]> git.pld-linux.org Git - packages/evince.git/blob - evince-secfix.patch
projects / packages / evince.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
- added -secfix.patch (fixes CVE-2010-2640, CVE-2010-2641, CVE-2010-2642
[packages/evince.git] / evince-secfix.patch
1 From d4139205b010ed06310d14284e63114e88ec6de2 Mon Sep 17 00:00:00 2001
2 From: José Aliste <jaliste@src.gnome.org>
3 Date: Tue, 07 Dec 2010 18:56:47 +0000
4 Subject: backends: Fix several security issues in the dvi-backend.
5
6 See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.
7 ---
8 diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
9 index 164366b..361e23d 100644
10 --- a/backend/dvi/mdvi-lib/afmparse.c
11 +++ b/backend/dvi/mdvi-lib/afmparse.c
12 @@ -160,7 +160,7 @@ static char *token(FILE *stream)
13      
14      idx = 0;
15      while (ch != EOF && ch != ' ' && ch != lineterm 
16 -           && ch != '\t' && ch != ':' && ch != ';') 
17 +           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
18      {
19          ident[idx++] = ch;
20          ch = fgetc(stream);
21 diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
22 index cd8cfa9..d014320 100644
23 --- a/backend/dvi/mdvi-lib/dviread.c
24 +++ b/backend/dvi/mdvi-lib/dviread.c
25 @@ -1507,6 +1507,10 @@ int      special(DviContext *dvi, int opcode)
26         Int32   arg;
27         
28         arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
29 +       if (arg <= 0) {
30 +               dvierr(dvi, _("malformed special length\n"));
31 +               return -1;
32 +       }
33         s = mdvi_malloc(arg + 1);
34         dread(dvi, s, arg);
35         s[arg] = 0;
36 diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
37 index a579186..08377e6 100644
38 --- a/backend/dvi/mdvi-lib/pk.c
39 +++ b/backend/dvi/mdvi-lib/pk.c
40 @@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
41                         }
42                         if(feof(p))
43                                 break;
44 +
45 +                       /* Although the PK format support bigger char codes,
46 +                         * XeTeX and other extended TeX engines support charcodes up to
47 +                         * 65536, while normal TeX engine supports only charcode up to 255.*/
48 +                       if (cc < 0 || cc > 65536) {
49 +                               mdvi_error (_("%s: unexpected charcode (%d)\n"),
50 +                                           font->fontname,cc);
51 +                               goto error;
52 +                       } 
53                         if(cc < loc)
54                                 loc = cc;
55                         if(cc > hic)
56 @@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
57         }
58  
59         /* resize font char data */
60 -       if(loc > 0 || hic < maxch-1) {
61 +       if(loc > 0 && hic < maxch-1) {
62                 memmove(font->chars, font->chars + loc, 
63                         (hic - loc + 1) * sizeof(DviFontChar));
64                 font->chars = xresize(font->chars,
65 diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
66 index 73ebf26..8c2a30b 100644
67 --- a/backend/dvi/mdvi-lib/tfmfile.c
68 +++ b/backend/dvi/mdvi-lib/tfmfile.c
69 @@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
70         /* We read the entire TFM file into core */
71         if(fstat(fileno(in), &st) < 0)
72                 return -1;
73 -       if(st.st_size == 0)
74 +       /* according to the spec, TFM files are smaller than 16K */
75 +       if(st.st_size == 0 || st.st_size >= 16384)
76                 goto bad_tfm;
77  
78         /* allocate a word-aligned buffer to hold the file */
79 diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
80 index fb49847..a5ae3bb 100644
81 --- a/backend/dvi/mdvi-lib/vf.c
82 +++ b/backend/dvi/mdvi-lib/vf.c
83 @@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
84                         cc = fuget1(p);
85                         tfm = fuget3(p);
86                 }
87 +               if (cc < 0 || cc > 65536) {
88 +                       /* TeX engines do not support char codes bigger than 65535 */
89 +                       mdvi_error(_("(vf) %s: unexpected character %d\n"),
90 +                                  font->fontname, cc);
91 +                       goto error;
92 +               }
93                 if(loc < 0 || cc < loc)
94                         loc = cc;
95                 if(hic < 0 || cc > hic)
96 --
97 cgit v0.8.3.1
Document viewer for multiple document formats
This page took 0.036268 seconds and 3 git commands to generate.