File xpdf-3.02pl3-CVE-2009-JBIG2-multiple-vulnerabilities.patch of Package xpdf
diff -r -c xpdf-3.02.orig/goo/gmem.cc xpdf-3.02/goo/gmem.cc
*** xpdf-3.02.orig/goo/gmem.cc Tue Feb 27 14:05:51 2007
--- xpdf-3.02/goo/gmem.cc Thu Mar 19 15:47:25 2009
***************
*** 55,61 ****
void *data;
unsigned long *trl, *p;
! if (size <= 0) {
return NULL;
}
size1 = gMemDataSize(size);
--- 55,69 ----
void *data;
unsigned long *trl, *p;
! if (size < 0) {
! #if USE_EXCEPTIONS
! throw GMemException();
! #else
! fprintf(stderr, "Invalid memory allocation size\n");
! exit(1);
! #endif
! }
! if (size == 0) {
return NULL;
}
size1 = gMemDataSize(size);
***************
*** 91,97 ****
#else
void *p;
! if (size <= 0) {
return NULL;
}
if (!(p = malloc(size))) {
--- 99,113 ----
#else
void *p;
! if (size < 0) {
! #if USE_EXCEPTIONS
! throw GMemException();
! #else
! fprintf(stderr, "Invalid memory allocation size\n");
! exit(1);
! #endif
! }
! if (size == 0) {
return NULL;
}
if (!(p = malloc(size))) {
***************
*** 112,118 ****
void *q;
int oldSize;
! if (size <= 0) {
if (p) {
gfree(p);
}
--- 128,142 ----
void *q;
int oldSize;
! if (size < 0) {
! #if USE_EXCEPTIONS
! throw GMemException();
! #else
! fprintf(stderr, "Invalid memory allocation size\n");
! exit(1);
! #endif
! }
! if (size == 0) {
if (p) {
gfree(p);
}
***************
*** 131,137 ****
#else
void *q;
! if (size <= 0) {
if (p) {
free(p);
}
--- 155,169 ----
#else
void *q;
! if (size < 0) {
! #if USE_EXCEPTIONS
! throw GMemException();
! #else
! fprintf(stderr, "Invalid memory allocation size\n");
! exit(1);
! #endif
! }
! if (size == 0) {
if (p) {
free(p);
}
diff -r -c xpdf-3.02.orig/xpdf/JBIG2Stream.cc xpdf-3.02/xpdf/JBIG2Stream.cc
*** xpdf-3.02.orig/xpdf/JBIG2Stream.cc Tue Feb 27 14:05:52 2007
--- xpdf-3.02/xpdf/JBIG2Stream.cc Fri Mar 27 10:21:21 2009
***************
*** 422,433 ****
table[i] = table[len];
// assign prefixes
! i = 0;
! prefix = 0;
! table[i++].prefix = prefix++;
! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
! prefix <<= table[i].prefixLen - table[i-1].prefixLen;
! table[i].prefix = prefix++;
}
}
--- 422,435 ----
table[i] = table[len];
// assign prefixes
! if (table[0].rangeLen != jbig2HuffmanEOT) {
! i = 0;
! prefix = 0;
! table[i++].prefix = prefix++;
! for (; table[i].rangeLen != jbig2HuffmanEOT; ++i) {
! prefix <<= table[i].prefixLen - table[i-1].prefixLen;
! table[i].prefix = prefix++;
! }
}
}
***************
*** 507,513 ****
++nBytesRead;
}
while (1) {
! if (bufLen >= 7 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
if (bufLen <= 12) {
code = buf << (12 - bufLen);
} else {
--- 509,515 ----
++nBytesRead;
}
while (1) {
! if (bufLen >= 11 && ((buf >> (bufLen - 7)) & 0x7f) == 0) {
if (bufLen <= 12) {
code = buf << (12 - bufLen);
} else {
***************
*** 550,563 ****
++nBytesRead;
}
while (1) {
! if (bufLen >= 6 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
if (bufLen <= 13) {
code = buf << (13 - bufLen);
} else {
code = buf >> (bufLen - 13);
}
p = &blackTab1[code & 0x7f];
! } else if (bufLen >= 4 && ((buf >> (bufLen - 4)) & 0x0f) == 0) {
if (bufLen <= 12) {
code = buf << (12 - bufLen);
} else {
--- 552,566 ----
++nBytesRead;
}
while (1) {
! if (bufLen >= 10 && ((buf >> (bufLen - 6)) & 0x3f) == 0) {
if (bufLen <= 13) {
code = buf << (13 - bufLen);
} else {
code = buf >> (bufLen - 13);
}
p = &blackTab1[code & 0x7f];
! } else if (bufLen >= 7 && ((buf >> (bufLen - 4)) & 0x0f) == 0 &&
! ((buf >> (bufLen - 6)) & 0x03) != 0) {
if (bufLen <= 12) {
code = buf << (12 - bufLen);
} else {
***************
*** 683,690 ****
h = hA;
line = (wA + 7) >> 3;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
! data = NULL;
! return;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
--- 686,694 ----
h = hA;
line = (wA + 7) >> 3;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
! // force a call to gmalloc(-1), which will throw an exception
! h = -1;
! line = 2;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
***************
*** 698,705 ****
h = bitmap->h;
line = bitmap->line;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
! data = NULL;
! return;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
--- 702,710 ----
h = bitmap->h;
line = bitmap->line;
if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
! // force a call to gmalloc(-1), which will throw an exception
! h = -1;
! line = 2;
}
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
***************
*** 754,759 ****
--- 759,766 ----
inline void JBIG2Bitmap::getPixelPtr(int x, int y, JBIG2BitmapPtr *ptr) {
if (y < 0 || y >= h || x >= w) {
ptr->p = NULL;
+ ptr->shift = 0; // make gcc happy
+ ptr->x = 0; // make gcc happy
} else if (x < 0) {
ptr->p = &data[y * line];
ptr->shift = 7;
***************
*** 798,803 ****
--- 805,814 ----
Guint src0, src1, src, dest, s1, s2, m1, m2, m3;
GBool oneByte;
+ // check for the pathological case where y = -2^31
+ if (y < -0x7fffffff) {
+ return;
+ }
if (y < 0) {
y0 = -y;
} else {
***************
*** 1011,1018 ****
--- 1022,1034 ----
JBIG2SymbolDict::JBIG2SymbolDict(Guint segNumA, Guint sizeA):
JBIG2Segment(segNumA)
{
+ Guint i;
+
size = sizeA;
bitmaps = (JBIG2Bitmap **)gmallocn(size, sizeof(JBIG2Bitmap *));
+ for (i = 0; i < size; ++i) {
+ bitmaps[i] = NULL;
+ }
genericRegionStats = NULL;
refinementRegionStats = NULL;
}
***************
*** 1021,1027 ****
Guint i;
for (i = 0; i < size; ++i) {
! delete bitmaps[i];
}
gfree(bitmaps);
if (genericRegionStats) {
--- 1037,1045 ----
Guint i;
for (i = 0; i < size; ++i) {
! if (bitmaps[i]) {
! delete bitmaps[i];
! }
}
gfree(bitmaps);
if (genericRegionStats) {
***************
*** 1296,1301 ****
--- 1314,1326 ----
goto eofError2;
}
+ // check for missing page information segment
+ if (!pageBitmap && ((segType >= 4 && segType <= 7) ||
+ (segType >= 20 && segType <= 43))) {
+ error(getPos(), "First JBIG2 segment associated with a page must be a page information segment");
+ goto syntaxError;
+ }
+
// read the segment data
switch (segType) {
case 0:
***************
*** 1411,1416 ****
--- 1436,1443 ----
Guint i, j, k;
Guchar *p;
+ symWidths = NULL;
+
// symbol dictionary flags
if (!readUWord(&flags)) {
goto eofError;
***************
*** 1466,1485 ****
codeTables = new GList();
numInputSyms = 0;
for (i = 0; i < nRefSegs; ++i) {
! seg = findSegment(refSegs[i]);
! if (seg->getType() == jbig2SegSymbolDict) {
! numInputSyms += ((JBIG2SymbolDict *)seg)->getSize();
! } else if (seg->getType() == jbig2SegCodeTable) {
! codeTables->append(seg);
}
}
// compute symbol code length
! symCodeLen = 0;
! i = 1;
! while (i < numInputSyms + numNewSyms) {
++symCodeLen;
! i <<= 1;
}
// get the input symbol bitmaps
--- 1493,1524 ----
codeTables = new GList();
numInputSyms = 0;
for (i = 0; i < nRefSegs; ++i) {
! if ((seg = findSegment(refSegs[i]))) {
! if (seg->getType() == jbig2SegSymbolDict) {
! j = ((JBIG2SymbolDict *)seg)->getSize();
! if (numInputSyms > UINT_MAX - j) {
! error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
! delete codeTables;
! goto eofError;
! }
! numInputSyms += j;
! } else if (seg->getType() == jbig2SegCodeTable) {
! codeTables->append(seg);
! }
}
}
+ if (numInputSyms > UINT_MAX - numNewSyms) {
+ error(getPos(), "Too many input symbols in JBIG2 symbol dictionary");
+ delete codeTables;
+ goto eofError;
+ }
// compute symbol code length
! symCodeLen = 1;
! i = (numInputSyms + numNewSyms) >> 1;
! while (i) {
++symCodeLen;
! i >>= 1;
}
// get the input symbol bitmaps
***************
*** 1491,1501 ****
k = 0;
inputSymbolDict = NULL;
for (i = 0; i < nRefSegs; ++i) {
! seg = findSegment(refSegs[i]);
! if (seg->getType() == jbig2SegSymbolDict) {
! inputSymbolDict = (JBIG2SymbolDict *)seg;
! for (j = 0; j < inputSymbolDict->getSize(); ++j) {
! bitmaps[k++] = inputSymbolDict->getBitmap(j);
}
}
}
--- 1530,1541 ----
k = 0;
inputSymbolDict = NULL;
for (i = 0; i < nRefSegs; ++i) {
! if ((seg = findSegment(refSegs[i]))) {
! if (seg->getType() == jbig2SegSymbolDict) {
! inputSymbolDict = (JBIG2SymbolDict *)seg;
! for (j = 0; j < inputSymbolDict->getSize(); ++j) {
! bitmaps[k++] = inputSymbolDict->getBitmap(j);
! }
}
}
}
***************
*** 1510,1515 ****
--- 1550,1558 ----
} else if (huffDH == 1) {
huffDHTable = huffTableE;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDW == 0) {
***************
*** 1517,1533 ****
--- 1560,1585 ----
} else if (huffDW == 1) {
huffDWTable = huffTableC;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffBMSize == 0) {
huffBMSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffBMSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffAggInst == 0) {
huffAggInstTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffAggInstTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
***************
*** 1560,1566 ****
}
// allocate symbol widths storage
- symWidths = NULL;
if (huff && !refAgg) {
symWidths = (Guint *)gmallocn(numNewSyms, sizeof(Guint));
}
--- 1612,1617 ----
***************
*** 1602,1607 ****
--- 1653,1662 ----
goto syntaxError;
}
symWidth += dw;
+ if (i >= numNewSyms) {
+ error(getPos(), "Too many symbols in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
// using a collective bitmap, so don't read a bitmap here
if (huff && !refAgg) {
***************
*** 1638,1643 ****
--- 1693,1702 ----
arithDecoder->decodeInt(&refDX, iardxStats);
arithDecoder->decodeInt(&refDY, iardyStats);
}
+ if (symID >= numInputSyms + i) {
+ error(getPos(), "Invalid symbol ID in JBIG2 symbol dictionary");
+ goto syntaxError;
+ }
refBitmap = bitmaps[symID];
bitmaps[numInputSyms + i] =
readGenericRefinementRegion(symWidth, symHeight,
***************
*** 1704,1709 ****
--- 1763,1774 ----
} else {
arithDecoder->decodeInt(&run, iaexStats);
}
+ if (i + run > numInputSyms + numNewSyms ||
+ j + run > numExSyms) {
+ error(getPos(), "Too many exported symbols in JBIG2 symbol dictionary");
+ delete symbolDict;
+ goto syntaxError;
+ }
if (ex) {
for (cnt = 0; cnt < run; ++cnt) {
symbolDict->setBitmap(j++, bitmaps[i++]->copy());
***************
*** 1713,1718 ****
--- 1778,1788 ----
}
ex = !ex;
}
+ if (j != numExSyms) {
+ error(getPos(), "Too few symbols in JBIG2 symbol dictionary");
+ delete symbolDict;
+ goto syntaxError;
+ }
for (i = 0; i < numNewSyms; ++i) {
delete bitmaps[numInputSyms + i];
***************
*** 1735,1740 ****
--- 1805,1814 ----
return gTrue;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 symbol dictionary");
+ delete codeTables;
+
syntaxError:
for (i = 0; i < numNewSyms; ++i) {
if (bitmaps[numInputSyms + i]) {
***************
*** 1837,1842 ****
--- 1911,1918 ----
}
} else {
error(getPos(), "Invalid segment reference in JBIG2 text region");
+ delete codeTables;
+ return;
}
}
symCodeLen = 0;
***************
*** 1871,1876 ****
--- 1947,1955 ----
} else if (huffFS == 1) {
huffFSTable = huffTableG;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffFSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDS == 0) {
***************
*** 1880,1885 ****
--- 1959,1967 ----
} else if (huffDS == 2) {
huffDSTable = huffTableJ;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDSTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffDT == 0) {
***************
*** 1889,1894 ****
--- 1971,1979 ----
} else if (huffDT == 2) {
huffDTTable = huffTableM;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffDTTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDW == 0) {
***************
*** 1896,1901 ****
--- 1981,1989 ----
} else if (huffRDW == 1) {
huffRDWTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDWTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDH == 0) {
***************
*** 1903,1908 ****
--- 1991,1999 ----
} else if (huffRDH == 1) {
huffRDHTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDHTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDX == 0) {
***************
*** 1910,1915 ****
--- 2001,2009 ----
} else if (huffRDX == 1) {
huffRDXTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDXTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRDY == 0) {
***************
*** 1917,1927 ****
--- 2011,2027 ----
} else if (huffRDY == 1) {
huffRDYTable = huffTableO;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRDYTable = ((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
if (huffRSize == 0) {
huffRSizeTable = huffTableA;
} else {
+ if (i >= (Guint)codeTables->getLength()) {
+ goto codeTableError;
+ }
huffRSizeTable =
((JBIG2CodeTable *)codeTables->get(i++))->getHuffTable();
}
***************
*** 2016,2023 ****
--- 2116,2130 ----
return;
+ codeTableError:
+ error(getPos(), "Missing code table in JBIG2 text region");
+ gfree(codeTables);
+ delete syms;
+ return;
+
eofError:
error(getPos(), "Unexpected EOF in JBIG2 stream");
+ return;
}
JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
***************
*** 2324,2331 ****
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
! seg = findSegment(refSegs[0]);
! if (seg->getType() != jbig2SegPatternDict) {
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
--- 2431,2438 ----
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
! if (!(seg = findSegment(refSegs[0])) ||
! seg->getType() != jbig2SegPatternDict) {
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
***************
*** 2483,2489 ****
// read the bitmap
bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
! NULL, atx, aty, mmr ? 0 : length - 18);
// combine the region bitmap into the page bitmap
if (imm) {
--- 2590,2596 ----
// read the bitmap
bitmap = readGenericBitmap(mmr, w, h, templ, tpgdOn, gFalse,
! NULL, atx, aty, mmr ? length - 18 : 0);
// combine the region bitmap into the page bitmap
if (imm) {
***************
*** 2527,2532 ****
--- 2634,2644 ----
if (mmr) {
mmrDecoder->reset();
+ if (w > INT_MAX - 2) {
+ error(getPos(), "Bad width in JBIG2 generic bitmap");
+ // force a call to gmalloc(-1), which will throw an exception
+ w = -3;
+ }
refLine = (int *)gmallocn(w + 2, sizeof(int));
codingLine = (int *)gmallocn(w + 2, sizeof(int));
codingLine[0] = codingLine[1] = w;
***************
*** 2706,2712 ****
ltp = !ltp;
}
if (ltp) {
! bitmap->duplicateRow(y, y-1);
continue;
}
}
--- 2818,2826 ----
ltp = !ltp;
}
if (ltp) {
! if (y > 0) {
! bitmap->duplicateRow(y, y-1);
! }
continue;
}
}
***************
*** 2909,2916 ****
return;
}
if (nRefSegs == 1) {
! seg = findSegment(refSegs[0]);
! if (seg->getType() != jbig2SegBitmap) {
error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
return;
}
--- 3023,3030 ----
return;
}
if (nRefSegs == 1) {
! if (!(seg = findSegment(refSegs[0])) ||
! seg->getType() != jbig2SegBitmap) {
error(getPos(), "Bad bitmap reference in JBIG2 generic refinement segment");
return;
}
***************
*** 3004,3009 ****
--- 3118,3127 ----
tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ } else {
+ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
+ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
+ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
}
for (x = 0; x < w; ++x) {
***************
*** 3075,3080 ****
--- 3193,3202 ----
tpgrCX2 = refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
tpgrCX2 = (tpgrCX2 << 1) | refBitmap->nextPixel(&tpgrCXPtr2);
+ } else {
+ tpgrCXPtr0.p = tpgrCXPtr1.p = tpgrCXPtr2.p = NULL; // make gcc happy
+ tpgrCXPtr0.shift = tpgrCXPtr1.shift = tpgrCXPtr2.shift = 0;
+ tpgrCXPtr0.x = tpgrCXPtr1.x = tpgrCXPtr2.x = 0;
}
for (x = 0; x < w; ++x) {
