From 85e477d32d3461465487a9b68a98526b7c3d5d9e Mon Sep 17 00:00:00 2001 From: Rene Wagner Date: Sun, 13 Aug 2006 02:16:17 +0200 Subject: [PATCH 1/1] gpdf: add 2.10.0-4 from Debian. Signed-off-by: Rene Wagner --- .../packages/gpdf/files/000-checks.patch | 108 +++++++ .../packages/gpdf/files/005-gcc4.patch | 17 ++ .../gpdf/files/006_CAN-2005-3191.patch | 284 ++++++++++++++++++ .../gpdf/files/007_CVE-2006-0301.patch | 38 +++ .../gpdf/files/008_security_upstream.patch | 138 +++++++++ .../packages/gpdf/files/010-forward.patch | 29 ++ .../gpdf/files/015-CAN-2005-0064.patch | 44 +++ .../016_CAN-2005-2097-loca-table-sanity.patch | 29 ++ .../packages/gpdf/gpdf_2.10.0-4.bb | 23 ++ 9 files changed, 710 insertions(+) create mode 100644 org.handhelds.familiar/packages/gpdf/files/000-checks.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/005-gcc4.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/006_CAN-2005-3191.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/007_CVE-2006-0301.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/008_security_upstream.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/010-forward.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/015-CAN-2005-0064.patch create mode 100644 org.handhelds.familiar/packages/gpdf/files/016_CAN-2005-2097-loca-table-sanity.patch create mode 100644 org.handhelds.familiar/packages/gpdf/gpdf_2.10.0-4.bb diff --git a/org.handhelds.familiar/packages/gpdf/files/000-checks.patch b/org.handhelds.familiar/packages/gpdf/files/000-checks.patch new file mode 100644 index 0000000..9a23aa3 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/000-checks.patch @@ -0,0 +1,108 @@ +--- xpdf/Catalog.cc.orig ++++ xpdf/Catalog.cc +@@ -13,6 +13,7 @@ + #endif + + #include ++#include + #include "gmem.h" + #include "Object.h" + #include "XRef.h" +@@ -64,10 +65,8 @@ + } + pagesSize = numPages0 = (int)obj.getNum(); + obj.free(); +- // The gcc doesnt optimize this away, so this check is ok, +- // even if it looks like a pagesSize != pagesSize check +- if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize || +- pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) { ++ if (pagesSize >= INT_MAX/sizeof(Page *) || ++ pagesSize >= INT_MAX/sizeof(Ref)) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; +@@ -200,8 +199,8 @@ + } + if (start >= pagesSize) { + pagesSize += 32; +- if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize || +- pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) { ++ if (pagesSize >= INT_MAX/sizeof(Page *) || ++ pagesSize >= INT_MAX/sizeof(Ref)) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } +--- xpdf/XRef.cc.orig ++++ xpdf/XRef.cc +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include "gmem.h" + #include "Object.h" + #include "Stream.h" +@@ -110,7 +111,7 @@ + goto err1; + } + +- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) { ++ if (nObjects >= INT_MAX/sizeof(int)) { + error(-1, "Invalid 'nObjects'"); + goto err1; + } +@@ -138,8 +139,7 @@ + offsets[i] = obj2.getInt(); + obj1.free(); + obj2.free(); +- if (objNums[i] < 0 || offsets[i] < 0 || +- (i > 0 && offsets[i] < offsets[i-1])) { ++ if (objNums[i]<0 || offsets[i]<0 || (i>0 && offsets[i]= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'obj' parameters'"); + goto err1; + } +@@ -503,7 +503,7 @@ + goto err1; + } + if (newSize > size) { +- if (newSize * (int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { ++ if (newSize >= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'size' parameter."); + return gFalse; + } +@@ -597,7 +597,7 @@ + if (newSize < 0) { + return gFalse; + } +- if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { ++ if (newSize >= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'size' inside xref table."); + return gFalse; + } +@@ -736,7 +736,7 @@ + error(-1, "Bad object number"); + return gFalse; + } +- if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { ++ if (newSize >= INT_MAX/sizeof(XRefEntry)) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } +@@ -763,7 +763,7 @@ + } else if (!strncmp(p, "endstream", 9)) { + if (streamEndsLen == streamEndsSize) { + streamEndsSize += 64; +- if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) { ++ if (streamEndsSize >= INT_MAX/sizeof(int)) { + error(-1, "Invalid 'endstream' parameter."); + return gFalse; + } diff --git a/org.handhelds.familiar/packages/gpdf/files/005-gcc4.patch b/org.handhelds.familiar/packages/gpdf/files/005-gcc4.patch new file mode 100644 index 0000000..467d27b --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/005-gcc4.patch @@ -0,0 +1,17 @@ +--- xpdf/gpdf-control.cc.orig ++++ xpdf/gpdf-control.cc +@@ -209,12 +209,12 @@ + const gchar * status) + { + GPdfControlPrivate *priv; +- guint to_id; ++ gulong to_id; + + g_return_if_fail (GPDF_IS_NON_NULL_CONTROL (control)); + priv = control->priv; + +- if ((to_id = (unsigned int) ++ if ((to_id = (gulong) + g_object_get_data (G_OBJECT (control), + "status-timeout-id")) != 0) { + g_object_set_data (G_OBJECT (control), diff --git a/org.handhelds.familiar/packages/gpdf/files/006_CAN-2005-3191.patch b/org.handhelds.familiar/packages/gpdf/files/006_CAN-2005-3191.patch new file mode 100644 index 0000000..7573022 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/006_CAN-2005-3191.patch @@ -0,0 +1,284 @@ +diff -u -p -Nr --exclude CVS xpdf/JBIG2Stream.cc xpdf/JBIG2Stream.cc +--- xpdf/JBIG2Stream.cc 2004-05-17 20:11:43.000000000 +0200 ++++ xpdf/JBIG2Stream.cc 2005-12-15 13:38:04.000000000 +0100 +@@ -7,6 +7,7 @@ + //======================================================================== + + #include ++#include + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -681,7 +682,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = wA; + h = hA; + line = (wA + 7) >> 3; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) ++ data = NULL; ++ else { ++ // need to allocate one extra guard byte for use in combine() ++ data = (Guchar *)gmalloc(h * line + 1); ++ data[h * line] = 0; ++ } + } + + JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): +@@ -690,8 +698,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + w = bitmap->w; + h = bitmap->h; + line = bitmap->line; +- data = (Guchar *)gmalloc(h * line); ++ ++ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) { ++ data = NULL; ++ return; ++ } ++ ++ data = (Guchar *)gmalloc(h * line + 1); ++ + memcpy(data, bitmap->data, h * line); ++ data[h * line] = 0; + } + + JBIG2Bitmap::~JBIG2Bitmap() { +@@ -716,10 +732,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint + } + + void JBIG2Bitmap::expand(int newH, Guint pixel) { +- if (newH <= h) { ++ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) { + return; + } +- data = (Guchar *)grealloc(data, newH * line); ++ data = (Guchar *)grealloc(data, newH * line + 1); + if (pixel) { + memset(data + h * line, 0xff, (newH - h) * line); + } else { +@@ -2256,6 +2272,16 @@ void JBIG2Stream::readHalftoneRegionSeg( + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); + return; + } ++ ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad size in JBIG2 halftone segment"); ++ return; ++ } ++ if (w == 0 || h >= INT_MAX / w) { ++ error(getPos(), "Bad size in JBIG2 bitmap segment"); ++ return; ++ } ++ + patternDict = (JBIG2PatternDict *)seg; + bpp = 0; + i = 1; +@@ -2887,6 +2913,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef + JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; + int x, y, pix; + ++ if (w < 0 || h <= 0 || w >= INT_MAX / h) ++ return NULL; ++ + bitmap = new JBIG2Bitmap(0, w, h); + bitmap->clearToZero(); + +diff -u -p -Nr --exclude CVS xpdf/JPXStream.cc xpdf/JPXStream.cc +--- xpdf/JPXStream.cc 2004-05-17 20:11:49.000000000 +0200 ++++ xpdf/JPXStream.cc 2005-12-15 13:23:59.000000000 +0100 +@@ -7,6 +7,7 @@ + //======================================================================== + + #include ++#include + + #ifdef USE_GCC_PRAGMAS + #pragma implementation +@@ -666,7 +667,7 @@ GBool JPXStream::readCodestream(Guint le + int segType; + GBool haveSIZ, haveCOD, haveQCD, haveSOT; + Guint precinctSize, style; +- Guint segLen, capabilities, comp, i, j, r; ++ Guint segLen, capabilities, nTiles, comp, i, j, r; + + //----- main header + haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; +@@ -701,7 +702,19 @@ GBool JPXStream::readCodestream(Guint le + / img.xTileSize; + img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) + / img.yTileSize; +- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * ++ // check for overflow before allocating memory ++ if (img.nXTiles <= 0 || img.nYTiles <= 0 || ++ img.nXTiles >= INT_MAX/img.nYTiles) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ nTiles = img.nXTiles * img.nYTiles; ++ // check for overflow before allocating memory ++ if (nTiles == 0 || nTiles >= INT_MAX/sizeof(JPXTile)) { ++ error(getPos(), "Bad tile count in JPX SIZ marker segment"); ++ return gFalse; ++ } ++ img.tiles = (JPXTile *)gmalloc(nTiles * + sizeof(JPXTile)); + for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { + img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * +diff -u -p -Nr --exclude CVS xpdf/Stream.cc xpdf/Stream.cc +--- xpdf/Stream.cc 2004-05-17 21:37:57.000000000 +0200 ++++ xpdf/Stream.cc 2005-12-15 13:40:45.000000000 +0100 +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #ifndef WIN32 + #include + #endif +@@ -407,18 +408,41 @@ void ImageStream::skipLine() { + + StreamPredictor::StreamPredictor(Stream *strA, int predictorA, + int widthA, int nCompsA, int nBitsA) { ++ int totalBits; ++ + str = strA; + predictor = predictorA; + width = widthA; + nComps = nCompsA; + nBits = nBitsA; ++ predLine = NULL; ++ ok = gFalse; + ++ if (width <= 0 || nComps <= 0 || nBits <= 0 || ++ nComps >= INT_MAX/nBits || ++ width >= INT_MAX/nComps/nBits) { ++ return; ++ } + nVals = width * nComps; ++ if (nVals + 7 <= 0) { ++ return; ++ } ++ totalBits = nVals * nBits; ++ if (totalBits == 0 || ++ (totalBits / nBits) / nComps != width || ++ totalBits + 7 < 0) { ++ return; ++ } + pixBytes = (nComps * nBits + 7) >> 3; +- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ++ rowBytes = ((totalBits + 7) >> 3) + pixBytes; ++ if (rowBytes < 0) { ++ return; ++ } + predLine = (Guchar *)gmalloc(rowBytes); + memset(predLine, 0, rowBytes); + predIdx = rowBytes; ++ ++ ok = gTrue; + } + + StreamPredictor::~StreamPredictor() { +@@ -1012,6 +1036,10 @@ LZWStream::LZWStream(Stream *strA, int p + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +@@ -1260,6 +1288,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s + endOfLine = endOfLineA; + byteAlign = byteAlignA; + columns = columnsA; ++ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) { ++ error(getPos(), "Bad number of columns in CCITTFaxStream"); ++ exit(1); ++ } + rows = rowsA; + endOfBlock = endOfBlockA; + black = blackA; +@@ -2897,6 +2929,11 @@ GBool DCTStream::readBaselineSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream", prec); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2923,6 +2960,11 @@ GBool DCTStream::readProgressiveSOF() { + height = read16(); + width = read16(); + numComps = str->getChar(); ++ if (numComps <= 0 || numComps > 4) { ++ numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + if (prec != 8) { + error(getPos(), "Bad DCT precision %d", prec); + return gFalse; +@@ -2945,6 +2987,11 @@ GBool DCTStream::readScanInfo() { + + length = read16() - 2; + scanInfo.numComps = str->getChar(); ++ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { ++ scanInfo.numComps = 0; ++ error(getPos(), "Bad number of components in DCT stream"); ++ return gFalse; ++ } + --length; + if (length != 2 * scanInfo.numComps + 3) { + error(getPos(), "Bad DCT scan info block"); +@@ -3019,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() { + while (length > 0) { + index = str->getChar(); + --length; +- if ((index & 0x0f) >= 4) { ++ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { + error(getPos(), "Bad DCT Huffman table"); + return gFalse; + } + if (index & 0x10) { +- index &= 0x0f; ++ index &= 0x03; + if (index >= numACHuffTables) + numACHuffTables = index+1; + tbl = &acHuffTables[index]; +@@ -3255,6 +3302,10 @@ FlateStream::FlateStream(Stream *strA, i + FilterStream(strA) { + if (predictor != 1) { + pred = new StreamPredictor(this, predictor, columns, colors, bits); ++ if (!pred->isOk()) { ++ delete pred; ++ pred = NULL; ++ } + } else { + pred = NULL; + } +diff -u -p -Nr --exclude CVS xpdf/Stream.h xpdf/Stream.h +--- xpdf/Stream.h 2004-05-17 21:37:57.000000000 +0200 ++++ xpdf/Stream.h 2005-12-15 13:23:59.000000000 +0100 +@@ -233,6 +233,8 @@ public: + + ~StreamPredictor(); + ++ GBool isOk() { return ok; } ++ + int lookChar(); + int getChar(); + +@@ -250,6 +252,7 @@ private: + int rowBytes; // bytes per line + Guchar *predLine; // line buffer + int predIdx; // current index in predLine ++ GBool ok; + }; + + //------------------------------------------------------------------------ diff --git a/org.handhelds.familiar/packages/gpdf/files/007_CVE-2006-0301.patch b/org.handhelds.familiar/packages/gpdf/files/007_CVE-2006-0301.patch new file mode 100644 index 0000000..ad1be76 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/007_CVE-2006-0301.patch @@ -0,0 +1,38 @@ +diff -u -p -Nr --exclude CVS splash/Splash.cc splash/Splash.cc +--- splash/Splash.cc 2004-05-17 20:10:49.000000000 +0200 ++++ splash/Splash.cc 2006-02-04 17:54:51.000000000 +0100 +@@ -734,6 +734,10 @@ void Splash::drawPixel(int x, int y, Spl + SplashMono1P *mono1; + SplashBGR8P *bgr8; + ++ if ( (unsigned) x >= (unsigned) bitmap->getWidth() || ++ (unsigned) y >= (unsigned) bitmap->getHeight()) ++ return; ++ + if (noClip || state->clip->test(x, y)) { + color = pattern->getColor(x, y); + switch (bitmap->mode) { +@@ -771,6 +775,11 @@ void Splash::drawSpan(int x0, int x1, in + SplashMono1 mask1; + int i, j, n; + ++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() || ++ (unsigned) x1 >= (unsigned) bitmap->getWidth() || ++ (unsigned) y >= (unsigned) bitmap->getHeight()) ++ return; ++ + n = x1 - x0 + 1; + + switch (bitmap->mode) { +@@ -858,6 +867,11 @@ void Splash::xorSpan(int x0, int x1, int + + n = x1 - x0 + 1; + ++ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() || ++ (unsigned) x1 >= (unsigned) bitmap->getWidth() || ++ (unsigned) y >= (unsigned) bitmap->getHeight()) ++ return; ++ + switch (bitmap->mode) { + case splashModeMono1: + mono1 = &bitmap->data.mono8[y * bitmap->rowSize + (x0 >> 3)]; diff --git a/org.handhelds.familiar/packages/gpdf/files/008_security_upstream.patch b/org.handhelds.familiar/packages/gpdf/files/008_security_upstream.patch new file mode 100644 index 0000000..4ca67d4 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/008_security_upstream.patch @@ -0,0 +1,138 @@ +diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/goo/gmem.c gpdf-2.8.2/goo/gmem.c +--- goo/gmem.c 2003-04-01 21:47:07.000000000 +0200 ++++ goo/gmem.c 2006-02-14 09:07:50.000000000 +0100 +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include "gmem.h" + + #ifdef DEBUG_MEM +@@ -62,7 +63,7 @@ void *gmalloc(int size) { + int lst; + unsigned long *trl, *p; + +- if (size == 0) ++ if (size <= 0) + return NULL; + size1 = gMemDataSize(size); + if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) { +@@ -84,7 +85,7 @@ void *gmalloc(int size) { + #else + void *p; + +- if (size == 0) ++ if (size <= 0) + return NULL; + if (!(p = malloc(size))) { + fprintf(stderr, "Out of memory\n"); +@@ -100,7 +101,7 @@ void *grealloc(void *p, int size) { + void *q; + int oldSize; + +- if (size == 0) { ++ if (size <= 0) { + if (p) + gfree(p); + return NULL; +@@ -118,7 +119,7 @@ void *grealloc(void *p, int size) { + #else + void *q; + +- if (size == 0) { ++ if (size <= 0) { + if (p) + free(p); + return NULL; +diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/splash/SplashXPathScanner.cc gpdf-2.8.2/splash/SplashXPathScanner.cc +--- splash/SplashXPathScanner.cc 2004-05-17 20:10:56.000000000 +0200 ++++ splash/SplashXPathScanner.cc 2006-02-14 08:58:47.000000000 +0100 +@@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; + } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; ++ } ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { +diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/JBIG2Stream.cc gpdf-2.8.2/xpdf/JBIG2Stream.cc +--- xpdf/JBIG2Stream.cc 2006-02-14 08:53:37.000000000 +0100 ++++ xpdf/JBIG2Stream.cc 2006-02-14 09:16:42.000000000 +0100 +@@ -683,7 +683,7 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, + h = hA; + line = (wA + 7) >> 3; + +- if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) ++ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) + data = NULL; + else { + // need to allocate one extra guard byte for use in combine() +@@ -2262,6 +2262,15 @@ void JBIG2Stream::readHalftoneRegionSeg( + goto eofError; + } + ++ if (w == 0 || h == 0 || w >= INT_MAX / h) { ++ error(getPos(), "Bad bitmap size in JBIG2 halftone segment"); ++ return; ++ } ++ if (gridH == 0 || gridW >= INT_MAX / gridH) { ++ error(getPos(), "Bad grid size in JBIG2 halftone segment"); ++ return; ++ } ++ + // get pattern dictionary + if (nRefSegs != 1) { + error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); +diff -u -p -Nr --exclude CVS gpdf-2.8.2.orig/xpdf/Stream.h gpdf-2.8.2/xpdf/Stream.h +--- xpdf/Stream.h 2006-02-14 08:53:37.000000000 +0100 ++++ xpdf/Stream.h 2006-02-14 09:26:48.000000000 +0100 +@@ -534,7 +534,7 @@ private: + short getWhiteCode(); + short getBlackCode(); + short lookBits(int n); +- void eatBits(int n) { inputBits -= n; } ++ void eatBits(int n) { if ((inputBits -= n) < 0) inputBits = 0; } + }; + + //------------------------------------------------------------------------ diff --git a/org.handhelds.familiar/packages/gpdf/files/010-forward.patch b/org.handhelds.familiar/packages/gpdf/files/010-forward.patch new file mode 100644 index 0000000..797e972 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/010-forward.patch @@ -0,0 +1,29 @@ +--- gpdf-2.8.2.orig/xpdf/TextOutputDev.h ++++ gpdf-2.8.2/xpdf/TextOutputDev.h +@@ -166,6 +166,8 @@ + // TextLine + //------------------------------------------------------------------------ + ++class TextBlock; ++ + class TextLine { + public: + +@@ -223,6 +225,8 @@ + // TextBlock + //------------------------------------------------------------------------ + ++class TextPage; ++ + class TextBlock { + public: + +@@ -342,6 +346,8 @@ + // TextPage + //------------------------------------------------------------------------ + ++class TextLineFrag; ++ + class TextPage { + public: + diff --git a/org.handhelds.familiar/packages/gpdf/files/015-CAN-2005-0064.patch b/org.handhelds.familiar/packages/gpdf/files/015-CAN-2005-0064.patch new file mode 100644 index 0000000..3fc35f9 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/015-CAN-2005-0064.patch @@ -0,0 +1,44 @@ +--- gpdf-2.8.2.orig/xpdf/Decrypt.cc ++++ gpdf-2.8.2/xpdf/Decrypt.cc +@@ -73,6 +73,11 @@ + Guchar fx, fy; + int len, i, j; + ++ // check whether we have non-zero keyLength ++ if ( !keyLength ) { ++ return gFalse; ++ } ++ + // try using the supplied owner password to generate the user password + *ownerPasswordOk = gFalse; + if (ownerPassword) { +@@ -98,7 +103,7 @@ + } else { + memcpy(test2, ownerKey->getCString(), 32); + for (i = 19; i >= 0; --i) { +- for (j = 0; j < keyLength; ++j) { ++ for (j = 0; j < keyLength && j < 16; ++j) { + tmpKey[j] = test[j] ^ i; + } + rc4InitKey(tmpKey, keyLength, fState); +@@ -135,6 +140,11 @@ + int len, i, j; + GBool ok; + ++ // check whether we have non-zero keyLength ++ if ( !keyLength ) { ++ return gFalse; ++ } ++ + // generate file key + buf = (Guchar *)gmalloc(68 + fileID->getLength()); + if (userPassword) { +@@ -172,7 +182,7 @@ + } else if (encRevision == 3) { + memcpy(test, userKey->getCString(), 32); + for (i = 19; i >= 0; --i) { +- for (j = 0; j < keyLength; ++j) { ++ for (j = 0; j < keyLength && j < 16; ++j) { + tmpKey[j] = fileKey[j] ^ i; + } + rc4InitKey(tmpKey, keyLength, fState); diff --git a/org.handhelds.familiar/packages/gpdf/files/016_CAN-2005-2097-loca-table-sanity.patch b/org.handhelds.familiar/packages/gpdf/files/016_CAN-2005-2097-loca-table-sanity.patch new file mode 100644 index 0000000..d1d1e81 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/files/016_CAN-2005-2097-loca-table-sanity.patch @@ -0,0 +1,29 @@ +--- gpdf-2.8.2.orig/fofi/FoFiTrueType.cc ++++ gpdf-2.8.2/fofi/FoFiTrueType.cc +@@ -1343,6 +1343,26 @@ + return; + } + ++ // make sure the loca table is sane (correct length and entries are ++ // in bounds) ++ i = seekTable("loca"); ++ if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) { ++ parsedOk = gFalse; ++ return; ++ } ++ for (j = 0; j <= nGlyphs; ++j) { ++ if (locaFmt) { ++ pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk); ++ } else { ++ pos = getU16BE(tables[i].offset + j*2, &parsedOk); ++ } ++ if (pos < 0 || pos > len) { ++ parsedOk = gFalse; ++ } ++ } ++ if (!parsedOk) { ++ return; ++ } + // read the post table + readPostTable(); + if (!parsedOk) { diff --git a/org.handhelds.familiar/packages/gpdf/gpdf_2.10.0-4.bb b/org.handhelds.familiar/packages/gpdf/gpdf_2.10.0-4.bb new file mode 100644 index 0000000..c25eec7 --- /dev/null +++ b/org.handhelds.familiar/packages/gpdf/gpdf_2.10.0-4.bb @@ -0,0 +1,23 @@ +DESCRIPTION = "Portable Document Format (PDF) viewer" +LICENSE = "GPL" +SECTION = "x11/utils" + +inherit gnome debian-vampyre + +DEPENDS += "gtk+ libgnomeui libbonoboui gnome-vfs gconf gettext libglade \ + libgnomeprint libgnomeprintui gnome-common" + +DSRC_URI += "file://000-checks.patch;patch=1;pnum=0 \ + file://005-gcc4.patch;patch=1;pnum=0 \ + file://006_CAN-2005-3191.patch;patch=1;pnum=0 \ + file://007_CVE-2006-0301.patch;patch=1;pnum=0 \ + file://008_security_upstream.patch;patch=1;pnum=0 \ + file://010-forward.patch;patch=1 \ + file://015-CAN-2005-0064.patch;patch=1 \ + file://016_CAN-2005-2097-loca-table-sanity.patch;patch=1" + +EXTRA_OECONF = "--disable-schemas-install" + +do_configure_prepend () { + cp ${STAGING_DIR}/${HOST_SYS}/share/gnome-common/data/omf.make ${S}/help +} -- 2.41.0