Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070907073719-dd049-d06bc819f4c2baf1e0ab04aec21c73b41106d56b.gz;
[tetex-3.0-11terminus1-i686 voroskoi <[EMAIL PROTECTED]>**20070907073719 secfix relbump, closes #2310 ] { hunk ./source/xapps-extra/tetex/FrugalBuild 7 -pkgrel=10 +pkgrel=11terminus1 hunk ./source/xapps-extra/tetex/FrugalBuild 15 -source=(ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-texmf-$pkgver.tar.gz ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-$pkgver.tar.gz) -sha1sums=('10f7d2fa007c95ca066d899fca0e9a8446108824' \ - '7637789f7f4929694aed1b89820f5bad4753e8fc') +source=(ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-texmf-$pkgver.tar.gz \ + ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-$pkgver.tar.gz \ + tetex-3.0-CVE-2005-3193.patch tetex-3.0-CVE-2007-0650.patch tetex-3.0-CVE-2007-3387.patch) +sha1sums=('1be97f57a26a6e9b72ebfd932e45914a959aff16' \ + '7637789f7f4929694aed1b89820f5bad4753e8fc' \ + '4a275b1d9a211e94bc13286d05ef619cdf873770' \ + '28208eb13f493c1c9c6538f254f04fc0c2aaff1e' \ + '3ad00a8f16dd16acc765953e10dc68f181e0a156') hunk ./source/xapps-extra/tetex/FrugalBuild 54 + Fpatchall hunk ./source/xapps-extra/tetex/FrugalBuild 87 -# optimalization OK - -# vim: ft=sh +# optimization OK addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2005-3193.patch hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2005-3193.patch 1 +--- tetex-src-3.0/libs/xpdf/goo/gmem.c.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100 ++++ tetex-src-3.0/libs/xpdf/goo/gmem.c 2006-01-16 15:41:04.000000000 +0100 +@@ -135,6 +135,28 @@ void *grealloc(void *p, int size) { + #endif + } + ++void *gmallocn(int nObjs, int objSize) { ++ int n; ++ ++ n = nObjs * objSize; ++ if (objSize == 0 || n / objSize != nObjs) { ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ exit(1); ++ } ++ return gmalloc(n); ++} ++ ++void *greallocn(void *p, int nObjs, int objSize) { ++ int n; ++ ++ n = nObjs * objSize; ++ if (objSize == 0 || n / objSize != nObjs) { ++ fprintf(stderr, "Bogus memory allocation size\n"); ++ exit(1); ++ } ++ return grealloc(p, n); ++} ++ + void gfree(void *p) { + #ifdef DEBUG_MEM + int size; +--- tetex-src-3.0/libs/xpdf/goo/gmem.h.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100 ++++ tetex-src-3.0/libs/xpdf/goo/gmem.h 2006-01-16 15:41:04.000000000 +0100 +@@ -28,6 +28,15 @@ extern void *gmalloc(int size); + extern void *grealloc(void *p, int size); + + /* ++ * These are similar to gmalloc and grealloc, but take an object count ++ * and size. The result is similar to allocating nObjs * objSize ++ * bytes, but there is an additional error check that the total size ++ * doesn't overflow an int. ++ */ ++extern void *gmallocn(int nObjs, int objSize); ++extern void *greallocn(void *p, int nObjs, int objSize); ++ ++/* + * Same as free, but checks for and ignores NULL pointers. + */ + extern void gfree(void *p); +--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 ++++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2006-01-16 15:41:04.000000000 +0100 +@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le + int segType; + GBool haveSIZ, haveCOD, haveQCD, haveSOT; + Guint precinctSize, style; +- Guint segLen, capabilities, comp, i, j, r; ++ Guint segLen, capabilities, nTiles, comp, i, j, r; + + //----- main header + haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; +@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * +- sizeof(JPXTile)); ++ nTiles = img.nXTiles * img.nYTiles; ++ // check for overflow before allocating memory ++ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * + sizeof(JPXTileComp)); +--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 ++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2006-01-16 15:41:04.000000000 +0100 +@@ -233,6 +233,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -250,6 +252,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ +--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 ++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2006-01-16 15:41:04.000000000 +0100 +@@ -407,18 +407,33 @@ void ImageStream::skipLine() { + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { ++ int totalBits; ++ + str = strA; + predictor = predictorA; + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + + nVals = width * nComps; ++ totalBits = nVals * nBits; ++ if (totalBits == 0 || ++ (totalBits / nBits) / nComps != width || ++ totalBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } ++ if (numComps <= 0 || numComps > 4) { ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-0650.patch hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-0650.patch 1 +--- tetex-src-3.0/texk/makeindexk/mkind.c.CVE-2007-0650 2002-10-02 14:26:37.000000000 +0200 ++++ tetex-src-3.0/texk/makeindexk/mkind.c 2007-02-02 12:29:31.000000000 +0100 +@@ -179,7 +179,9 @@ + argc--; + if (argc <= 0) + FATAL("Expected -p <num>\n",""); +- strcpy(pageno, *++argv); ++ if (strlen(*++argv) >= sizeof(pageno)) ++ FATAL("Page number too high\n",""); ++ strcpy(pageno, *argv); + init_page = TRUE; + if (STREQ(pageno, EVEN)) { + log_given = TRUE; +@@ -230,7 +232,7 @@ + char tmp[STRING_MAX + 5]; + + /* base set by last call to check_idx */ +- sprintf (tmp, "%s%s", base, INDEX_STY); ++ snprintf (tmp, sizeof(tmp), "%s%s", base, INDEX_STY); + if (0 == access(tmp, R_OK)) { + open_sty (tmp); + sty_given = TRUE; +@@ -405,9 +407,9 @@ + STRING_MAX,totmem); + #endif /* DEBUG */ + +- if ((idx_fn = (char *) malloc(STRING_MAX)) == NULL) ++ if ((idx_fn = (char *) malloc(STRING_MAX+5)) == NULL) + FATAL("Not enough core...abort.\n", ""); +- sprintf(idx_fn, "%s%s", base, INDEX_IDX); ++ snprintf(idx_fn, STRING_MAX+5, "%s%s", base, INDEX_IDX); + if ((open_fn && + ((idx_fp = OPEN_IN(idx_fn)) == NULL) + ) || +@@ -434,7 +436,7 @@ + + /* index output file */ + if (!ind_given) { +- sprintf(ind, "%s%s", base, INDEX_IND); ++ snprintf(ind, sizeof(ind), "%s%s", base, INDEX_IND); + ind_fn = ind; + } + if ((ind_fp = OPEN_OUT(ind_fn)) == NULL) +@@ -442,14 +444,14 @@ + + /* index transcript file */ + if (!ilg_given) { +- sprintf(ilg, "%s%s", base, INDEX_ILG); ++ snprintf(ilg, sizeof(ilg), "%s%s", base, INDEX_ILG); + ilg_fn = ilg; + } + if ((ilg_fp = OPEN_OUT(ilg_fn)) == NULL) + FATAL("Can't create transcript file %s.\n", ilg_fn); + + if (log_given) { +- sprintf(log_fn, "%s%s", base, INDEX_LOG); ++ snprintf(log_fn, sizeof(log_fn), "%s%s", base, INDEX_LOG); + if ((log_fp = OPEN_IN(log_fn)) == NULL) { + FATAL("Source log file %s not found.\n", log_fn); + } else { +@@ -505,6 +507,9 @@ + if ((found = kpse_find_file (fn, kpse_ist_format, 1)) == NULL) { + FATAL("Index style file %s not found.\n", fn); + } else { ++ if (strlen(found) >= sizeof(sty_fn)) { ++ FATAL("Style file %s too long.\n", found); ++ } + strcpy(sty_fn,found); + if ((sty_fp = OPEN_IN(sty_fn)) == NULL) { + FATAL("Could not open style file %s.\n", sty_fn); +@@ -512,6 +517,9 @@ + } + #else + if ((path = getenv(STYLE_PATH)) == NULL) { ++ if (strlen(fn) >= sizeof(sty_fn)) { ++ FATAL("Style file %s too long.\n", fn); ++ } + /* style input path not defined */ + strcpy(sty_fn, fn); + sty_fp = OPEN_IN(sty_fn); addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-3387.patch hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-3387.patch 1 +--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2007-3387 2007-07-26 17:13:02.000000000 +0200 ++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2007-07-26 17:21:58.000000000 +0200 +@@ -15,6 +15,7 @@ + #include <stdio.h> + #include <stdlib.h> + #include <stddef.h> ++#include <limits.h> + #ifndef WIN32 + #include <unistd.h> + #endif +@@ -32,6 +33,7 @@ + #include "JBIG2Stream.h" + #include "JPXStream.h" + #include "Stream-CCITT.h" ++#include "GfxState.h" + + #ifdef __DJGPP__ + static GBool setDJSYSFLAGS = gFalse; +@@ -429,6 +431,13 @@ StreamPredictor::StreamPredictor(Stream + if (rowBytes < 0) { + return; + } ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps > gfxColorMaxComps || ++ nBits > 16 || ++ width >= INT_MAX / nComps || // check for overflow in nVals ++ nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; } _______________________________________________ Frugalware-darcs mailing list Frugalware-darcs@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-darcs