diff options
Diffstat (limited to 'office/evince/patches/evince-2.32.0-dvi-CVEs.patch')
| -rw-r--r-- | office/evince/patches/evince-2.32.0-dvi-CVEs.patch | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/office/evince/patches/evince-2.32.0-dvi-CVEs.patch b/office/evince/patches/evince-2.32.0-dvi-CVEs.patch new file mode 100644 index 0000000000..691ee4190a --- /dev/null +++ b/office/evince/patches/evince-2.32.0-dvi-CVEs.patch @@ -0,0 +1,97 @@ +From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001 +From: José Aliste <jaliste@src.gnome.org> +Date: Tue, 07 Dec 2010 18:56:47 +0000 +Subject: backends: Fix several security issues in the dvi-backend. + +See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. +--- +diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c +index 164366b..361e23d 100644 +--- a/backend/dvi/mdvi-lib/afmparse.c ++++ b/backend/dvi/mdvi-lib/afmparse.c +@@ -160,7 +160,7 @@ static char *token(FILE *stream) + + idx = 0; + while (ch != EOF && ch != ' ' && ch != lineterm +- && ch != '\t' && ch != ':' && ch != ';') ++ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) + { + ident[idx++] = ch; + ch = fgetc(stream); +diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c +index 97b7b84..ac98068 100644 +--- a/backend/dvi/mdvi-lib/dviread.c ++++ b/backend/dvi/mdvi-lib/dviread.c +@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode) + Int32 arg; + + arg = dugetn(dvi, opcode - DVI_XXX1 + 1); ++ if (arg <= 0) { ++ dvierr(dvi, _("malformed special length\n")); ++ return -1; ++ } + s = mdvi_malloc(arg + 1); + dread(dvi, s, arg); + s[arg] = 0; +diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c +index a579186..08377e6 100644 +--- a/backend/dvi/mdvi-lib/pk.c ++++ b/backend/dvi/mdvi-lib/pk.c +@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) + } + if(feof(p)) + break; ++ ++ /* Although the PK format support bigger char codes, ++ * XeTeX and other extended TeX engines support charcodes up to ++ * 65536, while normal TeX engine supports only charcode up to 255.*/ ++ if (cc < 0 || cc > 65536) { ++ mdvi_error (_("%s: unexpected charcode (%d)\n"), ++ font->fontname,cc); ++ goto error; ++ } + if(cc < loc) + loc = cc; + if(cc > hic) +@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) + } + + /* resize font char data */ +- if(loc > 0 || hic < maxch-1) { ++ if(loc > 0 && hic < maxch-1) { + memmove(font->chars, font->chars + loc, + (hic - loc + 1) * sizeof(DviFontChar)); + font->chars = xresize(font->chars, +diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c +index 73ebf26..8c2a30b 100644 +--- a/backend/dvi/mdvi-lib/tfmfile.c ++++ b/backend/dvi/mdvi-lib/tfmfile.c +@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) + /* We read the entire TFM file into core */ + if(fstat(fileno(in), &st) < 0) + return -1; +- if(st.st_size == 0) ++ /* according to the spec, TFM files are smaller than 16K */ ++ if(st.st_size == 0 || st.st_size >= 16384) + goto bad_tfm; + + /* allocate a word-aligned buffer to hold the file */ +diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c +index fb49847..a5ae3bb 100644 +--- a/backend/dvi/mdvi-lib/vf.c ++++ b/backend/dvi/mdvi-lib/vf.c +@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) + cc = fuget1(p); + tfm = fuget3(p); + } ++ if (cc < 0 || cc > 65536) { ++ /* TeX engines do not support char codes bigger than 65535 */ ++ mdvi_error(_("(vf) %s: unexpected character %d\n"), ++ font->fontname, cc); ++ goto error; ++ } + if(loc < 0 || cc < loc) + loc = cc; + if(hic < 0 || cc > hic) +-- +cgit v0.8.3.1 |