[Frugalware-darcs] frugalware-0.6: tetex-3.0-11terminus1-i686

voroskoi voroskoi at frugalware.org
Fri Sep 7 09:39:05 CEST 2007


Darcsweb-Url: http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.6;a=darcs_commitdiff;h=20070907073719-dd049-d06bc819f4c2baf1e0ab04aec21c73b41106d56b.gz;

[tetex-3.0-11terminus1-i686
voroskoi <voroskoi at frugalware.org>**20070907073719
 secfix relbump, closes #2310
] {
hunk ./source/xapps-extra/tetex/FrugalBuild 7
-pkgrel=10
+pkgrel=11terminus1
hunk ./source/xapps-extra/tetex/FrugalBuild 15
-source=(ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-texmf-$pkgver.tar.gz ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-$pkgver.tar.gz)
-sha1sums=('10f7d2fa007c95ca066d899fca0e9a8446108824' \
-	  '7637789f7f4929694aed1b89820f5bad4753e8fc')
+source=(ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-texmf-$pkgver.tar.gz \
+	ftp://dante.ctan.org/tex-archive/systems/unix/teTeX/current/distrib/tetex-src-$pkgver.tar.gz \
+	tetex-3.0-CVE-2005-3193.patch tetex-3.0-CVE-2007-0650.patch tetex-3.0-CVE-2007-3387.patch)
+sha1sums=('1be97f57a26a6e9b72ebfd932e45914a959aff16' \
+          '7637789f7f4929694aed1b89820f5bad4753e8fc' \
+          '4a275b1d9a211e94bc13286d05ef619cdf873770' \
+          '28208eb13f493c1c9c6538f254f04fc0c2aaff1e' \
+          '3ad00a8f16dd16acc765953e10dc68f181e0a156')
hunk ./source/xapps-extra/tetex/FrugalBuild 54
+	Fpatchall
hunk ./source/xapps-extra/tetex/FrugalBuild 87
-# optimalization OK
-
-# vim: ft=sh
+# optimization OK
addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2005-3193.patch
hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2005-3193.patch 1
+--- tetex-src-3.0/libs/xpdf/goo/gmem.c.CVE-2005-3193	2004-01-22 02:26:44.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/goo/gmem.c	2006-01-16 15:41:04.000000000 +0100
+@@ -135,6 +135,28 @@ void *grealloc(void *p, int size) {
+ #endif
+ }
+ 
++void *gmallocn(int nObjs, int objSize) {
++  int n;
++
++  n = nObjs * objSize;
++  if (objSize == 0 || n / objSize != nObjs) {
++    fprintf(stderr, "Bogus memory allocation size\n");
++    exit(1);
++  }
++  return gmalloc(n);
++}
++
++void *greallocn(void *p, int nObjs, int objSize) {
++  int n;
++
++  n = nObjs * objSize;
++  if (objSize == 0 || n / objSize != nObjs) {
++    fprintf(stderr, "Bogus memory allocation size\n");
++    exit(1);
++  }
++  return grealloc(p, n);
++}
++
+ void gfree(void *p) {
+ #ifdef DEBUG_MEM
+   int size;
+--- tetex-src-3.0/libs/xpdf/goo/gmem.h.CVE-2005-3193	2004-01-22 02:26:44.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/goo/gmem.h	2006-01-16 15:41:04.000000000 +0100
+@@ -28,6 +28,15 @@ extern void *gmalloc(int size);
+ extern void *grealloc(void *p, int size);
+ 
+ /*
++ * These are similar to gmalloc and grealloc, but take an object count
++ * and size.  The result is similar to allocating nObjs * objSize
++ * bytes, but there is an additional error check that the total size
++ * doesn't overflow an int.
++ */
++extern void *gmallocn(int nObjs, int objSize);
++extern void *greallocn(void *p, int nObjs, int objSize);
++
++/*
+  * Same as free, but checks for and ignores NULL pointers.
+  */
+ extern void gfree(void *p);
+--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc	2006-01-16 15:41:04.000000000 +0100
+@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
+   int segType;
+   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+   Guint precinctSize, style;
+-  Guint segLen, capabilities, comp, i, j, r;
++  Guint segLen, capabilities, nTiles, comp, i, j, r;
+ 
+   //----- main header
+   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
+@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
+ 	            / img.xTileSize;
+       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ 	            / img.yTileSize;
+-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+-				     sizeof(JPXTile));
++      nTiles = img.nXTiles * img.nYTiles;
++      // check for overflow before allocating memory
++      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
++	error(getPos(), "Bad tile count in JPX SIZ marker segment");
++	return gFalse;
++      }
++      img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
+ 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
+ 							sizeof(JPXTileComp));
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h	2006-01-16 15:41:04.000000000 +0100
+@@ -233,6 +233,8 @@ public:
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -250,6 +252,7 @@ private:
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193	2004-01-22 02:26:45.000000000 +0100
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc	2006-01-16 15:41:04.000000000 +0100
+@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-0650.patch
hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-0650.patch 1
+--- tetex-src-3.0/texk/makeindexk/mkind.c.CVE-2007-0650	2002-10-02 14:26:37.000000000 +0200
++++ tetex-src-3.0/texk/makeindexk/mkind.c	2007-02-02 12:29:31.000000000 +0100
+@@ -179,7 +179,9 @@
+ 		    argc--;
+ 		    if (argc <= 0)
+ 			FATAL("Expected -p <num>\n","");
+-		    strcpy(pageno, *++argv);
++		    if (strlen(*++argv) >= sizeof(pageno))
++			FATAL("Page number too high\n","");
++		    strcpy(pageno, *argv);
+ 		    init_page = TRUE;
+ 		    if (STREQ(pageno, EVEN)) {
+ 			log_given = TRUE;
+@@ -230,7 +232,7 @@
+ 		char tmp[STRING_MAX + 5];
+ 		
+ 		/* base set by last call to check_idx */
+-		sprintf (tmp, "%s%s", base, INDEX_STY);
++		snprintf (tmp, sizeof(tmp), "%s%s", base, INDEX_STY);
+ 		if (0 == access(tmp, R_OK)) {
+ 			open_sty (tmp);
+ 			sty_given = TRUE;
+@@ -405,9 +407,9 @@
+ 		    STRING_MAX,totmem);
+ #endif /* DEBUG */
+ 
+-	    if ((idx_fn = (char *) malloc(STRING_MAX)) == NULL)
++	    if ((idx_fn = (char *) malloc(STRING_MAX+5)) == NULL)
+ 		FATAL("Not enough core...abort.\n", "");
+-	    sprintf(idx_fn, "%s%s", base, INDEX_IDX);
++	    snprintf(idx_fn, STRING_MAX+5, "%s%s", base, INDEX_IDX);
+ 	    if ((open_fn && 
+ 	 ((idx_fp = OPEN_IN(idx_fn)) == NULL)
+ 	) ||
+@@ -434,7 +436,7 @@
+ 
+     /* index output file */
+     if (!ind_given) {
+-	sprintf(ind, "%s%s", base, INDEX_IND);
++	snprintf(ind, sizeof(ind), "%s%s", base, INDEX_IND);
+ 	ind_fn = ind;
+     }
+     if ((ind_fp = OPEN_OUT(ind_fn)) == NULL)
+@@ -442,14 +444,14 @@
+ 
+     /* index transcript file */
+     if (!ilg_given) {
+-	sprintf(ilg, "%s%s", base, INDEX_ILG);
++	snprintf(ilg, sizeof(ilg), "%s%s", base, INDEX_ILG);
+ 	ilg_fn = ilg;
+     }
+     if ((ilg_fp = OPEN_OUT(ilg_fn)) == NULL)
+ 	FATAL("Can't create transcript file %s.\n", ilg_fn);
+ 
+     if (log_given) {
+-	sprintf(log_fn, "%s%s", base, INDEX_LOG);
++	snprintf(log_fn, sizeof(log_fn), "%s%s", base, INDEX_LOG);
+ 	if ((log_fp = OPEN_IN(log_fn)) == NULL) {
+ 	    FATAL("Source log file %s not found.\n", log_fn);
+ 	} else {
+@@ -505,6 +507,9 @@
+   if ((found = kpse_find_file (fn, kpse_ist_format, 1)) == NULL) {
+      FATAL("Index style file %s not found.\n", fn);
+   } else {
++    if (strlen(found) >= sizeof(sty_fn)) {
++      FATAL("Style file %s too long.\n", found);
++    }
+     strcpy(sty_fn,found);
+     if ((sty_fp = OPEN_IN(sty_fn)) == NULL) {
+       FATAL("Could not open style file %s.\n", sty_fn);
+@@ -512,6 +517,9 @@
+   }
+ #else
+     if ((path = getenv(STYLE_PATH)) == NULL) {
++        if (strlen(fn) >= sizeof(sty_fn)) {
++          FATAL("Style file %s too long.\n", fn);
++        }
+ 	/* style input path not defined */
+ 	strcpy(sty_fn, fn);
+ 	sty_fp = OPEN_IN(sty_fn);
addfile ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-3387.patch
hunk ./source/xapps-extra/tetex/tetex-3.0-CVE-2007-3387.patch 1
+--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2007-3387	2007-07-26 17:13:02.000000000 +0200
++++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc	2007-07-26 17:21:58.000000000 +0200
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -32,6 +33,7 @@
+ #include "JBIG2Stream.h"
+ #include "JPXStream.h"
+ #include "Stream-CCITT.h"
++#include "GfxState.h"
+ 
+ #ifdef __DJGPP__
+ static GBool setDJSYSFLAGS = gFalse;
+@@ -429,6 +431,13 @@ StreamPredictor::StreamPredictor(Stream 
+   if (rowBytes < 0) {
+     return;
+   }
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps > gfxColorMaxComps ||
++      nBits > 16 ||
++      width >= INT_MAX / nComps ||      // check for overflow in nVals 
++      nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
}


More information about the Frugalware-darcs mailing list