diff options
Diffstat (limited to 'app-text/evince-light/files/evince-2.32.0-dvi-CVEs.patch')
| -rw-r--r-- | app-text/evince-light/files/evince-2.32.0-dvi-CVEs.patch | 97 |
1 files changed, 0 insertions, 97 deletions
diff --git a/app-text/evince-light/files/evince-2.32.0-dvi-CVEs.patch b/app-text/evince-light/files/evince-2.32.0-dvi-CVEs.patch deleted file mode 100644 index 691ee419..00000000 --- a/app-text/evince-light/files/evince-2.32.0-dvi-CVEs.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001 -From: José Aliste <jaliste@src.gnome.org> -Date: Tue, 07 Dec 2010 18:56:47 +0000 -Subject: backends: Fix several security issues in the dvi-backend. - -See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. ---- -diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c -index 164366b..361e23d 100644 ---- a/backend/dvi/mdvi-lib/afmparse.c -+++ b/backend/dvi/mdvi-lib/afmparse.c -@@ -160,7 +160,7 @@ static char *token(FILE *stream) - - idx = 0; - while (ch != EOF && ch != ' ' && ch != lineterm -- && ch != '\t' && ch != ':' && ch != ';') -+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) - { - ident[idx++] = ch; - ch = fgetc(stream); -diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c -index 97b7b84..ac98068 100644 ---- a/backend/dvi/mdvi-lib/dviread.c -+++ b/backend/dvi/mdvi-lib/dviread.c -@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode) - Int32 arg; - - arg = dugetn(dvi, opcode - DVI_XXX1 + 1); -+ if (arg <= 0) { -+ dvierr(dvi, _("malformed special length\n")); -+ return -1; -+ } - s = mdvi_malloc(arg + 1); - dread(dvi, s, arg); - s[arg] = 0; -diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c -index a579186..08377e6 100644 ---- a/backend/dvi/mdvi-lib/pk.c -+++ b/backend/dvi/mdvi-lib/pk.c -@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) - } - if(feof(p)) - break; -+ -+ /* Although the PK format support bigger char codes, -+ * XeTeX and other extended TeX engines support charcodes up to -+ * 65536, while normal TeX engine supports only charcode up to 255.*/ -+ if (cc < 0 || cc > 65536) { -+ mdvi_error (_("%s: unexpected charcode (%d)\n"), -+ font->fontname,cc); -+ goto error; -+ } - if(cc < loc) - loc = cc; - if(cc > hic) -@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) - } - - /* resize font char data */ -- if(loc > 0 || hic < maxch-1) { -+ if(loc > 0 && hic < maxch-1) { - memmove(font->chars, font->chars + loc, - (hic - loc + 1) * sizeof(DviFontChar)); - font->chars = xresize(font->chars, -diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c -index 73ebf26..8c2a30b 100644 ---- a/backend/dvi/mdvi-lib/tfmfile.c -+++ b/backend/dvi/mdvi-lib/tfmfile.c -@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) - /* We read the entire TFM file into core */ - if(fstat(fileno(in), &st) < 0) - return -1; -- if(st.st_size == 0) -+ /* according to the spec, TFM files are smaller than 16K */ -+ if(st.st_size == 0 || st.st_size >= 16384) - goto bad_tfm; - - /* allocate a word-aligned buffer to hold the file */ -diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c -index fb49847..a5ae3bb 100644 ---- a/backend/dvi/mdvi-lib/vf.c -+++ b/backend/dvi/mdvi-lib/vf.c -@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) - cc = fuget1(p); - tfm = fuget3(p); - } -+ if (cc < 0 || cc > 65536) { -+ /* TeX engines do not support char codes bigger than 65535 */ -+ mdvi_error(_("(vf) %s: unexpected character %d\n"), -+ font->fontname, cc); -+ goto error; -+ } - if(loc < 0 || cc < loc) - loc = cc; - if(hic < 0 || cc > hic) --- -cgit v0.8.3.1 |