1 |
aballier 07/11/07 23:05:20 |
2 |
|
3 |
Added: tetex-3.0_p1-dvips_bufferoverflow.patch |
4 |
xpdf-3.02pl2.patch digest-tetex-3.0_p1-r5 |
5 |
Log: |
6 |
security fixes for dvips, dviljk bug #198238 and libxpdf bug #196735; quote variables |
7 |
(Portage version: 2.1.3.19) |
8 |
|
9 |
Revision Changes Path |
10 |
1.1 app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch |
11 |
|
12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch?rev=1.1&view=markup |
13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/tetex-3.0_p1-dvips_bufferoverflow.patch?rev=1.1&content-type=text/plain |
14 |
|
15 |
Index: tetex-3.0_p1-dvips_bufferoverflow.patch |
16 |
=================================================================== |
17 |
hps.c (stamp_external, stamp_hps): protext against long strings. |
18 |
From Bastien Roucaries via Norbert, 21 Oct 2007 13:22:19, |
19 |
Debian bug 447081. |
20 |
|
21 |
Index: texk/dvipsk/hps.c |
22 |
=================================================================== |
23 |
--- texk/dvipsk/hps.c (revision 5253) |
24 |
+++ texk/dvipsk/hps.c (revision 5254) |
25 |
@@ -441,20 +441,29 @@ |
26 |
|
27 |
void stamp_hps P1C(Hps_link *, pl) |
28 |
{ |
29 |
- char tmpbuf[200] ; |
30 |
+ char * tmpbuf; |
31 |
if (pl == NULL) { |
32 |
- error("Null pointer, oh no!") ; |
33 |
+ error("stamp_hps: null pl pointer, oh no!") ; |
34 |
return ; |
35 |
- } else { |
36 |
- /* print out the proper pdfm with local page info only |
37 |
- * target info will be in the target dictionary */ |
38 |
- (void)sprintf(tmpbuf, |
39 |
- " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury, |
40 |
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4], |
41 |
- pl->color[0], pl->color[1], pl->color[2]) ; |
42 |
- cmdout(tmpbuf) ; |
43 |
- } |
44 |
+ } |
45 |
+ if(pl->title == NULL) { |
46 |
+ error("stamp_hps: null pl->title pointer, oh no!") ; |
47 |
+ return ; |
48 |
+ } |
49 |
+ |
50 |
+ tmpbuf = (char *) xmalloc(strlen(pl->title)+200); |
51 |
+ |
52 |
+ /* print out the proper pdfm with local page info only |
53 |
+ * target info will be in the target dictionary */ |
54 |
+ (void)sprintf(tmpbuf, |
55 |
+ " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", |
56 |
+ pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury, |
57 |
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4], |
58 |
+ pl->color[0], pl->color[1], pl->color[2]) ; |
59 |
+ cmdout(tmpbuf) ; |
60 |
+ free(tmpbuf); |
61 |
|
62 |
+ |
63 |
} |
64 |
|
65 |
/* For external URL's, we just pass them through as a string. The hyperps |
66 |
@@ -462,18 +471,27 @@ |
67 |
*/ |
68 |
void stamp_external P2C(char *, s, Hps_link *, pl) |
69 |
{ |
70 |
- char tmpbuf[200]; |
71 |
+ char *tmpbuf; |
72 |
if (pl == NULL) { |
73 |
- error("Null pointer, oh no!") ; |
74 |
+ error("stamp_external: null pl pointer, oh no!") ; |
75 |
return ; |
76 |
- } else { |
77 |
- /* print out the proper pdfm with local page info only |
78 |
- * target info will be in the target dictionary */ |
79 |
- (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury, |
80 |
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4], |
81 |
- pl->color[0], pl->color[1], pl->color[2], s) ; |
82 |
- cmdout(tmpbuf) ; |
83 |
- } |
84 |
+ } |
85 |
+ |
86 |
+ if (s == NULL) { |
87 |
+ error("stamp_external: null s pointer, oh no!") ; |
88 |
+ return ; |
89 |
+ } |
90 |
+ |
91 |
+ tmpbuf = (char *) xmalloc(strlen(s) + 200); |
92 |
+ |
93 |
+ /* print out the proper pdfm with local page info only |
94 |
+ * target info will be in the target dictionary */ |
95 |
+ (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", |
96 |
+ pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury, |
97 |
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4], |
98 |
+ pl->color[0], pl->color[1], pl->color[2], s) ; |
99 |
+ cmdout(tmpbuf) ; |
100 |
+ free(tmpbuf); |
101 |
} |
102 |
|
103 |
void finish_hps P1H(void) { |
104 |
|
105 |
|
106 |
|
107 |
1.1 app-text/tetex/files/xpdf-3.02pl2.patch |
108 |
|
109 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/xpdf-3.02pl2.patch?rev=1.1&view=markup |
110 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/xpdf-3.02pl2.patch?rev=1.1&content-type=text/plain |
111 |
|
112 |
Index: xpdf-3.02pl2.patch |
113 |
=================================================================== |
114 |
Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.cc |
115 |
=================================================================== |
116 |
--- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.cc |
117 |
+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc |
118 |
@@ -1285,19 +1285,24 @@ CCITTFaxStream::CCITTFaxStream(Stream *s |
119 |
error (-1, "invalid number of columns: %d\n", columns); |
120 |
exit (1); |
121 |
} |
122 |
+ else if (columns > INT_MAX - 2) columns = INT_MAX - 2; |
123 |
rows = rowsA; |
124 |
endOfBlock = endOfBlockA; |
125 |
black = blackA; |
126 |
- refLine = (short *)gmallocn(columns + 4, sizeof(short)); |
127 |
- codingLine = (short *)gmallocn(columns + 3, sizeof(short)); |
128 |
+ // 0 <= codingLine[0] < codingLine[1] < ... < codingLine[n] = columns |
129 |
+ // ---> max codingLine size = columns + 1 |
130 |
+ // refLine has one extra guard entry at the end |
131 |
+ // ---> max refLine size = columns + 2 |
132 |
+ codingLine = (int *)gmallocn(columns + 1, sizeof(int)); |
133 |
+ refLine = (int *)gmallocn(columns + 2, sizeof(int)); |
134 |
|
135 |
eof = gFalse; |
136 |
row = 0; |
137 |
nextLine2D = encoding < 0; |
138 |
inputBits = 0; |
139 |
- codingLine[0] = 0; |
140 |
- codingLine[1] = refLine[2] = columns; |
141 |
- a0 = 1; |
142 |
+ codingLine[0] = columns; |
143 |
+ a0i = 0; |
144 |
+ outputBits = 0; |
145 |
|
146 |
buf = EOF; |
147 |
} |
148 |
@@ -1316,9 +1321,9 @@ void CCITTFaxStream::reset() { |
149 |
row = 0; |
150 |
nextLine2D = encoding < 0; |
151 |
inputBits = 0; |
152 |
- codingLine[0] = 0; |
153 |
- codingLine[1] = refLine[2] = columns; |
154 |
- a0 = 1; |
155 |
+ codingLine[0] = columns; |
156 |
+ a0i = 0; |
157 |
+ outputBits = 0; |
158 |
buf = EOF; |
159 |
|
160 |
// skip any initial zero bits and end-of-line marker, and get the 2D |
161 |
@@ -1335,164 +1340,228 @@ void CCITTFaxStream::reset() { |
162 |
} |
163 |
} |
164 |
|
165 |
+inline void CCITTFaxStream::addPixels(int a1, int blackPixels) { |
166 |
+ if (a1 > codingLine[a0i]) { |
167 |
+ if (a1 > columns) { |
168 |
+ error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
169 |
+ err = gTrue; |
170 |
+ a1 = columns; |
171 |
+ } |
172 |
+ if ((a0i & 1) ^ blackPixels) { |
173 |
+ ++a0i; |
174 |
+ } |
175 |
+ codingLine[a0i] = a1; |
176 |
+ } |
177 |
+} |
178 |
+ |
179 |
+inline void CCITTFaxStream::addPixelsNeg(int a1, int blackPixels) { |
180 |
+ if (a1 > codingLine[a0i]) { |
181 |
+ if (a1 > columns) { |
182 |
+ error(getPos(), "CCITTFax row is wrong length (%d)", a1); |
183 |
+ err = gTrue; |
184 |
+ a1 = columns; |
185 |
+ } |
186 |
+ if ((a0i & 1) ^ blackPixels) { |
187 |
+ ++a0i; |
188 |
+ } |
189 |
+ codingLine[a0i] = a1; |
190 |
+ } else if (a1 < codingLine[a0i]) { |
191 |
+ if (a1 < 0) { |
192 |
+ error(getPos(), "Invalid CCITTFax code"); |
193 |
+ err = gTrue; |
194 |
+ a1 = 0; |
195 |
+ } |
196 |
+ while (a0i > 0 && a1 <= codingLine[a0i - 1]) { |
197 |
+ --a0i; |
198 |
+ } |
199 |
+ codingLine[a0i] = a1; |
200 |
+ } |
201 |
+} |
202 |
+ |
203 |
int CCITTFaxStream::lookChar() { |
204 |
short code1, code2, code3; |
205 |
- int a0New; |
206 |
- GBool err, gotEOL; |
207 |
- int ret; |
208 |
- int bits, i; |
209 |
- |
210 |
- // if at eof just return EOF |
211 |
- if (eof && codingLine[a0] >= columns) { |
212 |
- return EOF; |
213 |
+ int b1i, blackPixels, i, bits; |
214 |
+ GBool gotEOL; |
215 |
+ |
216 |
+ if (buf != EOF) { |
217 |
+ return buf; |
218 |
} |
219 |
|
220 |
// read the next row |
221 |
- err = gFalse; |
222 |
- if (codingLine[a0] >= columns) { |
223 |
+ if (outputBits == 0) { |
224 |
|
225 |
+ // if at eof just return EOF |
226 |
+ if (eof) { |
227 |
+ return EOF; |
228 |
+ } |
229 |
+ |
230 |
+ err = gFalse; |
231 |
+ |
232 |
// 2-D encoding |
233 |
if (nextLine2D) { |
234 |
for (i = 0; codingLine[i] < columns; ++i) |
235 |
refLine[i] = codingLine[i]; |
236 |
- refLine[i] = refLine[i + 1] = columns; |
237 |
- b1 = 1; |
238 |
- a0New = codingLine[a0 = 0] = 0; |
239 |
- do { |
240 |
- code1 = getTwoDimCode(); |
241 |
+ refLine[i++] = columns; |
242 |
+ refLine[i] = columns; |
243 |
+ codingLine[0] = 0; |
244 |
+ a0i = 0; |
245 |
+ b1i = 0; |
246 |
+ blackPixels = 0; |
247 |
+ // invariant: |
248 |
+ // refLine[b1i-1] <= codingLine[a0i] < refLine[b1i] < refLine[b1i+1] |
249 |
+ // <= columns |
250 |
+ // exception at left edge: |
251 |
+ // codingLine[a0i = 0] = refLine[b1i = 0] = 0 is possible |
252 |
+ // exception at right edge: |
253 |
+ // refLine[b1i] = refLine[b1i+1] = columns is possible |
254 |
+ while (codingLine[a0i] < columns) { |
255 |
+ code1 = getTwoDimCode(); |
256 |
switch (code1) { |
257 |
- case twoDimPass: |
258 |
- if (refLine[b1] < columns) { |
259 |
- a0New = refLine[b1 + 1]; |
260 |
- b1 += 2; |
261 |
- } |
262 |
- break; |
263 |
- case twoDimHoriz: |
264 |
- if ((a0 & 1) == 0) { |
265 |
- code1 = code2 = 0; |
266 |
- do { |
267 |
- code1 += code3 = getWhiteCode(); |
268 |
- } while (code3 >= 64); |
269 |
- do { |
270 |
- code2 += code3 = getBlackCode(); |
271 |
- } while (code3 >= 64); |
272 |
- } else { |
273 |
- code1 = code2 = 0; |
274 |
- do { |
275 |
- code1 += code3 = getBlackCode(); |
276 |
- } while (code3 >= 64); |
277 |
- do { |
278 |
- code2 += code3 = getWhiteCode(); |
279 |
- } while (code3 >= 64); |
280 |
- } |
281 |
- if (code1 > 0 || code2 > 0) { |
282 |
- codingLine[a0 + 1] = a0New + code1; |
283 |
- ++a0; |
284 |
- a0New = codingLine[a0 + 1] = codingLine[a0] + code2; |
285 |
- ++a0; |
286 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
287 |
- b1 += 2; |
288 |
- } |
289 |
- break; |
290 |
- case twoDimVert0: |
291 |
- a0New = codingLine[++a0] = refLine[b1]; |
292 |
- if (refLine[b1] < columns) { |
293 |
- ++b1; |
294 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
295 |
- b1 += 2; |
296 |
- } |
297 |
- break; |
298 |
- case twoDimVertR1: |
299 |
- a0New = codingLine[++a0] = refLine[b1] + 1; |
300 |
- if (refLine[b1] < columns) { |
301 |
- ++b1; |
302 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
303 |
- b1 += 2; |
304 |
- } |
305 |
- break; |
306 |
- case twoDimVertL1: |
307 |
- if (a0 == 0 || refLine[b1] - 1 > a0New) { |
308 |
- a0New = codingLine[++a0] = refLine[b1] - 1; |
309 |
- --b1; |
310 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
311 |
- b1 += 2; |
312 |
- } |
313 |
- break; |
314 |
- case twoDimVertR2: |
315 |
- a0New = codingLine[++a0] = refLine[b1] + 2; |
316 |
- if (refLine[b1] < columns) { |
317 |
- ++b1; |
318 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
319 |
- b1 += 2; |
320 |
- } |
321 |
- break; |
322 |
- case twoDimVertL2: |
323 |
- if (a0 == 0 || refLine[b1] - 2 > a0New) { |
324 |
- a0New = codingLine[++a0] = refLine[b1] - 2; |
325 |
- --b1; |
326 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
327 |
- b1 += 2; |
328 |
- } |
329 |
- break; |
330 |
- case twoDimVertR3: |
331 |
- a0New = codingLine[++a0] = refLine[b1] + 3; |
332 |
- if (refLine[b1] < columns) { |
333 |
- ++b1; |
334 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
335 |
- b1 += 2; |
336 |
- } |
337 |
- break; |
338 |
- case twoDimVertL3: |
339 |
- if (a0 == 0 || refLine[b1] - 3 > a0New) { |
340 |
- a0New = codingLine[++a0] = refLine[b1] - 3; |
341 |
- --b1; |
342 |
- while (refLine[b1] <= codingLine[a0] && refLine[b1] < columns) |
343 |
- b1 += 2; |
344 |
- } |
345 |
- break; |
346 |
- case EOF: |
347 |
- eof = gTrue; |
348 |
- codingLine[a0 = 0] = columns; |
349 |
- return EOF; |
350 |
- default: |
351 |
- error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
352 |
- err = gTrue; |
353 |
- break; |
354 |
+ case twoDimPass: |
355 |
+ addPixels(refLine[b1i + 1], blackPixels); |
356 |
+ if (refLine[b1i + 1] < columns) { |
357 |
+ b1i += 2; |
358 |
+ } |
359 |
+ break; |
360 |
+ case twoDimHoriz: |
361 |
+ code1 = code2 = 0; |
362 |
+ if (blackPixels) { |
363 |
+ do { |
364 |
+ code1 += code3 = getBlackCode(); |
365 |
+ } while (code3 >= 64); |
366 |
+ do { |
367 |
+ code2 += code3 = getWhiteCode(); |
368 |
+ } while (code3 >= 64); |
369 |
+ } else { |
370 |
+ do { |
371 |
+ code1 += code3 = getWhiteCode(); |
372 |
+ } while (code3 >= 64); |
373 |
+ do { |
374 |
+ code2 += code3 = getBlackCode(); |
375 |
+ } while (code3 >= 64); |
376 |
+ } |
377 |
+ addPixels(codingLine[a0i] + code1, blackPixels); |
378 |
+ if (codingLine[a0i] < columns) { |
379 |
+ addPixels(codingLine[a0i] + code2, blackPixels ^ 1); |
380 |
+ } |
381 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
382 |
+ b1i += 2; |
383 |
+ } |
384 |
+ break; |
385 |
+ case twoDimVertR3: |
386 |
+ addPixels(refLine[b1i] + 3, blackPixels); |
387 |
+ blackPixels ^= 1; |
388 |
+ if (codingLine[a0i] < columns) { |
389 |
+ ++b1i; |
390 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
391 |
+ b1i += 2; |
392 |
+ } |
393 |
+ } |
394 |
+ break; |
395 |
+ case twoDimVertR2: |
396 |
+ addPixels(refLine[b1i] + 2, blackPixels); |
397 |
+ blackPixels ^= 1; |
398 |
+ if (codingLine[a0i] < columns) { |
399 |
+ ++b1i; |
400 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
401 |
+ b1i += 2; |
402 |
+ } |
403 |
+ } |
404 |
+ break; |
405 |
+ case twoDimVertR1: |
406 |
+ addPixels(refLine[b1i] + 1, blackPixels); |
407 |
+ blackPixels ^= 1; |
408 |
+ if (codingLine[a0i] < columns) { |
409 |
+ ++b1i; |
410 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
411 |
+ b1i += 2; |
412 |
+ } |
413 |
+ } |
414 |
+ break; |
415 |
+ case twoDimVert0: |
416 |
+ addPixels(refLine[b1i], blackPixels); |
417 |
+ blackPixels ^= 1; |
418 |
+ if (codingLine[a0i] < columns) { |
419 |
+ ++b1i; |
420 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
421 |
+ b1i += 2; |
422 |
+ } |
423 |
+ } |
424 |
+ break; |
425 |
+ case twoDimVertL3: |
426 |
+ addPixelsNeg(refLine[b1i] - 3, blackPixels); |
427 |
+ blackPixels ^= 1; |
428 |
+ if (codingLine[a0i] < columns) { |
429 |
+ if (b1i > 0) { |
430 |
+ --b1i; |
431 |
+ } else { |
432 |
+ ++b1i; |
433 |
+ } |
434 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
435 |
+ b1i += 2; |
436 |
+ } |
437 |
+ } |
438 |
+ break; |
439 |
+ case twoDimVertL2: |
440 |
+ addPixelsNeg(refLine[b1i] - 2, blackPixels); |
441 |
+ blackPixels ^= 1; |
442 |
+ if (codingLine[a0i] < columns) { |
443 |
+ if (b1i > 0) { |
444 |
+ --b1i; |
445 |
+ } else { |
446 |
+ ++b1i; |
447 |
+ } |
448 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
449 |
+ b1i += 2; |
450 |
+ } |
451 |
+ } |
452 |
+ break; |
453 |
+ case twoDimVertL1: |
454 |
+ addPixelsNeg(refLine[b1i] - 1, blackPixels); |
455 |
+ blackPixels ^= 1; |
456 |
+ if (codingLine[a0i] < columns) { |
457 |
+ if (b1i > 0) { |
458 |
+ --b1i; |
459 |
+ } else { |
460 |
+ ++b1i; |
461 |
+ } |
462 |
+ while (refLine[b1i] <= codingLine[a0i] && refLine[b1i] < columns) { |
463 |
+ b1i += 2; |
464 |
+ } |
465 |
+ } |
466 |
+ break; |
467 |
+ case EOF: |
468 |
+ addPixels(columns, 0); |
469 |
+ eof = gTrue; |
470 |
+ break; |
471 |
+ default: |
472 |
+ error(getPos(), "Bad 2D code %04x in CCITTFax stream", code1); |
473 |
+ addPixels(columns, 0); |
474 |
+ err = gTrue; |
475 |
+ break; |
476 |
+ } |
477 |
} |
478 |
- } while (codingLine[a0] < columns); |
479 |
|
480 |
// 1-D encoding |
481 |
} else { |
482 |
- codingLine[a0 = 0] = 0; |
483 |
- while (1) { |
484 |
- code1 = 0; |
485 |
- do { |
486 |
- code1 += code3 = getWhiteCode(); |
487 |
- } while (code3 >= 64); |
488 |
- codingLine[a0+1] = codingLine[a0] + code1; |
489 |
- ++a0; |
490 |
- if (codingLine[a0] >= columns) |
491 |
- break; |
492 |
- code2 = 0; |
493 |
- do { |
494 |
- code2 += code3 = getBlackCode(); |
495 |
- } while (code3 >= 64); |
496 |
- codingLine[a0+1] = codingLine[a0] + code2; |
497 |
- ++a0; |
498 |
- if (codingLine[a0] >= columns) |
499 |
- break; |
500 |
- } |
501 |
- } |
502 |
- |
503 |
- if (codingLine[a0] != columns) { |
504 |
- error(getPos(), "CCITTFax row is wrong length (%d)", codingLine[a0]); |
505 |
- // force the row to be the correct length |
506 |
- while (codingLine[a0] > columns) { |
507 |
- --a0; |
508 |
+ codingLine[0] = 0; |
509 |
+ a0i = 0; |
510 |
+ blackPixels = 0; |
511 |
+ while (codingLine[a0i] < columns) { |
512 |
+ code1 = 0; |
513 |
+ if (blackPixels) { |
514 |
+ do { |
515 |
+ code1 += code3 = getBlackCode(); |
516 |
+ } while (code3 >= 64); |
517 |
+ } else { |
518 |
+ do { |
519 |
+ code1 += code3 = getWhiteCode(); |
520 |
+ } while (code3 >= 64); |
521 |
+ } |
522 |
+ addPixels(codingLine[a0i] + code1, blackPixels); |
523 |
+ blackPixels ^= 1; |
524 |
+ } |
525 |
} |
526 |
- codingLine[++a0] = columns; |
527 |
- err = gTrue; |
528 |
- } |
529 |
|
530 |
// byte-align the row |
531 |
if (byteAlign) { |
532 |
@@ -1552,14 +1621,17 @@ int CCITTFaxStream::lookChar() { |
533 |
// this if we know the stream contains end-of-line markers because |
534 |
// the "just plow on" technique tends to work better otherwise |
535 |
} else if (err && endOfLine) { |
536 |
- do { |
537 |
+ while (1) { |
538 |
+ code1 = lookBits(13); |
539 |
if (code1 == EOF) { |
540 |
eof = gTrue; |
541 |
return EOF; |
542 |
} |
543 |
+ if ((code1 >> 1) == 0x001) { |
544 |
+ break; |
545 |
+ } |
546 |
eatBits(1); |
547 |
- code1 = lookBits(13); |
548 |
- } while ((code1 >> 1) != 0x001); |
549 |
+ } |
550 |
eatBits(12); |
551 |
if (encoding > 0) { |
552 |
eatBits(1); |
553 |
@@ -1567,11 +1639,11 @@ int CCITTFaxStream::lookChar() { |
554 |
} |
555 |
} |
556 |
|
557 |
- a0 = 0; |
558 |
- outputBits = codingLine[1] - codingLine[0]; |
559 |
- if (outputBits == 0) { |
560 |
- a0 = 1; |
561 |
- outputBits = codingLine[2] - codingLine[1]; |
562 |
+ // set up for output |
563 |
+ if (codingLine[0] > 0) { |
564 |
+ outputBits = codingLine[a0i = 0]; |
565 |
+ } else { |
566 |
+ outputBits = codingLine[a0i = 1]; |
567 |
} |
568 |
|
569 |
++row; |
570 |
@@ -1579,39 +1651,43 @@ int CCITTFaxStream::lookChar() { |
571 |
|
572 |
// get a byte |
573 |
if (outputBits >= 8) { |
574 |
- ret = ((a0 & 1) == 0) ? 0xff : 0x00; |
575 |
- if ((outputBits -= 8) == 0) { |
576 |
- ++a0; |
577 |
- if (codingLine[a0] < columns) { |
578 |
- outputBits = codingLine[a0 + 1] - codingLine[a0]; |
579 |
- } |
580 |
+ buf = (a0i & 1) ? 0x00 : 0xff; |
581 |
+ outputBits -= 8; |
582 |
+ if (outputBits == 0 && codingLine[a0i] < columns) { |
583 |
+ ++a0i; |
584 |
+ outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
585 |
} |
586 |
} else { |
587 |
bits = 8; |
588 |
- ret = 0; |
589 |
+ buf = 0; |
590 |
do { |
591 |
if (outputBits > bits) { |
592 |
- i = bits; |
593 |
- bits = 0; |
594 |
- if ((a0 & 1) == 0) { |
595 |
- ret |= 0xff >> (8 - i); |
596 |
+ buf <<= bits; |
597 |
+ if (!(a0i & 1)) { |
598 |
+ buf |= 0xff >> (8 - bits); |
599 |
} |
600 |
- outputBits -= i; |
601 |
+ outputBits -= bits; |
602 |
+ bits = 0; |
603 |
} else { |
604 |
- i = outputBits; |
605 |
- bits -= outputBits; |
606 |
- if ((a0 & 1) == 0) { |
607 |
- ret |= (0xff >> (8 - i)) << bits; |
608 |
+ buf <<= outputBits; |
609 |
+ if (!(a0i & 1)) { |
610 |
+ buf |= 0xff >> (8 - outputBits); |
611 |
} |
612 |
+ bits -= outputBits; |
613 |
outputBits = 0; |
614 |
- ++a0; |
615 |
- if (codingLine[a0] < columns) { |
616 |
- outputBits = codingLine[a0 + 1] - codingLine[a0]; |
617 |
+ if (codingLine[a0i] < columns) { |
618 |
+ ++a0i; |
619 |
+ outputBits = codingLine[a0i] - codingLine[a0i - 1]; |
620 |
+ } else if (bits > 0) { |
621 |
+ buf <<= bits; |
622 |
+ bits = 0; |
623 |
} |
624 |
} |
625 |
- } while (bits > 0 && codingLine[a0] < columns); |
626 |
+ } while (bits); |
627 |
+ } |
628 |
+ if (black) { |
629 |
+ buf ^= 0xff; |
630 |
} |
631 |
- buf = black ? (ret ^ 0xff) : ret; |
632 |
return buf; |
633 |
} |
634 |
|
635 |
@@ -1653,6 +1729,9 @@ short CCITTFaxStream::getWhiteCode() { |
636 |
code = 0; // make gcc happy |
637 |
if (endOfBlock) { |
638 |
code = lookBits(12); |
639 |
+ if (code == EOF) { |
640 |
+ return 1; |
641 |
+ } |
642 |
if ((code >> 5) == 0) { |
643 |
p = &whiteTab1[code]; |
644 |
} else { |
645 |
@@ -1665,6 +1744,9 @@ short CCITTFaxStream::getWhiteCode() { |
646 |
} else { |
647 |
for (n = 1; n <= 9; ++n) { |
648 |
code = lookBits(n); |
649 |
+ if (code == EOF) { |
650 |
+ return 1; |
651 |
+ } |
652 |
if (n < 9) { |
653 |
code <<= 9 - n; |
654 |
} |
655 |
@@ -1676,6 +1758,9 @@ short CCITTFaxStream::getWhiteCode() { |
656 |
} |
657 |
for (n = 11; n <= 12; ++n) { |
658 |
code = lookBits(n); |
659 |
+ if (code == EOF) { |
660 |
+ return 1; |
661 |
+ } |
662 |
if (n < 12) { |
663 |
code <<= 12 - n; |
664 |
} |
665 |
@@ -1701,6 +1786,9 @@ short CCITTFaxStream::getBlackCode() { |
666 |
code = 0; // make gcc happy |
667 |
if (endOfBlock) { |
668 |
code = lookBits(13); |
669 |
+ if (code == EOF) { |
670 |
+ return 1; |
671 |
+ } |
672 |
if ((code >> 7) == 0) { |
673 |
p = &blackTab1[code]; |
674 |
} else if ((code >> 9) == 0) { |
675 |
@@ -1715,6 +1803,9 @@ short CCITTFaxStream::getBlackCode() { |
676 |
} else { |
677 |
for (n = 2; n <= 6; ++n) { |
678 |
code = lookBits(n); |
679 |
+ if (code == EOF) { |
680 |
+ return 1; |
681 |
+ } |
682 |
if (n < 6) { |
683 |
code <<= 6 - n; |
684 |
} |
685 |
@@ -1726,6 +1817,9 @@ short CCITTFaxStream::getBlackCode() { |
686 |
} |
687 |
for (n = 7; n <= 12; ++n) { |
688 |
code = lookBits(n); |
689 |
+ if (code == EOF) { |
690 |
+ return 1; |
691 |
+ } |
692 |
if (n < 12) { |
693 |
code <<= 12 - n; |
694 |
} |
695 |
@@ -1739,6 +1833,9 @@ short CCITTFaxStream::getBlackCode() { |
696 |
} |
697 |
for (n = 10; n <= 13; ++n) { |
698 |
code = lookBits(n); |
699 |
+ if (code == EOF) { |
700 |
+ return 1; |
701 |
+ } |
702 |
if (n < 13) { |
703 |
code <<= 13 - n; |
704 |
} |
705 |
@@ -1961,6 +2058,12 @@ void DCTStream::reset() { |
706 |
// allocate a buffer for the whole image |
707 |
bufWidth = ((width + mcuWidth - 1) / mcuWidth) * mcuWidth; |
708 |
bufHeight = ((height + mcuHeight - 1) / mcuHeight) * mcuHeight; |
709 |
+ if (bufWidth <= 0 || bufHeight <= 0 || |
710 |
+ bufWidth > INT_MAX / bufWidth / (int)sizeof(int)) { |
711 |
+ error(getPos(), "Invalid image size in DCT stream"); |
712 |
+ y = height; |
713 |
+ return; |
714 |
+ } |
715 |
for (i = 0; i < numComps; ++i) { |
716 |
frameBuf[i] = (int *)gmallocn(bufWidth * bufHeight, sizeof(int)); |
717 |
memset(frameBuf[i], 0, bufWidth * bufHeight * sizeof(int)); |
718 |
@@ -3024,6 +3127,11 @@ GBool DCTStream::readScanInfo() { |
719 |
} |
720 |
scanInfo.firstCoeff = str->getChar(); |
721 |
scanInfo.lastCoeff = str->getChar(); |
722 |
+ if (scanInfo.firstCoeff < 0 || scanInfo.lastCoeff > 63 || |
723 |
+ scanInfo.firstCoeff > scanInfo.lastCoeff) { |
724 |
+ error(getPos(), "Bad DCT coefficient numbers in scan info block"); |
725 |
+ return gFalse; |
726 |
+ } |
727 |
c = str->getChar(); |
728 |
scanInfo.ah = (c >> 4) & 0x0f; |
729 |
scanInfo.al = c & 0x0f; |
730 |
Index: tetex-src-3.0/libs/xpdf/xpdf/Stream.h |
731 |
=================================================================== |
732 |
--- tetex-src-3.0.orig/libs/xpdf/xpdf/Stream.h |
733 |
+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h |
734 |
@@ -519,13 +519,15 @@ private: |
735 |
int row; // current row |
736 |
int inputBuf; // input buffer |
737 |
int inputBits; // number of bits in input buffer |
738 |
- short *refLine; // reference line changing elements |
739 |
- int b1; // index into refLine |
740 |
- short *codingLine; // coding line changing elements |
741 |
- int a0; // index into codingLine |
742 |
+ int *codingLine; // coding line changing elements |
743 |
+ int *refLine; // reference line changing elements |
744 |
+ int a0i; // index into codingLine |
745 |
+ GBool err; // error on current line |
746 |
int outputBits; // remaining ouput bits |
747 |
int buf; // character buffer |
748 |
|
749 |
+ void addPixels(int a1, int black); |
750 |
+ void addPixelsNeg(int a1, int black); |
751 |
short getTwoDimCode(); |
752 |
short getWhiteCode(); |
753 |
short getBlackCode(); |
754 |
|
755 |
|
756 |
|
757 |
1.1 app-text/tetex/files/digest-tetex-3.0_p1-r5 |
758 |
|
759 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/digest-tetex-3.0_p1-r5?rev=1.1&view=markup |
760 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-text/tetex/files/digest-tetex-3.0_p1-r5?rev=1.1&content-type=text/plain |
761 |
|
762 |
Index: digest-tetex-3.0_p1-r5 |
763 |
=================================================================== |
764 |
MD5 e7cb60ace25c8c4a964c32895508e3e7 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797 |
765 |
RMD160 ac8499fcc818c4d8fe69b9e2d7fcbe04514d3a04 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797 |
766 |
SHA256 30e14cbed1ac1f2f6b5c5f0066c54394d7f2f215fb96ec3870282947ad33c520 tetex-3.0_p1-dviljk-security-fixes.patch.bz2 8797 |
767 |
MD5 24568263880f911452936573211fa4e8 tetex-3.0_p1-gentoo.tar.gz 604 |
768 |
RMD160 5da9d211792ab81d072f0fed65ac737aa3074a6b tetex-3.0_p1-gentoo.tar.gz 604 |
769 |
SHA256 4e9236349a6d849db06fefcbbf5af7c333199312b461a06840cb8fd2eddd1ac6 tetex-3.0_p1-gentoo.tar.gz 604 |
770 |
MD5 0f82ade673335256226d0321e6c5e2cf tetex-src-3.0_p1.tar.gz 13357541 |
771 |
RMD160 24d5029619675ce597782562bc1b87052235d461 tetex-src-3.0_p1.tar.gz 13357541 |
772 |
SHA256 e67fff941ba95222ac8f0e17395446723fd78045fc2ff548ca40cc72086a4cc1 tetex-src-3.0_p1.tar.gz 13357541 |
773 |
MD5 ed9d30d9162d16ac8d5065cde6e0f6fa tetex-texmf-3.0.tar.gz 91402377 |
774 |
RMD160 a1e87733fa3cbef04e39a690ed8549aeaaddb241 tetex-texmf-3.0.tar.gz 91402377 |
775 |
SHA256 6c3b8fa619749cbb28ca0f8847e56773d13e0bb92f1ea34287420950373640c2 tetex-texmf-3.0.tar.gz 91402377 |
776 |
|
777 |
|
778 |
|
779 |
-- |
780 |
gentoo-commits@g.o mailing list |