Author: gotar Date: Mon Jul 6 00:44:40 2009 GMT Module: packages Tag: HEAD ---- Log message: - rel. 6, fixed: CVE-2009-0799 CVE-2009-1181 CVE-2009-1183 CVE-2009-0146 CVE-2009-0147 CVE-2009-0166 CVE-2009-0800 CVE-2009-1179 CVE-2009-1180 CVE-2009-1182
---- Files affected: packages/xpdf: xpdf.spec (1.119 -> 1.120) , xpdf-3.02pl3.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================
Index: packages/xpdf/xpdf.spec
diff -u packages/xpdf/xpdf.spec:1.119 packages/xpdf/xpdf.spec:1.120
--- packages/xpdf/xpdf.spec:1.119 Mon Apr 20 22:11:02 2009
+++ packages/xpdf/xpdf.spec Mon Jul 6 02:44:35 2009
@@ -18,7 +18,7 @@
 Summary(uk.UTF-8): Програма для перегляду PDF файлів
 Name: xpdf
 Version: 3.02
-Release: 5
+Release: 6
 License: GPL
 Group: X11/Applications
 Source0: ftp://ftp.foolabs.com/pub/xpdf/%{name}-%{version}.tar.gz
@@ -28,23 +28,12 @@
 Source3: %{name}rc
 Patch0: %{name}-remove_protections.patch
 Patch1: %{name}-fontdirs.patch
-Patch2: %{name}-3.02pl1.patch
-Patch3: %{name}-3.02pl2.patch
+Patch2: %{name}-%{version}pl1.patch
+Patch3: %{name}-%{version}pl2.patch
+Patch4: %{name}-%{version}pl3.patch
 # probably obsoleted
-Patch4: %{name}-nonumericlocale.patch
+Patch5: %{name}-nonumericlocale.patch
 URL: http://www.foolabs.com/xpdf/
-# Fix: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch
-BuildRequires: security(CVE-2009-0799)
-BuildRequires: security(CVE-2009-1181)
-BuildRequires: security(CVE-2009-1183)
-BuildRequires: security(CVE-2009-0146)
-BuildRequires: security(CVE-2009-0147)
-BuildRequires: security(CVE-2009-0166)
-BuildRequires: security(CVE-2009-0800)
-BuildRequires: security(CVE-2009-1179)
-BuildRequires: security(CVE-2009-1180)
-BuildRequires: security(CVE-2009-1182)
-####
 %{?with_x:BuildRequires: xorg-lib-libX11-devel}
 BuildRequires: autoconf
 BuildRequires: freetype-devel >= 2.1.0
@@ -124,6 +113,7 @@
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 %build
 %{__autoconf}
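Review bot: The new `Patch4: %{name}-%{version}pl3.patch` line in the patch-list hunk has no record of where the file came from, because the same hunk deletes the only upstream pointer, `# Fix: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch`. The patch is committed as a local copy, so a later maintainer cannot check it against upstream without that reference; I would keep a comment such as `# upstream: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl3.patch` directly above `Patch4`. With the ten `BuildRequires: security(CVE-...)` lines gone, the CVE-to-patch mapping survives only in `$Log$`, so a short comment naming the CVE ids next to `Patch4` would keep it in the spec body. `Patch5` (nonumericlocale) appears to be declared but not applied, judging by the visible `%prep` hunk, which only adds `%patch4 -p1`; the `# probably obsoleted` comment could state that explicitly.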
@@ -187,6 +177,19 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 $Log$
+Revision 1.120 2009/07/06 00:44:35 gotar
+- rel. 6, fixed:
+ CVE-2009-0799
+ CVE-2009-1181
+ CVE-2009-1183
+ CVE-2009-0146
+ CVE-2009-0147
+ CVE-2009-0166
+ CVE-2009-0800
+ CVE-2009-1179
+ CVE-2009-1180
+ CVE-2009-1182
+
 Revision 1.119 2009/04/20 20:11:02 blues
 - more CVE blockers with the same solution
================================================================
Index: packages/xpdf/xpdf-3.02pl3.patch
diff -u /dev/null packages/xpdf/xpdf-3.02pl3.patch:1.1
--- /dev/null Mon Jul 6 02:44:40 2009
+++ packages/xpdf/xpdf-3.02pl3.patch Mon Jul 6 02:44:35 2009
@@ -0,0 +1,1145 @@
+diff -r -c xpdf-3.02.orig/goo/gmem.cc xpdf-3.02/goo/gmem.cc
+*** xpdf-3.02.orig/goo/gmem.cc Tue Feb 27 14:05:51 2007
+--- xpdf-3.02/goo/gmem.cc Thu Mar 19 15:47:25 2009
+***************
+*** 55,61 ****
+ void *data;
+ unsigned long *trl, *p;
+
+! if (size <= 0) {
+ return NULL;
+ }
+ size1 = gMemDataSize(size);
+--- 55,69 ----
+ void *data;
+ unsigned long *trl, *p;
+
+! if (size < 0) {
+! #if USE_EXCEPTIONS
+! throw GMemException();
+! #else
+! fprintf(stderr, "Invalid memory allocation size\n");
+! exit(1);
+! #endif
+! }
+! if (size == 0) {
+ return NULL;
+ }
+ size1 = gMemDataSize(size);
+***************
+*** 91,97 ****
+ #else
+ void *p;
+
+! if (size <= 0) {
+ return NULL;
+ }
+ if (!(p = malloc(size))) {
+--- 99,113 ----
+ #else
+ void *p;
+
+! if (size < 0) {
+! #if USE_EXCEPTIONS
+! throw GMemException();
+! #else
+! fprintf(stderr, "Invalid memory allocation size\n");
+! exit(1);
+! #endif
+! }
+! if (size == 0) {
+ return NULL;
+ }
+ if (!(p = malloc(size))) {
+***************
+*** 112,118 ****
+ void *q;
+ int oldSize;
+
+! if (size <= 0) {
+ if (p) {
+ gfree(p);
+ }
+--- 128,142 ----
+ void *q;
+ int oldSize;
+
+! if (size < 0) {
+! #if USE_EXCEPTIONS
+! throw GMemException();
+! #else
+! fprintf(stderr, "Invalid memory allocation size\n");
+! exit(1);
+! #endif
+! }
+! if (size == 0) {
+ if (p) {
+ gfree(p);
+ }
+***************
+*** 131,137 ****
+ #else
+ void *q;
+
+! if (size <= 0) {
+ if (p) {
+ free(p);
+ }
+--- 155,169 ----
+ #else
+ void *q;
+
+! if (size < 0) {
+! #if USE_EXCEPTIONS
+! throw GMemException();
+! #else
+! fprintf(stderr, "Invalid memory allocation size\n");
+! exit(1);
+! #endif
+! }
+! if (size == 0) {
+ if (p) {
+ free(p);
+ }
+diff -r -c xpdf-3.02.orig/xpdf/JBIG2Stream.cc xpdf-3.02/xpdf/JBIG2Stream.cc
+*** xpdf-3.02.orig/xpdf/JBIG2Stream.cc Tue Feb 27 14:05:52 2007
+--- xpdf-3.02/xpdf/JBIG2Stream.cc Tue Mar 31 10:55:23 2009
+***************
+*** 422,433 ****
+ table[i] = table[len];
+
+ // assign prefixes
+! i = 0;
+! prefix = 0;
+! table[i++].prefix = prefix++;
+! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+! prefix <<= table[i].prefixLen - table[i-1].prefixLen;
+! table[i].prefix = prefix++;
+ }
+ }
+
+--- 422,435 ----
+ table[i] = table[len];
+
+ // assign prefixes
+! if (table[0].rangeLen != jbig2HuffmanEOT) {
+! i = 0;
+! prefix = 0;
+! table[i++].prefix = prefix++;
+! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
+! prefix <<= table[i].prefixLen - table[i-1].prefixLen;
+! table[i].prefix = prefix++;
+! }
+ }
+ }
+
+***************
+*** 491,497 ****
+ }
+ if (p->bits < 0) {
+ error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
+! return 0;
+ }
+ bufLen -= p->bits;
+ return p->n;
+--- 493,499 ----
+ }
+ if (p->bits < 0) {
+ error(str->getPos(), "Bad two dim code in JBIG2 MMR stream");
+! return EOF;
+ }
+ bufLen -= p->bits;
+ return p->n;
+***************
+*** 507,513 ****
+ ++nBytesRead;
+ }
+ while (1) {
+! if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+--- 509,515 ----
+ ++nBytesRead;
+ }
+ while (1) {
+! if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+***************
+*** 550,563 ****
+ ++nBytesRead;
+ }
+ while (1) {
+! if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
+ if (bufLen <= 13) {
+ code = buf << (13 - bufLen);
+ } else {
+ code = buf >> (bufLen - 13);
+ }
+ p = &blackTab1[code & 0x7f];
+! } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+--- 552,566 ----
+ ++nBytesRead;
+ }
+ while (1) {
+! if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
+ if (bufLen <= 13) {
+ code = buf << (13 - bufLen);
+ } else {
+ code = buf >> (bufLen - 13);
+ }
+ p = &blackTab1[code & 0x7f];
+! } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 &&
+! ((buf >> (bufLen - 6)) & 0x03) != 0) {
+ if (bufLen <= 12) {
+ code = buf << (12 - bufLen);
+ } else {
+***************
+*** 683,690 ****
+ h = hA;
+ line = (wA + 7) >> 3;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+! data = NULL;
+! return;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+--- 686,694 ----
+ h = hA;
+ line = (wA + 7) >> 3;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+! // force a call to gmalloc(-1), which will throw an exception
+! h = -1;
+! line = 2;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+***************
+*** 698,705 ****
+ h = bitmap->h;
+ line = bitmap->line;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+! data = NULL;
+! return;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+--- 702,710 ----
+ h = bitmap->h;
+ line = bitmap->line;
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+! // force a call to gmalloc(-1), which will throw an exception
+! h = -1;
+! line = 2;
+ }
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+***************
+*** 754,759 ****
+--- 759,766 ----
+ inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
+ if (y < 0 || y >= h || x >= w) {
+ ptr->p = NULL;
++ ptr->shift = 0; // make gcc happy
++ ptr->x = 0; // make gcc happy
+ } else if (x < 0) {
+ ptr->p = &data[y * line];
+ ptr->shift = 7;
+***************
+*** 798,803 ****
+--- 805,814 ----
+ Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
+ GBool oneByte;
+
++ // check for the pathological case where y = -2^31
++ if (y < -0x7fffffff) {
++ return;
++ }
+ if (y < 0) {
+ y0 = -y;
+ } else {
+***************
+*** 1011,1018 ****
+--- 1022,1034 ----
+ JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA):
+ JBIG2Segment(segNumA)
+ {
++ Guint i;
++
+ size = sizeA;
+ bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *));
++ for (i = 0; i < size; ++i) {
++ bitmaps[i] = NULL;
++ }
+ genericRegionStats = NULL;
+ refinementRegionStats = NULL;
+ }
+***************
+*** 1021,1027 ****
+ Guint i;
+
+ for (i = 0; i < size; ++i) {
+! delete bitmaps[i];
+ }
+ gfree(bitmaps);
+ if (genericRegionStats) {
+--- 1037,1045 ----
+ Guint i;
+
+ for (i = 0; i < size; ++i) {
+! if (bitmaps[i]) {
+! delete bitmaps[i];
+! }
+ }
+ gfree(bitmaps);
+ if (genericRegionStats) {
+***************
+*** 1296,1301 ****
+--- 1314,1326 ----
+ goto eofError2;
+ }
+
++ // check for missing page information segment
++ if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
++ (segType >= 20 && segType <= 43))) {
++ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment");
++ goto syntaxError;
++ }
++
+ // read the segment data
+ switch (segType) {
+ case 0:
+***************
+*** 1411,1416 ****
+--- 1436,1443 ----
+ Guint i, j, k;
+ Guchar *p;
+
++ symWidths = NULL;
++
+ // symbol dictionary flags
+ if (!readUWord(&flags)) {
+ goto eofError;
+***************
+*** 1466,1485 ****
+ codeTables = new GList();
+ numInputSyms = 0;
+ for (i = 0; i < nRefSegs; ++i) {
+! seg = findSegment(refSegs[i]);
+! if (seg->getType() == jbig2SegSymbolDict) {
+! numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
+! } else if (seg->getType() == jbig2SegCodeTable) {
+! codeTables->append(seg);
+ }
+ }
+
+ // compute symbol code length
+! symCodeLen = 0;
+! i = 1;
+! while (i < numInputSyms + numNewSyms) {
+ ++symCodeLen;
+! i <<= 1;
+ }
+
+ // get the input symbol bitmaps
+--- 1493,1524 ----
+ codeTables = new GList();
+ numInputSyms = 0;
+ for (i = 0; i < nRefSegs; ++i) {
+! if ((seg = findSegment(refSegs[i]))) {
+! if (seg->getType() == jbig2SegSymbolDict) {
+! j = ((JBIG2SymbolDict *)seg)->getSize();
+! if (numInputSyms > UINT_MAX - j) {
+! error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+! delete codeTables;
+! goto eofError;
+! }
+! numInputSyms += j;
+! } else if (seg->getType() == jbig2SegCodeTable) {
+! codeTables->append(seg);
+! }
+ }
+ }
++ if (numInputSyms > UINT_MAX - numNewSyms) {
++ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
++ delete codeTables;
++ goto eofError;
++ }
+
+ // compute symbol code length
+! symCodeLen = 1;
+! i = (numInputSyms + numNewSyms) >> 1;
+! while (i) {
+ ++symCodeLen;
+! i >>= 1;
+ }
+
+ // get the input symbol bitmaps
+***************
+*** 1491,1501 ****
+ k = 0;
+ inputSymbolDict = NULL;
+ for (i = 0; i < nRefSegs; ++i) {
+! seg = findSegment(refSegs[i]);
+! if (seg->getType() == jbig2SegSymbolDict) {
+! inputSymbolDict = (JBIG2SymbolDict *)seg;
+! for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+! bitmaps[k++] = inputSymbolDict->getBitmap(j);
+ }
+ }
+ }
+--- 1530,1541 ----
+ k = 0;
+ inputSymbolDict = NULL;
+ for (i = 0; i < nRefSegs; ++i) {
+! if ((seg = findSegment(refSegs[i]))) {
+! if (seg->getType() == jbig2SegSymbolDict) {
+! inputSymbolDict = (JBIG2SymbolDict *)seg;
+! for (j = 0; j < inputSymbolDict->getSize(); ++j) {
+! bitmaps[k++] = inputSymbolDict->getBitmap(j);
+! }
+ }
+ }
+ }
+***************
+*** 1510,1515 ****
+--- 1550,1558 ----
+ } else if (huffDH == 1) {
+ huffDHTable = huffTableE;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffDW == 0) {
+***************
+*** 1517,1533 ****
+--- 1560,1585 ----
+ } else if (huffDW == 1) {
+ huffDWTable = huffTableC;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffBMSize == 0) {
+ huffBMSizeTable = huffTableA;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffBMSizeTable =
+ ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+ if (huffAggInst == 0) {
+ huffAggInstTable = huffTableA;
+ } else {
++ if (i >= (Guint)codeTables->getLength()) {
++ goto codeTableError;
++ }
+ huffAggInstTable =
+ ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
+ }
+***************
+*** 1560,1566 ****
+ }
+
+ // allocate symbol widths storage
+- symWidths = NULL;
+ if (huff && !refAgg) {
+ symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
+ }
+--- 1612,1617 ----
+***************
+*** 1602,1607 ****
+--- 1653,1662 ----
+ goto syntaxError;
+ }
+ symWidth += dw;
++ if (i >= numNewSyms) {
++ error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
++ goto syntaxError;
++ }
+
+ // using a collective bitmap, so don't read a bitmap here
+ if (huff && !refAgg) {
+***************
+*** 1638,1643 ****
+--- 1693,1702 ----
+ arithDecoder->decodeInt(&refDX, iardxStats);
+ arithDecoder->decodeInt(&refDY, iardyStats);
+ }
++ if (symID >= numInputSyms + i) {
++ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
++ goto syntaxError;
++ }
+ refBitmap = bitmaps[symID];
+ bitmaps[numInputSyms + i] =
+ readGenericRefinementRegion(symWidth, symHeight,
+***************
+*** 1704,1709 ****
+--- 1763,1774 ----
+ } else {
+ arithDecoder->decodeInt(&run, iaexStats);
+ }
++ if (i + run > numInputSyms + numNewSyms ||
++ (ex && j + run > numExSyms)) {
++ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
++ delete symbolDict;
++ goto syntaxError;
++ }
+ if (ex) {
+ for (cnt = 0; cnt < run; ++cnt) {
+ symbolDict->setBitmap(j++, bitmaps[i++]->copy());
+***************
+*** 1713,1718 ****
+--- 1778,1788 ----
+ }
+ ex = !ex;
+ }
++ if (j != numExSyms) {
++ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
++ delete symbolDict;
++ goto syntaxError;
++ }
+
+ for (i = 0; i < numNewSyms; ++i) {
+ delete bitmaps[numInputSyms + i];
+***************
+*** 1735,1740 ****
+--- 1805,1814 ----
+
+ return gTrue;
+
++ codeTableError:
<<Diff was trimmed, longer than 597 lines>>
---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/xpdf/xpdf.spec?r1=1.119&r2=1.120&f=u
_______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
