Fix integer overflow vulnerabilities.

Patch made by:	Chris Evans, Dirk Muller, Sebastian Krahmer,
		Derek Noonburg and Marcus Meissner
Submitted by:	nectar

graphics/xpdf/Makefile

@@ -7,7 +7,7 @@
 
 PORTNAME=	xpdf
 PORTVERSION=	3.00
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	graphics print
 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/ \
 		${MASTER_SITE_TEX_CTAN}

graphics/xpdf/files/patch-security

@@ -0,0 +1,297 @@
+--- xpdf/Catalog.cc.orig	2004-10-18 16:51:35.824126848 +0200
++++ xpdf/Catalog.cc	2004-10-18 16:53:06.634620045 +0200
+@@ -64,6 +64,15 @@
+   }
+   pagesSize = numPages0 = (int)obj.getNum();
+   obj.free();
++  // The gcc doesnt optimize this away, so this check is ok,
++  // even if it looks like a pagesSize != pagesSize check
++  if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
++      pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
++    error(-1, "Invalid 'pagesSize'");
++    ok = gFalse;
++    return;
++  }
++
+   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+   for (i = 0; i < pagesSize; ++i) {
+@@ -191,6 +200,11 @@
+       }
+       if (start >= pagesSize) {
+ 	pagesSize += 32;
++        if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
++            pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
++          error(-1, "Invalid 'pagesSize' parameter.");
++          goto err3;
++        }
+ 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ 	for (j = pagesSize - 32; j < pagesSize; ++j) {
+--- xpdf/XRef.cc.orig	2004-10-11 15:51:14.000000000 +0200
++++ xpdf/XRef.cc	2004-10-11 15:56:48.000000000 +0200
+@@ -96,7 +96,7 @@
+   }
+   nObjects = obj1.getInt();
+   obj1.free();
+-  if (nObjects == 0) {
++  if (nObjects <= 0) {
+     goto err1;
+   }
+ 
+@@ -106,7 +106,15 @@
+   }
+   first = obj1.getInt();
+   obj1.free();
++  if (first < 0) {
++    goto err1;
++  }
+ 
++  if (nObjects*sizeof(int)/sizeof(int) != nObjects) {
++    error(-1, "Invalid 'nObjects'");
++    goto err1;
++  }
++ 
+   objs = new Object[nObjects];
+   objNums = (int *)gmalloc(nObjects * sizeof(int));
+   offsets = (int *)gmalloc(nObjects * sizeof(int));
+@@ -130,6 +138,12 @@
+     offsets[i] = obj2.getInt();
+     obj1.free();
+     obj2.free();
++    if (objNums[i] < 0 || offsets[i] < 0 ||
++	(i > 0 && offsets[i] < offsets[i-1])) {
++      delete parser;
++      gfree(offsets);
++      goto err1;
++    }
+   }
+   while (str->getChar() != EOF) ;
+   delete parser;
+@@ -369,10 +383,21 @@
+     }
+     n = obj.getInt();
+     obj.free();
++    if (first < 0 || n < 0 || first + n < 0) {
++      goto err1;
++    }
+     if (first + n > size) {
+       for (newSize = size ? 2 * size : 1024;
+-	   first + n > newSize;
++	   first + n > newSize && newSize > 0;
+ 	   newSize <<= 1) ;
++      if (newSize < 0) {
++	goto err1;
++      }
++      if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++        error(-1, "Invalid 'obj' parameters'");
++        goto err1;
++      }
++ 
+       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+       for (i = size; i < newSize; ++i) {
+ 	entries[i].offset = 0xffffffff;
+@@ -443,7 +468,7 @@
+ 
+   // check for an 'XRefStm' key
+   if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
+-    pos2 = obj2.getInt();
++    pos2 = (Guint)obj2.getInt();
+     readXRef(&pos2);
+     if (!ok) {
+       goto err1;
+@@ -474,7 +499,14 @@
+   }
+   newSize = obj.getInt();
+   obj.free();
++  if (newSize < 0) {
++    goto err1;
++  }
+   if (newSize > size) {
++    if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++      error(-1, "Invalid 'size' parameter.");
++      return gFalse;
++    }
+     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+     for (i = size; i < newSize; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -494,6 +526,9 @@
+     }
+     w[i] = obj2.getInt();
+     obj2.free();
++    if (w[i] < 0 || w[i] > 4) {
++      goto err1;
++    }
+   }
+   obj.free();
+ 
+@@ -513,13 +548,14 @@
+       }
+       n = obj.getInt();
+       obj.free();
+-      if (!readXRefStreamSection(xrefStr, w, first, n)) {
++      if (first < 0 || n < 0 ||
++	  !readXRefStreamSection(xrefStr, w, first, n)) {
+ 	idx.free();
+ 	goto err0;
+       }
+     }
+   } else {
+-    if (!readXRefStreamSection(xrefStr, w, 0, size)) {
++    if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
+       idx.free();
+       goto err0;
+     }
+@@ -551,10 +587,20 @@
+   Guint offset;
+   int type, gen, c, newSize, i, j;
+ 
++  if (first + n < 0) {
++    return gFalse;
++  }
+   if (first + n > size) {
+     for (newSize = size ? 2 * size : 1024;
+-	 first + n > newSize;
++	 first + n > newSize && newSize > 0;
+ 	 newSize <<= 1) ;
++    if (newSize < 0) {
++      return gFalse;
++    }
++    if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++      error(-1, "Invalid 'size' inside xref table.");
++      return gFalse;
++    }
+     entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+     for (i = size; i < newSize; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -585,24 +631,26 @@
+       }
+       gen = (gen << 8) + c;
+     }
+-    switch (type) {
+-    case 0:
+-      entries[i].offset = offset;
+-      entries[i].gen = gen;
+-      entries[i].type = xrefEntryFree;
+-      break;
+-    case 1:
+-      entries[i].offset = offset;
+-      entries[i].gen = gen;
+-      entries[i].type = xrefEntryUncompressed;
+-      break;
+-    case 2:
+-      entries[i].offset = offset;
+-      entries[i].gen = gen;
+-      entries[i].type = xrefEntryCompressed;
+-      break;
+-    default:
+-      return gFalse;
++    if (entries[i].offset == 0xffffffff) {
++      switch (type) {
++      case 0:
++	entries[i].offset = offset;
++	entries[i].gen = gen;
++	entries[i].type = xrefEntryFree;
++	break;
++      case 1:
++	entries[i].offset = offset;
++	entries[i].gen = gen;
++	entries[i].type = xrefEntryUncompressed;
++	break;
++      case 2:
++	entries[i].offset = offset;
++	entries[i].gen = gen;
++	entries[i].type = xrefEntryCompressed;
++	break;
++      default:
++	return gFalse;
++      }
+     }
+   }
+ 
+@@ -664,38 +712,48 @@
+     // look for object
+     } else if (isdigit(*p)) {
+       num = atoi(p);
+-      do {
+-	++p;
+-      } while (*p && isdigit(*p));
+-      if (isspace(*p)) {
++      if (num > 0) {
+ 	do {
+ 	  ++p;
+-	} while (*p && isspace(*p));
+-	if (isdigit(*p)) {
+-	  gen = atoi(p);
++	} while (*p && isdigit(*p));
++	if (isspace(*p)) {
+ 	  do {
+ 	    ++p;
+-	  } while (*p && isdigit(*p));
+-	  if (isspace(*p)) {
++	  } while (*p && isspace(*p));
++	  if (isdigit(*p)) {
++	    gen = atoi(p);
+ 	    do {
+ 	      ++p;
+-	    } while (*p && isspace(*p));
+-	    if (!strncmp(p, "obj", 3)) {
+-	      if (num >= size) {
+-		newSize = (num + 1 + 255) & ~255;
+-		entries = (XRefEntry *)
+-		            grealloc(entries, newSize * sizeof(XRefEntry));
+-		for (i = size; i < newSize; ++i) {
+-		  entries[i].offset = 0xffffffff;
+-		  entries[i].type = xrefEntryFree;
++	    } while (*p && isdigit(*p));
++	    if (isspace(*p)) {
++	      do {
++		++p;
++	      } while (*p && isspace(*p));
++	      if (!strncmp(p, "obj", 3)) {
++		if (num >= size) {
++		  newSize = (num + 1 + 255) & ~255;
++		  if (newSize < 0) {
++		    error(-1, "Bad object number");
++		    return gFalse;
++		  }
++                  if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
++                    error(-1, "Invalid 'obj' parameters.");
++                    return gFalse;
++                  }
++		  entries = (XRefEntry *)
++		      grealloc(entries, newSize * sizeof(XRefEntry));
++		  for (i = size; i < newSize; ++i) {
++		    entries[i].offset = 0xffffffff;
++		    entries[i].type = xrefEntryFree;
++		  }
++		  size = newSize;
++		}
++		if (entries[num].type == xrefEntryFree ||
++		    gen >= entries[num].gen) {
++		  entries[num].offset = pos - start;
++		  entries[num].gen = gen;
++		  entries[num].type = xrefEntryUncompressed;
+ 		}
+-		size = newSize;
+-	      }
+-	      if (entries[num].type == xrefEntryFree ||
+-		  gen >= entries[num].gen) {
+-		entries[num].offset = pos - start;
+-		entries[num].gen = gen;
+-		entries[num].type = xrefEntryUncompressed;
+ 	      }
+ 	    }
+ 	  }
+@@ -705,6 +763,10 @@
+     } else if (!strncmp(p, "endstream", 9)) {
+       if (streamEndsLen == streamEndsSize) {
+ 	streamEndsSize += 64;
++        if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
++          error(-1, "Invalid 'endstream' parameter.");
++          return gFalse;
++        }
+ 	streamEnds = (Guint *)grealloc(streamEnds,
+ 				       streamEndsSize * sizeof(int));
+       }
+

security/vuxml/vuln.xml

@@ -37,10 +37,13 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     <affects>
       <package>
 	<name>gpdf</name>
-	<name>xpdf</name>
 	<name>cups-base</name>
 	<range><ge>0</ge></range>
       </package>
+      <package>
+	<name>xpdf</name>
+	<range><lt>3.00_4</lt></range>
+      </package>
       <package>
 	<name>kdegraphics</name>
 	<range><lt>3.3.0_1</lt></range>