086a4cc1 tetex-src-3.0_p1.tar.gz 13357541
773 MD5 ed9d30d9162d16ac8d5065cde6e0f6fa tetex-texmf-3.0.tar.gz 91402377
774 RMD160 a1e87733fa3cbef04e39a690ed8549aeaaddb241 tetex-texmf-3.0.tar.gz 91402377
775 SHA256 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 tetex-texmf-3.0.tar.gz 91402377
776
777
778
779 --
780 gentoo-commits@g.o mailing list
Report Message
Find on MARC Find on Google Groups