Author: adamg Date: Tue Aug 16 08:29:10 2005 GMT Module: SOURCES Tag: HEAD ---- Log message: - fix for a DoS vulnerability (CAN-2005-2097) - release 10
---- Files affected: SOURCES: xpdf-CAN-2005-2097.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================
Index: SOURCES/xpdf-CAN-2005-2097.patch
diff -u /dev/null SOURCES/xpdf-CAN-2005-2097.patch:1.1
--- /dev/null Tue Aug 16 10:29:10 2005
+++ SOURCES/xpdf-CAN-2005-2097.patch Tue Aug 16 10:29:05 2005
@@ -0,0 +1,57 @@
+--- xpdf-3.00/fofi/FoFiTrueType.cc (revision 439182)
++++ xpdf-3.00/fofi/FoFiTrueType.cc (working copy)
+@@ -1343,6 +1343,27 @@
+ return;
+ }
+
++ // make sure the loca table is sane (correct length and entries are
++ // in bounds)
++ i = seekTable("loca");
++ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
++ parsedOk = gFalse;
++ return;
++ }
++ for (j = 0; j <= nGlyphs; ++j) {
++ if (locaFmt) {
++ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
++ } else {
++ pos = getU16BE(tables[i].offset + j*2, &parsedOk);
++ }
++ if (pos < 0 || pos > len) {
++ parsedOk = gFalse;
++ }
++ }
++ if (!parsedOk) {
++ return;
++ }
++
+ // read the post table
+ readPostTable();
+ if (!parsedOk) {
+--- xpdf-3.00/xpdf/SplashOutputDev.cc (revision 439182)
++++ xpdf-3.00/xpdf/SplashOutputDev.cc (working copy)
+@@ -621,16 +621,19 @@
+ }
+ break;
+ case fontTrueType:
+- if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
+- goto err2;
++ if ((ff = FoFiTrueType::load(fileName->getCString()))) {
++ codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
++ n = 256;
++ delete ff;
++ } else {
++ codeToGID = NULL;
++ n = 0;
+ }
+- codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+- delete ff;
+ if (!(fontFile = fontEngine->loadTrueTypeFont(
+ id,
+ fileName->getCString(),
+ fileName == tmpFileName,
+- codeToGID, 256))) {
++ codeToGID, n))) {
+ error(-1, "Couldn't create a font for '%s'",
+ gfxFont->getName() ? gfxFont->getName()->getCString()
+ : "(unnamed)");
================================================================ _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
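Review bot: The short-format branch of the new loca loop in FoFiTrueType.cc compares the raw 16-bit entry with `len`, but short loca entries hold the glyph offset divided by two, so an entry can pass `pos > len` while the offset it encodes lies beyond the data. I would read it as `pos = 2 * getU16BE(tables[i].offset + j*2, &parsedOk);` so both formats are checked in bytes. The entries are also relative to the glyf table, so a bound against `len` (declared outside the hunk, presumably the whole font buffer) is looser than that table's own length. `seekTable("loca")` is used as an index with no `< 0` test here, which is safe only if the check that ends just above the hunk already requires the table; the enclosing function starts and ends outside the hunk.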
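Review bot: When `FoFiTrueType::load` fails in the `fontTrueType` case of SplashOutputDev.cc, the file is no longer rejected via `goto err2` but handed on to `fontEngine->loadTrueTypeFont` with `codeToGID = NULL` and `n = 0`, so a font that fails the sanity checks still reaches the font engine's parser. If that fallback is intended, a comment on the else branch should say so, e.g. `// parse failed: continue without a code-to-GID map and let the font engine accept or reject the file`. Whether `loadTrueTypeFont` tolerates a NULL map with a zero count is not visible here and is worth confirming. The switch and the function around it start and end outside the hunk.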