summaryrefslogtreecommitdiff
path: root/source/t/tetex/tetex.CVE-2005-3193.diff
diff options
context:
space:
mode:
Diffstat (limited to 'source/t/tetex/tetex.CVE-2005-3193.diff')
-rw-r--r--source/t/tetex/tetex.CVE-2005-3193.diff169
1 files changed, 0 insertions, 169 deletions
diff --git a/source/t/tetex/tetex.CVE-2005-3193.diff b/source/t/tetex/tetex.CVE-2005-3193.diff
deleted file mode 100644
index b8f2fad5..00000000
--- a/source/t/tetex/tetex.CVE-2005-3193.diff
+++ /dev/null
@@ -1,169 +0,0 @@
---- tetex-src-3.0/libs/xpdf/goo/gmem.c.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/goo/gmem.c 2006-01-16 15:41:04.000000000 +0100
-@@ -135,6 +135,28 @@ void *grealloc(void *p, int size) {
- #endif
- }
-
-+void *gmallocn(int nObjs, int objSize) {
-+ int n;
-+
-+ n = nObjs * objSize;
-+ if (objSize == 0 || n / objSize != nObjs) {
-+ fprintf(stderr, "Bogus memory allocation size\n");
-+ exit(1);
-+ }
-+ return gmalloc(n);
-+}
-+
-+void *greallocn(void *p, int nObjs, int objSize) {
-+ int n;
-+
-+ n = nObjs * objSize;
-+ if (objSize == 0 || n / objSize != nObjs) {
-+ fprintf(stderr, "Bogus memory allocation size\n");
-+ exit(1);
-+ }
-+ return grealloc(p, n);
-+}
-+
- void gfree(void *p) {
- #ifdef DEBUG_MEM
- int size;
---- tetex-src-3.0/libs/xpdf/goo/gmem.h.CVE-2005-3193 2004-01-22 02:26:44.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/goo/gmem.h 2006-01-16 15:41:04.000000000 +0100
-@@ -28,6 +28,15 @@ extern void *gmalloc(int size);
- extern void *grealloc(void *p, int size);
-
- /*
-+ * These are similar to gmalloc and grealloc, but take an object count
-+ * and size. The result is similar to allocating nObjs * objSize
-+ * bytes, but there is an additional error check that the total size
-+ * doesn't overflow an int.
-+ */
-+extern void *gmallocn(int nObjs, int objSize);
-+extern void *greallocn(void *p, int nObjs, int objSize);
-+
-+/*
- * Same as free, but checks for and ignores NULL pointers.
- */
- extern void gfree(void *p);
---- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2006-01-16 15:41:04.000000000 +0100
-@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
- int segType;
- GBool haveSIZ, haveCOD, haveQCD, haveSOT;
- Guint precinctSize, style;
-- Guint segLen, capabilities, comp, i, j, r;
-+ Guint segLen, capabilities, nTiles, comp, i, j, r;
-
- //----- main header
- haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
-@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
- / img.xTileSize;
- img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
- / img.yTileSize;
-- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-- sizeof(JPXTile));
-+ nTiles = img.nXTiles * img.nYTiles;
-+ // check for overflow before allocating memory
-+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
-+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
-+ return gFalse;
-+ }
-+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
- for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
- img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
- sizeof(JPXTileComp));
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2006-01-16 15:41:04.000000000 +0100
-@@ -233,6 +233,8 @@ public:
-
- ~StreamPredictor();
-
-+ GBool isOk() { return ok; }
-+
- int lookChar();
- int getChar();
-
-@@ -250,6 +252,7 @@ private:
- int rowBytes; // bytes per line
- Guchar *predLine; // line buffer
- int predIdx; // current index in predLine
-+ GBool ok;
- };
-
- //------------------------------------------------------------------------
---- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
-+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2006-01-16 15:41:04.000000000 +0100
-@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
-
- StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
- int widthA, int nCompsA, int nBitsA) {
-+ int totalBits;
-+
- str = strA;
- predictor = predictorA;
- width = widthA;
- nComps = nCompsA;
- nBits = nBitsA;
-+ predLine = NULL;
-+ ok = gFalse;
-
- nVals = width * nComps;
-+ totalBits = nVals * nBits;
-+ if (totalBits == 0 ||
-+ (totalBits / nBits) / nComps != width ||
-+ totalBits + 7 < 0) {
-+ return;
-+ }
- pixBytes = (nComps * nBits + 7) >> 3;
-- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
-+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
-+ if (rowBytes < 0) {
-+ return;
-+ }
- predLine = (Guchar *)gmalloc(rowBytes);
- memset(predLine, 0, rowBytes);
- predIdx = rowBytes;
-+
-+ ok = gTrue;
- }
-
- StreamPredictor::~StreamPredictor() {
-@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
- FilterStream(strA) {
- if (predictor != 1) {
- pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if (!pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
-+ }
- } else {
- pred = NULL;
- }
-@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
- height = read16();
- width = read16();
- numComps = str->getChar();
-+ if (numComps <= 0 || numComps > 4) {
-+ error(getPos(), "Bad number of components in DCT stream", prec);
-+ return gFalse;
-+ }
-+ if (numComps <= 0 || numComps > 4) {
-+ error(getPos(), "Bad number of components in DCT stream", prec);
-+ return gFalse;
-+ }
- if (prec != 8) {
- error(getPos(), "Bad DCT precision %d", prec);
- return gFalse;
-@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
- FilterStream(strA) {
- if (predictor != 1) {
- pred = new StreamPredictor(this, predictor, columns, colors, bits);
-+ if (!pred->isOk()) {
-+ delete pred;
-+ pred = NULL;
-+ }
- } else {
- pred = NULL;
- }