1 |
From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001 |
2 |
From: José Aliste <jaliste@src.gnome.org> |
3 |
Date: Tue, 07 Dec 2010 18:56:47 +0000 |
4 |
Subject: backends: Fix several security issues in the dvi-backend. |
5 |
|
6 |
See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643. |
7 |
--- |
8 |
diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c |
9 |
index 164366b..361e23d 100644 |
10 |
--- a/backend/dvi/mdvi-lib/afmparse.c |
11 |
+++ b/backend/dvi/mdvi-lib/afmparse.c |
12 |
@@ -160,7 +160,7 @@ static char *token(FILE *stream) |
13 |
|
14 |
idx = 0; |
15 |
while (ch != EOF && ch != ' ' && ch != lineterm |
16 |
- && ch != '\t' && ch != ':' && ch != ';') |
17 |
+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME) |
18 |
{ |
19 |
ident[idx++] = ch; |
20 |
ch = fgetc(stream); |
21 |
diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c |
22 |
index 97b7b84..ac98068 100644 |
23 |
--- a/backend/dvi/mdvi-lib/dviread.c |
24 |
+++ b/backend/dvi/mdvi-lib/dviread.c |
25 |
@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode) |
26 |
Int32 arg; |
27 |
|
28 |
arg = dugetn(dvi, opcode - DVI_XXX1 + 1); |
29 |
+ if (arg <= 0) { |
30 |
+ dvierr(dvi, _("malformed special length\n")); |
31 |
+ return -1; |
32 |
+ } |
33 |
s = mdvi_malloc(arg + 1); |
34 |
dread(dvi, s, arg); |
35 |
s[arg] = 0; |
36 |
diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c |
37 |
index a579186..08377e6 100644 |
38 |
--- a/backend/dvi/mdvi-lib/pk.c |
39 |
+++ b/backend/dvi/mdvi-lib/pk.c |
40 |
@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
41 |
} |
42 |
if(feof(p)) |
43 |
break; |
44 |
+ |
45 |
+ /* Although the PK format support bigger char codes, |
46 |
+ * XeTeX and other extended TeX engines support charcodes up to |
47 |
+ * 65536, while normal TeX engine supports only charcode up to 255.*/ |
48 |
+ if (cc < 0 || cc > 65536) { |
49 |
+ mdvi_error (_("%s: unexpected charcode (%d)\n"), |
50 |
+ font->fontname,cc); |
51 |
+ goto error; |
52 |
+ } |
53 |
if(cc < loc) |
54 |
loc = cc; |
55 |
if(cc > hic) |
56 |
@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font) |
57 |
} |
58 |
|
59 |
/* resize font char data */ |
60 |
- if(loc > 0 || hic < maxch-1) { |
61 |
+ if(loc > 0 && hic < maxch-1) { |
62 |
memmove(font->chars, font->chars + loc, |
63 |
(hic - loc + 1) * sizeof(DviFontChar)); |
64 |
font->chars = xresize(font->chars, |
65 |
diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c |
66 |
index 73ebf26..8c2a30b 100644 |
67 |
--- a/backend/dvi/mdvi-lib/tfmfile.c |
68 |
+++ b/backend/dvi/mdvi-lib/tfmfile.c |
69 |
@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info) |
70 |
/* We read the entire TFM file into core */ |
71 |
if(fstat(fileno(in), &st) < 0) |
72 |
return -1; |
73 |
- if(st.st_size == 0) |
74 |
+ /* according to the spec, TFM files are smaller than 16K */ |
75 |
+ if(st.st_size == 0 || st.st_size >= 16384) |
76 |
goto bad_tfm; |
77 |
|
78 |
/* allocate a word-aligned buffer to hold the file */ |
79 |
diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c |
80 |
index fb49847..a5ae3bb 100644 |
81 |
--- a/backend/dvi/mdvi-lib/vf.c |
82 |
+++ b/backend/dvi/mdvi-lib/vf.c |
83 |
@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font) |
84 |
cc = fuget1(p); |
85 |
tfm = fuget3(p); |
86 |
} |
87 |
+ if (cc < 0 || cc > 65536) { |
88 |
+ /* TeX engines do not support char codes bigger than 65535 */ |
89 |
+ mdvi_error(_("(vf) %s: unexpected character %d\n"), |
90 |
+ font->fontname, cc); |
91 |
+ goto error; |
92 |
+ } |
93 |
if(loc < 0 || cc < loc) |
94 |
loc = cc; |
95 |
if(hic < 0 || cc > hic) |
96 |
-- |
97 |
cgit v0.9 |