rpms/texlive/F-13 texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch, NONE, 1.1 texlive.spec, 1.60, 1.61

Jindrich Novy jnovy at fedoraproject.org
Fri May 7 12:21:40 UTC 2010


Author: jnovy

Update of /cvs/pkgs/rpms/texlive/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv28636

Modified Files:
	texlive.spec 
Added Files:
	texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch 
Log Message:
* Fri May 07 2010 Jindrich Novy <jnovy at redhat.com> 2007-50
- fix CVE-2010-0829 (#589607)


texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch:
 draw.c   |   18 +++++++++++++-----
 dvipng.h |    4 ++--
 set.c    |    3 +--
 vf.c     |    3 +--
 4 files changed, 17 insertions(+), 11 deletions(-)

--- NEW FILE texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch ---
diff -up texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 texlive-2007/texk/dvipng/draw.c
--- texlive-2007/texk/dvipng/draw.c.CVE-2010-0829	2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/draw.c	2010-05-07 10:54:31.532938790 +0200
@@ -99,7 +99,15 @@ dviunits SetChar(int32_t c)
 
   if (currentfont==NULL) 
     Fatal("faulty DVI, trying to set character from null font");
-  ptr = currentfont->chr[c];
+  if (c<0 || c>LASTFNTCHAR) {
+    Warning("glyph index out of range (%d), skipping",c);
+    return(0);
+  }
+  ptr=currentfont->chr[c];
+  if (ptr==NULL) {
+    Warning("unable to draw glyph %d, skipping",c);
+    return(0);
+  }
 #ifdef DEBUG
   switch (currentfont->type) {
   case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n  VF CHAR:\t")); break;
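Review bot: The new upper bound `c>LASTFNTCHAR` is only safe if `currentfont->chr[]` holds at least `LASTFNTCHAR+1` entries, and that declaration is not part of this patch, so it should be confirmed in dvipng.h. Once verified, a comment above the check would record the invariant, for example `/* c is read from the input file; chr[] has LASTFNTCHAR+1 slots */`. Returning 0 for a skipped glyph presumably means the caller advances by zero width, which is worth stating in the same comment. SetChar's body starts and ends outside this hunk.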
@@ -108,13 +116,13 @@ dviunits SetChar(int32_t c)
   case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n  FT CHAR:\t")); break;
   default: DEBUG_PRINT(DEBUG_DVI,("\n  NO CHAR:\t"))
   }
-  if (isprint(c))
+  if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
     DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
   DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr?ptr->tfmw:0));
 #endif
   if (currentfont->type==FONT_TYPE_VF) {
-    return(SetVF(c));
-  } else if (ptr) {
+    return(SetVF(ptr));
+  } else {
     if (ptr->data == NULL) 
       switch(currentfont->type) {
       case FONT_TYPE_PK:	LoadPK(c, ptr); break;
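Review bot: `UCHAR_MAX` in the new `isprint` guard comes from `<limits.h>`, and none of the visible hunks add that include. Because the line sits inside `#ifdef DEBUG`, a missing include would only surface in a debug build, so it is worth building once with DEBUG defined. The plain `else` that replaces `else if (ptr)` is correct only while the early `ptr==NULL` return stays above it. A comment such as `/* ptr is non-NULL here: checked before the DEBUG block */` would keep a later edit from reintroducing a NULL dereference. The `ptr?ptr->tfmw:0` in the debug print is now redundant for the same reason.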
@@ -128,7 +136,7 @@ dviunits SetChar(int32_t c)
 	Fatal("undefined fonttype %d",currentfont->type);
       }
     if (page_imagep != NULL)
-      return(SetGlyph(c, hh, vv));
+      return(SetGlyph(ptr, hh, vv));
     else {
       /* Expand bounding box if necessary */
       min(x_min,hh - ptr->xOffset/shrinkfactor);
diff -up texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 texlive-2007/texk/dvipng/dvipng.h
--- texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829	2006-12-24 01:02:30.000000000 +0100
+++ texlive-2007/texk/dvipng/dvipng.h	2010-05-07 08:11:10.249916801 +0200
@@ -387,9 +387,9 @@ void      DrawPages(void);
 void      WriteImage(char*, int);
 void      LoadPK(int32_t, register struct char_entry *);
 int32_t   SetChar(int32_t);
-dviunits  SetGlyph(int32_t c, int32_t hh,int32_t vv);
+dviunits  SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
 void      Gamma(double gamma);
-int32_t   SetVF(int32_t);
+int32_t   SetVF(struct char_entry *ptr);
 int32_t   SetRule(int32_t, int32_t, int32_t, int32_t);
 void      SetSpecial(char *, int32_t, int32_t, int32_t);
 void      BeginVFMacro(struct font_entry*);
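Review bot: `SetGlyph` and `SetVF` keep the same argument count but their first parameter changes from an integer to `struct char_entry *`. A caller that was not updated would still compile on a toolchain that treats integer-to-pointer conversion as a warning, and would then dereference a glyph number as an address. The diffstat lists only draw.c, set.c and vf.c next to this header, so any other callers cannot be ruled out from this page. Searching the tree for both names and building with that warning promoted to an error would close the gap.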
diff -up texlive-2007/texk/dvipng/set.c.CVE-2010-0829 texlive-2007/texk/dvipng/set.c
--- texlive-2007/texk/dvipng/set.c.CVE-2010-0829	2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/set.c	2010-05-07 10:55:57.807931411 +0200
@@ -202,10 +202,9 @@ void Gamma(double gamma)
   }
 }
 
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh, int32_t vv)
 /* gdImageChar can only do monochrome glyphs */
 {
-  register struct char_entry *ptr = currentfont->chr[c];
   int dst_alpha,dst_weight,tot_weight,alpha;
   int x,y,pos=0;
   int bgColor,pixelgrey,pixelcolor;
diff -up texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 texlive-2007/texk/dvipng/vf.c
--- texlive-2007/texk/dvipng/vf.c.CVE-2010-0829	2006-11-07 21:40:00.000000000 +0100
+++ texlive-2007/texk/dvipng/vf.c	2010-05-07 08:11:10.252917007 +0200
@@ -28,11 +28,10 @@
 #define VF_ID 202
 #define LONG_CHAR 242
 
-int32_t SetVF(int32_t c) 
+int32_t SetVF(struct char_entry* ptr) 
 {
   struct font_entry* currentvf;
   unsigned char *command,*end;
-  struct char_entry* ptr=currentfont->chr[c];
 
   currentvf=currentfont;
   BeginVFMacro(currentvf);


Index: texlive.spec
===================================================================
RCS file: /cvs/pkgs/rpms/texlive/F-13/texlive.spec,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -p -r1.60 -r1.61
--- texlive.spec	29 Jan 2010 13:42:14 -0000	1.60
+++ texlive.spec	7 May 2010 12:21:39 -0000	1.61
@@ -21,7 +21,7 @@
 
 Name:		texlive
 Version:	%{texlive_ver}
-Release:	49%{?dist}
+Release:	50%{?dist}
 Summary:	Binaries for the TeX formatting system
 
 Group:		Applications/Publishing
@@ -78,6 +78,7 @@ Patch31:	texlive-elif.patch
 Patch32:	texlive-getline.patch
 Patch33:	texlive-poolfix.patch
 Patch34:	texlive-dvipsconfig.patch
+Patch35:	texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
 
 ######
 # mpeters contributed patches
@@ -411,6 +412,7 @@ chmod -x texk/dvipdfm/encodings.c
 %patch32 -p1 -b .getline
 %patch33 -p1 -b .poolfix
 %patch34 -p1 -b .dvipsconfig
+%patch35 -p1 -b .CVE-2010-0829
 
 # fix non utf man pages
 %patch42 -p1 -b .notutf8-2
@@ -1251,6 +1253,9 @@ fi
 %{_mandir}/man1/texutil.1*
 
 %changelog
+* Fri May 07 2010 Jindrich Novy <jnovy at redhat.com> 2007-50
+- fix CVE-2010-0829 (#589607)
+
 * Fri Jan 29 2010 Jindrich Novy <jnovy at redhat.com> 2007-49
 - create a separate package for static kpathsea library (#556097)
 


