diff options
Diffstat (limited to 'source/t/tetex/tetex.CVE-2005-3193.diff')
| -rw-r--r-- | source/t/tetex/tetex.CVE-2005-3193.diff | 169 |
1 files changed, 0 insertions, 169 deletions
diff --git a/source/t/tetex/tetex.CVE-2005-3193.diff b/source/t/tetex/tetex.CVE-2005-3193.diff deleted file mode 100644 index b8f2fad5..00000000 --- a/source/t/tetex/tetex.CVE-2005-3193.diff +++ /dev/null @@ -1,169 +0,0 @@ ---- tetex-src-3.0/libs/xpdf/goo/gmem.c.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100 -+++ tetex-src-3.0/libs/xpdf/goo/gmem.c 2006-01-16 15:41:04.000000000 +0100 -@@ -135,6 +135,28 @@ void *grealloc(void *p, int size) { - #endif - } - -+void *gmallocn(int nObjs, int objSize) { -+ int n; -+ -+ n = nObjs * objSize; -+ if (objSize == 0 || n / objSize != nObjs) { -+ fprintf(stderr, "Bogus memory allocation size\n"); -+ exit(1); -+ } -+ return gmalloc(n); -+} -+ -+void *greallocn(void *p, int nObjs, int objSize) { -+ int n; -+ -+ n = nObjs * objSize; -+ if (objSize == 0 || n / objSize != nObjs) { -+ fprintf(stderr, "Bogus memory allocation size\n"); -+ exit(1); -+ } -+ return grealloc(p, n); -+} -+ - void gfree(void *p) { - #ifdef DEBUG_MEM - int size; ---- tetex-src-3.0/libs/xpdf/goo/gmem.h.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100 -+++ tetex-src-3.0/libs/xpdf/goo/gmem.h 2006-01-16 15:41:04.000000000 +0100 -@@ -28,6 +28,15 @@ extern void *gmalloc(int size); - extern void *grealloc(void *p, int size); - - /* -+ * These are similar to gmalloc and grealloc, but take an object count -+ * and size. The result is similar to allocating nObjs * objSize -+ * bytes, but there is an additional error check that the total size -+ * doesn't overflow an int. -+ */ -+extern void *gmallocn(int nObjs, int objSize); -+extern void *greallocn(void *p, int nObjs, int objSize); -+ -+/* - * Same as free, but checks for and ignores NULL pointers. - */ - extern void gfree(void *p); ---- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 -+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2006-01-16 15:41:04.000000000 +0100 -@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le - int segType; - GBool haveSIZ, haveCOD, haveQCD, haveSOT; - Guint precinctSize, style; -- Guint segLen, capabilities, comp, i, j, r; -+ Guint segLen, capabilities, nTiles, comp, i, j, r; - - //----- main header - haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; -@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le - / img.xTileSize; - img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) - / img.yTileSize; -- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * -- sizeof(JPXTile)); -+ nTiles = img.nXTiles * img.nYTiles; -+ // check for overflow before allocating memory -+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) { -+ error(getPos(), "Bad tile count in JPX SIZ marker segment"); -+ return gFalse; -+ } -+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile)); - for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { - img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * - sizeof(JPXTileComp)); ---- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 -+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2006-01-16 15:41:04.000000000 +0100 -@@ -233,6 +233,8 @@ public: - - ~StreamPredictor(); - -+ GBool isOk() { return ok; } -+ - int lookChar(); - int getChar(); - -@@ -250,6 +252,7 @@ private: - int rowBytes; // bytes per line - Guchar *predLine; // line buffer - int predIdx; // current index in predLine -+ GBool ok; - }; - - //------------------------------------------------------------------------ ---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100 -+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2006-01-16 15:41:04.000000000 +0100 -@@ -407,18 +407,33 @@ void ImageStream::skipLine() { - - StreamPredictor::StreamPredictor(Stream *strA, int predictorA, - int widthA, int nCompsA, int nBitsA) { -+ int totalBits; -+ - str = strA; - predictor = predictorA; - width = widthA; - nComps = nCompsA; - nBits = nBitsA; -+ predLine = NULL; -+ ok = gFalse; - - nVals = width * nComps; -+ totalBits = nVals * nBits; -+ if (totalBits == 0 || -+ (totalBits / nBits) / nComps != width || -+ totalBits + 7 < 0) { -+ return; -+ } - pixBytes = (nComps * nBits + 7) >> 3; -- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; -+ rowBytes = ((totalBits + 7) >> 3) + pixBytes; -+ if (rowBytes < 0) { -+ return; -+ } - predLine = (Guchar *)gmalloc(rowBytes); - memset(predLine, 0, rowBytes); - predIdx = rowBytes; -+ -+ ok = gTrue; - } - - StreamPredictor::~StreamPredictor() { -@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } -@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() { - height = read16(); - width = read16(); - numComps = str->getChar(); -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } -+ if (numComps <= 0 || numComps > 4) { -+ error(getPos(), "Bad number of components in DCT stream", prec); -+ return gFalse; -+ } - if (prec != 8) { - error(getPos(), "Bad DCT precision %d", prec); - return gFalse; -@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i - FilterStream(strA) { - if (predictor != 1) { - pred = new StreamPredictor(this, predictor, columns, colors, bits); -+ if (!pred->isOk()) { -+ delete pred; -+ pred = NULL; -+ } - } else { - pred = NULL; - } |