From 5bceec9d61d924c41aa1e7774ec849448f957888 Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Fri, 7 May 2010 09:11:43 +0000
Subject: [PATCH] - fix CVE-2010-0829 (#589607)
---
...vipng-multiple-array-indexing-errors.patch | 92 +++++++++++++++++++
texlive.spec | 7 +-
2 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644 texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
diff --git a/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch b/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
new file mode 100644
index 0000000..9fa9e37
--- /dev/null
+++ b/texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch
@@ -0,0 +1,92 @@
+diff -up texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 texlive-2007/texk/dvipng/draw.c
+--- texlive-2007/texk/dvipng/draw.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
++++ texlive-2007/texk/dvipng/draw.c 2010-05-07 10:54:31.532938790 +0200
+@@ -99,7 +99,15 @@ dviunits SetChar(int32_t c)
+
+ if (currentfont==NULL)
+ Fatal("faulty DVI, trying to set character from null font");
+- ptr = currentfont->chr[c];
++ if (c<0 || c>LASTFNTCHAR) {
++ Warning("glyph index out of range (%d), skipping",c);
++ return(0);
++ }
++ ptr=currentfont->chr[c];
++ if (ptr==NULL) {
++ Warning("unable to draw glyph %d, skipping",c);
++ return(0);
++ }
+ #ifdef DEBUG
+ switch (currentfont->type) {
+ case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n VF CHAR:\t")); break;
+@@ -108,13 +116,13 @@ dviunits SetChar(int32_t c)
+ case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n FT CHAR:\t")); break;
+ default: DEBUG_PRINT(DEBUG_DVI,("\n NO CHAR:\t"))
+ }
+- if (isprint(c))
++ if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
+ DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
+ DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,hh,vv,ptr?ptr->tfmw:0));
+ #endif
+ if (currentfont->type==FONT_TYPE_VF) {
+- return(SetVF(c));
+- } else if (ptr) {
++ return(SetVF(ptr));
++ } else {
+ if (ptr->data == NULL)
+ switch(currentfont->type) {
+ case FONT_TYPE_PK: LoadPK(c, ptr); break;
+@@ -128,7 +136,7 @@ dviunits SetChar(int32_t c)
+ Fatal("undefined fonttype %d",currentfont->type);
+ }
+ if (page_imagep != NULL)
+- return(SetGlyph(c, hh, vv));
++ return(SetGlyph(ptr, hh, vv));
+ else {
+ /* Expand bounding box if necessary */
+ min(x_min,hh - ptr->xOffset/shrinkfactor);
+diff -up texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 texlive-2007/texk/dvipng/dvipng.h
+--- texlive-2007/texk/dvipng/dvipng.h.CVE-2010-0829 2006-12-24 01:02:30.000000000 +0100
++++ texlive-2007/texk/dvipng/dvipng.h 2010-05-07 08:11:10.249916801 +0200
+@@ -387,9 +387,9 @@ void DrawPages(void);
+ void WriteImage(char*, int);
+
void LoadPK(int32_t, register struct char_entry *);
+ int32_t SetChar(int32_t);
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv);
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
+ void Gamma(double gamma);
+-int32_t SetVF(int32_t);
++int32_t SetVF(struct char_entry *ptr);
+ int32_t SetRule(int32_t, int32_t, int32_t, int32_t);
+ void SetSpecial(char *, int32_t, int32_t, int32_t);
+ void BeginVFMacro(struct font_entry*);
+diff -up texlive-2007/texk/dvipng/set.c.CVE-2010-0829 texlive-2007/texk/dvipng/set.c
+--- texlive-2007/texk/dvipng/set.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
++++ texlive-2007/texk/dvipng/set.c 2010-05-07 10:55:57.807931411 +0200
+@@ -202,10 +202,9 @@ void Gamma(double gamma)
+ }
+ }
+
+-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
++dviunits SetGlyph(struct char_entry *ptr, int32_t hh, int32_t vv)
+ /* gdImageChar can only do monochrome glyphs */
+ {
+- register struct char_entry *ptr = currentfont->chr[c];
+ int dst_alpha,dst_weight,tot_weight,alpha;
+ int x,y,pos=0;
+ int bgColor,pixelgrey,pixelcolor;
+diff -up texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 texlive-2007/texk/dvipng/vf.c
+--- texlive-2007/texk/dvipng/vf.c.CVE-2010-0829 2006-11-07 21:40:00.000000000 +0100
++++ texlive-2007/texk/dvipng/vf.c 2010-05-07 08:11:10.252917007 +0200
+@@ -28,11 +28,10 @@
+ #define VF_ID 202
+ #define LONG_CHAR 242
+
+-int32_t SetVF(int32_t c)
++int32_t SetVF(struct char_entry* ptr)
+ {
+ struct font_entry* currentvf;
+ unsigned char *command,*end;
+- struct char_entry* ptr=currentfont->chr[c];
+
+ currentvf=currentfont;
+ BeginVFMacro(currentvf);
diff --git a/texlive.spec b/texlive.spec
index 9bc09b3..1fac46b 100644
--- a/texlive.spec
+++ b/texlive.spec
@@ -21,7 +21,7 @@ Name: texlive Version: %{texlive_ver} -Release: 50%{?dist} +Release: 51%{?dist} Summary: Binaries for the TeX formatting system Group: Applications/Publishing
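Review bot: The new range test in SetChar (`c<0 || c>LASTFNTCHAR`) is a sound guard only if `currentfont->chr` is declared with at least `LASTFNTCHAR+1` entries. That declaration is outside this patch, so it should be confirmed and tied to the check with a comment such as `/* c comes from the DVI input; chr[] must hold LASTFNTCHAR+1 entries */`. The visible parts of SetVF and SetGlyph now take the `char_entry` pointer and add no check of their own, so a one-line comment at both definitions saying the caller must pass a non-NULL entry (SetChar does, via its `ptr==NULL` test) would keep a later caller from reintroducing the fault; both bodies continue outside the hunks. The DEBUG-only condition uses `UCHAR_MAX`, yet no hunk adds `#include <limits.h>` to draw.c, so unless dvipng.h already provides it a DEBUG build will not compile. Any other code that indexes `chr[]` with a value read from a DVI or font file is not shown here and would need the same bound.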
@@ -78,6 +78,7 @@ Patch31: texlive-elif.patch Patch32: texlive-getline.patch Patch33: texlive-poolfix.patch Patch34: texlive-dvipsconfig.patch +Patch35: texlive-CVE-2010-0829-dvipng-multiple-array-indexing-errors.patch ###### # mpeters contributed patches @@ -411,6 +412,7 @@ chmod -x texk/dvipdfm/encodings.c %patch32 -p1 -b .getline %patch33 -p1 -b .poolfix %patch34 -p1 -b .dvipsconfig +%patch35 -p1 -b .CVE-2010-0829 # fix non utf man pages %patch42 -p1 -b .notutf8-2 @@ -1251,6 +1253,9 @@ fi %{_mandir}/man1/texutil.1* %changelog +* Fri May 07 2010 Jindrich Novy 2007-51 +- fix CVE-2010-0829 (#589607) + * Tue May 04 2010 Jindrich Novy 2007-50 - rebuild because of poppler soname bump