Author: adamg                        Date: Tue Aug 16 08:29:10 2005 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix for a DoS vulnerability (CAN-2005-2097)
- release 10

---- Files affected:
SOURCES:
   xpdf-CAN-2005-2097.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/xpdf-CAN-2005-2097.patch
diff -u /dev/null SOURCES/xpdf-CAN-2005-2097.patch:1.1
--- /dev/null   Tue Aug 16 10:29:10 2005
+++ SOURCES/xpdf-CAN-2005-2097.patch    Tue Aug 16 10:29:05 2005
@@ -0,0 +1,57 @@
+--- xpdf-3.00/fofi/FoFiTrueType.cc     (revision 439182)
++++ xpdf-3.00/fofi/FoFiTrueType.cc     (working copy)
+@@ -1343,6 +1343,27 @@
+     return;
+   }
+ 
++  // make sure the loca table is sane (correct length and entries are
++  // in bounds)
++  i = seekTable("loca");
++  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
++    parsedOk = gFalse;
++    return;
++  }
++  for (j = 0; j <= nGlyphs; ++j) {
++    if (locaFmt) {
++      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
++    } else {
++      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
++    }
++    if (pos < 0 || pos > len) {
++      parsedOk = gFalse;
++    }
++  }
++  if (!parsedOk) {
++    return;
++  }
++
+   // read the post table
+   readPostTable();
+   if (!parsedOk) {
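Review bot: The bounds test `pos < 0 || pos > len` in the added loop compares each loca entry with `len`, which looks like the length of the whole font file (its declaration is outside the hunk), although loca entries are offsets into the glyf table and, in the short format, are stored divided by two. An entry can therefore pass this check and still point past the end of the glyf data once the table offset is added, so later glyph reads would still need their own bounds checks. Consider scaling the short form, `pos = 2 * getU16BE(tables[i].offset + j*2, &parsedOk);`, and comparing against the glyf table's length instead of `len`. The result of `seekTable("loca")` is also used as an index without a test for a missing table; if no earlier check in this function guarantees the table exists, add `if (i < 0) { parsedOk = gFalse; return; }`. The enclosing function starts and ends outside the hunk.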
+--- xpdf-3.00/xpdf/SplashOutputDev.cc  (revision 439182)
++++ xpdf-3.00/xpdf/SplashOutputDev.cc  (working copy)
+@@ -621,16 +621,19 @@
+       }
+       break;
+     case fontTrueType:
+-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
+-      goto err2;
++      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
++      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
++      n = 256;
++      delete ff;
++      } else {
++      codeToGID = NULL;
++      n = 0;
+       }
+-      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+-      delete ff;
+       if (!(fontFile = fontEngine->loadTrueTypeFont(
+                          id,
+                          fileName->getCString(),
+                          fileName == tmpFileName,
+-                         codeToGID, 256))) {
++                         codeToGID, n))) {
+       error(-1, "Couldn't create a font for '%s'",
+             gfxFont->getName() ? gfxFont->getName()->getCString()
+                                : "(unnamed)");
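Review bot: In the `fontTrueType` case a font that `FoFiTrueType::load` has just rejected is no longer skipped via `goto err2`; the new else branch sets `codeToGID = NULL` and `n = 0` and still hands the same file to `fontEngine->loadTrueTypeFont`. That is safe only if `loadTrueTypeFont` (not visible here) accepts a null map with length 0 and validates the file itself, so the assumption deserves a comment at the else branch, e.g. `// parse failed: pass an empty code-to-GID map; loadTrueTypeFont must reject the file itself`. If that guarantee does not hold, keeping the early `goto err2` is the safer behaviour. The switch statement and its function start and end outside the hunk.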
================================================================