NMU patch for the kpdf vulnerability

[Adeodato Simó <asp16@alu.ua.es>]

tag 278173 patch
stop

  I attach a possible NMU patch for the kpdf integer overflow
  vulnerability, still present in sarge, ready to be compiled and
  uploaded by some member of the release team or d-qt-kde.

  The patch includes the improvements to the initial fix as issued by
  KDE, present now in their CVS.

  thanks,

-- 
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
A conclusion is simply the place where someone got tired of thinking.

diff -u -rN kdegraphics-3.2.3/debian/changelog kdegraphics-3.2.3-1.2/debian/changelog
--- kdegraphics-3.2.3/debian/changelog	2004-11-06 04:23:42.000000000 +0100
+++ kdegraphics-3.2.3-1.2/debian/changelog	2004-11-06 04:25:37.000000000 +0100
@@ -1,3 +1,13 @@
+kdegraphics (4:3.2.3-1.2) testing-proposed-updates; urgency=low
+
+  * Non-maintainer upload to testing to fix security issue.
+
+  * Included fix for KDE Security Advisory 20041021-1: kpdf integer overflows
+    <http://www.kde.org/info/security/advisory-20041021-1.txt>. (Closes: #278173)
+    [Include the improvements by Martin Schulze as available in upstream's CVS.]
+
+ -- Adeodato Simó <asp16@alu.ua.es>  Sat, 06 Nov 2004 04:25:37 +0100
+
 kdegraphics (4:3.2.3-1.1) testing-proposed-updates; urgency=low
 
   * Non-maintainer upload with approval from Ben Burton.
diff -u -rN kdegraphics-3.2.3/debian/patches/10_fix-CAN-2004-0888.diff kdegraphics-3.2.3-1.2/debian/patches/10_fix-CAN-2004-0888.diff
--- kdegraphics-3.2.3/debian/patches/10_fix-CAN-2004-0888.diff	1970-01-01 01:00:00.000000000 +0100
+++ kdegraphics-3.2.3-1.2/debian/patches/10_fix-CAN-2004-0888.diff	2004-11-06 04:29:08.000000000 +0100
@@ -0,0 +1,101 @@
+  First hunk:
+
+    http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kpdf/xpdf/Catalog.cc.diff?only_with_tag=KDE_3_2_BRANCH&r1=text&tr1=1.3&r2=text&tr2=1.3.2.3
+
+--- kdegraphics/kpdf/xpdf/Catalog.cc	2003/08/20 21:25:12	1.3
++++ kdegraphics/kpdf/xpdf/Catalog.cc	2004/10/28 09:25:05	1.3.2.3
+@@ -12,6 +12,7 @@
+ #pragma implementation
+ #endif
+ 
++#include <limits.h>
+ #include <stddef.h>
+ #include "gmem.h"
+ #include "Object.h"
+@@ -63,6 +64,12 @@ Catalog::Catalog(XRef *xrefA) {
+   }
+   pagesSize = numPages0 = obj.getInt();
+   obj.free();
++  if ((unsigned) pagesSize >= INT_MAX / sizeof(Page *) ||
++      (unsigned) pagesSize >= INT_MAX / sizeof(Ref)) {
++    error(-1, "Invalid 'pagesSize'");
++    ok = gFalse;
++    return;
++  }
+   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
+   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
+   for (i = 0; i < pagesSize; ++i) {
+@@ -190,6 +197,11 @@ int Catalog::readPageTree(Dict *pagesDic
+       }
+       if (start >= pagesSize) {
+ 	pagesSize += 32;
++        if ((unsigned) pagesSize >= INT_MAX / sizeof(Page *) ||
++            (unsigned) pagesSize >= INT_MAX / sizeof(Ref)) {
++          error(-1, "Invalid 'pagesSize' parameter.");
++          goto err3;
++        }
+ 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
+ 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
+ 	for (j = pagesSize - 32; j < pagesSize; ++j) {
+
+
+  Second hunk:
+    http://webcvs.kde.org/cgi-bin/cvsweb.cgi/kdegraphics/kpdf/xpdf/XRef.cc.diff?only_with_tag=KDE_3_2_BRANCH&r1=text&tr1=1.3&r2=text&tr2=1.3.2.4
+
+--- kdegraphics/kpdf/xpdf/XRef.cc	2003/08/20 21:25:12	1.3
++++ kdegraphics/kpdf/xpdf/XRef.cc	2004/10/28 09:35:21	1.3.2.4
+@@ -12,6 +12,7 @@
+ #pragma implementation
+ #endif
+ 
++#include <limits.h>
+ #include <stdlib.h>
+ #include <stddef.h>
+ #include <string.h>
+@@ -76,6 +77,12 @@ XRef::XRef(BaseStream *strA, GString *ow
+ 
+   // trailer is ok - read the xref table
+   } else {
++    if ((unsigned) size >= INT_MAX / sizeof(XRefEntry)) {
++      error(-1, "Invalid 'size' inside xref table.");
++      ok = gFalse;
++      errCode = errDamaged;
++      return;
++    }
+     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
+     for (i = 0; i < size; ++i) {
+       entries[i].offset = 0xffffffff;
+@@ -267,6 +274,10 @@ GBool XRef::readXRef(Guint *pos) {
+     // table size
+     if (first + n > size) {
+       newSize = size + 256;
++      if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
++        error(-1, "Invalid 'newSize'");
++        goto err2;
++      }
+       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
+       for (i = size; i < newSize; ++i) {
+ 	entries[i].offset = 0xffffffff;
+@@ -415,6 +426,10 @@ GBool XRef::constructXRef() {
+ 	    if (!strncmp(p, "obj", 3)) {
+ 	      if (num >= size) {
+ 		newSize = (num + 1 + 255) & ~255;
++	        if ((unsigned) newSize >= INT_MAX / sizeof(XRefEntry)) {
++	          error(-1, "Invalid 'obj' parameters.");
++	          return gFalse;
++	        }
+ 		entries = (XRefEntry *)
+ 		            grealloc(entries, newSize * sizeof(XRefEntry));
+ 		for (i = size; i < newSize; ++i) {
+@@ -436,6 +451,11 @@ GBool XRef::constructXRef() {
+     } else if (!strncmp(p, "endstream", 9)) {
+       if (streamEndsLen == streamEndsSize) {
+ 	streamEndsSize += 64;
++        if ((unsigned) streamEndsSize >= INT_MAX / sizeof(int)) {
++          error(-1, "Invalid 'endstream' parameter.");
++          return gFalse;
++        }
++
+ 	streamEnds = (Guint *)grealloc(streamEnds,
+ 				       streamEndsSize * sizeof(int));
+       }