File xpdf-3.02pl3-CVE-2009-JBIG2-multiple-vulnerabilities.patch of Package xpdf
diff -r -c xpdf-3.02.orig/goo/gmem.cc xpdf-3.02/goo/gmem.cc *** xpdf-3.02.orig/goo/gmem.cc Tue Feb 27 14:05:51 2007 --- xpdf-3.02/goo/gmem.cc Thu Mar 19 15:47:25 2009 *************** *** 55,61 **** void *data; unsigned long *trl, *p; ! if (size <= 0) { return NULL; } size1 = gMemDataSize(size); --- 55,69 ---- void *data; unsigned long *trl, *p; ! if (size < 0) { ! #if USE_EXCEPTIONS ! throw GMemException(); ! #else ! fprintf(stderr, "Invalid memory allocation size\n"); ! exit(1); ! #endif ! } ! if (size == 0) { return NULL; } size1 = gMemDataSize(size); *************** *** 91,97 **** #else void *p; ! if (size <= 0) { return NULL; } if (!(p = malloc(size))) { --- 99,113 ---- #else void *p; ! if (size < 0) { ! #if USE_EXCEPTIONS ! throw GMemException(); ! #else ! fprintf(stderr, "Invalid memory allocation size\n"); ! exit(1); ! #endif ! } ! if (size == 0) { return NULL; } if (!(p = malloc(size))) { *************** *** 112,118 **** void *q; int oldSize; ! if (size <= 0) { if (p) { gfree(p); } --- 128,142 ---- void *q; int oldSize; ! if (size < 0) { ! #if USE_EXCEPTIONS ! throw GMemException(); ! #else ! fprintf(stderr, "Invalid memory allocation size\n"); ! exit(1); ! #endif ! } ! if (size == 0) { if (p) { gfree(p); } *************** *** 131,137 **** #else void *q; ! if (size <= 0) { if (p) { free(p); } --- 155,169 ---- #else void *q; ! if (size < 0) { ! #if USE_EXCEPTIONS ! throw GMemException(); ! #else ! fprintf(stderr, "Invalid memory allocation size\n"); ! exit(1); ! #endif ! } ! if (size == 0) { if (p) { free(p); } diff -r -c xpdf-3.02.orig/xpdf/JBIG2Stream.cc xpdf-3.02/xpdf/JBIG2Stream.cc *** xpdf-3.02.orig/xpdf/JBIG2Stream.cc Tue Feb 27 14:05:52 2007 --- xpdf-3.02/xpdf/JBIG2Stream.cc Fri Mar 27 10:21:21 2009 *************** *** 422,433 **** table[i] = table[len]; // assign prefixes ! i = 0; ! prefix = 0; ! table[i++].prefix = prefix++; ! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { ! prefix <<= table[i].prefixLen - table[i-1].prefixLen; ! 
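Review bot: The negative-size rejection (`#if USE_EXCEPTIONS`, `throw GMemException();`, else `fprintf` plus `exit(1)`) is pasted four times, once in each `size < 0` branch of the gmem.cc hunks, so any later change to the failure policy has to be made in four places. A single file-local helper called from each branch, as sketched below, would keep them in step. When USE_EXCEPTIONS is off this path ends the process, so a caller that passes a document-derived size to these allocators turns a malformed file into termination of the host application; that belongs in the function comments. The enclosing functions start and end outside the hunks.

```cpp
// Single place that decides what a negative allocation size means.
static void gMemInvalidSize() {
#if USE_EXCEPTIONS
  throw GMemException();
#else
  fprintf(stderr, "Invalid memory allocation size\n");
  exit(1);
#endif
}

// … unchanged: local declarations of the allocator …
  if (size < 0) {
    gMemInvalidSize();
  }
  if (size == 0) {
    return NULL;
  }
```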
table[i].prefix = prefix++; } } --- 422,435 ---- table[i] = table[len]; // assign prefixes ! if (table[0].rangeLen != jbig2HuffmanEOT) { ! i = 0; ! prefix = 0; ! table[i++].prefix = prefix++; ! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) { ! prefix <<= table[i].prefixLen - table[i-1].prefixLen; ! table[i].prefix = prefix++; ! } } } *************** *** 507,513 **** ++nBytesRead; } while (1) { ! if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { --- 509,515 ---- ++nBytesRead; } while (1) { ! if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { *************** *** 550,563 **** ++nBytesRead; } while (1) { ! if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { if (bufLen <= 13) { code = buf << (13 - bufLen); } else { code = buf >> (bufLen - 13); } p = &blackTab1[code & 0x7f]; ! } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { --- 552,566 ---- ++nBytesRead; } while (1) { ! if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) { if (bufLen <= 13) { code = buf << (13 - bufLen); } else { code = buf >> (bufLen - 13); } p = &blackTab1[code & 0x7f]; ! } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 && ! ((buf >> (bufLen - 6)) & 0x03) != 0) { if (bufLen <= 12) { code = buf << (12 - bufLen); } else { *************** *** 683,690 **** h = hA; line = (wA + 7) >> 3; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ! data = NULL; ! return; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); --- 686,694 ---- h = hA; line = (wA + 7) >> 3; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ! // force a call to gmalloc(-1), which will throw an exception ! h = -1; ! 
line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); *************** *** 698,705 **** h = bitmap->h; line = bitmap->line; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ! data = NULL; ! return; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); --- 702,710 ---- h = bitmap->h; line = bitmap->line; if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) { ! // force a call to gmalloc(-1), which will throw an exception ! h = -1; ! line = 2; } // need to allocate one extra guard byte for use in combine() data = (Guchar *)gmalloc(h * line + 1); *************** *** 754,759 **** --- 759,766 ---- inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) { if (y < 0 || y >= h || x >= w) { ptr->p = NULL; + ptr->shift = 0; // make gcc happy + ptr->x = 0; // make gcc happy } else if (x < 0) { ptr->p = &data[y * line]; ptr->shift = 7; *************** *** 798,803 **** --- 805,814 ---- Guint src0, src1, src, dest, s1, s2, m1, m2, m3; GBool oneByte; + // check for the pathological case where y = -2^31 + if (y < -0x7fffffff) { + return; + } if (y < 0) { y0 = -y; } else { *************** *** 1011,1018 **** --- 1022,1034 ---- JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA): JBIG2Segment(segNumA) { + Guint i; + size = sizeA; bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *)); + for (i = 0; i < size; ++i) { + bitmaps[i] = NULL; + } genericRegionStats = NULL; refinementRegionStats = NULL; } *************** *** 1021,1027 **** Guint i; for (i = 0; i < size; ++i) { ! delete bitmaps[i]; } gfree(bitmaps); if (genericRegionStats) { --- 1037,1045 ---- Guint i; for (i = 0; i < size; ++i) { ! if (bitmaps[i]) { ! delete bitmaps[i]; ! 
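Review bot: The added comment `// force a call to gmalloc(-1), which will throw an exception` in both JBIG2Bitmap constructors is only true for builds with USE_EXCEPTIONS; per the gmem.cc hunks of this patch, other builds print "Invalid memory allocation size" and call `exit(1)`. I would reword it to `// force gmalloc(-1): throws GMemException, or exits when built without USE_EXCEPTIONS` so the next reader knows a rejected bitmap size can end the process. The same wording is used in the MMR branch that sets `w = -3` before `gmallocn(w + 2, sizeof(int))`. gmallocn is not touched by this patch, so it is worth confirming that it rejects a negative count the same way gmalloc now does.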
} } gfree(bitmaps); if (genericRegionStats) { *************** *** 1296,1301 **** --- 1314,1326 ---- goto eofError2; } + // check for missing page information segment + if (!pageBitmap && ((segType >= 4 && segType <= 7) || + (segType >= 20 && segType <= 43))) { + error(getPos(), "First JBIG2 segment associated with a page must be a page information segment"); + goto syntaxError; + } + // read the segment data switch (segType) { case 0: *************** *** 1411,1416 **** --- 1436,1443 ---- Guint i, j, k; Guchar *p; + symWidths = NULL; + // symbol dictionary flags if (!readUWord(&flags)) { goto eofError; *************** *** 1466,1485 **** codeTables = new GList(); numInputSyms = 0; for (i = 0; i < nRefSegs; ++i) { ! seg = findSegment(refSegs[i]); ! if (seg->getType() == jbig2SegSymbolDict) { ! numInputSyms += ((JBIG2SymbolDict *)seg)->getSize(); ! } else if (seg->getType() == jbig2SegCodeTable) { ! codeTables->append(seg); } } // compute symbol code length ! symCodeLen = 0; ! i = 1; ! while (i < numInputSyms + numNewSyms) { ++symCodeLen; ! i <<= 1; } // get the input symbol bitmaps --- 1493,1524 ---- codeTables = new GList(); numInputSyms = 0; for (i = 0; i < nRefSegs; ++i) { ! if ((seg = findSegment(refSegs[i]))) { ! if (seg->getType() == jbig2SegSymbolDict) { ! j = ((JBIG2SymbolDict *)seg)->getSize(); ! if (numInputSyms > UINT_MAX - j) { ! error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); ! delete codeTables; ! goto eofError; ! } ! numInputSyms += j; ! } else if (seg->getType() == jbig2SegCodeTable) { ! codeTables->append(seg); ! } } } + if (numInputSyms > UINT_MAX - numNewSyms) { + error(getPos(), "Too many input symbols in JBIG2 symbol dictionary"); + delete codeTables; + goto eofError; + } // compute symbol code length ! symCodeLen = 1; ! i = (numInputSyms + numNewSyms) >> 1; ! while (i) { ++symCodeLen; ! 
i >>= 1; } // get the input symbol bitmaps *************** *** 1491,1501 **** k = 0; inputSymbolDict = NULL; for (i = 0; i < nRefSegs; ++i) { ! seg = findSegment(refSegs[i]); ! if (seg->getType() == jbig2SegSymbolDict) { ! inputSymbolDict = (JBIG2SymbolDict *)seg; ! for (j = 0; j < inputSymbolDict->getSize(); ++j) { ! bitmaps[k++] = inputSymbolDict->getBitmap(j); } } } --- 1530,1541 ---- k = 0; inputSymbolDict = NULL; for (i = 0; i < nRefSegs; ++i) { ! if ((seg = findSegment(refSegs[i]))) { ! if (seg->getType() == jbig2SegSymbolDict) { ! inputSymbolDict = (JBIG2SymbolDict *)seg; ! for (j = 0; j < inputSymbolDict->getSize(); ++j) { ! bitmaps[k++] = inputSymbolDict->getBitmap(j); ! } } } } *************** *** 1510,1515 **** --- 1550,1558 ---- } else if (huffDH == 1) { huffDHTable = huffTableE; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDW == 0) { *************** *** 1517,1533 **** --- 1560,1585 ---- } else if (huffDW == 1) { huffDWTable = huffTableC; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffBMSize == 0) { huffBMSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffBMSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffAggInst == 0) { huffAggInstTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffAggInstTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } *************** *** 1560,1566 **** } // allocate symbol widths storage - symWidths = NULL; if (huff && !refAgg) { symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint)); } --- 1612,1617 ---- *************** *** 1602,1607 **** --- 1653,1662 ---- goto syntaxError; } symWidth += dw; + if (i >= numNewSyms) { + error(getPos(), "Too 
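Review bot: The rewritten symbol-code-length loop no longer returns what the old one did: it computes floor(log2(n)) + 1 for n = numInputSyms + numNewSyms, while the removed loop computed the smallest length with (1 << len) >= n. The two differ whenever n is an exact power of two (n = 4 gave 2 before and gives 3 now) and for n of 0 or 1 (0 before, 1 now). If the goal was only to stop `i <<= 1` from wrapping on very large counts, the variant below keeps the old results without the left shift. Which value the decoder actually needs should be checked against the format specification. The function body continues outside the hunk.

```cpp
  // compute symbol code length: smallest symCodeLen such that
  // (1 << symCodeLen) >= numInputSyms + numNewSyms
  symCodeLen = 0;
  i = numInputSyms + numNewSyms;
  if (i > 1) {
    for (--i; i; i >>= 1) {
      ++symCodeLen;
    }
  }
```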
many symbols in JBIG2 symbol dictionary"); + goto syntaxError; + } // using a collective bitmap, so don't read a bitmap here if (huff && !refAgg) { *************** *** 1638,1643 **** --- 1693,1702 ---- arithDecoder->decodeInt(&refDX, iardxStats); arithDecoder->decodeInt(&refDY, iardyStats); } + if (symID >= numInputSyms + i) { + error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary"); + goto syntaxError; + } refBitmap = bitmaps[symID]; bitmaps[numInputSyms + i] = readGenericRefinementRegion(symWidth, symHeight, *************** *** 1704,1709 **** --- 1763,1774 ---- } else { arithDecoder->decodeInt(&run, iaexStats); } + if (i + run > numInputSyms + numNewSyms || + j + run > numExSyms) { + error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } if (ex) { for (cnt = 0; cnt < run; ++cnt) { symbolDict->setBitmap(j++, bitmaps[i++]->copy()); *************** *** 1713,1718 **** --- 1778,1788 ---- } ex = !ex; } + if (j != numExSyms) { + error(getPos(), "Too few symbols in JBIG2 symbol dictionary"); + delete symbolDict; + goto syntaxError; + } for (i = 0; i < numNewSyms; ++i) { delete bitmaps[numInputSyms + i]; *************** *** 1735,1740 **** --- 1805,1814 ---- return gTrue; + codeTableError: + error(getPos(), "Missing code table in JBIG2 symbol dictionary"); + delete codeTables; + syntaxError: for (i = 0; i < numNewSyms; ++i) { if (bitmaps[numInputSyms + i]) { *************** *** 1837,1842 **** --- 1911,1918 ---- } } else { error(getPos(), "Invalid segment reference in JBIG2 text region"); + delete codeTables; + return; } } symCodeLen = 0; *************** *** 1871,1876 **** --- 1947,1955 ---- } else if (huffFS == 1) { huffFSTable = huffTableG; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDS == 0) { *************** *** 1880,1885 **** --- 1959,1967 ---- } else if (huffDS == 2) { huffDSTable 
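Review bot: The new bound `i + run > numInputSyms + numNewSyms || j + run > numExSyms` is evaluated in unsigned arithmetic because i and j are Guint, so a negative run would wrap around and can pass the check. run is declared outside the hunk; if it is a signed int filled by `decodeInt(&run, iaexStats)`, the guard should start with `run < 0 ||`. The loop that consumes run is partly outside the hunk.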
= huffTableJ; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffDT == 0) { *************** *** 1889,1894 **** --- 1971,1979 ---- } else if (huffDT == 2) { huffDTTable = huffTableM; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDW == 0) { *************** *** 1896,1901 **** --- 1981,1989 ---- } else if (huffRDW == 1) { huffRDWTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDH == 0) { *************** *** 1903,1908 **** --- 1991,1999 ---- } else if (huffRDH == 1) { huffRDHTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDX == 0) { *************** *** 1910,1915 **** --- 2001,2009 ---- } else if (huffRDX == 1) { huffRDXTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRDY == 0) { *************** *** 1917,1927 **** --- 2011,2027 ---- } else if (huffRDY == 1) { huffRDYTable = huffTableO; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } if (huffRSize == 0) { huffRSizeTable = huffTableA; } else { + if (i >= (Guint)codeTables->getLength()) { + goto codeTableError; + } huffRSizeTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable(); } *************** *** 2016,2023 **** --- 2116,2130 ---- return; + codeTableError: + error(getPos(), "Missing code table in JBIG2 text region"); + gfree(codeTables); + delete syms; + return; + eofError: 
error(getPos(), "Unexpected EOF in JBIG2 stream"); + return; } JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine, *************** *** 2324,2331 **** error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } ! seg = findSegment(refSegs[0]); ! if (seg->getType() != jbig2SegPatternDict) { error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } --- 2431,2438 ---- error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } ! if (!(seg = findSegment(refSegs[0])) || ! seg->getType() != jbig2SegPatternDict) { error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } *************** *** 2483,2489 **** // read the bitmap bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, ! NULL, atx, aty, mmr ? 0 : length - 18); // combine the region bitmap into the page bitmap if (imm) { --- 2590,2596 ---- // read the bitmap bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse, ! NULL, atx, aty, mmr ? length - 18 : 0); // combine the region bitmap into the page bitmap if (imm) { *************** *** 2527,2532 **** --- 2634,2644 ---- if (mmr) { mmrDecoder->reset(); + if (w > INT_MAX - 2) { + error(getPos(), "Bad width in JBIG2 generic bitmap"); + // force a call to gmalloc(-1), which will throw an exception + w = -3; + } refLine = (int *)gmallocn(w + 2, sizeof(int)); codingLine = (int *)gmallocn(w + 2, sizeof(int)); codingLine[0] = codingLine[1] = w; *************** *** 2706,2712 **** ltp = !ltp; } if (ltp) { ! bitmap->duplicateRow(y, y-1); continue; } } --- 2818,2826 ---- ltp = !ltp; } if (ltp) { ! if (y > 0) { ! bitmap->duplicateRow(y, y-1); ! } continue; } } *************** *** 2909,2916 **** return; } if (nRefSegs == 1) { ! seg = findSegment(refSegs[0]); ! if (seg->getType() != jbig2SegBitmap) { error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); return; } --- 3023,3030 ---- return; } if (nRefSegs == 1) { ! 
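Review bot: The new `codeTableError:` exit in the text-region reader releases codeTables with `gfree(codeTables);`, whereas the other error path added to this function and the symbol-dictionary reader both use `delete codeTables;`. codeTables looks like a GList created with `new GList()` (that allocation is visible only in the symbol-dictionary hunk), so gfree skips the destructor and mismatches the allocator; the line should read `delete codeTables;`. The next line, `delete syms;`, needs the same check against how syms is allocated, which is outside the hunk.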
if (!(seg = findSegment(refSegs[0])) || ! seg->getType() != jbig2SegBitmap) { error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment"); return; } *************** *** 3004,3009 **** --- 3118,3127 ---- tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) { *************** *** 3075,3080 **** --- 3193,3202 ---- tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2); + } else { + tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy + tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0; + tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0; } for (x = 0; x < w; ++x) {