current/SOURCES/backends%3A-Fix-several-security-issues-in-the-dvi-backend.patch

From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
From: José Aliste <jaliste@src.gnome.org>
Date: Tue, 07 Dec 2010 18:56:47 +0000
Subject: backends: Fix several security issues in the dvi-backend.

See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.
---
diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
index 164366b..361e23d 100644
--- a/backend/dvi/mdvi-lib/afmparse.c
+++ b/backend/dvi/mdvi-lib/afmparse.c
@@ -160,7 +160,7 @@ static char *token(FILE *stream)
     
     idx = 0;
     while (ch != EOF && ch != ' ' && ch != lineterm 
-           && ch != '\t' && ch != ':' && ch != ';') 
+           && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
     {
         ident[idx++] = ch;
         ch = fgetc(stream);
diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
index 97b7b84..ac98068 100644
--- a/backend/dvi/mdvi-lib/dviread.c
+++ b/backend/dvi/mdvi-lib/dviread.c
@@ -1537,6 +1537,10 @@ int      special(DviContext *dvi, int opcode)
        Int32   arg;
        
        arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
+       if (arg <= 0) {
+               dvierr(dvi, _("malformed special length\n"));
+               return -1;
+       }
        s = mdvi_malloc(arg + 1);
        dread(dvi, s, arg);
        s[arg] = 0;
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
index a579186..08377e6 100644
--- a/backend/dvi/mdvi-lib/pk.c
+++ b/backend/dvi/mdvi-lib/pk.c
@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
                        }
                        if(feof(p))
                                break;
+
+                       /* Although the PK format support bigger char codes,
+                         * XeTeX and other extended TeX engines support charcodes up to
+                         * 65536, while normal TeX engine supports only charcode up to 255.*/
+                       if (cc < 0 || cc > 65536) {
+                               mdvi_error (_("%s: unexpected charcode (%d)\n"),
+                                           font->fontname,cc);
+                               goto error;
+                       } 
                        if(cc < loc)
                                loc = cc;
                        if(cc > hic)
@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
        }
 
        /* resize font char data */
-       if(loc > 0 || hic < maxch-1) {
+       if(loc > 0 && hic < maxch-1) {
                memmove(font->chars, font->chars + loc, 
                        (hic - loc + 1) * sizeof(DviFontChar));
                font->chars = xresize(font->chars,
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
index 73ebf26..8c2a30b 100644
--- a/backend/dvi/mdvi-lib/tfmfile.c
+++ b/backend/dvi/mdvi-lib/tfmfile.c
@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
        /* We read the entire TFM file into core */
        if(fstat(fileno(in), &st) < 0)
                return -1;
-       if(st.st_size == 0)
+       /* according to the spec, TFM files are smaller than 16K */
+       if(st.st_size == 0 || st.st_size >= 16384)
                goto bad_tfm;
 
        /* allocate a word-aligned buffer to hold the file */
diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
index fb49847..a5ae3bb 100644
--- a/backend/dvi/mdvi-lib/vf.c
+++ b/backend/dvi/mdvi-lib/vf.c
@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
                        cc = fuget1(p);
                        tfm = fuget3(p);
                }
+               if (cc < 0 || cc > 65536) {
+                       /* TeX engines do not support char codes bigger than 65535 */
+                       mdvi_error(_("(vf) %s: unexpected character %d\n"),
+                                  font->fontname, cc);
+                       goto error;
+               }
                if(loc < 0 || cc < loc)
                        loc = cc;
                if(hic < 0 || cc > hic)
--
cgit v0.9
1	From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
2	From: José Aliste <jaliste@src.gnome.org>
3	Date: Tue, 07 Dec 2010 18:56:47 +0000
4	Subject: backends: Fix several security issues in the dvi-backend.
5
6	See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
7	---
8	diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
9	index 164366b..361e23d 100644
10	--- a/backend/dvi/mdvi-lib/afmparse.c
11	+++ b/backend/dvi/mdvi-lib/afmparse.c
12	@@ -160,7 +160,7 @@ static char token(FILE stream)
13
14	idx = 0;
15	while (ch != EOF && ch != ' ' && ch != lineterm
16	- && ch != '\t' && ch != ':' && ch != ';')
17	+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
18	{
19	ident[idx++] = ch;
20	ch = fgetc(stream);
21	diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
22	index 97b7b84..ac98068 100644
23	--- a/backend/dvi/mdvi-lib/dviread.c
24	+++ b/backend/dvi/mdvi-lib/dviread.c
25	@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode)
26	Int32 arg;
27
28	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
29	+ if (arg <= 0) {
30	+ dvierr(dvi, _("malformed special length\n"));
31	+ return -1;
32	+ }
33	s = mdvi_malloc(arg + 1);
34	dread(dvi, s, arg);
35	s[arg] = 0;
36	diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
37	index a579186..08377e6 100644
38	--- a/backend/dvi/mdvi-lib/pk.c
39	+++ b/backend/dvi/mdvi-lib/pk.c
40	@@ -469,6 +469,15 @@ static int pk_load_font(DviParams unused, DviFont font)
41	}
42	if(feof(p))
43	break;
44	+
45	+ /* Although the PK format support bigger char codes,
46	+ * XeTeX and other extended TeX engines support charcodes up to
47	+ * 65536, while normal TeX engine supports only charcode up to 255.*/
48	+ if (cc < 0 \|\| cc > 65536) {
49	+ mdvi_error (_("%s: unexpected charcode (%d)\n"),
50	+ font->fontname,cc);
51	+ goto error;
52	+ }
53	if(cc < loc)
54	loc = cc;
55	if(cc > hic)
56	@@ -512,7 +521,7 @@ static int pk_load_font(DviParams unused, DviFont font)
57	}
58
59	/* resize font char data */
60	- if(loc > 0 \|\| hic < maxch-1) {
61	+ if(loc > 0 && hic < maxch-1) {
62	memmove(font->chars, font->chars + loc,
63	(hic - loc + 1) * sizeof(DviFontChar));
64	font->chars = xresize(font->chars,
65	diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
66	index 73ebf26..8c2a30b 100644
67	--- a/backend/dvi/mdvi-lib/tfmfile.c
68	+++ b/backend/dvi/mdvi-lib/tfmfile.c
69	@@ -172,7 +172,8 @@ int tfm_load_file(const char filename, TFMInfo info)
70	/* We read the entire TFM file into core */
71	if(fstat(fileno(in), &st) < 0)
72	return -1;
73	- if(st.st_size == 0)
74	+ /* according to the spec, TFM files are smaller than 16K */
75	+ if(st.st_size == 0 \|\| st.st_size >= 16384)
76	goto bad_tfm;
77
78	/* allocate a word-aligned buffer to hold the file */
79	diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
80	index fb49847..a5ae3bb 100644
81	--- a/backend/dvi/mdvi-lib/vf.c
82	+++ b/backend/dvi/mdvi-lib/vf.c
83	@@ -165,6 +165,12 @@ static int vf_load_font(DviParams params, DviFont font)
84	cc = fuget1(p);
85	tfm = fuget3(p);
86	}
87	+ if (cc < 0 \|\| cc > 65536) {
88	+ /* TeX engines do not support char codes bigger than 65535 */
89	+ mdvi_error(_("(vf) %s: unexpected character %d\n"),
90	+ font->fontname, cc);
91	+ goto error;
92	+ }
93	if(loc < 0 \|\| cc < loc)
94	loc = cc;
95	if(hic < 0 \|\| cc > hic)
96	--
97	cgit v0.9