pkgsrc-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

pkg/45813: font/t1lib - Redhat bug #692909 was just updated

>Number:         45813
>Category:       pkg
>Synopsis:       font/t1lib - Redhat bug #692909 was just updated
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Jan 10 18:05:00 +0000 2012
>Originator:     Uwe Klaus
>Release:        5.1_STABLE
>Organization:
>Environment:
NetBSD hgb2 5.1_STABLE NetBSD 5.1_STABLE (GENERIC.hgb2) #20: Fri Jan  6 
09:37:51 CET 2012  root@hgb2:/usr/obj.i386/sys/arch/i386/compile/GENERIC.hgb2 
i386
>Description:
Recent changes to font/t1lib (CVE-2011-0764) makes xdvi unusable.

An updated patch is provided
https://bugzilla.redhat.com/show_bug.cgi?id=692909

>How-To-Repeat:

>Fix:
remove patch-aj, patch-ak

--- lib/type1/lines.c.orig      2007-12-23 15:49:42.000000000 +0000
+++ lib/type1/lines.c
@@ -67,6 +67,10 @@ This module provides the following entry
 None.
 */
  
+#define  BITS         (sizeof(LONG)*8)
+#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
+#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
+
 /*
 :h2.StepLine() - Produces Run Ends for a Line After Checks
  
@@ -84,6 +88,9 @@ void StepLine(R, x1, y1, x2, y2)
        IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
                                             x1, y1, x2, y2);
  
+      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
+              abort("Lines this big not supported", 49);
+
        dy = y2 - y1;
  
 /*



--- lib/type1/objects.c.orig    2007-12-23 15:49:42.000000000 +0000
+++ lib/type1/objects.c
@@ -1137,12 +1137,13 @@ char *t1_get_abort_message( int number)
     "Context:  out of them", /* 46 */
     "MatrixInvert:  can't", /* 47 */
     "xiStub called", /* 48 */
-    "Illegal access type1 abort() message" /* 49 */
+    "Lines this big not supported", /* 49 */
+    "Illegal access type1 abort() message" /* 50 */
   };
 
-  /* no is valid from 1 to 48 */
-  if ( (number<1)||(number>48))
-    number=49;
+  /* no is valid from 1 to 49 */
+  if ( (number<1)||(number>49))
+    number=50;
   return( err_msgs[number-1]);
     
 }

--- lib/type1/type1.c.orig      2007-12-23 15:49:42.000000000 +0000
+++ lib/type1/type1.c
@@ -1012,6 +1012,7 @@ static void FindStems( double x, double 
   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line 
*/ 
   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
   
+  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous 
point!\n");
  
   /* setup default hinted position */
   ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
@@ -1289,7 +1290,7 @@ unsigned char cipher;
 static int DoRead(CodeP)
   int *CodeP;
 {
-  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
+  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of 
string */
   /* We handle the non-documented Adobe convention to use lenIV=-1 to
      suppress charstring encryption. */
   if (blues->lenIV==-1) {
@@ -1700,6 +1701,7 @@ static int RLineTo(dx, dy)
   long pindex = 0;
   
   /* compute hinting for previous segment! */
+  if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous 
point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, 
curry-ppoints[numppoints-2].y, dx, dy);
 
   /* Allocate a new path point and pre-setup data */
@@ -1728,6 +1730,7 @@ static int RRCurveTo(dx1, dy1, dx2, dy2,
   long pindex = 0;
   
   /* compute hinting for previous point! */
+  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous 
point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, 
curry-ppoints[numppoints-2].y, dx1, dy1);
 
   /* Allocate three new path points and pre-setup data */
@@ -1786,7 +1789,9 @@ static int DoClosePath()
   long tmpind;
   double deltax = 0.0;
   double deltay = 0.0;
-  
+ 
+  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous 
point!");
+ 
   /* If this ClosePath command together with the starting point of this
      path completes to a segment aligned to a stem, we would miss
      hinting for this point. --> Check and explicitly care for this! */
@@ -1801,6 +1806,7 @@ static int DoClosePath()
     deltax = ppoints[i].x - ppoints[numppoints-1].x;
     deltay = ppoints[i].y - ppoints[numppoints-1].y;
 
+    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No 
previous point!");
     /* save nummppoints and reset to move point */
     tmpind = numppoints;
     numppoints = i + 1;
@@ -1903,6 +1909,7 @@ static int RMoveTo(dx,dy)
     FindStems( currx, curry, 0, 0, dx, dy);
   }
   else {
+    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous 
point!\n");
     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, 
dx, dy);
   }
   
@@ -2152,6 +2159,7 @@ static void FlxProc(c1x2, c1y2, c3x0, c3
   DOUBLE cx, cy;
   DOUBLE ex, ey;
 
+  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous 
point!");
 
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
@@ -2321,6 +2329,7 @@ static void FlxProc1()
 /*   Returns currentpoint on stack          */
 static void FlxProc2()
 {
+  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous 
point!");
   /* Push CurrentPoint on fake PostScript stack */
   PSFakePush( ppoints[numppoints-1].x);
   PSFakePush( ppoints[numppoints-1].y);
Home | Main Index | Thread Index | Old Index