File source-dvips-overflow.patch of Package texlive
| Name: CVE-2007-5935
| Status: Candidate
| URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5935
| Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=447081
| Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=368591
|
| Stack-based buffer overflow in hps.c in dvips in teTeX and TeXlive
| 2007 and earlier allows user-assisted attackers to execute arbitrary
| code via a DVI file with a long href tag.
|
--- texk/dvipsk/hps.c
+++ texk/dvipsk/hps.c 2007-10-19 18:22:47.000000000 +0200
@@ -441,19 +441,32 @@
void stamp_hps P1C(Hps_link *, pl)
{
- char tmpbuf[200] ;
+ char * tmpbuf;
if (pl == NULL) {
error("Null pointer, oh no!") ;
return ;
- } else {
- /* print out the proper pdfm with local page info only
- * target info will be in the target dictionary */
- (void)sprintf(tmpbuf,
- " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ", pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
- pl->color[0], pl->color[1], pl->color[2]) ;
- cmdout(tmpbuf) ;
- }
+ }
+ if(pl->title == NULL) {
+ error("Null pointer, oh no!") ;
+ return ;
+ }
+
+ tmpbuf = (char *) malloc(strlen(pl->title)+200);
+ if(tmpbuf == NULL) {
+ error("out of memory, oh no!") ;
+ return ;
+ }
+
+ /* print out the proper pdfm with local page info only
+ * target info will be in the target dictionary */
+ (void)sprintf(tmpbuf,
+ " (%s) [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] pdfm ",
+ pl->title, pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+ pl->color[0], pl->color[1], pl->color[2]) ;
+ cmdout(tmpbuf) ;
+ free(tmpbuf);
+
}
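Review bot: The `sprintf` into `tmpbuf` in stamp_hps is still unbounded: the buffer is `strlen(pl->title)+200` bytes, so the fixed 200 bytes must hold the literal text plus seven `%.0f` and five `%i` conversions, and a single `%.0f` of a large floating-point value can print dozens of digits. Whether the rect and color values can get that large is not visible in this hunk, but the write should not depend on it; keep the size in a variable and call `snprintf(tmpbuf, len, ...)`, treating a return value `>= len` as an error (assuming snprintf is available on the platforms dvips targets). The same applies to the `malloc(strlen(s) + 200)` / `sprintf` pair in stamp_external in the next hunk. A short comment such as `/* 200 = room for the fixed text and the numeric fields of the format below */` would also explain the constant.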
@@ -462,18 +475,31 @@
*/
void stamp_external P2C(char *, s, Hps_link *, pl)
{
- char tmpbuf[200];
+ char *tmpbuf;
if (pl == NULL) {
error("Null pointer, oh no!") ;
return ;
- } else {
- /* print out the proper pdfm with local page info only
- * target info will be in the target dictionary */
- (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ", pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
- pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
- pl->color[0], pl->color[1], pl->color[2], s) ;
- cmdout(tmpbuf) ;
- }
+ }
+
+ if (s == NULL) {
+ error("Null pointer, oh no!") ;
+ return ;
+ }
+
+ tmpbuf = (char *) malloc(strlen(s) + 200);
+ if(tmpbuf == NULL) {
+ error("out of memory, oh no!") ;
+ return ;
+ }
+
+ /* print out the proper pdfm with local page info only
+ * target info will be in the target dictionary */
+ (void)sprintf(tmpbuf," [[%.0f %.0f %.0f %.0f] [%i %i %i [%i %i]] [%.0f %.0f %.0f]] (%s) pdfm ",
+ pl->rect.llx, pl->rect.lly, pl->rect.urx, pl->rect.ury,
+ pl->border[0], pl->border[1], pl->border[2], pl->border[3],pl->border[4],
+ pl->color[0], pl->color[1], pl->color[2], s) ;
+ cmdout(tmpbuf) ;
+ free(tmpbuf);
}
void finish_hps P1H(void) {
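Review bot: In stamp_external `s` is copied verbatim between `(` and `)` in the pdfm command, so the output is a well-formed PostScript string only if `s` contains no unbalanced parenthesis or stray backslash. Nothing in the hunk escapes it; if the callers do not either (not visible here), `s` should be escaped before it is formatted, and the same holds for `pl->title` in stamp_hps. Separately, the new `s == NULL` branch reuses the message `"Null pointer, oh no!"` from the `pl == NULL` check, so the two failures cannot be told apart in the output; something like `error("stamp_external: null target string")` would make the log usable.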