Index: head/graphics/xpdf/Makefile =================================================================== --- head/graphics/xpdf/Makefile (revision 127187) +++ head/graphics/xpdf/Makefile (revision 127188) @@ -1,58 +1,58 @@ # New ports collection makefile for: xpdf # Date created: 02 Feb 1996 # Whom: chuckr@glue.umd.edu # # $FreeBSD$ # PORTNAME= xpdf PORTVERSION= 3.00 -PORTREVISION= 5 +PORTREVISION= 6 CATEGORIES= graphics print MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/ \ ${MASTER_SITE_TEX_CTAN} MASTER_SITE_SUBDIR= support/xpdf MAINTAINER= nork@FreeBSD.org COMMENT= Display PDF files, and convert them to other formats BUILD_DEPENDS= freetype-config:${PORTSDIR}/print/freetype2 LIB_DEPENDS= t1.5:${PORTSDIR}/devel/t1lib \ freetype.9:${PORTSDIR}/print/freetype2 RUN_DEPENDS= ${LOCALBASE}/share/ghostscript/fonts/n021003l.pfb:${PORTSDIR}/print/gsfonts USE_X_PREFIX= yes USE_MOTIF= yes USE_GMAKE= yes USE_AUTOCONF_VER= 259 CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL} CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \ LDFLAGS="-L${LOCALBASE}/lib" CONFIGURE_ARGS= --with-gzip --enable-opi --with-x \ --with-t1-library="${LOCALBASE}/lib" \ --with-t1-includes="${LOCALBASE}/include" \ --with-freetype2-library="${LOCALBASE}/lib" \ --with-freetype2-includes="${LOCALBASE}/include/freetype2" .if defined(A4) CONFIGURE_ARGS+= --enable-a4-paper .endif MAN1= pdffonts.1 \ pdfimages.1 \ pdfinfo.1 \ pdftoppm.1 \ pdftops.1 \ pdftotext.1 \ xpdf.1 MAN5= xpdfrc.5 post-install: .if !defined(NOPORTDOCS) @${MKDIR} ${DOCSDIR} .for file in ANNOUNCE CHANGES INSTALL README misc/hello.pdf ${INSTALL_DATA} ${WRKSRC}/${file} ${DOCSDIR} .endfor .endif .include Property changes on: head/graphics/xpdf/Makefile ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.61 \ No newline at end of property +1.62 \ No newline at end of property Index: head/graphics/xpdf/files/patch-security =================================================================== --- head/graphics/xpdf/files/patch-security (revision 127187) +++ head/graphics/xpdf/files/patch-security (revision 127188) @@ -1,333 +1,342 @@ --- xpdf/Catalog.cc.orig 2004-10-18 16:51:35.824126848 +0200 +++ xpdf/Catalog.cc 2004-10-18 16:53:06.634620045 +0200 @@ -64,6 +64,15 @@ } pagesSize = numPages0 = (int)obj.getNum(); obj.free(); + // The gcc doesnt optimize this away, so this check is ok, + // even if it looks like a pagesSize != pagesSize check + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize'"); + ok = gFalse; + return; + } + pages = (Page **)gmalloc(pagesSize * sizeof(Page *)); pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref)); for (i = 0; i < pagesSize; ++i) { @@ -191,6 +200,11 @@ } if (start >= pagesSize) { pagesSize += 32; + if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize || + pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) { + error(-1, "Invalid 'pagesSize' parameter."); + goto err3; + } pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *)); pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref)); for (j = pagesSize - 32; j < pagesSize; ++j) { ---- xpdf/XRef.cc.orig 2004-10-11 15:51:14.000000000 +0200 -+++ xpdf/XRef.cc 2004-10-11 15:56:48.000000000 +0200 +--- xpdf/XRef.cc.orig Thu Jan 22 10:26:45 2004 ++++ xpdf/XRef.cc Mon Jan 24 08:49:49 2005 @@ -96,7 +96,7 @@ } nObjects = obj1.getInt(); obj1.free(); - if (nObjects == 0) { + if (nObjects <= 0) { goto err1; } @@ -106,7 +106,15 @@ } first = obj1.getInt(); obj1.free(); + if (first < 0) { + goto err1; + } + if (nObjects*sizeof(int)/sizeof(int) != nObjects) { + error(-1, "Invalid 'nObjects'"); + goto err1; + } + objs = new Object[nObjects]; objNums = (int *)gmalloc(nObjects * sizeof(int)); offsets = (int *)gmalloc(nObjects * sizeof(int)); @@ -130,6 +138,12 @@ offsets[i] = obj2.getInt(); obj1.free(); obj2.free(); + if (objNums[i] < 0 || offsets[i] < 0 || + (i > 0 && offsets[i] < offsets[i-1])) { + delete parser; + gfree(offsets); + goto err1; + } } while (str->getChar() != EOF) ; delete parser; @@ -369,10 +383,21 @@ } n = obj.getInt(); obj.free(); + if (first < 0 || n < 0 || first + n < 0) { + goto err1; + } if (first + n > size) { for (newSize = size ? 2 * size : 1024; - first + n > newSize; + first + n > newSize && newSize > 0; newSize <<= 1) ; + if (newSize < 0) { + goto err1; + } + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'obj' parameters'"); + goto err1; + } + entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -443,7 +468,7 @@ // check for an 'XRefStm' key if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) { - pos2 = obj2.getInt(); + pos2 = (Guint)obj2.getInt(); readXRef(&pos2); if (!ok) { goto err1; @@ -474,7 +499,14 @@ } newSize = obj.getInt(); obj.free(); + if (newSize < 0) { + goto err1; + } if (newSize > size) { + if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'size' parameter."); + return gFalse; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -494,6 +526,9 @@ } w[i] = obj2.getInt(); obj2.free(); + if (w[i] < 0 || w[i] > 4) { + goto err1; + } } obj.free(); @@ -513,13 +548,14 @@ } n = obj.getInt(); obj.free(); - if (!readXRefStreamSection(xrefStr, w, first, n)) { + if (first < 0 || n < 0 || + !readXRefStreamSection(xrefStr, w, first, n)) { idx.free(); goto err0; } } } else { - if (!readXRefStreamSection(xrefStr, w, 0, size)) { + if (!readXRefStreamSection(xrefStr, w, 0, newSize)) { idx.free(); goto err0; } @@ -551,10 +587,20 @@ Guint offset; int type, gen, c, newSize, i, j; + if (first + n < 0) { + return gFalse; + } if (first + n > size) { for (newSize = size ? 2 * size : 1024; - first + n > newSize; + first + n > newSize && newSize > 0; newSize <<= 1) ; + if (newSize < 0) { + return gFalse; + } + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'size' inside xref table."); + return gFalse; + } entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry)); for (i = size; i < newSize; ++i) { entries[i].offset = 0xffffffff; @@ -585,24 +631,26 @@ } gen = (gen << 8) + c; } - switch (type) { - case 0: - entries[i].offset = offset; - entries[i].gen = gen; - entries[i].type = xrefEntryFree; - break; - case 1: - entries[i].offset = offset; - entries[i].gen = gen; - entries[i].type = xrefEntryUncompressed; - break; - case 2: - entries[i].offset = offset; - entries[i].gen = gen; - entries[i].type = xrefEntryCompressed; - break; - default: - return gFalse; + if (entries[i].offset == 0xffffffff) { + switch (type) { + case 0: + entries[i].offset = offset; + entries[i].gen = gen; + entries[i].type = xrefEntryFree; + break; + case 1: + entries[i].offset = offset; + entries[i].gen = gen; + entries[i].type = xrefEntryUncompressed; + break; + case 2: + entries[i].offset = offset; + entries[i].gen = gen; + entries[i].type = xrefEntryCompressed; + break; + default: + return gFalse; + } } } @@ -664,38 +712,48 @@ // look for object } else if (isdigit(*p)) { num = atoi(p); - do { - ++p; - } while (*p && isdigit(*p)); - if (isspace(*p)) { + if (num > 0) { do { ++p; - } while (*p && isspace(*p)); - if (isdigit(*p)) { - gen = atoi(p); + } while (*p && isdigit(*p)); + if (isspace(*p)) { do { ++p; - } while (*p && isdigit(*p)); - if (isspace(*p)) { + } while (*p && isspace(*p)); + if (isdigit(*p)) { + gen = atoi(p); do { ++p; - } while (*p && isspace(*p)); - if (!strncmp(p, "obj", 3)) { - if (num >= size) { - newSize = (num + 1 + 255) & ~255; - entries = (XRefEntry *) - grealloc(entries, newSize * sizeof(XRefEntry)); - for (i = size; i < newSize; ++i) { - entries[i].offset = 0xffffffff; - entries[i].type = xrefEntryFree; + } while (*p && isdigit(*p)); + if (isspace(*p)) { + do { + ++p; + } while (*p && isspace(*p)); + if (!strncmp(p, "obj", 3)) { + if (num >= size) { + newSize = (num + 1 + 255) & ~255; + if (newSize < 0) { + error(-1, "Bad object number"); + return gFalse; + } + if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { + error(-1, "Invalid 'obj' parameters."); + return gFalse; + } + entries = (XRefEntry *) + grealloc(entries, newSize * sizeof(XRefEntry)); + for (i = size; i < newSize; ++i) { + entries[i].offset = 0xffffffff; + entries[i].type = xrefEntryFree; + } + size = newSize; + } + if (entries[num].type == xrefEntryFree || + gen >= entries[num].gen) { + entries[num].offset = pos - start; + entries[num].gen = gen; + entries[num].type = xrefEntryUncompressed; } - size = newSize; - } - if (entries[num].type == xrefEntryFree || - gen >= entries[num].gen) { - entries[num].offset = pos - start; - entries[num].gen = gen; - entries[num].type = xrefEntryUncompressed; } } } @@ -705,6 +763,10 @@ } else if (!strncmp(p, "endstream", 9)) { if (streamEndsLen == streamEndsSize) { streamEndsSize += 64; + if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) { + error(-1, "Invalid 'endstream' parameter."); + return gFalse; + } streamEnds = (Guint *)grealloc(streamEnds, streamEndsSize * sizeof(int)); } - +@@ -756,6 +818,9 @@ + keyLength = lengthObj.getInt() / 8; + } else { + keyLength = 5; ++ } ++ if (keyLength > 16) { ++ keyLength = 16; + } + permFlags = permissions.getInt(); + if (encVersion >= 1 && encVersion <= 2 && --- xpdf/Gfx.cc.orig Thu Jan 22 10:26:45 2004 +++ xpdf/Gfx.cc Thu Dec 23 09:48:17 2004 @@ -2654,7 +2654,9 @@ haveMask = gFalse; dict->lookup("Mask", &maskObj); if (maskObj.isArray()) { - for (i = 0; i < maskObj.arrayGetLength(); ++i) { + for (i = 0; + i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps; + ++i) { maskObj.arrayGet(i, &obj1); maskColors[i] = obj1.getInt(); obj1.free(); --- xpdf/GfxState.cc.orig Thu Jan 22 10:26:45 2004 +++ xpdf/GfxState.cc Thu Dec 23 09:48:17 2004 @@ -708,6 +708,11 @@ } nCompsA = obj2.getInt(); obj2.free(); + if (nCompsA > gfxColorMaxComps) { + error(-1, "ICCBased color space with too many (%d > %d) components", + nCompsA, gfxColorMaxComps); + nCompsA = gfxColorMaxComps; + } if (dict->lookup("Alternate", &obj2)->isNull() || !(altA = GfxColorSpace::parse(&obj2))) { switch (nCompsA) { @@ -1054,7 +1059,7 @@ } nCompsA = obj1.arrayGetLength(); if (nCompsA > gfxColorMaxComps) { - error(-1, "DeviceN color space with more than %d > %d components", + error(-1, "DeviceN color space with too many (%d > %d) components", nCompsA, gfxColorMaxComps); nCompsA = gfxColorMaxComps; } Property changes on: head/graphics/xpdf/files/patch-security ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.2 \ No newline at end of property +1.3 \ No newline at end of property