rpms/xpdf/FC-4 xpdf-3.01-CAN-2005-3193.patch, NONE, 1.1 xpdf.spec, 1.56, 1.57
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 10 13:01:18 UTC 2006
Author: karsten
Update of /cvs/dist/rpms/xpdf/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv20841
Modified Files:
xpdf.spec
Added Files:
xpdf-3.01-CAN-2005-3193.patch
Log Message:
- fix CAN-2005-3193
xpdf-3.01-CAN-2005-3193.patch:
goo/gmem.c | 5 +++--
xpdf/JBIG2Stream.cc | 6 ++++++
xpdf/Stream.cc | 13 ++++++++++---
3 files changed, 19 insertions(+), 5 deletions(-)
--- NEW FILE xpdf-3.01-CAN-2005-3193.patch ---
diff -urN xpdf-3.01_old/goo/gmem.c xpdf-3.01_new/goo/gmem.c
--- xpdf-3.01_old/goo/gmem.c 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/goo/gmem.c 2006-01-10 13:01:13.000000000 +0100
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
+#include <limits.h>
#include "gmem.h"
#ifdef DEBUG_MEM
@@ -141,7 +142,7 @@
int n;
n = nObjs * objSize;
- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
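Review bot: `n = nObjs * objSize;` still runs before the new range check, so the signed multiplication can overflow (undefined behaviour in C) before the guard rejects the request. The new condition no longer reads `n`, so the assignment can move below the check: validate first, then `n = nObjs * objSize;`. The same ordering appears in the next hunk (@@ -152,7 +153,7 @@) and needs the same change. Both function bodies start outside the hunks.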
@@ -152,7 +153,7 @@
int n;
n = nObjs * objSize;
- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
diff -urN xpdf-3.01_old/xpdf/JBIG2Stream.cc xpdf-3.01_new/xpdf/JBIG2Stream.cc
--- xpdf-3.01_old/xpdf/JBIG2Stream.cc 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/xpdf/JBIG2Stream.cc 2006-01-10 13:08:26.000000000 +0100
@@ -684,6 +684,7 @@
line = (wA + 7) >> 3;
if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ error(-1, "invalid width/height");
data = NULL;
}
else {
@@ -701,6 +702,7 @@
line = bitmap->line;
if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ error(-1, "invalid width/height");
data = NULL;
return;
}
@@ -734,6 +736,9 @@
void JBIG2Bitmap::expand(int newH, Guint pixel) {
if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
+ error(-1, "invalid width/height");
+ gfree(data);
+ data = NULL;
return;
}
// need to allocate one extra guard byte for use in combine()
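Review bot: The added `gfree(data); data = NULL;` runs for every branch of the guard, including `newH <= h`, which is a request that needs no growth rather than an overflow. A caller that passes a height no larger than the current one would now lose the bitmap contents, with `w` and `h` still describing a buffer that is gone; whether any caller does so is not visible here. Splitting the guard keeps the no-op case intact: `if (newH <= h) return;` first, then the `line <= 0 || newH >= INT_MAX / line` test with the error and the free. The rest of expand() lies outside the hunk.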
@@ -2959,6 +2964,7 @@
int x, y, pix;
if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ error(-1, "invalid width/height");
return NULL;
bitmap = new JBIG2Bitmap(0, w, h);
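Review bot: The `if` at the top of this hunk has no braces, so the added `error(-1, "invalid width/height");` becomes its only body and `return NULL;` now executes unconditionally. Every call would return NULL, and the `new JBIG2Bitmap(0, w, h)` below becomes unreachable. Wrap both statements: `if (w < 0 || h <= 0 || w >= INT_MAX / h) { error(-1, "invalid width/height"); return NULL; }`. The enclosing function starts and ends outside the hunk.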
diff -urN xpdf-3.01_old/xpdf/Stream.cc xpdf-3.01_new/xpdf/Stream.cc
--- xpdf-3.01_old/xpdf/Stream.cc 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/xpdf/Stream.cc 2006-01-10 13:22:48.000000000 +0100
@@ -1276,8 +1276,10 @@
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
- if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
- columns = 1;
+ if (columns < 1 || columns + 2 < 0 || columns + 3 < 0 ||
+ (columns + 2) >= INT_MAX / sizeof(short) || (columns + 3) >= INT_MAX / sizeof(short)) {
+ error(-1, "invalid number of columns");
+ exit(1);
}
rows = rowsA;
endOfBlock = endOfBlockA;
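Review bot: The tests `columns + 2 < 0` and `columns + 3 < 0` detect overflow by relying on signed wraparound, which is undefined behaviour, and a compiler may drop them once `columns < 1` has been ruled out. One bound on `columns` itself covers all five terms: `if (columns < 1 || columns >= INT_MAX / (int)sizeof(short) - 3) {`. Separately, `exit(1)` ends the whole process on a malformed stream, where the previous code clamped to 1 and continued; a comment stating that this is intentional would help. The enclosing function continues outside the hunk.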
@@ -2920,6 +2922,7 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
error(getPos(), "Bad number of components in DCT stream", prec);
return gFalse;
}
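Review bot: The reason for `numComps = 0;` is not stated, and it is not obvious why a field is written on a path that immediately returns gFalse. Presumably it keeps later code that loops over `numComps` from running with the out-of-range value read from the stream. If so, a comment such as `// reset so later per-component loops see no components after a bad header` belongs above it. The same applies to the next hunk (@@ -2950,6 +2953,7 @@) and to `scanInfo.numComps = 0;` in @@ -2976,6 +2980,7 @@. The enclosing functions start outside the hunks.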
@@ -2950,6 +2953,7 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
error(getPos(), "Bad number of components in DCT stream", prec);
return gFalse;
}
@@ -2976,6 +2980,7 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ scanInfo.numComps = 0;
error(getPos(), "Bad number of components in DCT stream");
return gFalse;
}
@@ -3186,9 +3191,11 @@
do {
do {
c = str->getChar();
- } while (c != 0xff && c != EOF);
+ if(c == EOF) return EOF;
+ } while (c != 0xff);
do {
c = str->getChar();
+ if(c == EOF) return EOF;
} while (c == 0xff);
} while (c == 0x00);
return c;
Index: xpdf.spec
===================================================================
RCS file: /cvs/dist/rpms/xpdf/FC-4/xpdf.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- xpdf.spec 14 Dec 2005 21:22:02 -0000 1.56
+++ xpdf.spec 10 Jan 2006 13:00:43 -0000 1.57
@@ -5,7 +5,7 @@
Summary: A PDF file viewer for the X Window System.
Name: xpdf
Version: 3.01
-Release: 0.FC4.5
+Release: 0.FC4.6
License: GPL
Epoch: 1
Url: http://www.foolabs.com/xpdf/
@@ -31,6 +31,7 @@
Patch12: xpdf-3.00-64bit.patch
Patch13: xpdf-3.01-resize.patch
Patch15: xpdf-3.01-CVE-2005-3191.patch
+Patch16: xpdf-3.01-CAN-2005-3193.patch
Requires: urw-fonts
Requires: htmlview
@@ -116,6 +117,7 @@
%patch12 -p1 -b .alloc
%patch13 -p1 -b .resize
%patch15 -p1 -b .CVE-2005-3191
+%patch16 -p1 -b .CVE-2005-3193
%build
find -name "*orig" | xargs rm -f
@@ -203,6 +205,9 @@
%lang(ko) %{_datadir}/xpdf/korean
%changelog
+* Tue Jan 10 2006 Karsten Hopp <karsten at redhat.de> 3.01-0.FC4.6
+- fix CAN-2005-3193
+
* Wed Dec 14 2005 Kristian Høgsberg <krh at redhat.com> 1:3.01-0.FC4.5
- Bump release.
- Update sources file and drop t1lib support entirely.