OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Michael Schloh
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 28-Oct-2004 10:51:39
Branch: HEAD Handle: 2004102809513800
Modified files:
openpkg-src/pdflib pdflib.patch pdflib.spec
Log:
modifying package: pdflib-6.0.0p1 20040804 -> 20041028
Summary:
Revision Changes Path
1.5 +16 -403 openpkg-src/pdflib/pdflib.patch
1.32 +6 -3 openpkg-src/pdflib/pdflib.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/pdflib/pdflib.patch
============================================================================
$ cvs diff -u -r1.4 -r1.5 pdflib.patch
--- openpkg-src/pdflib/pdflib.patch 4 Aug 2004 14:01:52 -0000 1.4
+++ openpkg-src/pdflib/pdflib.patch 28 Oct 2004 08:51:38 -0000 1.5
@@ -10,409 +10,22 @@
@-if test "$(WITH_SHARED)" = "yes"; then \
$(LIBTOOL) -n --finish $(libdir);\
else\
-
-Steve G <[EMAIL PROTECTED]>
-Libpng accesses memory that is out of bounds when creating an error message
-
-Index: pngerror.c
---- libs/png/pngerror.c.orig 2002-10-03 13:32:27.000000000 +0200
-+++ libs/png/pngerror.c 2004-04-28 13:24:22.000000000 +0200
-@@ -135,10 +135,13 @@
- buffer[iout] = 0;
- else
- {
-+ png_size_t len;
-+ if ((len = png_strlen(error_message)) > 63)
-+ len = 63;
- buffer[iout++] = ':';
- buffer[iout++] = ' ';
-- png_memcpy(buffer+iout, error_message, 64);
-- buffer[iout+63] = 0;
-+ png_memcpy(buffer+iout, error_message, len);
-+ buffer[iout+len] = 0;
- }
- }
+Index: configure
+--- configure.orig 2004-07-07 20:29:08.000000000 +0200
++++ configure 2004-10-27 17:04:45.110483011 +0200
+@@ -8866,6 +8866,7 @@
+
+
+ # pnglib
++if [ ".$PNGLIBINC" = . -a ".$PNGLIBLINK" = . ]; then
+ if test -d libs/png ; then
+ PNGLIBINC="-I\$(top_builddir)/libs/png"
+ PNGLIBLINK="\$(top_builddir)/libs/png/libpng\$(LA)"
+@@ -8875,6 +8876,7 @@
+ PNGLIBINC=""
+ PNGLIBLINK=""
+ fi
++fi
-Index: libs/png/pngrtran.c
---- libs/png/pngrtran.c.orig 2004-01-26 14:30:33 +0100
-+++ libs/png/pngrtran.c 2004-07-01 12:10:25 +0200
-@@ -1890,8 +1890,8 @@
- /* This changes the data from GG to GGXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1908,8 +1908,8 @@
- /* This changes the data from GG to XXGG */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 2;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-@@ -1966,8 +1966,8 @@
- /* This changes the data from RRGGBB to RRGGBBXX */
- if (flags & PNG_FLAG_FILLER_AFTER)
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 1; i < row_width; i++)
- {
- *(--dp) = hi_filler;
-@@ -1988,8 +1988,8 @@
- /* This changes the data from RRGGBB to XXRRGGBB */
- else
- {
-- png_bytep sp = row + (png_size_t)row_width * 3;
-- png_bytep dp = sp + (png_size_t)row_width;
-+ png_bytep sp = row + (png_size_t)row_width * 6;
-+ png_bytep dp = sp + (png_size_t)row_width * 2;
- for (i = 0; i < row_width; i++)
- {
- *(--dp) = *(--sp);
-
-http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt
-
-> [Problems discovered and fixed by] Chris Evans
->
-> 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c)
-> 2) Dangerous code in png_handle_sBIT (pngrutil.c)
-CAN-2004-0597
-
-> 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c)
-> this flaw is duplicated in multiple other locations.
-CAN-2004-0598
-
-> 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c)
-> 5) Integer overflow in png_read_png (pngread.c)
-> 6) Integer overflows during progressive reading.
-> 7) Other flaws. [integer overflows]
-CAN-2004-0599
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt
- Use to patch libpng-1.0.9 through 1.2.5
- This fixes the most dangerous of the newly reported vulnerabilities
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c
---- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ libs/png/pngrutil.c Fri Jul 23 18:54:36 2004
-@@ -1241,7 +1241,8 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before tRNS");
- }
-- else if (length > (png_uint_32)png_ptr->num_palette)
-+ if (length > (png_uint_32)png_ptr->num_palette ||
-+ length > PNG_MAX_PALETTE_LENGTH)
- {
- png_warning(png_ptr, "Incorrect tRNS chunk length");
- png_crc_finish(png_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt
- Use to patch libpng-1.0.6 through 1.2.5
- This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX,
- and png_get_uint_31(), which are needed by patches 05-08.
-
-diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h
---- libs/png/png.h.orig Thu Oct 3 06:32:26 2002
-+++ libs/png/png.h Fri Jul 23 18:56:27 2004
-@@ -833,7 +833,11 @@
- typedef png_info FAR * FAR * png_infopp;
- /* Maximum positive integer used in PNG is (2^31)-1 */
--#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_32_MAX (~((png_uint_32)0))
-+#define PNG_SIZE_MAX (~((png_size_t)0))
-+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
-+#define PNG_MAX_UINT PNG_UINT_31_MAX
- /* These describe the color_type field in png_info. */
- /* color type masks */
-@@ -2655,6 +2659,8 @@
- PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
- PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
- #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
-+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
-+ png_bytep buf));
-
- /* Initialize png_ptr struct for reading, and allocate any other memory.
- * (old interface - DEPRECATED - use png_create_read_struct instead).
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c
---- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ libs/png/pngrutil.c Fri Jul 23 18:56:27 2004
-@@ -38,6 +38,14 @@
- # endif
- #endif
-
-+png_uint_32 /* PRIVATE */
-+png_get_uint_31(png_structp png_ptr, png_bytep buf)
-+{
-+ png_uint_32 i = png_get_uint_32(buf);
-+ if (i > PNG_UINT_31_MAX)
-+ png_error(png_ptr, "PNG unsigned integer out of range.\n");
-+ return (i);
-+}
- #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
- /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
- png_uint_32 /* PRIVATE */
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt
- Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5.
- Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c
---- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002
-+++ libs/png/pngread.c Fri Jul 23 18:59:57 2004
-@@ -384,7 +384,7 @@
- png_uint_32 length;
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -392,9 +392,6 @@
- png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
- length);
-
-- if (length > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
--
- /* This should be a binary subdivision search or a hash for
- * matching the chunk name rather than a linear search.
- */
-@@ -673,10 +670,7 @@
- png_crc_finish(png_ptr, 0);
-
- png_read_data(png_ptr, chunk_length, 4);
-- png_ptr->idat_size = png_get_uint_32(chunk_length);
--
-- if (png_ptr->idat_size > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
-+ png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -946,15 +940,12 @@
- #endif /* PNG_GLOBAL_ARRAYS */
-
- png_read_data(png_ptr, chunk_length, 4);
-- length = png_get_uint_32(chunk_length);
-+ length = png_get_uint_31(png_ptr,chunk_length);
-
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-
- png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
--
-- if (length > PNG_MAX_UINT)
-- png_error(png_ptr, "Invalid chunk length.");
-
- if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
- png_handle_IHDR(png_ptr, info_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt
- Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't
implement png_read_png().
- Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c
---- libs/png/pngread.c.orig Thu Oct 3 06:32:29 2002
-+++ libs/png/pngread.c Fri Jul 23 19:01:39 2004
-@@ -1299,6 +1299,9 @@
- */
- png_read_info(png_ptr, info_ptr);
-
-+ if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
-+ png_error(png_ptr,"Image is too high to process with png_read_png()");
-+
- /* -------------- image transformations start here ------------------- */
-
- #if defined(PNG_READ_16_TO_8_SUPPORTED)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt
- Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't
implement png_read_png().
- Requires libpng-patch04-*
-
-The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package
maintainer)
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c
---- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ libs/png/pngrutil.c Fri Jul 23 19:02:48 2004
-@@ -1154,8 +1154,18 @@
- }
-
- new_palette.nentries = data_length / entry_size;
-- new_palette.entries = (png_sPLT_entryp)png_malloc(
-+ if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
-+ {
-+ png_warning(png_ptr, "sPLT chunk too long");
-+ return;
-+ }
-+ new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
- png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
-+ if (new_palette.entries == NULL)
-+ {
-+ png_warning(png_ptr, "sPLT chunk requires too much memory");
-+ return;
-+ }
-
- #ifndef PNG_NO_POINTER_INDEXING
- for (i = 0; i < new_palette.nentries; i++)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt
- Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8.
- Libpng-1.0.5 and earlier didn't implement iCCP chunk reading.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c
---- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ libs/png/pngrutil.c Fri Jul 23 19:04:28 2004
-@@ -977,8 +977,7 @@
- png_bytep pC;
- png_charp profile;
- png_uint_32 skip = 0;
-- png_uint_32 profile_size = 0;
-- png_uint_32 profile_length = 0;
-+ png_uint_32 profile_size, profile_length;
- png_size_t slength, prefix_length, data_length;
-
- png_debug(1, "in png_handle_iCCP\n");
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt
- Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and
earlier.
- No security problem. The bugs are similar to the one fixed in patch
- 03, but the only effect is that libpng will fail to detect misplaced
- harmless duplicate chunks.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c
---- libs/png/pngrutil.c.orig Thu Oct 3 06:32:30 2002
-+++ libs/png/pngrutil.c Fri Jul 23 19:05:40 2004
-@@ -579,7 +579,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place gAMA chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -660,7 +660,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sBIT chunk");
- }
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
- {
- png_warning(png_ptr, "Duplicate sBIT chunk");
- png_crc_finish(png_ptr, length);
-@@ -729,7 +729,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Missing PLTE before cHRM");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
- #if defined(PNG_READ_sRGB_SUPPORTED)
- && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -891,7 +891,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place sRGB chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
- {
- png_warning(png_ptr, "Duplicate sRGB chunk");
- png_crc_finish(png_ptr, length);
-@@ -995,7 +995,7 @@
- /* Should be an error, but we can cope with it */
- png_warning(png_ptr, "Out of place iCCP chunk");
-
-- else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
-+ if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
- {
- png_warning(png_ptr, "Duplicate iCCP chunk");
- png_crc_finish(png_ptr, length);
-
-This patch from Chris Evans avoids a host of security problems related
-to buffer overflows that might occur when processing very large images.
-It causes the reader to reject any images claiming to have more rows or
-columns the png format supports.
-
-diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h
---- libs/png/png.h.orig 2002-10-03 12:32:26.000000000 +0100
-+++ libs/png/png.h 2004-07-13 23:18:10.000000000 +0100
-@@ -835,6 +835,9 @@
- /* Maximum positive integer used in PNG is (2^31)-1 */
- #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-
-+/* Constraints on width, height, (2 ^ 24) - 1*/
-+#define PNG_MAX_DIMENSION 16777215
-+
- /* These describe the color_type field in png_info. */
- /* color type masks */
- #define PNG_COLOR_MASK_PALETTE 1
-diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c
---- libs/png/pngrutil.c.orig 2004-07-13 13:36:37.000000000 +0100
-+++ libs/png/pngrutil.c 2004-07-13 23:43:02.000000000 +0100
-@@ -350,7 +350,11 @@
- png_crc_finish(png_ptr, 0);
-
- width = png_get_uint_32(buf);
-+ if (width > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Width is too large");
- height = png_get_uint_32(buf + 4);
-+ if (height > PNG_MAX_DIMENSION)
-+ png_error(png_ptr, "Height is too large");
- bit_depth = buf[8];
- color_type = buf[9];
- compression_type = buf[10];
-@@ -675,7 +679,7 @@
- else
- truelen = (png_size_t)png_ptr->channels;
-
-- if (length != truelen)
-+ if (length != truelen || length > 4)
- {
- png_warning(png_ptr, "Incorrect sBIT chunk length");
- png_crc_finish(png_ptr, length);
-@@ -1400,7 +1405,7 @@
- void /* PRIVATE */
- png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
- {
-- int num, i;
-+ unsigned int num, i;
- png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
-
- png_debug(1, "in png_handle_hIST\n");
-@@ -1426,8 +1431,8 @@
- return;
- }
-
-- num = (int)length / 2 ;
-- if (num != png_ptr->num_palette)
-+ num = length / 2 ;
-+ if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
- {
- png_warning(png_ptr, "Incorrect hIST chunk length");
- png_crc_finish(png_ptr, length);
-@@ -2868,6 +2873,9 @@
- png_read_data(png_ptr, chunk_length, 4);
- png_ptr->idat_size = png_get_uint_32(chunk_length);
-
-+ if (png_ptr->idat_size > PNG_MAX_UINT)
-+ png_error(png_ptr, "Invalid chunk length.");
-+
- png_reset_crc(png_ptr);
- png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))
-
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/pdflib/pdflib.spec
============================================================================
$ cvs diff -u -r1.31 -r1.32 pdflib.spec
--- openpkg-src/pdflib/pdflib.spec 4 Aug 2004 14:01:52 -0000 1.31
+++ openpkg-src/pdflib/pdflib.spec 28 Oct 2004 08:51:38 -0000 1.32
@@ -38,7 +38,7 @@
Group: Graphics
License: PDFlib
Version: %{V_long}
-Release: 20040804
+Release: 20041028
# list of sources
Source0:
http://www.pdflib.com/products/pdflib/download/%{V_comp}src/PDFlib-Lite-%{V_long}.tar.gz
@@ -47,8 +47,8 @@
# build information
Prefix: %{l_prefix}
BuildRoot: %{l_buildroot}
-BuildPreReq: OpenPKG, openpkg >= 20040130, make
-PreReq: OpenPKG, openpkg >= 20040130
+BuildPreReq: OpenPKG, openpkg >= 20040130, png, make
+PreReq: OpenPKG, openpkg >= 20040130, png
AutoReq: no
AutoReqProv: no
@@ -66,12 +66,15 @@
%prep
%setup -q -n PDFlib-Lite-%{V_long}
+ rm -rf libs/png
%patch -p0
%build
CC="%{l_cc}" \
CFLAGS="%{l_cflags -O}" \
INSTALL="%{l_shtool} install -c" \
+ PNGLIBINC="-I%{l_prefix}/include/libpng" \
+ PNGLIBLINK="-lpng -lz" \
./configure \
--prefix=%{l_prefix} \
--disable-shared
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]
