![[BACK]](/icons/back.gif){kind=icon}
Return to patch-ao CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / pkgsrc / print / xpdf / patches|
Return to patch-ao CVS log | Up to [cvs.NetBSD.org] / pkgsrc / print / xpdf / patches |
| File: [cvs.NetBSD.org] / pkgsrc / print / xpdf / patches / Attic / patch-ao (download)
Revision 1.4, Wed Mar 29 17:20:09 2006 UTC (18 years ago) by joerg
Update xpdf to 3.01 patch level 2. The patch level addresses a number of vulnerabilities reported and adds at least some constraint checks not done before. |
$NetBSD: patch-ao,v 1.4 2006/03/29 17:20:09 joerg Exp $
--- xpdf/JBIG2Stream.cc.orig 2005-08-17 06:34:31.000000000 +0100
+++ xpdf/JBIG2Stream.cc 2006-01-22 22:48:31.000000000 +0000
@@ -2305,6 +2318,15 @@
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
@@ -2936,6 +2958,9 @@
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
int x, y, pix;
+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ return NULL;
+
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();