Attachment #59898 for bug #90067

View | Details | Raw Unified | Return to bug 90067
Collapse All | Expand All

Lines 7-13 Link Here

(-)Makefile (-1 / +1 lines)
7		7
8	PORTNAME= teTeX-base	8	PORTNAME= teTeX-base
9	PORTVERSION= 3.0	9	PORTVERSION= 3.0
10	PORTREVISION= 5	10	PORTREVISION= 6
11	CATEGORIES= print	11	CATEGORIES= print
12	MASTER_SITES= ${MASTER_SITE_TEX_CTAN} \	12	MASTER_SITES= ${MASTER_SITE_TEX_CTAN} \
13	ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/dvips/:1	13	ftp://ftp.ascii.co.jp/pub/TeX/ascii-ptex/dvips/:1

Lines 1-2 Link Here

(-)distinfo (+1 lines)
1	MD5 (teTeX/tetex-src-3.0.tar.gz) = 944a4641e79e61043fdaf8f38ecbb4b3	1	MD5 (teTeX/tetex-src-3.0.tar.gz) = 944a4641e79e61043fdaf8f38ecbb4b3
		2	SHA256 (teTeX/tetex-src-3.0.tar.gz) = 9c0f7eaeb5ba6dc6f66433404d264941bf95cded2fa798b1f7a9dd580c21649b
2	SIZE (teTeX/tetex-src-3.0.tar.gz) = 12749314	3	SIZE (teTeX/tetex-src-3.0.tar.gz) = 12749314




--- libs/xpdf/xpdf/JPXStream.cc.orig	Mon May 17 15:11:49 2004
+++ libs/xpdf/xpdf/JPXStream.cc	Tue Dec  6 18:07:18 2005
@@ -666,7 +666,7 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
-  Guint segLen, capabilities, comp, i, j, r;
+  Guint segLen, capabilities, nTiles, comp, i, j, r;
 
   //----- main header
   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +701,13 @@
 	            / img.xTileSize;
       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
 	            / img.yTileSize;
-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-				     sizeof(JPXTile));
+      nTiles = img.nXTiles * img.nYTiles;
+      // check for overflow before allocating memory
+      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+        error(getPos(), "Bad tile count in JPX SIZ marker segment");
+        return gFalse;
+      }
+      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
 							sizeof(JPXTileComp));
--- libs/xpdf/xpdf/Stream.cc.orig	Mon May 17 16:37:57 2004
+++ libs/xpdf/xpdf/Stream.cc	Tue Dec  6 18:05:14 2005
@@ -407,18 +407,33 @@
 
 StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
 				 int widthA, int nCompsA, int nBitsA) {
+  int totalBits;
+
   str = strA;
   predictor = predictorA;
   width = widthA;
   nComps = nCompsA;
   nBits = nBitsA;
+  predLine = NULL;
+  ok = gFalse;
 
   nVals = width * nComps;
+  totalBits = nVals * nBits;
+  if (totalBits == 0 ||
+      (totalBits / nBits) / nComps != width ||
+      totalBits + 7 < 0) {
+    return;
+  }
   pixBytes = (nComps * nBits + 7) >> 3;
-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+  if (rowBytes < 0) {
+    return;
+  }
   predLine = (Guchar *)gmalloc(rowBytes);
   memset(predLine, 0, rowBytes);
   predIdx = rowBytes;
+
+  ok = gTrue;
 }
 
 StreamPredictor::~StreamPredictor() {
@@ -1012,6 +1027,10 @@
     FilterStream(strA) {
   if (predictor != 1) {
     pred = new StreamPredictor(this, predictor, columns, colors, bits);
+    if (!pred->isOk()) {
+      delete pred;
+      pred = NULL;
+    }
   } else {
     pred = NULL;
   }
@@ -2897,6 +2916,14 @@
   height = read16();
   width = read16();
   numComps = str->getChar();
+  if (numComps <= 0 || numComps > 4) {
+    error(getPos(), "Bad number of components in DCT stream", prec);
+    return gFalse;
+  }
+  if (numComps <= 0 || numComps > 4) {
+    error(getPos(), "Bad number of components in DCT stream", prec);
+    return gFalse;
+  }
   if (prec != 8) {
     error(getPos(), "Bad DCT precision %d", prec);
     return gFalse;
@@ -3255,6 +3282,10 @@
     FilterStream(strA) {
   if (predictor != 1) {
     pred = new StreamPredictor(this, predictor, columns, colors, bits);
+    if (!pred->isOk()) {
+      delete pred;
+      pred = NULL;
+    }
   } else {
     pred = NULL;
   }
--- libs/xpdf/xpdf/Stream.h.orig	Mon May 17 16:37:57 2004
+++ libs/xpdf/xpdf/Stream.h	Tue Dec  6 18:05:14 2005
@@ -233,6 +233,8 @@
 
   ~StreamPredictor();
 
+  GBool isOk() { return ok; }
+
   int lookChar();
   int getChar();
 
@@ -250,6 +252,7 @@
   int rowBytes;			// bytes per line
   Guchar *predLine;		// line buffer
   int predIdx;			// current index in predLine
+  GBool ok;
 };
 
 //------------------------------------------------------------------------

Return to bug 90067

Added Link Here

(-)files/patch-SA17897 (+120 lines)
1	--- libs/xpdf/xpdf/JPXStream.cc.orig Mon May 17 15:11:49 2004
2	+++ libs/xpdf/xpdf/JPXStream.cc Tue Dec 6 18:07:18 2005
3	@@ -666,7 +666,7 @@
4	int segType;
5	GBool haveSIZ, haveCOD, haveQCD, haveSOT;
6	Guint precinctSize, style;
7	- Guint segLen, capabilities, comp, i, j, r;
8	+ Guint segLen, capabilities, nTiles, comp, i, j, r;
9
10	//----- main header
11	haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
12	@@ -701,8 +701,13 @@
13	/ img.xTileSize;
14	img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
15	/ img.yTileSize;
16	- img.tiles = (JPXTile )gmalloc(img.nXTiles img.nYTiles *
17	- sizeof(JPXTile));
18	+ nTiles = img.nXTiles * img.nYTiles;
19	+ // check for overflow before allocating memory
20	+ if (nTiles == 0 \|\| nTiles / img.nXTiles != img.nYTiles) {
21	+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
22	+ return gFalse;
23	+ }
24	+ img.tiles = (JPXTile )gmalloc(nTiles sizeof(JPXTile));
25	for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
26	img.tiles[i].tileComps = (JPXTileComp )gmalloc(img.nComps
27	sizeof(JPXTileComp));
28	--- libs/xpdf/xpdf/Stream.cc.orig Mon May 17 16:37:57 2004
29	+++ libs/xpdf/xpdf/Stream.cc Tue Dec 6 18:05:14 2005
30	@@ -407,18 +407,33 @@
31
32	StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
33	int widthA, int nCompsA, int nBitsA) {
34	+ int totalBits;
35	+
36	str = strA;
37	predictor = predictorA;
38	width = widthA;
39	nComps = nCompsA;
40	nBits = nBitsA;
41	+ predLine = NULL;
42	+ ok = gFalse;
43
44	nVals = width * nComps;
45	+ totalBits = nVals * nBits;
46	+ if (totalBits == 0 \|\|
47	+ (totalBits / nBits) / nComps != width \|\|
48	+ totalBits + 7 < 0) {
49	+ return;
50	+ }
51	pixBytes = (nComps * nBits + 7) >> 3;
52	- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
53	+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
54	+ if (rowBytes < 0) {
55	+ return;
56	+ }
57	predLine = (Guchar *)gmalloc(rowBytes);
58	memset(predLine, 0, rowBytes);
59	predIdx = rowBytes;
60	+
61	+ ok = gTrue;
62	}
63
64	StreamPredictor::~StreamPredictor() {
65	@@ -1012,6 +1027,10 @@
66	FilterStream(strA) {
67	if (predictor != 1) {
68	pred = new StreamPredictor(this, predictor, columns, colors, bits);
69	+ if (!pred->isOk()) {
70	+ delete pred;
71	+ pred = NULL;
72	+ }
73	} else {
74	pred = NULL;
75	}
76	@@ -2897,6 +2916,14 @@
77	height = read16();
78	width = read16();
79	numComps = str->getChar();
80	+ if (numComps <= 0 \|\| numComps > 4) {
81	+ error(getPos(), "Bad number of components in DCT stream", prec);
82	+ return gFalse;
83	+ }
84	+ if (numComps <= 0 \|\| numComps > 4) {
85	+ error(getPos(), "Bad number of components in DCT stream", prec);
86	+ return gFalse;
87	+ }
88	if (prec != 8) {
89	error(getPos(), "Bad DCT precision %d", prec);
90	return gFalse;
91	@@ -3255,6 +3282,10 @@
92	FilterStream(strA) {
93	if (predictor != 1) {
94	pred = new StreamPredictor(this, predictor, columns, colors, bits);
95	+ if (!pred->isOk()) {
96	+ delete pred;
97	+ pred = NULL;
98	+ }
99	} else {
100	pred = NULL;
101	}
102	--- libs/xpdf/xpdf/Stream.h.orig Mon May 17 16:37:57 2004
103	+++ libs/xpdf/xpdf/Stream.h Tue Dec 6 18:05:14 2005
104	@@ -233,6 +233,8 @@
105
106	~StreamPredictor();
107
108	+ GBool isOk() { return ok; }
109	+
110	int lookChar();
111	int getChar();
112
113	@@ -250,6 +252,7 @@
114	int rowBytes; // bytes per line
115	Guchar *predLine; // line buffer
116	int predIdx; // current index in predLine
117	+ GBool ok;
118	};
119
120	//------------------------------------------------------------------------