diff options
| author |   Carsten Lohrke <carlo@gentoo.org> | 2006-02-03 00:58:09 +0000 |
|---|---|---|
| committer | Carsten Lohrke <carlo@gentoo.org> | 2006-02-03 00:58:09 +0000 |
| commit | f94ed026d8aeb184ab19b69c87cbe9e177c76657 (patch) | |
| tree | f51280e57224d165ccbfce5bae0848635b2fce71 /kde-base/kpdf/files | |
| parent | Remove stale version; port over to modular X. (diff) | |
| download | gentoo-2-f94ed026d8aeb184ab19b69c87cbe9e177c76657.tar.gz gentoo-2-f94ed026d8aeb184ab19b69c87cbe9e177c76657.tar.bz2 gentoo-2-f94ed026d8aeb184ab19b69c87cbe9e177c76657.zip | |
xpdf heap based buffer overflow, #121375
(Portage version: 2.0.54)
Diffstat (limited to 'kde-base/kpdf/files')
4 files changed, 104 insertions, 0 deletions
diff --git a/kde-base/kpdf/files/digest-kpdf-3.4.3-r4 b/kde-base/kpdf/files/digest-kpdf-3.4.3-r4 new file mode 100644 index 000000000000..2cb888ba9f29 --- /dev/null +++ b/kde-base/kpdf/files/digest-kpdf-3.4.3-r4 @@ -0,0 +1 @@ +MD5 e2b2926301204a0f587d9e6e163c06d9 kdegraphics-3.4.3.tar.bz2 6554272 diff --git a/kde-base/kpdf/files/digest-kpdf-3.5.1-r1 b/kde-base/kpdf/files/digest-kpdf-3.5.1-r1 new file mode 100644 index 000000000000..9166f01a0810 --- /dev/null +++ b/kde-base/kpdf/files/digest-kpdf-3.5.1-r1 @@ -0,0 +1 @@ +MD5 2cd1c5348b7df46cf7f9d91e1dbfebd2 kdegraphics-3.5.1.tar.bz2 7315482 diff --git a/kde-base/kpdf/files/post-3.4.3-kdegraphics-CVE-2006-0301.diff b/kde-base/kpdf/files/post-3.4.3-kdegraphics-CVE-2006-0301.diff new file mode 100644 index 000000000000..7c6b1fe28d80 --- /dev/null +++ b/kde-base/kpdf/files/post-3.4.3-kdegraphics-CVE-2006-0301.diff @@ -0,0 +1,52 @@ +Index: kpdf/xpdf/splash/SplashXPathScanner.cc +=================================================================== +--- kpdf/xpdf/splash/SplashXPathScanner.cc (Revision 504400) ++++ kpdf/xpdf/splash/SplashXPathScanner.cc (Revision 505063) +@@ -182,7 +182,7 @@ GBool SplashXPathScanner::getNextSpan(in + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -232,19 +232,27 @@ void SplashXPathScanner::computeIntersec + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; + } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; ++ } ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { diff --git a/kde-base/kpdf/files/post-3.5.1-kdegraphics-CVE-2006-0301.diff b/kde-base/kpdf/files/post-3.5.1-kdegraphics-CVE-2006-0301.diff new file mode 100644 index 000000000000..e2e19b511dd7 --- /dev/null +++ b/kde-base/kpdf/files/post-3.5.1-kdegraphics-CVE-2006-0301.diff @@ -0,0 +1,50 @@ +--- kpdf/xpdf/splash/SplashXPathScanner.cc (Revision 505052) ++++ kpdf/xpdf/splash/SplashXPathScanner.cc (Arbeitskopie) +@@ -186,7 +186,7 @@ GBool SplashXPathScanner::getNextSpan(in + } + + void SplashXPathScanner::computeIntersections(int y) { +- SplashCoord ySegMin, ySegMax, xx0, xx1; ++ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1; + SplashXPathSeg *seg; + int i, j; + +@@ -236,19 +236,27 @@ void SplashXPathScanner::computeIntersec + } else if (seg->flags & splashXPathVert) { + xx0 = xx1 = seg->x0; + } else { +- if (ySegMin <= y) { +- // intersection with top edge +- xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ if (seg->x0 < seg->x1) { ++ xSegMin = seg->x0; ++ xSegMax = seg->x1; + } else { +- // x coord of segment endpoint with min y coord +- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0; ++ xSegMin = seg->x1; ++ xSegMax = seg->x0; + } +- if (ySegMax >= y + 1) { +- // intersection with bottom edge +- xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; +- } else { +- // x coord of segment endpoint with max y coord +- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1; ++ // intersection with top edge ++ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy; ++ // intersection with bottom edge ++ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy; ++ // the segment may not actually extend to the top and/or bottom edges ++ if (xx0 < xSegMin) { ++ xx0 = xSegMin; ++ } else if (xx0 > xSegMax) { ++ xx0 = xSegMax; ++ } ++ if (xx1 < xSegMin) { ++ xx1 = xSegMin; ++ } else if (xx1 > xSegMax) { ++ xx1 = xSegMax; + } + } + if (xx0 < xx1) { |