rpms/tetex/devel tetex-3.0-CVE-2005-3193.patch, 1.3, 1.4 tetex.spec, 1.79, 1.80
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 17 12:14:16 UTC 2006
Author: jnovy
Update of /cvs/dist/rpms/tetex/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29958
Modified Files:
tetex-3.0-CVE-2005-3193.patch tetex.spec
Log Message:
* Tue Jan 17 2006 Jindrich Novy <jnovy at redhat.com> 3.0-15
- apply the latest patch to fix new xpdf flaws found since the latest
update, thanks to Ludwig Nussel and others (#177912)
tetex-3.0-CVE-2005-3193.patch:
goo/gmem.c | 22 ++++++++++++++++++++++
goo/gmem.h | 9 +++++++++
xpdf/JPXStream.cc | 11 ++++++++---
xpdf/Stream.cc | 33 ++++++++++++++++++++++++++++++++-
xpdf/Stream.h | 3 +++
5 files changed, 74 insertions(+), 4 deletions(-)
Index: tetex-3.0-CVE-2005-3193.patch
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex-3.0-CVE-2005-3193.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- tetex-3.0-CVE-2005-3193.patch 11 Jan 2006 14:41:32 -0000 1.3
+++ tetex-3.0-CVE-2005-3193.patch 17 Jan 2006 12:14:12 -0000 1.4
@@ -1,14 +1,55 @@
---- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2006-01-09 15:15:27.000000000 +0100
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
+--- tetex-src-3.0/libs/xpdf/goo/gmem.c.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/goo/gmem.c 2006-01-16 15:41:04.000000000 +0100
+@@ -135,6 +135,28 @@ void *grealloc(void *p, int size) {
+ #endif
+ }
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le
++void *gmallocn(int nObjs, int objSize) {
++ int n;
++
++ n = nObjs * objSize;
++ if (objSize == 0 || n / objSize != nObjs) {
++ fprintf(stderr, "Bogus memory allocation size\n");
++ exit(1);
++ }
++ return gmalloc(n);
++}
++
++void *greallocn(void *p, int nObjs, int objSize) {
++ int n;
++
++ n = nObjs * objSize;
++ if (objSize == 0 || n / objSize != nObjs) {
++ fprintf(stderr, "Bogus memory allocation size\n");
++ exit(1);
++ }
++ return grealloc(p, n);
++}
++
+ void gfree(void *p) {
+ #ifdef DEBUG_MEM
+ int size;
+--- tetex-src-3.0/libs/xpdf/goo/gmem.h.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/goo/gmem.h 2006-01-16 15:41:04.000000000 +0100
+@@ -28,6 +28,15 @@ extern void *gmalloc(int size);
+ extern void *grealloc(void *p, int size);
+
+ /*
++ * These are similar to gmalloc and grealloc, but take an object count
++ * and size. The result is similar to allocating nObjs * objSize
++ * bytes, but there is an additional error check that the total size
++ * doesn't overflow an int.
++ */
++extern void *gmallocn(int nObjs, int objSize);
++extern void *greallocn(void *p, int nObjs, int objSize);
++
++/*
+ * Same as free, but checks for and ignores NULL pointers.
+ */
+ extern void gfree(void *p);
+--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2006-01-16 15:41:04.000000000 +0100
+@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
@@ -17,30 +58,24 @@
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +702,19 @@ GBool JPXStream::readCodestream(Guint le
+@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
-+ // check for overflow before allocating memory
-+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
-+ img.nXTiles >= INT_MAX/img.nYTiles) {
-+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+ return gFalse;
-+ }
+ nTiles = img.nXTiles * img.nYTiles;
-+ if (nTiles >= INT_MAX/sizeof(JPXTile)) {
++ // check for overflow before allocating memory
++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
-+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
-+
++ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
sizeof(JPXTileComp));
--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2006-01-09 15:15:27.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2006-01-16 15:41:04.000000000 +0100
@@ -233,6 +233,8 @@ public:
~StreamPredictor();
@@ -59,33 +94,31 @@
//------------------------------------------------------------------------
--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2006-01-09 15:15:27.000000000 +0100
-@@ -15,6 +15,7 @@
- #include <stdio.h>
- #include <stdlib.h>
- #include <stddef.h>
-+#include <limits.h>
- #ifndef WIN32
- #include <unistd.h>
- #endif
-@@ -412,13 +413,28 @@ StreamPredictor::StreamPredictor(Stream
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2006-01-16 15:41:04.000000000 +0100
+@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
+
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ int widthA, int nCompsA, int nBitsA) {
++ int totalBits;
++
+ str = strA;
+ predictor = predictorA;
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
-+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-+ nComps >= INT_MAX/nBits ||
-+ width >= INT_MAX/nComps/nBits) {
-+ return;
-+ }
nVals = width * nComps;
-+ if (nVals * nBits + 7 <= 0) {
++ totalBits = nVals * nBits;
++ if (totalBits == 0 ||
++ (totalBits / nBits) / nComps != width ||
++ totalBits + 7 < 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
@@ -97,7 +130,7 @@
}
StreamPredictor::~StreamPredictor() {
-@@ -1012,6 +1028,10 @@ LZWStream::LZWStream(Stream *strA, int p
+@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -108,81 +141,22 @@
} else {
pred = NULL;
}
-@@ -1260,6 +1280,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
- endOfLine = endOfLineA;
- byteAlign = byteAlignA;
- columns = columnsA;
-+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
-+ error(-1, "invalid number of columns: %d", columns);
-+ exit(1);
-+ }
- rows = rowsA;
- endOfBlock = endOfBlockA;
- black = blackA;
-@@ -2897,6 +2921,11 @@ GBool DCTStream::readBaselineSOF() {
+@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
++ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
- if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
-@@ -2923,6 +2952,11 @@ GBool DCTStream::readProgressiveSOF() {
- height = read16();
- width = read16();
- numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
-+ numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
++ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
-@@ -2945,6 +2979,11 @@ GBool DCTStream::readScanInfo() {
-
- length = read16() - 2;
- scanInfo.numComps = str->getChar();
-+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
-+ scanInfo.numComps = 0;
-+ error(getPos(), "Bad number of components in DCT stream");
-+ return gFalse;
-+ }
- --length;
- if (length != 2 * scanInfo.numComps + 3) {
- error(getPos(), "Bad DCT scan info block");
-@@ -3019,12 +3058,12 @@ GBool DCTStream::readHuffmanTables() {
- while (length > 0) {
- index = str->getChar();
- --length;
-- if ((index & 0x0f) >= 4) {
-+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
- error(getPos(), "Bad DCT Huffman table");
- return gFalse;
- }
- if (index & 0x10) {
-- index &= 0x0f;
-+ index &= 0x03;
- if (index >= numACHuffTables)
- numACHuffTables = index+1;
- tbl = &acHuffTables[index];
-@@ -3142,9 +3181,11 @@ int DCTStream::readMarker() {
- do {
- do {
- c = str->getChar();
-+ if(c == EOF) return EOF;
- } while (c != 0xff);
- do {
- c = str->getChar();
-+ if(c == EOF) return EOF;
- } while (c == 0xff);
- } while (c == 0x00);
- return c;
-@@ -3255,6 +3296,10 @@ FlateStream::FlateStream(Stream *strA, i
+@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
@@ -193,95 +167,3 @@
} else {
pred = NULL;
}
---- tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/JBIG2Stream.cc 2006-01-09 15:15:27.000000000 +0100
-@@ -7,6 +7,7 @@
- //========================================================================
-
- #include <aconf.h>
-+#include <limits.h>
-
- #ifdef USE_GCC_PRAGMAS
- #pragma implementation
-@@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
- w = wA;
- h = hA;
- line = (wA + 7) >> 3;
-- data = (Guchar *)gmalloc(h * line);
-+
-+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
-+ error(-1, "invalid width/height");
-+ data = NULL;
-+ return;
-+ }
-+
-+ // need to allocate one extra guard byte for use in combine()
-+ data = (Guchar *)gmalloc(h * line + 1);
-+ data[h * line] = 0;
- }
-
- JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
-@@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
- w = bitmap->w;
- h = bitmap->h;
- line = bitmap->line;
-- data = (Guchar *)gmalloc(h * line);
-+
-+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
-+ error(-1, "invalid width/height");
-+ data = NULL;
-+ return;
-+ }
-+
-+ // need to allocate one extra guard byte for use in combine()
-+ data = (Guchar *)gmalloc(h * line + 1);
- memcpy(data, bitmap->data, h * line);
-+ data[h * line] = 0;
- }
-
- JBIG2Bitmap::~JBIG2Bitmap() {
-@@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
- }
-
- void JBIG2Bitmap::expand(int newH, Guint pixel) {
-- if (newH <= h) {
-+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
-+ error(-1, "invalid width/height");
-+ gfree(data);
-+ data = NULL;
- return;
- }
-- data = (Guchar *)grealloc(data, newH * line);
-+ // need to allocate one extra guard byte for use in combine()
-+ data = (Guchar *)grealloc(data, newH * line + 1);
- if (pixel) {
- memset(data + h * line, 0xff, (newH - h) * line);
- } else {
-@@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
- error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
- return;
- }
-+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
-+ error(getPos(), "Bad size in JBIG2 halftone segment");
-+ return;
-+ }
-+ if (w == 0 || h >= INT_MAX / w) {
-+ error(getPos(), "Bad size in JBIG2 bitmap segment");
-+ return;
-+ }
-+
- patternDict = (JBIG2PatternDict *)seg;
- bpp = 0;
- i = 1;
-@@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
- JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
- int x, y, pix;
-
-+ if (w < 0 || h <= 0 || w >= INT_MAX / h) {
-+ error(-1, "invalid width/height");
-+ return NULL;
-+ }
-+
- bitmap = new JBIG2Bitmap(0, w, h);
- bitmap->clearToZero();
-
Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/devel/tetex.spec,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- tetex.spec 11 Jan 2006 14:41:32 -0000 1.79
+++ tetex.spec 17 Jan 2006 12:14:12 -0000 1.80
@@ -11,7 +11,7 @@
Summary: The TeX text formatting system.
Name: tetex
Version: 3.0
-Release: 14
+Release: 15
License: distributable
Group: Applications/Publishing
Requires: tmpwatch, dialog, ed
@@ -789,6 +789,10 @@
%defattr(-,root,root)
%changelog
+* Tue Jan 17 2006 Jindrich Novy <jnovy at redhat.com> 3.0-15
+- apply the latest patch to fix new xpdf flaws found since the latest
+ update, thanks to Ludwig Nussel and others (#177912)
+
* Mon Jan 11 2006 Jindrich Novy <jnovy at redhat.com> 3.0-14
- apply additional patch to fix xpdf flaws from Ludwig Nussel
(CVE-2005-3191, CVE-2005-3192 and CVE-2005-3193) (#177128)
More information about the fedora-cvs-commits
mailing list