Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2024-11-16 07:48:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/patches/source/poppler/poppler-0.10.7.CVE-2009-3603_3604_3605_3606_3608_3609.diff
Patrick J Volkerding d8220d28e5 Fri May 25 23:29:36 UTC 2018 
patches/packages/glibc-zoneinfo-2018e-noarch-2_slack13.0.txz:  Rebuilt.
  Handle removal of US/Pacific-New timezone. If we see that the machine is
  using this, it will be automatically switched to US/Pacific.
2018-05-31 15:04:55 -07:00

213 lines
5.5 KiB
Diff
Raw Permalink Blame History

--- ./splash/SplashErrorCodes.h.orig 2009-05-02 07:14:56.000000000 -0500
+++ ./splash/SplashErrorCodes.h 2009-10-28 16:42:00.000000000 -0500
@@ -41,6 +41,8 @@
#define splashErrSingularMatrix 8 // matrix is singular
+#define splashErrBadArg 9 // bad argument
+
#define splashErrZeroImage 9 // image of 0x0
#endif
--- ./splash/SplashBitmap.cc.orig 2009-05-02 07:14:57.000000000 -0500
+++ ./splash/SplashBitmap.cc 2009-10-28 16:44:24.000000000 -0500
@@ -26,6 +26,7 @@
#endif
#include <stdio.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashBitmap.h"
@@ -42,33 +43,55 @@
mode = modeA;
switch (mode) {
case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeRGB8:
case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
break;
case splashModeXBGR8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#if SPLASH_CMYK
case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
break;
#endif
}
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
- data = (SplashColorPtr)gmallocn(rowSize, height);
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
+ data = (SplashColorPtr)gmallocn(height, rowSize);
if (!topDown) {
data += (height - 1) * rowSize;
rowSize = -rowSize;
}
if (alphaA) {
- alpha = (Guchar *)gmalloc(width * height);
+ alpha = (Guchar *)gmallocn(width, height);
} else {
alpha = NULL;
}
--- ./splash/Splash.cc.orig 2009-05-02 07:14:57.000000000 -0500
+++ ./splash/Splash.cc 2009-10-28 16:42:00.000000000 -0500
@@ -27,6 +27,7 @@
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "goo/gmem.h"
#include "SplashErrorCodes.h"
#include "SplashMath.h"
@@ -2001,7 +2002,10 @@
xq = w % scaledWidth;
// allocate pixel buffer
- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
+ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
// initialize the pixel pipe
pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2301,9 +2305,12 @@
xq = w % scaledWidth;
// allocate pixel buffers
- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
+ return splashErrBadArg;
+ }
+ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
if (srcAlpha) {
- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
+ alphaBuf = (Guchar *)gmallocn(yp + 1, w);
} else {
alphaBuf = NULL;
}
--- ./poppler/XRef.cc.orig 2009-05-02 07:14:57.000000000 -0500
+++ ./poppler/XRef.cc 2009-10-28 16:42:00.000000000 -0500
@@ -76,6 +76,8 @@
// generation 0.
ObjectStream(XRef *xref, int objStrNumA);
+ GBool isOk() { return ok; }
+
~ObjectStream();
// Return the object number of this object stream.
@@ -91,6 +93,7 @@
int nObjects; // number of objects in the stream
Object *objs; // the objects (length = nObjects)
int *objNums; // the object numbers (length = nObjects)
+ GBool ok;
};
ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -104,6 +107,7 @@
nObjects = 0;
objs = NULL;
objNums = NULL;
+ ok = gFalse;
if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
goto err1;
@@ -134,6 +138,13 @@
goto err1;
}
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
+ goto err1;
+ }
objs = new Object[nObjects];
objNums = (int *)gmallocn(nObjects, sizeof(int));
offsets = (int *)gmallocn(nObjects, sizeof(int));
@@ -190,10 +201,10 @@
}
gfree(offsets);
+ ok = gTrue;
err1:
objStr.free();
- return;
}
ObjectStream::~ObjectStream() {
@@ -970,6 +981,11 @@
delete objStr;
}
objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
}
objStr->getObject(e->gen, num, obj);
break;
--- ./poppler/PSOutputDev.cc.orig 2009-05-02 07:14:57.000000000 -0500
+++ ./poppler/PSOutputDev.cc 2009-10-28 16:42:00.000000000 -0500
@@ -4502,7 +4502,8 @@
width, -height, height);
// allocate a line buffer
- lineBuf = (Guchar *)gmalloc(4 * width);
+ lineBuf = (Guchar *)gmallocn(width, 4);
+
// set up to process the data stream
imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
--- ./poppler/Stream.cc.orig 2009-05-16 10:27:41.000000000 -0500
+++ ./poppler/Stream.cc 2009-10-28 16:42:00.000000000 -0500
@@ -403,6 +403,10 @@
} else {
imgLineSize = nVals;
}
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
imgIdx = nVals;
}
Reference in a new issue View git blame Copy permalink