vulnerabilities in included xpdf code, #114429

(Portage version: 2.0.53)

3 files changed, 94 insertions, 0 deletions

diff --git a/app-office/koffice/files/digest-koffice-1.4.2-r1 b/app-office/koffice/files/digest-koffice-1.4.2-r2
index a054824ae545..a054824ae545 100644
--- a/app-office/koffice/files/digest-koffice-1.4.2-r1
+++ b/app-office/koffice/files/digest-koffice-1.4.2-r2
diff --git a/app-office/koffice/files/digest-koffice-1.4.2-r3 b/app-office/koffice/files/digest-koffice-1.4.2-r3
new file mode 100644
index 000000000000..a054824ae545
--- /dev/null
+++ b/app-office/koffice/files/digest-koffice-1.4.2-r3
@@ -0,0 +1 @@
+MD5 6b456fb7d54c84b11396b27a96ae0cf8 koffice-1.4.2.tar.bz2 19486852
diff --git a/app-office/koffice/files/kword-1.4.2-CAN-2005-3193.patch b/app-office/koffice/files/kword-1.4.2-CAN-2005-3193.patch
new file mode 100644
index 000000000000..323cdf520b6f
--- /dev/null
+++ b/app-office/koffice/files/kword-1.4.2-CAN-2005-3193.patch
@@ -0,0 +1,93 @@
+--- filters/kword/pdf/xpdf/xpdf/Stream.h.orig	2005-12-04 18:21:42.000000000 +0100
++++ filters/kword/pdf/xpdf/xpdf/Stream.h	2005-12-04 18:25:55.000000000 +0100
+@@ -225,6 +225,8 @@
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -242,6 +244,7 @@
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
+--- filters/kword/pdf/xpdf/xpdf/Stream.cc.orig	2005-12-04 18:21:29.000000000 +0100
++++ filters/kword/pdf/xpdf/xpdf/Stream.cc	2005-12-04 18:33:51.000000000 +0100
+@@ -404,18 +404,33 @@
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
+   nVals = width * nComps;
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -982,6 +997,10 @@
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -2887,6 +2906,14 @@
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
++  if (numComps <= 0 || numComps > 4) {
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -3179,6 +3206,10 @@
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }