rpms/tetex/devel tetex-3.0-dviljktemp.patch, NONE, 1.1 tetex-3.0-dvipsoverflow.patch, NONE, 1.1 tetex.spec, 1.116, 1.117
Jindrich Novy (jnovy)
fedora-extras-commits at redhat.com
Tue Nov 13 14:22:29 UTC 2007
- Previous message (by thread): rpms/catdoc/EL-4 catdoc.spec, NONE, 1.1 makefilefix.patch, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/which/devel .cvsignore, 1.6, 1.7 sources, 1.6, 1.7 which.spec, 1.14, 1.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jnovy
Update of /cvs/extras/rpms/tetex/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9580
Modified Files:
tetex.spec
Added Files:
tetex-3.0-dviljktemp.patch tetex-3.0-dvipsoverflow.patch
Log Message:
- fix dvips -z buffer overflow with long href (#368591)
- fix insecure usage of temporary file in dviljk (#368611, #368641)
tetex-3.0-dviljktemp.patch:
--- NEW FILE tetex-3.0-dviljktemp.patch ---
diff -up tetex-src-3.0/texk/dviljk/dvi2xx.c.dviljktemp tetex-src-3.0/texk/dviljk/dvi2xx.c
--- tetex-src-3.0/texk/dviljk/dvi2xx.c.dviljktemp 1999-02-06 22:46:34.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/dvi2xx.c 2007-11-13 14:53:45.000000000 +0100
@@ -1,5 +1,5 @@
/* $Id: dvi2xx.c,v 2.5 1997/12/08 20:52:20 neumann Exp $ */
-#define VERSION "2.6p2 (dviljk)"
+#define VERSION "dviljk (version 2.6p3)"
/*
#define DEBUGGS 1
*/
@@ -173,7 +173,7 @@ char *argv[];
y_origin = YDEFAULTOFF; /* y-origin in dots */
setbuf(ERR_STREAM, NULL);
- (void) strcpy(G_progname, argv[0]);
+ G_progname = argv[0];
#ifdef KPATHSEA
kpse_set_progname(argv[0]);
kpse_set_program_enabled (kpse_pk_format, MAKE_TEX_PK_BY_DEFAULT, kpse_src_compile);
@@ -2968,8 +2968,8 @@ char *argv[];
#endif
{
int argind; /* argument index for flags */
- char curarea[STRSIZE]; /* current file area */
- char curname[STRSIZE]; /* current file name */
+ char *curarea; /* current file area */
+ char *curname; /* current file name */
char *tcp, *tcp1; /* temporary character pointers */
char *this_arg;
double x_offset = 0.0, y_offset = 0.0;
@@ -2988,9 +2988,9 @@ char *argv[];
#endif
#endif
- if (argc == 2 && (strcmp (argv[1], "--version") == 0)) {
+ if (argc == 2 && EQ(argv[1], "--version")) {
extern KPSEDLL char *kpathsea_version_string;
- puts ("dvilj(k) 2.6");
+ puts (VERSION);
puts (kpathsea_version_string);
puts ("Copyright (C) 1997 Gustaf Neumann.\n\
There is NO warranty. You may redistribute this software\n\
@@ -3328,8 +3328,8 @@ Primary author of Dvi2xx: Gustaf Neumann
}
} else {
- (void) strcpy(filename, tcp);
- if (!strcmp(filename, "-")) {
+ filename = tcp;
+ if (EQ(filename, "-")) {
EmitFileName = "-";
#ifdef RISC_USE_OSL
dvifp = BINOPEN("Kbd:");
@@ -3339,57 +3339,68 @@ Primary author of Dvi2xx: Gustaf Neumann
AssureBinary(fileno(dvifp));
#endif
} else {
+ /* Since this code is used only once during startup, we don't care
+ about free()ing the allocated strings that represent filenames.
+ It will be more work to realize proper deallocation handling than
+ it's worth in terms of saving a few bytes. We consider these
+ bytes actually static memory where we don't know the size in
+ advance and don't add them to the allocated_storage count.
+ [27 Jun 07 -js] */
#ifdef KPATHSEA
/* split into directory + file name */
int tcplen, argvlen;
tcp = (char *)xbasename(argv[argind]);/* this knows about any kind of slashes */
tcplen = strlen(tcp);
+ if ( tcplen == 0 ) {
+ /* This happens when the DVI file name has a trailing slash; this
+ is not a valid name. Then we terminate the argument parsing
+ loop, a usage message will be output below. */
+ break;
+ }
argvlen = strlen(argv[argind]);
if (tcplen == argvlen)
- curarea[0] = '\0';
+ curarea = "";
else {
- (void) strcpy(curarea, argv[argind]);
+ curarea = xstrdup(argv[argind]);
curarea[argvlen-tcplen] = '\0';
}
#else
tcp = strrchr(argv[argind], '/');
/* split into directory + file name */
if (tcp == NULL) {
- curarea[0] = '\0';
+ curarea[0] = "";
tcp = argv[argind];
} else {
- (void) strcpy(curarea, argv[argind]);
+ curarea = xstrdup(argv[argind]);
curarea[tcp-argv[argind]+1] = '\0';
tcp += 1;
}
#endif
+ curname = (char *) xmalloc(strlen(tcp)+5); /* + space for ".dvi" */
(void) strcpy(curname, tcp);
/* split into file name + extension */
- tcp1 = strrchr(tcp, '.');
+ tcp1 = strrchr(curname, '.');
if (tcp1 == NULL) {
- (void) strcpy(rootname, curname);
+ rootname = xstrdup(curname);
strcat(curname, ".dvi");
} else {
*tcp1 = '\0';
- (void) strcpy(rootname, curname);
+ rootname = xstrdup(curname);
*tcp1 = '.';
}
+ filename = (char *) xmalloc(strlen(curarea)+strlen(curname)+1);
(void) strcpy(filename, curarea);
(void) strcat(filename, curname);
if ((dvifp = BINOPEN(filename)) == FPNULL) {
/* do not insist on .dvi */
if (tcp1 == NULL) {
- int l = strlen(curname);
- if (l > 4)
- curname[l - 4] = '\0';
- l = strlen(filename);
- if (l > 4)
- filename[l - 4] = '\0';
+ filename[strlen(filename) - 4] = '\0';
+ dvifp = BINOPEN(filename);
}
- if (tcp1 != NULL || (dvifp = BINOPEN(filename)) == FPNULL) {
+ if (dvifp == FPNULL) {
#ifdef MSC5
Fatal("%s: can't find DVI file \"%s\"\n\n",
G_progname, filename);
@@ -3411,7 +3422,7 @@ Primary author of Dvi2xx: Gustaf Neumann
y_goffset = (short) MM_TO_PXL(y_offset) + y_origin;
if (dvifp == FPNULL) {
- fprintf(ERR_STREAM,"\nThis is the DVI to %s converter version %s",
+ fprintf(ERR_STREAM,"\nThis is the DVI to %s converter %s",
PRINTER, VERSION);
#ifdef SEVENBIT
fprintf(ERR_STREAM,", 7bit");
@@ -3507,13 +3518,8 @@ Primary author of Dvi2xx: Gustaf Neumann
exit(1);
}
if (EQ(EmitFileName, "")) {
- if ((EmitFileName = (char *)malloc( STRSIZE )) != NULL)
- allocated_storage += STRSIZE;
- else
- Fatal("Can't allocate storage of %d bytes\n",STRSIZE);
- (void) strcpy(EmitFileName, curname);
- if ((tcp1 = strrchr(EmitFileName, '.')))
- *tcp1 = '\0';
+ EmitFileName = (char *) xmalloc(strlen(rootname)+sizeof(EMITFILE_EXTENSION));
+ (void) strcpy(EmitFileName, rootname);
strcat(EmitFileName, EMITFILE_EXTENSION);
}
if (G_quiet)
@@ -3698,6 +3704,8 @@ bool PFlag;
#endif
}
CloseFiles();
+ if ( tmp_dir[0] != '\0' )
+ rmdir (tmp_dir); /* ignore errors */
exit(G_errenc);
}
@@ -3895,22 +3903,21 @@ char *str;
int n;
#endif
{
- char spbuf[STRSIZE], xs[STRSIZE], ys[STRSIZE];
- char *sf = NULL, *psfile = NULL;
+ char xs[STRSIZE], ys[STRSIZE];
+ char *include_file = NULL;
+ enum { VerbFile, HPFile, PSFile } file_type;
float x,y;
long4 x_pos, y_pos;
KeyWord k;
int i, j, j1;
static int GrayScale = 10, Pattern = 1;
static bool GrayFill = _TRUE;
- static long4 p_x[80], p_y[80];
- int llx=0, lly=0, urx=0, ury=0, rwi=0, rhi=0;
-#ifdef WIN32
- char *gs_path;
-#endif
+ static long4 p_x[MAX_SPECIAL_DEFPOINTS], p_y[MAX_SPECIAL_DEFPOINTS];
+ int llx=0, lly=0, urx=0, ury=0, rwi=0;
str[n] = '\0';
- spbuf[0] = '\0';
+ for ( i=0 ; i<MAX_SPECIAL_DEFPOINTS ; i++ )
+ p_x[i] = p_y[i] = -1;
SetPosn(h, v);
#ifdef __riscos
@@ -3924,41 +3931,30 @@ int n;
/* get all keyword-value pairs */
/* for compatibility, single words are taken as file names */
if ( k.vt == None && access(k.Key, 0) == 0) {
- if ( sf
-#ifdef KPATHSEA
- && !kpse_tex_hush ("special")
-#endif
- )
- Warning("More than one \\special file name given. %s ignored", sf);
- (void) strcpy(spbuf, k.Key);
- sf = spbuf;
- /*
- for (j = 1; ((sf[j]=='/' ? sf[j]='\\':sf[j]) != '\0'); j++);
- */
- } else if ( GetKeyVal( &k, KeyTab, NKEYS, &i ) && i != -1 )
+ if ( include_file && !kpse_tex_hush ("special") ) {
+ Warning("More than one \\special file name given. %s ignored", include_file);
+ free (include_file);
+ }
+ include_file = xstrdup(k.Key);
+ file_type = VerbFile;
+ } else if ( GetKeyVal( &k, KeyTab, NKEYS, &i ) && i != -1 ) {
switch (i) {
case PSFILE:
- if (sf
-#ifdef KPATHSEA
- && !kpse_tex_hush ("special")
-#endif
- )
- Warning("More than one \\special file name given. %s ignored", sf);
- (void) strcpy(spbuf, k.Val);
- psfile = spbuf;
- /*
- for (j=1; ((sf[j]=='/' ? sf[j]='\\':sf[j]) != '\0'); j++);
- */
+ if ( include_file ) {
+ Warning("More than one \\special file name given. %s ignored", include_file);
+ free(include_file);
+ }
+ include_file = xstrdup(k.Val);
+ file_type = PSFile;
break;
case HPFILE:
- if (sf)
- Warning("More than one \\special file name given. %s ignored", sf);
- (void) strcpy(spbuf, k.Val);
- sf = spbuf;
- /*
- for (j=1; ((sf[j]=='/' ? sf[j]='\\':sf[j]) != '\0'); j++);
- */
+ if ( include_file && !kpse_tex_hush ("special") ) {
+ Warning("More than one \\special file name given. %s ignored", include_file);
+ free(include_file);
+ }
+ include_file = xstrdup(k.Val);
+ file_type = HPFile;
break;
case ORIENTATION:
@@ -3978,23 +3974,24 @@ int n;
}
#endif
else
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
Warning( "Invalid orientation (%d)given; ignored.", k.v.i);
break;
case RESETPOINTS:
- (void) strcpy(spbuf, k.Val);
-
- sf = NULL;
+ for ( i=0 ; i<MAX_SPECIAL_DEFPOINTS ; i++ )
+ p_x[i] = p_y[i] = -1;
break;
case DEFPOINT:
- (void) strcpy(spbuf, k.Val);
- i = sscanf(spbuf,"%d(%[^,],%s)",&j,xs,ys);
+ /* 254 is STRSIZE-1. cpp should be used to construct that number. */
+ i = sscanf(k.Val,"%d(%254[^,],%254s)",&j,xs,ys);
if (i>0) {
- x_pos = h;
+ if ( j < 0 || j >= MAX_SPECIAL_DEFPOINTS ) {
+ Warning ("defpoint %d ignored, must be between 0 and %d",
+ j, MAX_SPECIAL_DEFPOINTS);
+ break;
+ }
+ x_pos = h;
y_pos = v;
if (i>1) {
if (sscanf(xs,"%fpt",&x)>0) {
@@ -4011,19 +4008,32 @@ int n;
p_x[j]=x_pos;
p_y[j]=y_pos;
} else
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
Warning("invalid point definition\n");
-
- sf = NULL;
break;
case FILL:
- (void) strcpy(spbuf, k.Val);
- i = sscanf(spbuf,"%d/%d %s",&j,&j1,xs);
+ /* 254 is STRSIZE-1. cpp should be used to construct that number. */
+ i = sscanf(k.Val,"%d/%d %254s",&j,&j1,xs);
if (i>1) {
#ifdef LJ
+ if ( j < 0 || j >= MAX_SPECIAL_DEFPOINTS ) {
+ Warning ("fill ignored, point %d must be between 0 and %d",
+ j, MAX_SPECIAL_DEFPOINTS);
+ break;
+ }
+ if ( p_x[j] == -1 ) {
+ Warning ("fill ignored, point %d is undefined\n", j);
+ break;
+ }
+ if ( j1 < 0 || j1 >= MAX_SPECIAL_DEFPOINTS ) {
+ Warning ("fill ignored, point %d must be between 0 and %d",
+ j1, MAX_SPECIAL_DEFPOINTS);
+ break;
+ }
+ if ( p_x[j1] == -1 ) {
+ Warning ("fill ignored, point %d is undefined\n", j1);
+ break;
+ }
SetPosn(p_x[j], p_y[j]);
x_pos = (long4)PIXROUND(p_x[j1]-p_x[j], hconv);
y_pos = (long4)PIXROUND(p_y[j1]-p_y[j], vconv);
@@ -4044,9 +4054,6 @@ int n;
GrayScale = k.v.i;
GrayFill = _TRUE;
} else
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
Warning( "Invalid gray scale (%d) given; ignored.", k.v.i);
break;
@@ -4055,9 +4062,6 @@ int n;
Pattern = k.v.i;
GrayFill = _FALSE;
} else
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
Warning( "Invalid pattern (%d) given; ignored.", k.v.i);
break;
@@ -4066,75 +4070,123 @@ int n;
case URX: urx = k.v.i; break;
case URY: ury = k.v.i; break;
case RWI: rwi = k.v.i; break;
- case RHI: rhi = k.v.i; break;
+ case RHI:
+ if (!kpse_tex_hush ("special"))
+ Warning("Whatever rhi was good for once, it is ignored now.");
+ break;
default:
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
+ if ( !kpse_tex_hush ("special") )
Warning("Can't handle %s=%s command; ignored.", k.Key, k.Val);
break;
}
-
- else
-#ifdef KPATHSEA
- if (!kpse_tex_hush ("special"))
-#endif
+
+ } else if (!kpse_tex_hush ("special")) {
Warning("Invalid keyword or value in \\special - <%s> ignored", k.Key);
+ }
+
+ free (k.Key);
+ if ( k.Val != NULL ) free(k.Val);
}
- if ( sf || psfile ) {
+ if ( include_file ) {
last_rx = last_ry = UNKNOWN;
#ifdef IBM3812
PMPflush;
#endif
- if (sf) {
- if (i == HPFILE)
- CopyHPFile( sf );
- else
- CopyFile( sf );
- }
- else
+
#ifdef LJ
- if (psfile) {
+ if ( file_type == PSFile) {
/* int height = rwi * (urx - llx) / (ury - lly);*/
int width = urx - llx;
int height = ury - lly;
char cmd[255];
- int scale_factor = 3000 * width / rwi;
- int adjusted_height = height * 300/scale_factor;
- int adjusted_llx = llx * 300/scale_factor;
+ char *cmd_format = "%s -q -dSIMPLE -dSAFER -dNOPAUSE -sDEVICE=%s -sOutputFile=%s %s %s showpage.ps -c quit";
+ char *gs_cmd;
+ int scale_factor, adjusted_height, adjusted_llx;
char *printer = "ljetplus"; /* use the most stupid one */
-
- char scale_file_name[255];
- char *scale_file = tmpnam(scale_file_name);
- char *pcl_file = tmpnam(NULL);
+ char pcl_file[STRSIZE];
+ char scale_file[STRSIZE];
FILEPTR scalef;
- if ( (scalef = BOUTOPEN(scale_file)) == FPNULL ) {
- Warning("Unable to open file %s for writing", scale_file );
- return;
- }
- fprintf(scalef, "%.2f %.2f scale\n%d %d translate\n",
- 300.0/scale_factor, 300.0/scale_factor,
- 0, adjusted_height == height ? 0 : ury);
- BCLOSE( scalef );
+ if ( urx == 0 || ury == 0 || rwi == 0 ) {
+ /* Since dvips' psfile special has a different syntax, this might
+ well be one of those specials, i.e., a non-dviljk special. Then
+ the Warning should be suppressable. */
+ if ( !kpse_tex_hush ("special") )
+ Warning ("Ignoring psfile special without urx, ury and rwi attributes");
+ free (include_file);
+ return;
+ }
+ scale_factor = 3000 * width / rwi;
+ adjusted_height = height * 300/scale_factor;
+ adjusted_llx = llx * 300/scale_factor;
+
+ /* We cannot use mkstemp, as we cannot pass two open file descriptors
+ portably to Ghostscript. We don't want to use tmpnam() or tempnam()
+ either, as they have tempfile creation race conditions. Instead we
+ create a temporary directory with mkdtemp() -- if that's available.
+ If not, we are thrown back to tempnam(), to get our functionality
+ at all. We need to create the temporary directory only once per
+ run; it will be deleted in AllDone(). */
+ if ( tmp_dir[0] == '\0' ) {
+ char * base_dir;
+ if ( (base_dir = getenv("TMPDIR")) == NULL ) {
+ base_dir = "/tmp";
+ } else if ( strlen(base_dir) > STRSIZE - sizeof("/dviljkXXXXXX/include.pcl") ) {
+ Warning ("TMPDIR %s is too long, using /tmp instead", base_dir);
+ base_dir = "/tmp";
+ }
+ if ( base_dir[0] == '/' && base_dir[1] == '\0' ) {
+ Warning ("Feeling naughty, do we? / is no temporary directory, dude");
+ base_dir = "/tmp";
+ }
+ strcpy (tmp_dir, base_dir);
+ strcat (tmp_dir, "/dviljkXXXXXX");
+ if ( mkdtemp(tmp_dir) == NULL ) {
+ Warning ("Could not create temporary directory %s, errno = %d; ignoring include file special",
+ tmp_dir, errno);
+ return;
+ }
+ }
+ strcpy(pcl_file, tmp_dir);
+ strcat(pcl_file, "/include.pcl");
+ strcpy(scale_file, tmp_dir);
+ strcat(scale_file, "/scale.ps");
+
+ if ( (scalef = BOUTOPEN(scale_file)) == FPNULL ) {
+ Warning("Unable to open file %s for writing", scale_file );
+ free (include_file);
+ unlink(scale_file); /* ignore error */
+ return;
+ }
+ fprintf(scalef, "%.2f %.2f scale\n%d %d translate\n",
+ 300.0/scale_factor, 300.0/scale_factor,
+ 0, adjusted_height == height ? 0 : ury);
+ BCLOSE( scalef );
#ifdef WIN32
- gs_path = getenv("GS_PATH");
- if (!gs_path)
- gs_path = "gswin32c.exe";
- sprintf(cmd,"%s -q -dSIMPLE -dSAFER -dNOPAUSE -sDEVICE=%s -sOutputFile=%s %s %s showpage.ps -c quit",
- gs_path, printer, pcl_file, scale_file, psfile);
+ if ( (gs_cmd = getenv("GS_PATH")) == NULL )
+ gs_cmd = "gswin32c.exe";
#else
- sprintf(cmd,"gs -q -dSIMPLE -dSAFER -dNOPAUSE -sDEVICE=%s -sOutputFile=%s %s %s showpage.ps -c quit",
- printer, pcl_file, scale_file, psfile);
+ gs_cmd = "gs";
#endif
+ if ( strlen(cmd_format)-10 + strlen(gs_cmd) + strlen(printer) +
+ strlen(pcl_file) + strlen(scale_file) + strlen(include_file) +1 >
+ sizeof(cmd) ) {
+ Warning ("Ghostscript command for %s would be too long, skipping special", include_file);
+ free (include_file);
+ unlink(scale_file); /* ignore errors */
+ unlink(pcl_file);
+ return;
+ }
+ sprintf(cmd, cmd_format,
+ gs_cmd, printer, pcl_file, scale_file, include_file);
#ifdef DEBUGGS
fprintf(stderr,
"PS-file '%s' w=%d, h=%d, urx=%d, ury=%d, llx=%d, lly=%d, rwi=%d\n",
- psfile, urx - llx, height, urx,ury,llx,lly, rwi);
+ include_file, urx - llx, height, urx,ury,llx,lly, rwi);
fprintf(stderr,"%s\n",cmd);
#endif
if (system(cmd)) {
@@ -4158,11 +4210,21 @@ int n;
#endif
CopyHPFile( pcl_file );
- /* unlink(pcl_file); */
- /* unlink(scale_file); */
- }
}
+ unlink(scale_file); /* ignore errors */
+ unlink(pcl_file);
+ }
+ else
#endif /* LJ */
+
+ if ( file_type == HPFile )
+ CopyHPFile( include_file );
+ else if ( file_type == VerbFile )
+ CopyFile( include_file );
+ else
+ Warning ("This can't happen: unknown file_type value %d", file_type);
+
+ if ( include_file != NULL ) free(include_file);
}
}
@@ -4173,12 +4235,11 @@ int n;
/**********************************************************************/
/***************************** GetKeyStr ****************************/
/**********************************************************************/
-/* extract first keyword-value pair from string (value part may be null)
- * return pointer to remainder of string
- * return NULL if none found
+/* Extract first keyword-value pair from string (value part may be null),
+ * keyword and value are allocated and must be free by caller.
+ * Return pointer to remainder of string,
+ * return NULL if none found.
*/
-char KeyStr[STRSIZE];
-char ValStr[STRSIZE];
#if NeedFunctionPrototypes
char *GetKeyStr(char *str, KeyWord *kw )
#else
@@ -4187,39 +4248,46 @@ char *str;
KeyWord *kw;
#endif
{
- char *s, *k, *v, t;
+ char *s, *start;
+ char save_char, quote_char;
if ( !str )
return( NULL );
for (s = str; *s == ' '; s++)
; /* skip over blanks */
if (*s == '\0')
return( NULL );
- for (k = KeyStr; /* extract keyword portion */
- *s != ' ' && *s != '\0' && *s != '=';
- *k++ = *s++)
- ;
- *k = '\0';
- kw->Key = KeyStr;
- kw->Val = v = NULL;
+ start = s++; /* start of keyword */
+ while ( *s != ' ' && *s != '\0' && *s != '=' ) /* locate end */
+ s++;
+ save_char = *s;
+ *s = '\0';
+ kw->Key = xstrdup(start);
+ kw->Val = NULL;
kw->vt = None;
- for ( ; *s == ' '; s++)
- ; /* skip over blanks */
- if ( *s != '=' ) /* look for "=" */
+ if ( save_char == '\0' ) /* shortcut when we're at the end */
+ return (s);
+ *s = save_char; /* restore keyword end char */
+ while ( *s == ' ' ) s++ ; /* skip over blanks */
+ if ( *s != '=' ) /* no "=" means no value */
return( s );
- for (s++; *s == ' '; s++); /* skip over blanks */
- if ( *s == '\'' || *s == '\"' ) /* get string delimiter */
- t = *s++;
+ for (s++; *s == ' '; s++)
+ ; /* skip over blanks */
+ if ( *s == '\'' || *s == '\"' ) /* get string delimiter */
+ quote_char = *s++;
else
- t = ' ';
- for (v = ValStr; /* copy value portion up to delim */
- *s != t && *s != '\0';
- *v++ = *s++)
- ;
- if ( t != ' ' && *s == t )
- s++;
- *v = '\0';
- kw->Val = ValStr;
+ quote_char = ' ';
+ start = s; /* no increment, might be "" as value */
+ while ( *s != quote_char && *s != '\0' )
+ s++; /* locate end of value portion */
+ save_char = *s;
+ *s = '\0';
+ kw->Val = xstrdup(start);
kw->vt = String;
+ if ( save_char != '\0' ) { /* save_char is now quote_char */
+ *s = save_char;
+ if ( quote_char != ' ' ) /* we had real quote chars */
+ s++;
+ }
return( s );
}
@@ -4819,13 +4887,14 @@ struct font_entry *fontptr;
the resident fonts. */
if (tfm_read_info(fontptr->n, &tfm_info)
&& tfm_info.family[0]
- && strcmp((char *)tfm_info.family, "HPAUTOTFM") == 0) {
+ && EQ((char *)tfm_info.family, "HPAUTOTFM")) {
unsigned i;
double factor = fontptr->s / (double)0x100000;
resident_count++;
fontptr->resident_p = _TRUE;
- strcpy(fontptr->symbol_set, (char *)tfm_info.coding_scheme);
+ strncpy(fontptr->symbol_set, (char *)tfm_info.coding_scheme, 39);
+ fontptr->symbol_set[39] = '\0';
fontptr->resid = tfm_info.typeface_id;
fontptr->spacing = tfm_info.spacing;
fontptr->style = tfm_info.style;
@@ -4878,7 +4947,7 @@ struct font_entry *fontptr;
fontptr->resident_p = _FALSE;
if (tfm_info.family[0]
- && strcmp((char *)tfm_info.family, "UNSPECIFIED") == 0) {
+ && EQ((char *)tfm_info.family, "UNSPECIFIED")) {
Warning("font family for %s is UNSPECIFIED; need to run dvicopy?",
fontptr->n);
fontptr->font_file_id = NO_FILE;
@@ -5031,10 +5100,9 @@ printf("[%ld]=%lf * %lf * %lf + 0.5 = %l
if (tfontptr->resident_p)
return;
- if (!(resident_font_located)) {
+ if (!(resident_font_located))
#endif
-#ifdef KPATHSEA
{
kpse_glyph_file_type font_ret;
char *name;
@@ -5047,9 +5115,9 @@ printf("[%ld]=%lf * %lf * %lf + 0.5 = %l
if (name)
{
font_found = _TRUE;
- strcpy (tfontptr->name, name);
- free (name);
-
+ tfontptr->name = name;
+ allocated_storage += strlen(name)+1;
+
if (!FILESTRCASEEQ (tfontptr->n, font_ret.name)) {
fprintf (stderr,
"dvilj: Font %s not found, using %s at %d instead.\n",
@@ -5071,29 +5139,6 @@ printf("[%ld]=%lf * %lf * %lf + 0.5 = %l
tfontptr->n, dpi);
}
}
-#else /* not KPATHSEA */
- if (!(findfile(PXLpath,
- tfontptr->n,
- tfontptr->font_mag,
- tfontptr->name,
- _FALSE,
- 0))) {
- Warning(tfontptr->name); /* contains error messsage */
- tfontptr->font_file_id = NO_FILE;
-#ifdef __riscos
- MakeMetafontFile(PXLpath, tfontptr->n, tfontptr->font_mag);
-#endif
- }
- else {
- font_found = _TRUE;
- if (G_verbose)
- fprintf(ERR_STREAM,"%d: using font <%s>\n", plusid, tfontptr->name);
- }
-#endif /* not KPATHSEA */
-
-#ifdef LJ_RESIDENT_FONTS
- }
-#endif
tfontptr->plusid = plusid;
plusid++;
diff -U0 tetex-src-3.0/texk/dviljk/ChangeLog.dviljktemp tetex-src-3.0/texk/dviljk/ChangeLog
--- tetex-src-3.0/texk/dviljk/ChangeLog.dviljktemp 1998-03-03 11:17:39.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/ChangeLog 2007-11-13 14:59:19.000000000 +0100
@@ -0,0 +1,39 @@
+2007-07-02 Joachim Schrod <jschrod at acm.org>
+
+ * dvi2xx.c (DoSpecial): Security issue: usage of tmpnam() caused
+ tempfile race condition. I use mkdtemp() if it's available and
+ fall back to tmpnam.
+
+ Special parsing of include files was inconsistent, unify it. The
+ current parsing code still allows lots of non-sensical special
+ commands, but at least it doesn't access unrelated variables any
+ more.
+
+2007-06-28 Joachim Schrod <jschrod at acm.org>
+
+ * dvi2xx.c: Fixed a whole bunch of buffer overflows: The program
+ did not check memory bounds for any string operation. All places
+ where strings are copied with strcpy are replaced by dynamically
+ allocated strings (with xstrdup from kpathsea) or bounded string
+ operations. Fixed also manual string copy operations on special
+ strings. Fixed array buffer overflow in defpoint and fill special
+ operations.
+ (DoSpecial): Call of ghostscript for psfile special had also a
+ potential buffer overflow caused by unchecked usage of sprintf.
+ Fix core dump: Check if all required parameters of psfile special
+ are passed.
+
+ Bumped version number up to 2.6p3.
+
+ * dvi2xx.h: Some fixed sized string arrays are pointers now, they
+ get dynamically allocated.
+ (GetBytes): Another buffer overflow: Check that the buffer size is
+ sufficient to store the read bytes. That relies on the invariant
+ that the GetBytes macro is always called with an array as argument
+ and not with a pointer.
+
+ * config.h: Throw an error if kpathsea is not used. dvi2xx.c
+ had previously already kpathsea dependencies without protecting
+ them with #if KPATHSEA. We go that road further since upstream
+ does not exist any more.
+
diff -up tetex-src-3.0/texk/dviljk/configure.dviljktemp tetex-src-3.0/texk/dviljk/configure
diff -up tetex-src-3.0/texk/dviljk/configure.in.dviljktemp tetex-src-3.0/texk/dviljk/configure.in
--- tetex-src-3.0/texk/dviljk/configure.in.dviljktemp 1999-02-08 22:42:01.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/configure.in 2007-11-13 14:55:04.000000000 +0100
@@ -13,6 +13,7 @@ sinclude(../kpathsea/withenable.ac)
dnl These tests prevent reliable cross-compilation. Sigh.
AC_C_CHAR_UNSIGNED
AC_CHECK_SIZEOF(long)
+AC_CHECK_FUNCS(rmdir unlink mkdtemp)
AC_OUTPUT(Makefile)
dnl Update stamp-auto, since we just remade `c-auto.h'.
diff -up tetex-src-3.0/texk/dviljk/dvi2xx.h.dviljktemp tetex-src-3.0/texk/dviljk/dvi2xx.h
--- tetex-src-3.0/texk/dviljk/dvi2xx.h.dviljktemp 1999-03-16 08:03:33.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/dvi2xx.h 2007-11-13 14:53:45.000000000 +0100
@@ -10,8 +10,8 @@
#ifdef KPATHSEA
#include <kpathsea/config.h>
+#include <kpathsea/c-std.h>
#include <kpathsea/c-limits.h>
-#include <kpathsea/c-memstr.h>
#include <kpathsea/magstep.h>
#include <kpathsea/proginit.h>
#include <kpathsea/progname.h>
@@ -24,6 +24,7 @@
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
+#include <unistd.h>
#ifdef unix
#include <limits.h>
#endif
@@ -41,9 +42,6 @@
#ifdef MSC5
#include <dos.h> /* only for binaryopen on device */
#endif
-#if defined (unix) && !defined (KPATHSEA)
-#include <limits.h>
-#endif
#include "config.h"
@@ -116,6 +114,7 @@
#define HUGE_SIZE (unsigned char) 2
#define HUGE_CHAR_PATTERN 32767l
#define BYTES_PER_PIXEL_LINE 500 /* max number of bytes per pixel line */
+#define MAX_SPECIAL_DEFPOINTS 80 /* max number of defpoint specials */
#define PK_POST 245
@@ -281,7 +280,14 @@ char *MFMODE = MFMODE600;
#define VisChar(c) (unsigned char)(c)
#endif
-#define GetBytes(fp,buf,n) read_multi(buf,1,n,fp) /* used to be a function */
+/* Used to be a function. buf is always an array, never a pointer.
+ Without that invariant, we would have to introduce full dynamic
+ memory management in this driver -- probably it would be easier to
+ write a new one. [27 Jun 07 -js] */
+#define GetBytes(fp,buf,n) \
+ ( sizeof(buf) != sizeof(void *) && sizeof(buf) > n ? \
+ read_multi(buf, 1, n, fp) \
+ : Fatal("Try to read %d bytes in an array of size %d", n, sizeof(buf)) )
/**********************************************************************/
@@ -307,6 +313,7 @@ int printf();
int sscanf();
int strcmp();
char *strcpy();
+char *strncpy();
# ifdef MSC5
unsigned int strlen();
# endif
@@ -393,7 +400,7 @@ struct font_entry { /* font entry */
char n[STRSIZE]; /* FNT_DEF command parameters */
long4 font_mag; /* computed from FNT_DEF s and d parameters */
/*char psname[STRSIZE];*/ /* PostScript name of the font */
- char name[STRSIZE]; /* full name of PXL file */
+ char *name; /* full name of PXL file */
FILEPTR font_file_id; /* file identifier (NO_FILE if none) */
#ifdef USEPXL
long4 magnification; /* magnification read from PXL file */
@@ -487,8 +494,8 @@ void LoadAChar DVIPROTO((long4, regis
long4 NoSignExtend DVIPROTO((FILEPTR, int));
void OpenFontFile DVIPROTO((void));
long4 PixRound DVIPROTO((long4, long4));
-void PkRaster DVIPROTO((struct char_entry *, int));
-void RasterLine DVIPROTO((struct char_entry *, unsigned int,
+void PkRaster DVIPROTO((struct char_entry *, int));
+void RasterLine DVIPROTO((struct char_entry *, unsigned int,
unsigned int, unsigned char *));
void RasterChar DVIPROTO((struct char_entry *));
void ReadFontDef DVIPROTO((long4));
@@ -534,11 +541,12 @@ bool LastPageSpecified = _FALSE;
#ifndef KPATHSEA
char *PXLpath = FONTAREA;
#endif
-char G_progname[STRSIZE]; /* program name */
-char filename[STRSIZE]; /* DVI file name */
-char rootname[STRSIZE]; /* DVI filename without extension */
+char *G_progname; /* program name */
+char *filename; /* DVI file name */
+char *rootname; /* DVI filename without extension */
char *HeaderFileName = ""; /* file name & path of Headerfile */
char *EmitFileName = ""; /* file name & path for output */
+char tmp_dir[STRSIZE] = ""; /* temporary directory for auxilliary files */
#ifdef IBM3812
bool FirstAlternate = _FALSE; /* first page from alternate casette ? */
#endif
diff -up tetex-src-3.0/texk/dviljk/c-auto.in.dviljktemp tetex-src-3.0/texk/dviljk/c-auto.in
--- tetex-src-3.0/texk/dviljk/c-auto.in.dviljktemp 1999-03-23 23:40:08.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/c-auto.in 2007-11-13 14:53:45.000000000 +0100
@@ -1,9 +1,23 @@
-/* c-auto.in. Generated automatically from configure.in by autoheader. */
+/* c-auto.in. Generated from configure.in by autoheader. */
+/* acconfig.h -- used by autoheader when generating c-auto.in.
-/* Define if type char is unsigned and you are not using gcc. */
-#ifndef __CHAR_UNSIGNED__
-#undef __CHAR_UNSIGNED__
-#endif
+ If you're thinking of editing acconfig.h to fix a configuration
+ problem, don't. Edit the c-auto.h file created by configure,
+ instead. Even better, fix configure to give the right answer. */
+
+/* Define to 1 if you have the `mkdtemp' function. */
+#undef HAVE_MKDTEMP
+
+/* Define to 1 if you have the `rmdir' function. */
+#undef HAVE_RMDIR
-/* The number of bytes in a long. */
+/* Define to 1 if you have the `unlink' function. */
+#undef HAVE_UNLINK
+
+/* The size of a `long', as computed by sizeof. */
#undef SIZEOF_LONG
+
+/* Define to 1 if type `char' is unsigned and you are not using gcc. */
+#ifndef __CHAR_UNSIGNED__
+# undef __CHAR_UNSIGNED__
+#endif
diff -up tetex-src-3.0/texk/dviljk/config.h.dviljktemp tetex-src-3.0/texk/dviljk/config.h
--- tetex-src-3.0/texk/dviljk/config.h.dviljktemp 2002-01-03 17:40:25.000000000 +0100
+++ tetex-src-3.0/texk/dviljk/config.h 2007-11-13 14:53:45.000000000 +0100
@@ -216,12 +216,7 @@ typedef SCHAR_TYPE signed_char;
#endif
#ifndef KPATHSEA
-extern bool findfile(
-#if NeedFunctionPrototypes
-char path[], char n[], long4 fontmag, char name[],
- bool tfm, int level
-#endif
- );
+#error "Would need changed findfile, dviljk has changed allocation semantic of name member in tfontptr"
#endif
@@ -444,3 +439,24 @@ typedef FILE *FILEPTR;
/* If we have neither, should fall back to fprintf with fixed args. */
#endif
#endif
+
+/* If unlink and rmdir are not there, we don't delete the temporary files. */
+#ifndef HAVE_RMDIR
+#define rmdir(dir)
+#endif
+#ifndef HAVE_UNLINK
+#define unlink(file)
+#endif
+
+/* If mkdtemp() does not exist, we have to use tmpnam(). */
+#ifndef HAVE_MKDTEMP
+#define mkdtemp(dir) (tmpnam(dir) ? \
+ ( mkdir(dir, 0700) == -1 ? NULL : dir ) : \
+ ( errno = EINVAL, NULL ) )
+#endif
+
+#ifndef KPATHSEA
+/* FIXME: Should provide a strdup function. But currently this tree is
+ only used in connection with kpathsea anyhow. */
+#error "Need xstrdup and xmalloc function, e.g. from kpathsea"
+#endif
tetex-3.0-dvipsoverflow.patch:
--- NEW FILE tetex-3.0-dvipsoverflow.patch ---
diff -up tetex-src-3.0/texk/dvipsk/hps.c.dvipsoverflow tetex-src-3.0/texk/dvipsk/hps.c
--- tetex-src-3.0/texk/dvipsk/hps.c.dvipsoverflow 2005-01-16 01:05:00.000000000 +0100
+++ tetex-src-3.0/texk/dvipsk/hps.c 2007-11-13 14:34:48.000000000 +0100
@@ -441,19 +441,32 @@ int href_name_match P2C(char *, h, char
void stamp_hps P1C(Hps_link *, pl)
{
- char tmpbuf[200] ;
+ char * tmpbuf;
if (pl == NULL) {
error("Null pointer, oh no!") ;
return ;
- } else {
- /* print out the proper pdfm with local page info only
- * target info will be in the target dictionary */
- (void)sprintf(tmpbuf,
- " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
- pl->color[0], pl->color[1], pl->color[2]) ;
- cmdout(tmpbuf) ;
- }
+ }
+ if(pl->title == NULL) {
+ error("Null pointer, oh no!") ;
+ return ;
+ }
+
+ tmpbuf = (char *) malloc(strlen(pl->title)+200);
+ if(tmpbuf == NULL) {
+ error("out of memory, oh no!") ;
+ return ;
+ }
+
+ /* print out the proper pdfm with local page info only
+ * target info will be in the target dictionary */
+ (void)sprintf(tmpbuf,
+ " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ",
+ pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+ pl->color[0], pl->color[1], pl->color[2]) ;
+ cmdout(tmpbuf) ;
+ free(tmpbuf);
+
}
@@ -462,18 +475,31 @@ void stamp_hps P1C(Hps_link *, pl)
*/
void stamp_external P2C(char *, s, Hps_link *, pl)
{
- char tmpbuf[200];
+ char *tmpbuf;
if (pl == NULL) {
error("Null pointer, oh no!") ;
return ;
- } else {
- /* print out the proper pdfm with local page info only
- * target info will be in the target dictionary */
- (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
- pl->color[0], pl->color[1], pl->color[2], s) ;
- cmdout(tmpbuf) ;
- }
+ }
+
+ if (s == NULL) {
+ error("Null pointer, oh no!") ;
+ return ;
+ }
+
+ tmpbuf = (char *) malloc(strlen(s) + 200);
+ if(tmpbuf == NULL) {
+ error("out of memory, oh no!") ;
+ return ;
+ }
+
+ /* print out the proper pdfm with local page info only
+ * target info will be in the target dictionary */
+ (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ",
+ pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+ pl->color[0], pl->color[1], pl->color[2], s) ;
+ cmdout(tmpbuf) ;
+ free(tmpbuf);
}
void finish_hps P1H(void) {
Index: tetex.spec
===================================================================
RCS file: /cvs/extras/rpms/tetex/devel/tetex.spec,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- tetex.spec 12 Nov 2007 15:20:21 -0000 1.116
+++ tetex.spec 13 Nov 2007 14:21:56 -0000 1.117
@@ -11,7 +11,7 @@
Summary: The TeX text formatting system.
Name: tetex
Version: 3.0
-Release: 45%{?dist}
+Release: 46%{?dist}
License: Public Domain and GPLv2 and MIT and LPPL and Utopia and Artistic 2.0
Group: Applications/Publishing
Requires: tmpwatch, dialog, ed
@@ -93,6 +93,8 @@
Patch26: tetex-3.0-xdvi-maxchar.patch
Patch27: tetex-3.0-CVE-2007-4033.patch
Patch28: tetex-3.0-CVE-2007-5393.patch
+Patch29: tetex-3.0-dvipsoverflow.patch
+Patch30: tetex-3.0-dviljktemp.patch
######
# Japanization patches
@@ -322,6 +324,10 @@
%patch27 -p1 -b .CVE-2007-4033
# fix CVE-2007-4352 CVE-2007-5392 CVE-2007-5393, various xpdf flaws (#345121)
%patch28 -p1 -b .CVE-2007-5393
+# fix dvips -z buffer overflow with long href (#368591)
+%patch29 -p1 -b .dvipsoverflow
+# fix insecure usage of temporary file in dviljk (#368611, #368641)
+%patch30 -p1 -b .dviljktemp
%if %{enable_japanese}
mkdir texmf/ptex-texmf
@@ -881,6 +887,10 @@
%defattr(-,root,root)
%changelog
+* Tue Nov 13 2007 Jindrich Novy <jnovy at redhat.com> 3.0-46
+- fix dvips -z buffer overflow with long href (#368591)
+- fix insecure usage of temporary file in dviljk (#368611, #368641)
+
* Thu Nov 8 2007 Jindrich Novy <jnovy at redhat.com> 3.0-45
- fix t1lib flaw CVE-2007-4033 (#352271)
- fix CVE-2007-4352 CVE-2007-5392 CVE-2007-5393, various xpdf flaws (#345121)
- Previous message (by thread): rpms/catdoc/EL-4 catdoc.spec, NONE, 1.1 makefilefix.patch, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
- Next message (by thread): rpms/which/devel .cvsignore, 1.6, 1.7 sources, 1.6, 1.7 which.spec, 1.14, 1.15
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list