rpms/texlive/F-13 texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch, NONE, 1.1 texlive.spec, 1.60, 1.61
Jindrich Novy
jnovy at fedoraproject.org
Fri May 7 12:21:40 UTC 2010
Author: jnovy
Update of /cvs/pkgs/rpms/texlive/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv28636
Modified Files:
texlive.spec
Added Files:
texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
Log Message:
* Fri May 07 2010 Jindrich Novy <jnovy at redhat.com> 2007-50
- fix CVE-2010-0829 (#589607)
texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch:
draw.c | 18 +++++++++++++-----
dvipng.h | 4 ++--
set.c | 3 +--
vf.c | 3 +--
4 files changed, 17 insertions(+), 11 deletions(-)
--- NEW FILE texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch ---
diff -up texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 texlive-2007/texk/dvipng/draw.c
--- texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/draw.c 2010-05-07 10:54:31.532938790 +0200
@@ -99,7 +99,15 @@ dviunits SetChar(int32_t c)
if (currentfont==NULL)
Fatal("faulty DVI, trying to set character from null font");
- ptr = currentfont->chr[c];
+ if (c<0 || c>LASTFNTCHAR) {
+ Warning("glyph index out of range (%d), skipping",c);
+ return(0);
+ }
+ ptr=currentfont->chr[c];
+ if (ptr==NULL) {
+ Warning("unable to draw glyph %d, skipping",c);
+ return(0);
+ }
#ifdef DEBUG
switch (currentfont->type) {
case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n VF CHAR:\t")); break;
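Review bot: The new range guard at the top of SetChar protects only this one lookup, and its upper bound is right only if `chr` is declared with LASTFNTCHAR+1 entries, which this patch does not show. It would help to record that next to the check, e.g. `/* c comes from the DVI stream; chr[] is assumed to hold LASTFNTCHAR+1 entries */`, and to confirm that no other site in dvipng still indexes `chr[]` with a value read from a DVI or VF file without the same test. A null font is treated as Fatal while an out-of-range glyph only warns and returns 0, so a malformed file keeps being processed after this point; presumably that is intended. SetChar's body continues outside the hunk.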
@@ -108,13 +116,13 @@ dviunits SetChar(int32_t c)
case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n FT CHAR:\t")); break;
default: DEBUG_PRINT(DEBUG_DVI,("\n NO CHAR:\t"))
}
- if (isprint(c))
+ if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr?ptr->tfmw:0));
#endif
if (currentfont->type==FONT_TYPE_VF) {
- return(SetVF(c));
- } else if (ptr) {
+ return(SetVF(ptr));
+ } else {
if (ptr->data == NULL)
switch(currentfont->type) {
case FONT_TYPE_PK: LoadPK(c, ptr); break;
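Review bot: `UCHAR_MAX` in the new debug condition needs `<limits.h>`, and nothing in this patch adds that include to draw.c; because the line sits under `#ifdef DEBUG`, a missing include would break only debug builds. If it is not already pulled in through dvipng.h, add `#include <limits.h>`. The condition would also read more clearly with the bit test parenthesised, `if ((debug & DEBUG_DVI) && c>=0 && c<=UCHAR_MAX && isprint(c))`. The `ptr?ptr->tfmw:0` in the following DEBUG_PRINT is now redundant, since the previous hunk returns early when ptr is NULL. The enclosing function starts and ends outside this hunk.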
@@ -128,7 +136,7 @@ dviunits SetChar(int32_t c)
Fatal("undefined fonttype %d",currentfont->type);
}
if (page_imagep != NULL)
- return(SetGlyph(c, hh, vv));
+ return(SetGlyph(ptr, hh, vv));
else {
/* Expand bounding box if necessary */
min(x_min,hh - ptr->xOffset/shrinkfactor);
diff -up texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 texlive-2007/texk/dvipng/dvipng.h
--- texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 2006-12-24 01:02:30.000000000 +0100
+++ texlive-2007/texk/dvipng/dvipng.h 2010-05-07 08:11:10.249916801 +0200
@@ -387,9 +387,9 @@ void DrawPages(void);
void WriteImage(char*, int);
void LoadPK(int32_t, register struct char_entry *);
int32_t SetChar(int32_t);
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv);
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
void Gamma(double gamma);
-int32_t SetVF(int32_t);
+int32_t SetVF(struct char_entry *ptr);
int32_t SetRule(int32_t, int32_t, int32_t, int32_t);
void SetSpecial(char *, int32_t, int32_t, int32_t);
void BeginVFMacro(struct font_entry*);
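Review bot: SetGlyph and SetVF now receive a `struct char_entry *` instead of looking it up themselves, so the requirement that the pointer is non-NULL and came from a bounds-checked `chr[]` lookup rests entirely on the caller and is not written down anywhere. A short comment above these two prototypes would record it, e.g. `/* ptr must be a non-NULL entry already validated by SetChar() */`; the same applies to the definitions in the set.c and vf.c hunks. The changed parameter type also means a caller that still passes a character code should draw a compiler diagnostic, so call sites should not be silenced with casts.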
diff -up texlive-2007/texk/dvipng/set.c.CVE-2010-0829 texlive-2007/texk/dvipng/set.c
--- texlive-2007/texk/dvipng/set.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/set.c 2010-05-07 10:55:57.807931411 +0200
@@ -202,10 +202,9 @@ void Gamma(double gamma)
}
}
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh, int32_t vv)
/* gdImageChar can only do monochrome glyphs */
{
- register struct char_entry *ptr = currentfont->chr[c];
int dst_alpha,dst_weight,tot_weight,alpha;
int x,y,pos=0;
int bgColor,pixelgrey,pixelcolor;
diff -up texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 texlive-2007/texk/dvipng/vf.c
--- texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/vf.c 2010-05-07 08:11:10.252917007 +0200
@@ -28,11 +28,10 @@
#define VF_ID 202
#define LONG_CHAR 242
-int32_t SetVF(int32_t c)
+int32_t SetVF(struct char_entry* ptr)
{
struct font_entry* currentvf;
unsigned char *command,*end;
- struct char_entry* ptr=currentfont->chr[c];
currentvf=currentfont;
BeginVFMacro(currentvf);
Index: texlive.spec
===================================================================
RCS file: /cvs/pkgs/rpms/texlive/F-13/texlive.spec,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -p -r1.60 -r1.61
--- texlive.spec 29 Jan 2010 13:42:14 -0000 1.60
+++ texlive.spec 7 May 2010 12:21:39 -0000 1.61
@@ -21,7 +21,7 @@
Name: texlive
Version: %{texlive_ver}
-Release: 49%{?dist}
+Release: 50%{?dist}
Summary: Binaries for the TeX formatting system
Group: Applications/Publishing
@@ -78,6 +78,7 @@ Patch31: texlive-elif.patch
Patch32: texlive-getline.patch
Patch33: texlive-poolfix.patch
Patch34: texlive-dvipsconfig.patch
+Patch35: texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
######
# mpeters contributed patches
@@ -411,6 +412,7 @@ chmod -x texk/dvipdfm/encodings.c
%patch32 -p1 -b .getline
%patch33 -p1 -b .poolfix
%patch34 -p1 -b .dvipsconfig
+%patch35 -p1 -b .CVE-2010-0829
# fix non utf man pages
%patch42 -p1 -b .notutf8-2
@@ -1251,6 +1253,9 @@ fi
%{_mandir}/man1/texutil.1*
%changelog
+* Fri May 07 2010 Jindrich Novy <jnovy at redhat.com> 2007-50
+- fix CVE-2010-0829 (#589607)
+
* Fri Jan 29 2010 Jindrich Novy <jnovy at redhat.com> 2007-49
- create a separate package for static kpathsea library (#556097)