Miroirs/slackbuilds_ponce
1
0
Fork 0
mirror of https://github.com/Ponce/slackbuilds synced 2024-11-26 22:06:35 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackbuilds_ponce/office/evince/patches/evince-2.32.0-dvi-CVEs.patch
Erik Hanson 9ac6401366 office/evince: Added various patches to fix things. 
No idea which patch(es) fixes the segfault,
  don't really care to find out.

Signed-off-by: Erik Hanson <erik@slackbuilds.org>
2011-05-17 09:54:03 -05:00

97 lines
3.3 KiB
Diff
Raw Blame History

From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
From: José Aliste <jaliste@src.gnome.org>
Date: Tue, 07 Dec 2010 18:56:47 +0000
Subject: backends: Fix several security issues in the dvi-backend.
See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
---
diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
index 164366b..361e23d 100644
--- a/backend/dvi/mdvi-lib/afmparse.c
+++ b/backend/dvi/mdvi-lib/afmparse.c
@@ -160,7 +160,7 @@ static char *token(FILE *stream)
idx = 0;
while (ch != EOF && ch != ' ' && ch != lineterm
- && ch != '\t' && ch != ':' && ch != ';')
+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
{
ident[idx++] = ch;
ch = fgetc(stream);
diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
index 97b7b84..ac98068 100644
--- a/backend/dvi/mdvi-lib/dviread.c
+++ b/backend/dvi/mdvi-lib/dviread.c
@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode)
Int32 arg;
arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
+ if (arg <= 0) {
+ dvierr(dvi, _("malformed special length\n"));
+ return -1;
+ }
s = mdvi_malloc(arg + 1);
dread(dvi, s, arg);
s[arg] = 0;
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
index a579186..08377e6 100644
--- a/backend/dvi/mdvi-lib/pk.c
+++ b/backend/dvi/mdvi-lib/pk.c
@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
}
if(feof(p))
break;
+
+ /* Although the PK format support bigger char codes,
+ * XeTeX and other extended TeX engines support charcodes up to
+ * 65536, while normal TeX engine supports only charcode up to 255.*/
+ if (cc < 0 || cc > 65536) {
+ mdvi_error (_("%s: unexpected charcode (%d)\n"),
+ font->fontname,cc);
+ goto error;
+ }
if(cc < loc)
loc = cc;
if(cc > hic)
@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
}
/* resize font char data */
- if(loc > 0 || hic < maxch-1) {
+ if(loc > 0 && hic < maxch-1) {
memmove(font->chars, font->chars + loc,
(hic - loc + 1) * sizeof(DviFontChar));
font->chars = xresize(font->chars,
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
index 73ebf26..8c2a30b 100644
--- a/backend/dvi/mdvi-lib/tfmfile.c
+++ b/backend/dvi/mdvi-lib/tfmfile.c
@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
/* We read the entire TFM file into core */
if(fstat(fileno(in), &st) < 0)
return -1;
- if(st.st_size == 0)
+ /* according to the spec, TFM files are smaller than 16K */
+ if(st.st_size == 0 || st.st_size >= 16384)
goto bad_tfm;
/* allocate a word-aligned buffer to hold the file */
diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
index fb49847..a5ae3bb 100644
--- a/backend/dvi/mdvi-lib/vf.c
+++ b/backend/dvi/mdvi-lib/vf.c
@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
cc = fuget1(p);
tfm = fuget3(p);
}
+ if (cc < 0 || cc > 65536) {
+ /* TeX engines do not support char codes bigger than 65535 */
+ mdvi_error(_("(vf) %s: unexpected character %d\n"),
+ font->fontname, cc);
+ goto error;
+ }
if(loc < 0 || cc < loc)
loc = cc;
if(hic < 0 || cc > hic)
--
cgit v0.8.3.1
Reference in a new issue View git blame Copy permalink