OpenSDE
/
rocklinux
mirror of https://github.com/amery/rocklinux.git
2
0
Fork 0
Code Releases Wiki Activity
mirror of the now-defunct rocklinux.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3991 Commits
1 Branch
0 Tags
34 MiB
Tree: f0d07470bd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f0d07470bd'
${ noResults }
rocklinux/package/rene/xpdf/xpdf-3.00pl1-overflowfix.pa...

231 lines
5.5 KiB
Raw Normal View History

fake: xpdf: add a small patch updating it to 3.00pl1 SECURITY FIX, please add to -stable, fixes CAN-2004-0888 and CAN-2004-0889. [2004112415184020731] (https://www.rocklinux.net/submaster) git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@4812 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
20 years ago
  1. --- ./xpdf/XRef.cc.orig 2004-11-24 15:01:16.444656632 +0100
  2. +++ ./xpdf/XRef.cc 2004-11-24 15:00:57.007611512 +0100
  3. @@ -96,7 +96,7 @@
  4. }
  5. nObjects = obj1.getInt();
  6. obj1.free();
  7. - if (nObjects == 0) {
  8. + if (nObjects <= 0) {
  9. goto err1;
  10. }
  12. @@ -106,6 +106,9 @@
  13. }
  14. first = obj1.getInt();
  15. obj1.free();
  16. + if (first < 0) {
  17. + goto err1;
  18. + }
  20. objs = new Object[nObjects];
  21. objNums = (int *)gmalloc(nObjects * sizeof(int));
  22. @@ -130,6 +133,12 @@
  23. offsets[i] = obj2.getInt();
  24. obj1.free();
  25. obj2.free();
  26. + if (objNums[i] < 0 || offsets[i] < 0 ||
  27. + (i > 0 && offsets[i] < offsets[i-1])) {
  28. + delete parser;
  29. + gfree(offsets);
  30. + goto err1;
  31. + }
  32. }
  33. while (str->getChar() != EOF) ;
  34. delete parser;
  35. @@ -369,10 +378,16 @@
  36. }
  37. n = obj.getInt();
  38. obj.free();
  39. + if (first < 0 || n < 0 || first + n < 0) {
  40. + goto err1;
  41. + }
  42. if (first + n > size) {
  43. for (newSize = size ? 2 * size : 1024;
  44. - first + n > newSize;
  45. + first + n > newSize && newSize > 0;
  46. newSize <<= 1) ;
  47. + if (newSize < 0) {
  48. + goto err1;
  49. + }
  50. entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
  51. for (i = size; i < newSize; ++i) {
  52. entries[i].offset = 0xffffffff;
  53. @@ -443,7 +458,7 @@
  55. // check for an 'XRefStm' key
  56. if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
  57. - pos2 = obj2.getInt();
  58. + pos2 = (Guint)obj2.getInt();
  59. readXRef(&pos2);
  60. if (!ok) {
  61. goto err1;
  62. @@ -474,6 +489,9 @@
  63. }
  64. newSize = obj.getInt();
  65. obj.free();
  66. + if (newSize < 0) {
  67. + goto err1;
  68. + }
  69. if (newSize > size) {
  70. entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
  71. for (i = size; i < newSize; ++i) {
  72. @@ -494,6 +512,9 @@
  73. }
  74. w[i] = obj2.getInt();
  75. obj2.free();
  76. + if (w[i] < 0 || w[i] > 4) {
  77. + goto err1;
  78. + }
  79. }
  80. obj.free();
  82. @@ -513,13 +534,14 @@
  83. }
  84. n = obj.getInt();
  85. obj.free();
  86. - if (!readXRefStreamSection(xrefStr, w, first, n)) {
  87. + if (first < 0 || n < 0 ||
  88. + !readXRefStreamSection(xrefStr, w, first, n)) {
  89. idx.free();
  90. goto err0;
  91. }
  92. }
  93. } else {
  94. - if (!readXRefStreamSection(xrefStr, w, 0, size)) {
  95. + if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
  96. idx.free();
  97. goto err0;
  98. }
  99. @@ -551,10 +573,16 @@
  100. Guint offset;
  101. int type, gen, c, newSize, i, j;
  103. + if (first + n < 0) {
  104. + return gFalse;
  105. + }
  106. if (first + n > size) {
  107. for (newSize = size ? 2 * size : 1024;
  108. - first + n > newSize;
  109. + first + n > newSize && newSize > 0;
  110. newSize <<= 1) ;
  111. + if (newSize < 0) {
  112. + return gFalse;
  113. + }
  114. entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
  115. for (i = size; i < newSize; ++i) {
  116. entries[i].offset = 0xffffffff;
  117. @@ -585,24 +613,26 @@
  118. }
  119. gen = (gen << 8) + c;
  120. }
  121. - switch (type) {
  122. - case 0:
  123. - entries[i].offset = offset;
  124. - entries[i].gen = gen;
  125. - entries[i].type = xrefEntryFree;
  126. - break;
  127. - case 1:
  128. - entries[i].offset = offset;
  129. - entries[i].gen = gen;
  130. - entries[i].type = xrefEntryUncompressed;
  131. - break;
  132. - case 2:
  133. - entries[i].offset = offset;
  134. - entries[i].gen = gen;
  135. - entries[i].type = xrefEntryCompressed;
  136. - break;
  137. - default:
  138. - return gFalse;
  139. + if (entries[i].offset == 0xffffffff) {
  140. + switch (type) {
  141. + case 0:
  142. + entries[i].offset = offset;
  143. + entries[i].gen = gen;
  144. + entries[i].type = xrefEntryFree;
  145. + break;
  146. + case 1:
  147. + entries[i].offset = offset;
  148. + entries[i].gen = gen;
  149. + entries[i].type = xrefEntryUncompressed;
  150. + break;
  151. + case 2:
  152. + entries[i].offset = offset;
  153. + entries[i].gen = gen;
  154. + entries[i].type = xrefEntryCompressed;
  155. + break;
  156. + default:
  157. + return gFalse;
  158. + }
  159. }
  160. }
  162. @@ -664,38 +694,44 @@
  163. // look for object
  164. } else if (isdigit(*p)) {
  165. num = atoi(p);
  166. - do {
  167. - ++p;
  168. - } while (*p && isdigit(*p));
  169. - if (isspace(*p)) {
  170. + if (num > 0) {
  171. do {
  172. ++p;
  173. - } while (*p && isspace(*p));
  174. - if (isdigit(*p)) {
  175. - gen = atoi(p);
  176. + } while (*p && isdigit(*p));
  177. + if (isspace(*p)) {
  178. do {
  179. ++p;
  180. - } while (*p && isdigit(*p));
  181. - if (isspace(*p)) {
  182. + } while (*p && isspace(*p));
  183. + if (isdigit(*p)) {
  184. + gen = atoi(p);
  185. do {
  186. ++p;
  187. - } while (*p && isspace(*p));
  188. - if (!strncmp(p, "obj", 3)) {
  189. - if (num >= size) {
  190. - newSize = (num + 1 + 255) & ~255;
  191. - entries = (XRefEntry *)
  192. - grealloc(entries, newSize * sizeof(XRefEntry));
  193. - for (i = size; i < newSize; ++i) {
  194. - entries[i].offset = 0xffffffff;
  195. - entries[i].type = xrefEntryFree;
  196. + } while (*p && isdigit(*p));
  197. + if (isspace(*p)) {
  198. + do {
  199. + ++p;
  200. + } while (*p && isspace(*p));
  201. + if (!strncmp(p, "obj", 3)) {
  202. + if (num >= size) {
  203. + newSize = (num + 1 + 255) & ~255;
  204. + if (newSize < 0) {
  205. + error(-1, "Bad object number");
  206. + return gFalse;
  207. + }
  208. + entries = (XRefEntry *)
  209. + grealloc(entries, newSize * sizeof(XRefEntry));
  210. + for (i = size; i < newSize; ++i) {
  211. + entries[i].offset = 0xffffffff;
  212. + entries[i].type = xrefEntryFree;
  213. + }
  214. + size = newSize;
  215. + }
  216. + if (entries[num].type == xrefEntryFree ||
  217. + gen >= entries[num].gen) {
  218. + entries[num].offset = pos - start;
  219. + entries[num].gen = gen;
  220. + entries[num].type = xrefEntryUncompressed;
  221. }
  222. - size = newSize;
  223. - }
  224. - if (entries[num].type == xrefEntryFree ||
  225. - gen >= entries[num].gen) {
  226. - entries[num].offset = pos - start;
  227. - entries[num].gen = gen;
  228. - entries[num].type = xrefEntryUncompressed;
  229. }
  230. }
  231. }