aboutsummaryrefslogtreecommitdiffstats
path: root/main/evince/evince-2.32.0-dvi-CVEs.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/evince/evince-2.32.0-dvi-CVEs.patch')
-rw-r--r--main/evince/evince-2.32.0-dvi-CVEs.patch97
1 files changed, 0 insertions, 97 deletions
diff --git a/main/evince/evince-2.32.0-dvi-CVEs.patch b/main/evince/evince-2.32.0-dvi-CVEs.patch
deleted file mode 100644
index 691ee4190a..0000000000
--- a/main/evince/evince-2.32.0-dvi-CVEs.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 8e473c9796b9a61b811213e7892fd36fd570303a Mon Sep 17 00:00:00 2001
-From: José Aliste <jaliste@src.gnome.org>
-Date: Tue, 07 Dec 2010 18:56:47 +0000
-Subject: backends: Fix several security issues in the dvi-backend.
-
-See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and CVE-2010-2643.
----
-diff --git a/backend/dvi/mdvi-lib/afmparse.c b/backend/dvi/mdvi-lib/afmparse.c
-index 164366b..361e23d 100644
---- a/backend/dvi/mdvi-lib/afmparse.c
-+++ b/backend/dvi/mdvi-lib/afmparse.c
-@@ -160,7 +160,7 @@ static char *token(FILE *stream)
-
- idx = 0;
- while (ch != EOF && ch != ' ' && ch != lineterm
-- && ch != '\t' && ch != ':' && ch != ';')
-+ && ch != '\t' && ch != ':' && ch != ';' && idx < MAX_NAME)
- {
- ident[idx++] = ch;
- ch = fgetc(stream);
-diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
-index 97b7b84..ac98068 100644
---- a/backend/dvi/mdvi-lib/dviread.c
-+++ b/backend/dvi/mdvi-lib/dviread.c
-@@ -1537,6 +1537,10 @@ int special(DviContext *dvi, int opcode)
- Int32 arg;
-
- arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
-+ if (arg <= 0) {
-+ dvierr(dvi, _("malformed special length\n"));
-+ return -1;
-+ }
- s = mdvi_malloc(arg + 1);
- dread(dvi, s, arg);
- s[arg] = 0;
-diff --git a/backend/dvi/mdvi-lib/pk.c b/backend/dvi/mdvi-lib/pk.c
-index a579186..08377e6 100644
---- a/backend/dvi/mdvi-lib/pk.c
-+++ b/backend/dvi/mdvi-lib/pk.c
-@@ -469,6 +469,15 @@ static int pk_load_font(DviParams *unused, DviFont *font)
- }
- if(feof(p))
- break;
-+
-+ /* Although the PK format support bigger char codes,
-+ * XeTeX and other extended TeX engines support charcodes up to
-+ * 65536, while normal TeX engine supports only charcode up to 255.*/
-+ if (cc < 0 || cc > 65536) {
-+ mdvi_error (_("%s: unexpected charcode (%d)\n"),
-+ font->fontname,cc);
-+ goto error;
-+ }
- if(cc < loc)
- loc = cc;
- if(cc > hic)
-@@ -512,7 +521,7 @@ static int pk_load_font(DviParams *unused, DviFont *font)
- }
-
- /* resize font char data */
-- if(loc > 0 || hic < maxch-1) {
-+ if(loc > 0 && hic < maxch-1) {
- memmove(font->chars, font->chars + loc,
- (hic - loc + 1) * sizeof(DviFontChar));
- font->chars = xresize(font->chars,
-diff --git a/backend/dvi/mdvi-lib/tfmfile.c b/backend/dvi/mdvi-lib/tfmfile.c
-index 73ebf26..8c2a30b 100644
---- a/backend/dvi/mdvi-lib/tfmfile.c
-+++ b/backend/dvi/mdvi-lib/tfmfile.c
-@@ -172,7 +172,8 @@ int tfm_load_file(const char *filename, TFMInfo *info)
- /* We read the entire TFM file into core */
- if(fstat(fileno(in), &st) < 0)
- return -1;
-- if(st.st_size == 0)
-+ /* according to the spec, TFM files are smaller than 16K */
-+ if(st.st_size == 0 || st.st_size >= 16384)
- goto bad_tfm;
-
- /* allocate a word-aligned buffer to hold the file */
-diff --git a/backend/dvi/mdvi-lib/vf.c b/backend/dvi/mdvi-lib/vf.c
-index fb49847..a5ae3bb 100644
---- a/backend/dvi/mdvi-lib/vf.c
-+++ b/backend/dvi/mdvi-lib/vf.c
-@@ -165,6 +165,12 @@ static int vf_load_font(DviParams *params, DviFont *font)
- cc = fuget1(p);
- tfm = fuget3(p);
- }
-+ if (cc < 0 || cc > 65536) {
-+ /* TeX engines do not support char codes bigger than 65535 */
-+ mdvi_error(_("(vf) %s: unexpected character %d\n"),
-+ font->fontname, cc);
-+ goto error;
-+ }
- if(loc < 0 || cc < loc)
- loc = cc;
- if(hic < 0 || cc > hic)
---
-cgit v0.8.3.1