gpdf 2.8.1 is based on xpdf 3.00pl1.  I've added the pl2 and pl3
security patches, as well as a fix for the CAN-2005-2097 DoS issue
that I pulled out of the Mandrake SRPM.

It is important to realize that the xpdf code base is duplicated
several times in the tree: xpdf itself, gpdf, kpdf, and cups.  Any
security issue affecting xpdf is likely to also affect its derivatives.


Index: Makefile
===================================================================
RCS file: /cvs/ports/textproc/gpdf/Makefile,v
retrieving revision 1.9
diff -u -r1.9 Makefile
--- Makefile    21 Feb 2005 16:54:19 -0000      1.9
+++ Makefile    20 Aug 2005 20:49:17 -0000
@@ -3,6 +3,7 @@
 COMMENT=               "PDF viewer for GNOME"
 
 DISTNAME=              gpdf-2.8.1
+PKGNAME=               ${DISTNAME}p0
 CATEGORIES=            textproc x11/gnome
 
 HOMEPAGE=              http://www.inf.tu-dresden.de/~mk793652/gpdf/
Index: patches/patch-xpdf_GPOutputDev_cc
===================================================================
RCS file: patches/patch-xpdf_GPOutputDev_cc
diff -N patches/patch-xpdf_GPOutputDev_cc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_GPOutputDev_cc   20 Aug 2005 20:49:17 -0000
@@ -0,0 +1,56 @@
+$OpenBSD$
+--- xpdf/GPOutputDev.cc.orig   Sat Aug 20 22:36:27 2005
++++ xpdf/GPOutputDev.cc        Sat Aug 20 22:38:32 2005
+@@ -257,26 +257,14 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+   }
+   case fontTrueType: {
+     FoFiTrueType *ff;
+-    gint fd;
+-    gchar *temp_name;
+-    FILE *f;
+     gushort *code_to_gid;
+ 
+     ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+ 
+    code_to_gid = ((Gfx8BitFont *)font)->getCodeToGIDMap(ff); // this is g(oo)malloc'd
+ 
+-    fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+-    f = fdopen(fd, "wb");
+-    ff->writeTTF(&fileWrite, f);
+     delete ff;
+-    g_free(contents);
+-    fclose(f);
+ 
+-    g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+-    unlink(temp_name);
+-    g_free(temp_name);
+-
+     gff = gpdf_font_face_download((const guchar *)font_name,
+                                 (const guchar *)"",
+                                 GNOME_FONT_REGULAR, FALSE,
+@@ -318,25 +306,8 @@ GnomeFontFace *GPOFontMap::getFontFaceEm
+     break;
+   }
+   case fontCIDType2: {
+-    FoFiTrueType *ff;
+-    gint fd;
+-    gchar *temp_name;
+-    FILE *f;
+     gint n_cids;    
+     gushort *code_to_gid;
+-
+-    ff = FoFiTrueType::make((char *)contents, length); // FIXME error handling
+-
+-    fd = g_file_open_tmp("gpdf-ttf-XXXXXX", &temp_name, NULL);
+-    f = fdopen(fd, "wb");
+-    ff->writeTTF(&fileWrite, f);
+-    delete ff;
+-    g_free(contents);
+-    fclose(f);
+-
+-    g_file_get_contents(temp_name, (gchar **)&contents, &length, NULL);
+-    unlink(temp_name);
+-    g_free(temp_name);
+ 
+     gff = gpdf_font_face_download((const guchar *)font_name,
+                                 (const guchar *)"",
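Review bot: In the `fontTrueType` case, `ff` is still passed to `getCodeToGIDMap(ff)` and then deleted without a NULL check, and the retained `// FIXME error handling` comment on the `FoFiTrueType::make` line suggests that call can fail. The font bytes come from the PDF being viewed, so a malformed embedded font is the expected failure input here. I would add a guard such as `if (!ff) { /* take the function's existing failure path */ }` directly after the `make` call. The correct cleanup (freeing `contents`, leaving the case) depends on code outside this hunk, so it needs checking against the full function.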
Index: patches/patch-xpdf_GfxState_cc
===================================================================
RCS file: patches/patch-xpdf_GfxState_cc
diff -N patches/patch-xpdf_GfxState_cc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_GfxState_cc      20 Aug 2005 20:49:17 -0000
@@ -0,0 +1,24 @@
+$OpenBSD$
+--- xpdf/GfxState.cc.orig      Sat Aug 20 22:10:30 2005
++++ xpdf/GfxState.cc   Sat Aug 20 22:12:38 2005
+@@ -714,6 +714,11 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
+   }
+   nCompsA = obj2.getInt();
+   obj2.free();
++  if (nCompsA > gfxColorMaxComps) {
++    error(-1, "ICCBased color space with too many (%d > %d) components",
++        nCompsA, gfxColorMaxComps);
++    nCompsA = gfxColorMaxComps;
++  }
+   if (dict->lookup("Alternate", &obj2)->isNull() ||
+       !(altA = GfxColorSpace::parse(&obj2))) {
+     switch (nCompsA) {
+@@ -1060,7 +1065,7 @@ GfxColorSpace *GfxDeviceNColorSpace::par
+   }
+   nCompsA = obj1.arrayGetLength();
+   if (nCompsA > gfxColorMaxComps) {
+-    error(-1, "DeviceN color space with more than %d > %d components",
++    error(-1, "DeviceN color space with too many (%d > %d) components",
+         nCompsA, gfxColorMaxComps);
+     nCompsA = gfxColorMaxComps;
+   }
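Review bot: The new ICCBased check bounds `nCompsA` only from above, so a zero or negative value returned by `obj2.getInt()` still reaches `switch (nCompsA)` and whatever follows the hunk. If later code sizes or indexes anything by `nCompsA`, the guard should cover both sides, for example `if (nCompsA < 1 || nCompsA > gfxColorMaxComps)`, with the low side rejected rather than clamped. The DeviceN hunk takes its count from `arrayGetLength()`, so it presumably does not have the same lower-bound concern. Both parse functions continue outside the visible lines.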
Index: patches/patch-xpdf_Gfx_cc
===================================================================
RCS file: patches/patch-xpdf_Gfx_cc
diff -N patches/patch-xpdf_Gfx_cc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_Gfx_cc   20 Aug 2005 20:49:17 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+--- xpdf/Gfx.cc.orig   Sat Aug 20 22:09:21 2005
++++ xpdf/Gfx.cc        Sat Aug 20 22:10:22 2005
+@@ -2654,7 +2654,9 @@ void Gfx::doImage(Object *ref, Stream *s
+     haveMask = gFalse;
+     dict->lookup("Mask", &maskObj);
+     if (maskObj.isArray()) {
+-      for (i = 0; i < maskObj.arrayGetLength(); ++i) {
++      for (i = 0;
++        i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
++        ++i) {
+       maskObj.arrayGet(i, &obj1);
+       maskColors[i] = obj1.getInt();
+       obj1.free();
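Review bot: The loop now stops silently at `2*gfxColorMaxComps` entries, whereas the GfxState.cc clamps in the same update report the oversized value through `error()`. A matching diagnostic when `maskObj.arrayGetLength()` exceeds the bound, e.g. `error(-1, "Mask array with too many (%d > %d) entries", ...)`, would make truncated masks visible to whoever triages a suspicious document. The bound is presumably the declared length of `maskColors`, which is outside the hunk. Once confirmed, a short comment such as `// maskColors[] holds 2*gfxColorMaxComps entries` would tie the two together. In the visible lines `obj1.getInt()` is also called without an `isInt()` check.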
Index: patches/patch-xpdf_XRef_cc
===================================================================
RCS file: patches/patch-xpdf_XRef_cc
diff -N patches/patch-xpdf_XRef_cc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-xpdf_XRef_cc  20 Aug 2005 20:49:17 -0000
@@ -0,0 +1,13 @@
+$OpenBSD$
+--- xpdf/XRef.cc.orig  Sat Aug 20 22:14:19 2005
++++ xpdf/XRef.cc       Sat Aug 20 22:16:10 2005
+@@ -819,6 +819,9 @@ GBool XRef::checkEncrypted(GString *owne
+       } else {
+         keyLength = 5;
+       }
++      if (keyLength > 16) {
++        keyLength = 16;
++      }
+       permFlags = permissions.getInt();
+       if (encVersion >= 1 && encVersion <= 2 &&
+           encRevision >= 2 && encRevision <= 3) {
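Review bot: The added clamp covers only the upper side of `keyLength`. If the branch just above the hunk derives `keyLength` from a length field in the document, a zero or negative value still reaches the key setup that follows. It is worth confirming against the full `checkEncrypted` body and, if so, extending the check to `if (keyLength < 1 || keyLength > 16)` with a defined fallback. The literal `16` is presumably the size of the file-key buffer declared elsewhere. A comment saying so, or a named constant shared with that declaration, would keep the two from drifting apart.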
-- 
Christian "naddy" Weisgerber                          [EMAIL PROTECTED]
