Patch: teTeX-CVE-2004-0888.patch
--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc.orig Mon Nov 22 12:05:47 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/Catalog.cc Mon Nov 22 12:04:28 2004
@@ -22,6 +22,7 @@
#include "Error.h"
#include "Link.h"
#include "Catalog.h"
+#include <limits.h>
//------------------------------------------------------------------------
// Catalog
@@ -63,6 +64,12 @@
}
pagesSize = numPages0 = obj.getInt();
obj.free();
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i = 0; i < pagesSize; ++i) {
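Review bot: The guard added before the two `gmalloc` calls rejects a negative page count only through the implicit signed-to-unsigned conversion in the comparison with `INT_MAX/sizeof(Page *)`, assuming `pagesSize` is an `int` as the `obj.getInt()` assignment suggests. The count is read from the document, so the lower bound should be explicit, as the XRef.cc checks in this patch already are: `if (pagesSize < 0 || pagesSize >= INT_MAX/sizeof(Page *) || pagesSize >= INT_MAX/sizeof(Ref)) {`. The enclosing constructor starts and ends outside the hunk.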
@@ -190,6 +197,11 @@
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
for (j = pagesSize - 32; j < pagesSize; ++j) {
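Review bot: On the new error path `pagesSize` has already been advanced by 32 while `pages` and `pageRefs` keep their old length, so the object is left with a size that no longer matches its arrays. If the code after `err3` or the destructor walks the arrays up to `pagesSize` (not visible here), it would read past the allocation. Either test a temporary before committing it, or add `pagesSize -= 32;` before `goto err3;`. The `streamEndsSize += 64` hunk in XRef.cc has the same shape, returning `gFalse` with the counter already increased. The enclosing function continues outside the hunk.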
--- tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc.orig Mon Nov 22 12:03:53 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/xpdf/XRef.cc Mon Nov 22 12:01:24 2004
@@ -28,6 +28,7 @@
#include "Error.h"
#include "ErrorCodes.h"
#include "XRef.h"
+#include <limits.h>
//------------------------------------------------------------------------
@@ -66,6 +67,8 @@
start = str->getStart();
pos = readTrailer();
+ entries = NULL;
+
// if there was a problem with the trailer,
// try to reconstruct the xref table
if (pos == 0) {
@@ -76,6 +79,12 @@
// trailer is ok - read the xref table
} else {
+ if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+ return;
+ }
entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
for (i = 0; i < size; ++i) {
entries[i].offset = 0xffffffff;
@@ -175,7 +184,7 @@
n = atoi(p);
while ('0' <= *p && *p <= '9') ++p;
while (isspace(*p)) ++p;
- if (p == buf)
+ if ((p == buf) || (n < 0)) /* must make progress */
return 0;
pos1 += (p - buf) + n * 20;
}
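Review bot: The `n < 0` test added to the condition does not bound `n` from above, so `n * 20` on the following line can still overflow for a large entry count taken from the file, and `pos1` then moves to an unintended offset. Add an upper bound to the same condition, for example `if ((p == buf) || (n < 0) || (n > INT_MAX / 20))`. The `/* must make progress */` comment describes only the `p == buf` half and would be more accurate as `/* no digits consumed, or negative count */`. The loop and the function extend beyond the hunk.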
@@ -249,6 +258,10 @@
}
s[i] = '\0';
first = atoi(s);
+ if (first < 0) {
+ error(-1, "Invalid 'first'");
+ goto err2;
+ }
while ((c = str->lookChar()) != EOF && isspace(c)) {
str->getChar();
}
@@ -260,6 +273,10 @@
}
s[i] = '\0';
n = atoi(s);
+ if (n<=0) {
+ error(-1, "Invalid 'n'");
+ goto err2;
+ }
while ((c = str->lookChar()) != EOF && isspace(c)) {
str->getChar();
}
@@ -267,6 +284,10 @@
// table size
if (first + n > size) {
newSize = size + 256;
+ if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
entries[i].offset = 0xffffffff;
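Review bot: The condition `first + n > size` is evaluated before the new `newSize` check and can overflow when `first` and `n` are both large, since the earlier hunks only require `first >= 0` and `n > 0`. A wrapped sum would skip the growth branch entirely. Reject that case ahead of the comparison, e.g. `if (first > INT_MAX - n) { error(-1, "Invalid 'first'/'n'"); goto err2; }`. From the visible lines the table also grows by a fixed 256 entries, so whether `newSize` actually covers `first + n` depends on code outside the hunk and should be confirmed.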
@@ -391,6 +412,10 @@
// look for object
} else if (isdigit(*p)) {
num = atoi(p);
+ if (num < 0) {
+ error(-1, "Invalid 'num' parameters.");
+ return gFalse;
+ }
do {
++p;
} while (*p && isdigit(*p));
@@ -410,6 +435,10 @@
if (!strncmp(p, "obj", 3)) {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries = (XRefEntry *)
grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
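Review bot: `newSize = (num + 1 + 255) & ~255` is computed before the added check, and with `num` close to `INT_MAX` the addition overflows a signed `int`. That is undefined behaviour, not a guaranteed negative value for `newSize < 0` to catch. Bound `num` where it is parsed instead, for instance by extending the earlier test in this patch to `if (num < 0 || num > INT_MAX - 256) {`. The surrounding loop starts and ends outside the hunk.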
@@ -431,6 +460,11 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
streamEnds = (Guint *)grealloc(streamEnds,
streamEndsSize * sizeof(int));
}
--- tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.c.orig Mon Nov 22 12:04:04 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.c Mon Nov 22 12:01:24 2004
@@ -53,9 +53,9 @@
#endif /* DEBUG_MEM */
-void *gmalloc(int size) {
+void *gmalloc(size_t size) {
#ifdef DEBUG_MEM
- int size1;
+ size_t size1;
char *mem;
GMemHdr *hdr;
void *data;
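Review bot: The `size_t` signature alone does not protect callers that multiply a count by an element size, because the product can still wrap before it reaches `gmalloc`. The `INT_MAX/sizeof(...)` checks in this patch cover only the call sites it touches. A negative `int` from an unpatched caller now converts to a very large request, which malloc will normally refuse, so per the gmem.h comment the process exits. A wrapper that takes the count and element size and rejects `count > SIZE_MAX / size` before calling `gmalloc` would put the check in one place, and the same applies to `grealloc` in the next hunk. The body of `gmalloc` continues beyond the hunk.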
@@ -94,11 +94,11 @@
#endif
}
-void *grealloc(void *p, int size) {
+void *grealloc(void *p, size_t size) {
#ifdef DEBUG_MEM
GMemHdr *hdr;
void *q;
- int oldSize;
+ size_t oldSize;
if (size == 0) {
if (p)
@@ -137,7 +137,7 @@
void gfree(void *p) {
#ifdef DEBUG_MEM
- int size;
+ size_t size;
GMemHdr *hdr;
GMemHdr *prevHdr, *q;
int lst;
--- tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.h.orig Mon Nov 22 12:04:06 2004
+++ tetex-bin-2.0.2-CVS/libs/xpdf/goo/gmem.h Mon Nov 22 12:01:24 2004
@@ -19,13 +19,13 @@
* Same as malloc, but prints error message and exits if malloc()
* returns NULL.
*/
-extern void *gmalloc(int size);
+extern void *gmalloc(size_t size);
/*
* Same as realloc, but prints error message and exits if realloc()
* returns NULL. If <p> is NULL, calls malloc instead of realloc().
*/
-extern void *grealloc(void *p, int size);
+extern void *grealloc(void *p, size_t size);
/*
* Same as free, but checks for and ignores NULL pointers.