author | Matsuu Takuto <matsuu@gentoo.org> | 2005-01-19 23:15:48 +0000 |
---|---|---|
committer | Matsuu Takuto <matsuu@gentoo.org> | 2005-01-19 23:15:48 +0000 |
commit | 9ccfe80e6f251daad0ecfc2d1ad797cd6cf796b7 (patch) | |
tree | 6d8bc3e0710d211194765f381d2323970e606575 /app-text/ptex/files/xpdf2-underflow.patch | |
parent | Remove amavisd-new-20041222.ebuild. (diff) | |
Security bump; Bug #75801.
Diffstat (limited to 'app-text/ptex/files/xpdf2-underflow.patch')
-rw-r--r-- | app-text/ptex/files/xpdf2-underflow.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/app-text/ptex/files/xpdf2-underflow.patch b/app-text/ptex/files/xpdf2-underflow.patch
new file mode 100644
index 000000000000..9371be84352e
--- /dev/null
+++ b/app-text/ptex/files/xpdf2-underflow.patch
@@ -0,0 +1,81 @@
+diff -ru xpdf-2.02pl1/xpdf/XRef.cc xpdf-2.02pl1/xpdf/XRef.cc
+--- xpdf-2.02pl1/xpdf/XRef.cc 2004-10-29 15:16:45.790089001 +0200
++++ xpdf-2.02pl1/xpdf/XRef.cc 2004-10-29 15:11:54.132168025 +0200
+@@ -66,6 +66,8 @@
+ start = str->getStart();
+ pos = readTrailer();
+
++ entries = NULL;
++
+ // if there was a problem with the trailer,
+ // try to reconstruct the xref table
+ if (pos == 0) {
+@@ -76,7 +78,7 @@
+
+ // trailer is ok - read the xref table
+ } else {
+- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
++ if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ errCode = errDamaged;
+@@ -181,7 +183,7 @@
+ n = atoi(p);
+ while ('0' <= *p && *p <= '9') ++p;
+ while (isspace(*p)) ++p;
+- if (p == buf)
++ if ((p == buf) || (n < 0)) /* must make progress */
+ return 0;
+ pos1 += (p - buf) + n * 20;
+ }
+@@ -255,6 +257,10 @@
+ }
+ s[i] = '\0';
+ first = atoi(s);
++ if (first < 0) {
++ error(-1, "Invalid 'first'");
++ goto err2;
++ }
+ while ((c = str->lookChar()) != EOF && isspace(c)) {
+ str->getChar();
+ }
+@@ -266,6 +272,10 @@
+ }
+ s[i] = '\0';
+ n = atoi(s);
++ if (n<=0) {
++ error(-1, "Invalid 'n'");
++ goto err2;
++ }
+ while ((c = str->lookChar()) != EOF && isspace(c)) {
+ str->getChar();
+ }
+@@ -273,7 +283,7 @@
+ // table size
+ if (first + n > size) {
+ newSize = size + 256;
+- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) {
+ error(-1, "Invalid 'newSize'");
+ goto err2;
+ }
+@@ -406,6 +416,10 @@
+ // look for object
+ } else if (isdigit(*p)) {
+ num = atoi(p);
++ if (num < 0) {
++ error(-1, "Invalid 'num' parameters.");
++ return gFalse;
++ }
+ do {
+ ++p;
+ } while (*p && isdigit(*p));
+@@ -425,7 +439,7 @@
+ if (!strncmp(p, "obj", 3)) {
+ if (num >= size) {
+ newSize = (num + 1 + 255) & ~255;
+- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ } |
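Review bot: In the inner hunk at `@@ -273,7 +283,7 @@` the sum `first + n` is still unchecked: the added guards reject only `first < 0` and `n <= 0`, so two large values returned by `atoi` can overflow the signed addition, and the table is grown to a fixed `size + 256` rather than to something derived from `first + n`. I would add `if (first > INT_MAX - n) { error(-1, "Invalid 'first'"); goto err2; }` right after the `n` check and size the reallocation from `first + n`; the code that later indexes the table is outside the hunk, so confirm this against the full function. Separately, the `x*sizeof(XRefEntry)/sizeof(XRefEntry) != x` tests are evaluated in `size_t`, so on LP64 targets they probably never fire for a non-negative `int`; if the allocator takes an `int` byte count (not visible here), comparing against `INT_MAX / sizeof(XRefEntry)` would be the stricter test. All of the enclosing functions begin and end outside the inner hunks.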