rpms/xpdf/F-11 xpdf-3.02pl4.patch,NONE,1.1 xpdf.spec,1.16,1.17
Tom Callaway
spot at fedoraproject.org
Fri Oct 16 20:46:12 UTC 2009
Author: spot
Update of /cvs/pkgs/rpms/xpdf/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29746/F-11
Modified Files:
xpdf.spec
Added Files:
xpdf-3.02pl4.patch
Log Message:
3.02pl4
xpdf-3.02pl4.patch:
splash/SplashBitmap.cc | 35 +!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
xpdf-3.02/splash/Splash.cc | 13 +!!!!!!!!!!!!
xpdf-3.02/splash/SplashErrorCodes.h | 2 ++
xpdf/PSOutputDev.cc | 2 !!
xpdf/Stream.cc | 4 ++++
xpdf/XRef.cc | 18 +++++++++++++++++-
6 files changed, 25 insertions(+), 1 deletion(-), 48 modifications(!)
--- NEW FILE xpdf-3.02pl4.patch ---
*** xpdf-3.02.orig/xpdf/Stream.cc Fri Jul 24 14:30:46 2009
--- xpdf-3.02/xpdf/Stream.cc Mon Oct 5 11:07:49 2009
***************
*** 323,328 ****
--- 323,332 ----
} else {
imgLineSize = nVals;
}
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
imgIdx = nVals;
}
*** xpdf-3.02.orig/xpdf/PSOutputDev.cc Tue Feb 27 14:05:52 2007
--- xpdf-3.02/xpdf/PSOutputDev.cc Fri Oct 2 12:38:58 2009
***************
*** 4301,4307 ****
width, -height, height);
// allocate a line buffer
! lineBuf = (Guchar *)gmalloc(4 * width);
// set up to process the data stream
imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
--- 4301,4307 ----
width, -height, height);
// allocate a line buffer
! lineBuf = (Guchar *)gmallocn(width, 4);
// set up to process the data stream
imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
diff -r -c xpdf-3.02.orig/splash/Splash.cc xpdf-3.02/splash/Splash.cc
*** xpdf-3.02.orig/splash/Splash.cc Tue Feb 27 14:05:52 2007
--- xpdf-3.02/splash/Splash.cc Fri Aug 14 14:05:08 2009
***************
*** 12,17 ****
--- 12,18 ----
#include <stdlib.h>
#include <string.h>
+ #include <limits.h>
#include "gmem.h"
#include "SplashErrorCodes.h"
#include "SplashMath.h"
***************
*** 1912,1918 ****
xq = w % scaledWidth;
// allocate pixel buffer
! pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
// initialize the pixel pipe
pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
--- 1913,1922 ----
xq = w % scaledWidth;
// allocate pixel buffer
! if (yp < 0 || yp > INT_MAX - 1) {
! return splashErrBadArg;
! }
! pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
// initialize the pixel pipe
pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
***************
*** 2208,2216 ****
xq = w % scaledWidth;
// allocate pixel buffers
! colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
if (srcAlpha) {
! alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
} else {
alphaBuf = NULL;
}
--- 2212,2223 ----
xq = w % scaledWidth;
// allocate pixel buffers
! if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
! return splashErrBadArg;
! }
! colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
if (srcAlpha) {
! alphaBuf = (Guchar *)gmallocn(yp + 1, w);
} else {
alphaBuf = NULL;
}
diff -r -c xpdf-3.02.orig/splash/SplashErrorCodes.h xpdf-3.02/splash/SplashErrorCodes.h
*** xpdf-3.02.orig/splash/SplashErrorCodes.h Tue Feb 27 14:05:52 2007
--- xpdf-3.02/splash/SplashErrorCodes.h Fri Aug 14 14:03:46 2009
***************
*** 29,32 ****
--- 29,34 ----
#define splashErrSingularMatrix 8 // matrix is singular
+ #define splashErrBadArg 9 // bad argument
+
#endif
*** xpdf-3.02.orig/splash/SplashBitmap.cc Tue Feb 27 14:05:52 2007
--- xpdf-3.02/splash/SplashBitmap.cc Wed Aug 19 14:55:39 2009
***************
*** 11,16 ****
--- 11,17 ----
#endif
#include <stdio.h>
+ #include <limits.h>
#include "gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
***************
*** 27,56 ****
mode = modeA;
switch (mode) {
case splashModeMono1:
! rowSize = (width + 7) >> 3;
break;
case splashModeMono8:
! rowSize = width;
break;
case splashModeRGB8:
case splashModeBGR8:
! rowSize = width * 3;
break;
#if SPLASH_CMYK
case splashModeCMYK8:
! rowSize = width * 4;
break;
#endif
}
! rowSize += rowPad - 1;
! rowSize -= rowSize % rowPad;
! data = (SplashColorPtr)gmalloc(rowSize * height);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
}
if (alphaA) {
! alpha = (Guchar *)gmalloc(width * height);
} else {
alpha = NULL;
}
--- 28,75 ----
mode = modeA;
switch (mode) {
case splashModeMono1:
! if (width > 0) {
! rowSize = (width + 7) >> 3;
! } else {
! rowSize = -1;
! }
break;
case splashModeMono8:
! if (width > 0) {
! rowSize = width;
! } else {
! rowSize = -1;
! }
break;
case splashModeRGB8:
case splashModeBGR8:
! if (width > 0 && width <= INT_MAX / 3) {
! rowSize = width * 3;
! } else {
! rowSize = -1;
! }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
! if (width > 0 && width <= INT_MAX / 4) {
! rowSize = width * 4;
! } else {
! rowSize = -1;
! }
break;
#endif
}
! if (rowSize > 0) {
! rowSize += rowPad - 1;
! rowSize -= rowSize % rowPad;
! }
! data = (SplashColorPtr)gmallocn(height, rowSize);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
}
if (alphaA) {
! alpha = (Guchar *)gmallocn(width, height);
} else {
alpha = NULL;
}
*** xpdf-3.02.orig/xpdf/XRef.cc Tue Feb 27 14:05:52 2007
--- xpdf-3.02/xpdf/XRef.cc Tue Oct 13 11:57:24 2009
***************
*** 52,57 ****
--- 52,59 ----
// generation 0.
ObjectStream(XRef *xref, int objStrNumA);
+ GBool isOk() { return ok; }
+
~ObjectStream();
// Return the object number of this object stream.
***************
*** 67,72 ****
--- 69,75 ----
int nObjects; // number of objects in the stream
Object *objs; // the objects (length = nObjects)
int *objNums; // the object numbers (length = nObjects)
+ GBool ok;
};
ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
***************
*** 80,85 ****
--- 83,89 ----
nObjects = 0;
objs = NULL;
objNums = NULL;
+ ok = gFalse;
if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
goto err1;
***************
*** 105,110 ****
--- 109,121 ----
goto err1;
}
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
+ goto err1;
+ }
objs = new Object[nObjects];
objNums = (int *)gmallocn(nObjects, sizeof(int));
offsets = (int *)gmallocn(nObjects, sizeof(int));
***************
*** 161,170 ****
}
gfree(offsets);
err1:
objStr.free();
- return;
}
ObjectStream::~ObjectStream() {
--- 172,181 ----
}
gfree(offsets);
+ ok = gTrue;
err1:
objStr.free();
}
ObjectStream::~ObjectStream() {
***************
*** 837,842 ****
--- 848,858 ----
delete objStr;
}
objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
}
objStr->getObject(e->gen, num, obj);
break;
Index: xpdf.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xpdf/F-11/xpdf.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -p -r1.16 -r1.17
--- xpdf.spec 16 Apr 2009 21:08:10 -0000 1.16
+++ xpdf.spec 16 Oct 2009 20:46:11 -0000 1.17
@@ -1,7 +1,7 @@
Summary: A PDF file viewer for the X Window System
Name: xpdf
Version: 3.02
-Release: 13%{?dist}
+Release: 15%{?dist}
License: GPLv2
Epoch: 1
Url: http://www.foolabs.com/xpdf/
@@ -52,6 +52,7 @@ Patch20: xpdf-3.02-mousebuttons_view.pat
Patch100: xpdf-3.02pl1.patch
Patch101: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl2.patch
Patch102: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch
+Patch103: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
# Debian patches
Patch200: 02_permissions.dpatch
@@ -117,6 +118,7 @@ standard X fonts.
%patch100 -p1 -b .security
%patch101 -p1 -b .security2
%patch102 -p1 -b .security3
+%patch103 -p1 -b .security4
# debian patches
%patch200 -p1 -b .permissions
@@ -271,6 +273,14 @@ update-desktop-database &> /dev/null ||:
%{_datadir}/xpdf/latin2
%changelog
+* Fri Oct 16 2009 Tom "spot" Callaway <tcallawa at redhat.com> - 1:3.02-15
+- apply xpdf-3.02pl4 security patch to fix:
+ CVE-2009-3603, CVE-2009-3604, CVE-2009-3605, CVE-2009-3606
+ CVE-2009-3608, CVE-2009-3609
+
+* Mon Jul 27 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:3.02-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
* Thu Apr 16 2009 Tom "spot" Callaway <tcallawa at redhat.com> - 1:3.02-13
- apply xpdf-3.02pl3 security patch to fix:
CVE-2009-0799, CVE-2009-0800, CVE-2009-1179, CVE-2009-1180
More information about the fedora-extras-commits
mailing list