authorMartin von Gagern <Martin.vGagern@gmx.net>2009-11-12 12:56:01 +0100
committerMartin von Gagern <Martin.vGagern@gmx.net>2009-11-12 12:56:01 +0100
commit838259445fbf8f350aff1508549db45cd5cea6f6 (patch)
tree63ef31afd1b5612aab5a560a607e8dfcc7f6a862
parentAutomatically change working directory for generate_unmask. (diff)
Fix kpdf security issues, #290470
-rw-r--r--Documentation/package.unmask/kde-3.51
-rw-r--r--kde-base/kpdf/ChangeLog4
-rw-r--r--kde-base/kpdf/Manifest4
-rw-r--r--kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch225
-rw-r--r--kde-base/kpdf/kpdf-3.5.10-r2.ebuild36
5 files changed, 269 insertions, 1 deletions
diff --git a/Documentation/package.unmask/kde-3.5 b/Documentation/package.unmask/kde-3.5
index 0fad2999..2316d65a 100644
--- a/Documentation/package.unmask/kde-3.5
+++ b/Documentation/package.unmask/kde-3.5
@@ -279,6 +279,7 @@
=kde-base/kpat-3.5.10
=kde-base/kpdf-3.5.10
=kde-base/kpdf-3.5.10-r1
+=kde-base/kpdf-3.5.10-r2
=kde-base/kpercentage-3.5.10
=kde-base/kpersonalizer-3.5.10
=kde-base/kpf-3.5.10
diff --git a/kde-base/kpdf/ChangeLog b/kde-base/kpdf/ChangeLog
index 3f9f001d..8be3cf62 100644
--- a/kde-base/kpdf/ChangeLog
+++ b/kde-base/kpdf/ChangeLog
@@ -2,6 +2,10 @@
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/ChangeLog,v 1.173 2009/10/12 22:05:13 abcd Exp $
+ 12 Nov 2009; Martin von Gagern (MvG) <Martin.vGagern@gmx.net>
+ +kpdf-3.5.10-r2.ebuild, +files/kpdf-3.5.10-xpdf-3.02pl4.patch:
+ Fix kpdf security issues, #290470
+
12 Oct 2009; Jonathan Callen <abcd@gentoo.org> -kpdf-3.5.9.ebuild:
KDE 3.5.9 removal
diff --git a/kde-base/kpdf/Manifest b/kde-base/kpdf/Manifest
index e9d1c427..bfd28ba3 100644
--- a/kde-base/kpdf/Manifest
+++ b/kde-base/kpdf/Manifest
@@ -1,8 +1,10 @@
AUX kde-CVE-2009-1188.patch 491 RMD160 4b97605d34ca86894fe55a13bff3887468753b8b SHA1 3d3b00f3aaa53a5a17786559261c9089937be5da SHA256 592c9646aed0fade9c12dbadcfa91704e0430942078d8285bed29d9d70adaa3c
AUX kpdf-3.5.10-font-hiding.patch 1053 RMD160 c61ec316deca92ea96926d9697191ac9525f3c6a SHA1 b83ca9a57514fbddcc5a09e12f3024457c831415 SHA256 8f06a56423579cab9a017ccf4cca7cd7cce40d6e12638ddc4640d3fed2611248
+AUX kpdf-3.5.10-xpdf-3.02pl4.patch 6605 RMD160 c8c41d1d816fd9c780f3acc2badf8e0f83d35f68 SHA1 df0598d9794eaafa5eaf37f7b99af1f539ba4ee6 SHA256 db9c8d7ab7d1a92db78e030baf5d95a2c39dd1d513b4d4403ef35575b0befa4f
DIST kdegraphics-3.5.10.tar.bz2 7440912 RMD160 94278e4419ab99885fc9efae9b6ba5ba787f831e SHA1 9634e3ab364d017152fb6d636efad8811aeec6c3 SHA256 bdc73fa98008aa64b72636282bf0d83c7bb3e6d4ba1d0831277dda469b57408b
DIST kpdf-3.5.10-JBIG2.tar.bz2 5533 RMD160 58bbb77e5d98abdfd3fe629dc34d6f53e67b4c3d SHA1 2d74673ee085ba8f22e4f27c323e5902f34dd525 SHA256 37a1e35b6a4a9ae8324ab5894cae216375c7d05b136386698bc23feca014ddb4
EBUILD kpdf-3.5.10-r1.ebuild 1001 RMD160 671f9e390ad7cd7d34e4b3f34198455e60693d6c SHA1 6e822e8c2b593305e9ed7ccdc8285091e6403d93 SHA256 1ef28876ff0fa717c2ffd6e9bf8d33bb49950cc5cb661399e3f379bb92f298c9
+EBUILD kpdf-3.5.10-r2.ebuild 1047 RMD160 778b8bf347b7e7fe28019d9e379acd1d2fffcbc8 SHA1 109c30ce6b585344d2838f821fa3600ac259280d SHA256 ddfa7de66c2d31138b159207146d7fb10742d403ac3797b035980a3777c2714c
EBUILD kpdf-3.5.10.ebuild 815 RMD160 525fba101344d38aad95814d3673ae3fc9f8a0b2 SHA1 674901cbc98e6c2c6b69ce2936724f2835c69a74 SHA256 2e8bbdcce56b14d6b6582f16ecdccb333dbb1e9fe1b9bb75a2ffb587a217304e
-MISC ChangeLog 23491 RMD160 be88a4226b27f24da21d02eeab16f5ae2550a0f8 SHA1 ab6f8eca9062d60eb17bfd59cf863a5da06a4ee0 SHA256 9a0f66b7480ec0e18b564c87da58b03982dc747ca111844cbf163bd45a378d9d
+MISC ChangeLog 23657 RMD160 7689a535591750b06e951c1b3d051434318933c7 SHA1 76ffac80087118ad46fae8adb6ffb3c4ffe6693e SHA256 a53442e8b6c001ee10c95b5913116c467572623fa7e8d83c4d13420e35b499a6
MISC metadata.xml 156 RMD160 ecce3b981f150c45ae1e84e2d208e678d6124259 SHA1 b64f7c0b4e5db816d82ad19848f72118af129d35 SHA256 2f4da28506b9d4185f320f67a6191d30c7a921217ed4447ed46ea0bc4aefc79a
diff --git a/kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch b/kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch
new file mode 100644
index 00000000..8b0cecff
--- /dev/null
+++ b/kde-base/kpdf/files/kpdf-3.5.10-xpdf-3.02pl4.patch
@@ -0,0 +1,225 @@
+Adaptation of xpdf 3.02pl4 to kpdf.
+
+2009-11-12 Martin von Gagern
+References:
+ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
+https://bugs.gentoo.org/290470
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3603
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3604
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3606
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3608
+
+Index: kpdf-3.5.10/kpdf/xpdf/splash/Splash.cc
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/splash/Splash.cc
++++ kpdf-3.5.10/kpdf/xpdf/splash/Splash.cc
+@@ -12,6 +12,7 @@
+
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashMath.h"
+@@ -1937,7 +1938,10 @@ SplashError Splash::fillImageMask(Splash
+ xq = w % scaledWidth;
+
+ // allocate pixel buffer
+- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
++ if (yp < 0 || yp > INT_MAX - 1) {
++ return splashErrBadArg;
++ }
++ pixBuf = (SplashColorPtr)gmallocn(yp + 1, w);
+
+ // initialize the pixel pipe
+ pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
+@@ -2233,9 +2237,12 @@ SplashError Splash::drawImage(SplashImag
+ xq = w % scaledWidth;
+
+ // allocate pixel buffers
+- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
++ if (yp < 0 || yp > INT_MAX - 1 || w > INT_MAX / nComps) {
++ return splashErrBadArg;
++ }
++ colorBuf = (SplashColorPtr)gmallocn(yp + 1, w * nComps);
+ if (srcAlpha) {
+- alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
++ alphaBuf = (Guchar *)gmallocn(yp + 1, w);
+ } else {
+ alphaBuf = NULL;
+ }
+Index: kpdf-3.5.10/kpdf/xpdf/splash/SplashBitmap.cc
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/splash/SplashBitmap.cc
++++ kpdf-3.5.10/kpdf/xpdf/splash/SplashBitmap.cc
+@@ -11,6 +11,7 @@
+ #endif
+
+ #include <stdio.h>
++#include <limits.h>
+ #include "gmem.h"
+ #include "SplashErrorCodes.h"
+ #include "SplashBitmap.h"
+@@ -27,30 +28,48 @@ SplashBitmap::SplashBitmap(int widthA, i
+ mode = modeA;
+ switch (mode) {
+ case splashModeMono1:
+- rowSize = (width + 7) >> 3;
++ if (width > 0) {
++ rowSize = (width + 7) >> 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeMono8:
+- rowSize = width;
++ if (width > 0) {
++ rowSize = width;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ case splashModeRGB8:
+ case splashModeBGR8:
+- rowSize = width * 3;
++ if (width > 0 && width <= INT_MAX / 3) {
++ rowSize = width * 3;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #if SPLASH_CMYK
+ case splashModeCMYK8:
+- rowSize = width * 4;
++ if (width > 0 && width <= INT_MAX / 4) {
++ rowSize = width * 4;
++ } else {
++ rowSize = -1;
++ }
+ break;
+ #endif
+ }
+- rowSize += rowPad - 1;
+- rowSize -= rowSize % rowPad;
+- data = (SplashColorPtr)gmallocn(rowSize, height);
++ if (rowSize > 0) {
++ rowSize += rowPad - 1;
++ rowSize -= rowSize % rowPad;
++ }
++ data = (SplashColorPtr)gmallocn(height, rowSize);
+ if (!topDown) {
+ data += (height - 1) * rowSize;
+ rowSize = -rowSize;
+ }
+ if (alphaA) {
+- alpha = (Guchar *)gmalloc(width * height);
++ alpha = (Guchar *)gmallocn(width, height);
+ } else {
+ alpha = NULL;
+ }
+Index: kpdf-3.5.10/kpdf/xpdf/splash/SplashErrorCodes.h
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/splash/SplashErrorCodes.h
++++ kpdf-3.5.10/kpdf/xpdf/splash/SplashErrorCodes.h
+@@ -31,4 +31,6 @@
+
+ #define splashErrZeroImage 9 // image of 0x0
+
++#define splashErrBadArg 9 // bad argument
++
+ #endif
+Index: kpdf-3.5.10/kpdf/xpdf/xpdf/PSOutputDev.cc
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/xpdf/PSOutputDev.cc
++++ kpdf-3.5.10/kpdf/xpdf/xpdf/PSOutputDev.cc
+@@ -4386,7 +4386,7 @@ void PSOutputDev::doImageL1Sep(GfxImageC
+ width, -height, height);
+
+ // allocate a line buffer
+- lineBuf = (Guchar *)gmalloc(4 * width);
++ lineBuf = (Guchar *)gmallocn(width, 4);
+
+ // set up to process the data stream
+ imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
+Index: kpdf-3.5.10/kpdf/xpdf/xpdf/Stream.cc
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/xpdf/Stream.cc
++++ kpdf-3.5.10/kpdf/xpdf/xpdf/Stream.cc
+@@ -323,6 +323,10 @@ ImageStream::ImageStream(Stream *strA, i
+ } else {
+ imgLineSize = nVals;
+ }
++ if (width > INT_MAX / nComps) {
++ // force a call to gmallocn(-1,...), which will throw an exception
++ imgLineSize = -1;
++ }
+ imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
+ imgIdx = nVals;
+ }
+Index: kpdf-3.5.10/kpdf/xpdf/xpdf/XRef.cc
+===================================================================
+--- kpdf-3.5.10.orig/kpdf/xpdf/xpdf/XRef.cc
++++ kpdf-3.5.10/kpdf/xpdf/xpdf/XRef.cc
+@@ -52,6 +52,8 @@ public:
+ // generation 0.
+ ObjectStream(XRef *xref, int objStrNumA);
+
++ GBool isOk() { return ok; }
++
+ ~ObjectStream();
+
+ // Return the object number of this object stream.
+@@ -67,6 +69,7 @@ private:
+ int nObjects; // number of objects in the stream
+ Object *objs; // the objects (length = nObjects)
+ int *objNums; // the object numbers (length = nObjects)
++ GBool ok;
+ };
+
+ ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
+@@ -80,6 +83,7 @@ ObjectStream::ObjectStream(XRef *xref, i
+ nObjects = 0;
+ objs = NULL;
+ objNums = NULL;
++ ok = gFalse;
+
+ if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
+ goto err1;
+@@ -105,6 +109,13 @@ ObjectStream::ObjectStream(XRef *xref, i
+ goto err1;
+ }
+
++ // this is an arbitrary limit to avoid integer overflow problems
++ // in the 'new Object[nObjects]' call (Acrobat apparently limits
++ // object streams to 100-200 objects)
++ if (nObjects > 1000000) {
++ error(-1, "Too many objects in an object stream");
++ goto err1;
++ }
+ objs = new Object[nObjects];
+ objNums = (int *)gmallocn(nObjects, sizeof(int));
+ offsets = (int *)gmallocn(nObjects, sizeof(int));
+@@ -161,10 +172,10 @@ ObjectStream::ObjectStream(XRef *xref, i
+ }
+
+ gfree(offsets);
++ ok = gTrue;
+
+ err1:
+ objStr.free();
+- return;
+ }
+
+ ObjectStream::~ObjectStream() {
+@@ -837,6 +848,11 @@ Object *XRef::fetch(int num, int gen, Ob
+ delete objStr;
+ }
+ objStr = new ObjectStream(this, e->offset);
++ if (!objStr->isOk()) {
++ delete objStr;
++ objStr = NULL;
++ goto err;
++ }
+ }
+ objStr->getObject(e->gen, num, obj);
+ break;
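Review bot: In the SplashErrorCodes.h section the new `splashErrBadArg` is defined as 9, the same value the context line just above gives `splashErrZeroImage`, so a caller of `fillImageMask` or `drawImage` cannot tell a rejected buffer size from a 0x0 image. Unless the collision is intended, give it its own value, e.g. `#define splashErrBadArg 10 // bad argument`, after checking that 10 is unused; the rest of the header is outside the hunk. Separately, the Stream.cc guard `width > INT_MAX / nComps` sits after `nVals` has apparently already been computed from the same operands (that line is outside the hunk), and it divides by `nComps` without rejecting zero or negative values. Placing the test before the multiplication as `if (nComps <= 0 || width > INT_MAX / nComps)` would cover both. Stream.cc also gets no `#include <limits.h>` in this patch, unlike the two Splash files, so confirm it already includes it.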
diff --git a/kde-base/kpdf/kpdf-3.5.10-r2.ebuild b/kde-base/kpdf/kpdf-3.5.10-r2.ebuild
new file mode 100644
index 00000000..bee082e7
--- /dev/null
+++ b/kde-base/kpdf/kpdf-3.5.10-r2.ebuild
@@ -0,0 +1,36 @@
+# Copyright 1999-2009 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kpdf/kpdf-3.5.10-r1.ebuild,v 1.5 2009/10/10 18:21:58 armin76 Exp $
+
+KMNAME=kdegraphics
+EAPI="1"
+inherit kde-meta flag-o-matic
+
+SRC_URI="${SRC_URI}
+ mirror://gentoo/${P}-JBIG2.tar.bz2"
+
+DESCRIPTION="kpdf, a kde pdf viewer based on xpdf"
+KEYWORDS="alpha amd64 hppa ia64 ~mips ~ppc ~ppc64 sparc x86 ~x86-fbsd"
+IUSE=""
+KMEXTRA="kfile-plugins/pdf"
+
+DEPEND=">=media-libs/freetype-2.3
+ media-libs/t1lib
+ >=virtual/poppler-qt3-0.6.1"
+RDEPEND="${DEPEND}
+ || ( >=kde-base/kdeprint-${PV}:${SLOT} >=kde-base/kdebase-${PV}:${SLOT} )"
+
+PATCHES=( "${FILESDIR}/kde-CVE-2009-1188.patch"
+ "${WORKDIR}/${P}-JBIG2.patch"
+ "${FILESDIR}/${P}-font-hiding.patch"
+ "${FILESDIR}/kpdf-3.5.10-xpdf-3.02pl4.patch" )
+
+src_compile() {
+ local myconf="--with-poppler"
+ replace-flags "-Os" "-O2" # see bug 114822
+
+ # Fix the desktop file.
+ sed -i -e "s:PDFViewer;:Viewer;:" "${S}/kpdf/shell/kpdf.desktop"
+
+ kde-meta_src_compile
+}
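Review bot: The `sed -i` call in `src_compile` has no failure check, and under EAPI 1 a failing command does not abort the build, so a missing or relocated `kpdf.desktop` would go unnoticed; append `|| die "sed on kpdf.desktop failed"`. The `$Header` line still names `kpdf-3.5.10-r1.ebuild`, which makes it harder to tell at a glance that this revision is the one carrying the xpdf 3.02pl4 fixes. For consistency with the `${P}-font-hiding.patch` entry, the new `PATCHES` line could be written as `"${FILESDIR}/${P}-xpdf-3.02pl4.patch"`.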