modifying package: pdflib-6.0.0p1 20040804 -> 20041028

pdflib/pdflib.patch

@@ -10,409 +10,22 @@ Index: config/mkmainlib.inc
  	@-if test "$(WITH_SHARED)" = "yes"; then	\
  	    $(LIBTOOL) -n --finish $(libdir);\
  	else\
-
-Steve G <linux_4ever@yahoo.com>
-Libpng accesses memory that is out of bounds when creating an error message
-
-Index: pngerror.c
---- libs/png/pngerror.c.orig	2002-10-03 13:32:27.000000000 +0200
-+++ libs/png/pngerror.c	2004-04-28 13:24:22.000000000 +0200
-@@ -135,10 +135,13 @@
-       buffer[iout] = 0;
-    else
-    {
-+      png_size_t len;
-+      if ((len = png_strlen(error_message)) > 63)
-+          len = 63;
-       buffer[iout++] = ':';
-       buffer[iout++] = ' ';
--      png_memcpy(buffer+iout, error_message, 64);
--      buffer[iout+63] = 0;
-+      png_memcpy(buffer+iout, error_message, len);
-+      buffer[iout+len] = 0;
-    }
- }
+Index: configure
+--- configure.orig	2004-07-07 20:29:08.000000000 +0200
++++ configure	2004-10-27 17:04:45.110483011 +0200
+@@ -8866,6 +8866,7 @@
  
-Index: libs/png/pngrtran.c
---- libs/png/pngrtran.c.orig	2004-01-26 14:30:33 +0100
-+++ libs/png/pngrtran.c	2004-07-01 12:10:25 +0200
-@@ -1890,8 +1890,8 @@
-          /* This changes the data from GG to GGXX */
-          if (flags & PNG_FLAG_FILLER_AFTER)
-          {
--            png_bytep sp = row + (png_size_t)row_width;
--            png_bytep dp = sp  + (png_size_t)row_width;
-+            png_bytep sp = row + (png_size_t)row_width * 2;
-+            png_bytep dp = sp  + (png_size_t)row_width * 2;
-             for (i = 1; i < row_width; i++)
-             {
-                *(--dp) = hi_filler;
-@@ -1908,8 +1908,8 @@
-          /* This changes the data from GG to XXGG */
-          else
-          {
--            png_bytep sp = row + (png_size_t)row_width;
--            png_bytep dp = sp  + (png_size_t)row_width;
-+            png_bytep sp = row + (png_size_t)row_width * 2;
-+            png_bytep dp = sp  + (png_size_t)row_width * 2;
-             for (i = 0; i < row_width; i++)
-             {
-                *(--dp) = *(--sp);
-@@ -1966,8 +1966,8 @@
-          /* This changes the data from RRGGBB to RRGGBBXX */
-          if (flags & PNG_FLAG_FILLER_AFTER)
-          {
--            png_bytep sp = row + (png_size_t)row_width * 3;
--            png_bytep dp = sp  + (png_size_t)row_width;
-+            png_bytep sp = row + (png_size_t)row_width * 6;
-+            png_bytep dp = sp  + (png_size_t)row_width * 2;
-             for (i = 1; i < row_width; i++)
-             {
-                *(--dp) = hi_filler;
-@@ -1988,8 +1988,8 @@
-          /* This changes the data from RRGGBB to XXRRGGBB */
-          else
-          {
--            png_bytep sp = row + (png_size_t)row_width * 3;
--            png_bytep dp = sp  + (png_size_t)row_width;
-+            png_bytep sp = row + (png_size_t)row_width * 6;
-+            png_bytep dp = sp  + (png_size_t)row_width * 2;
-             for (i = 0; i < row_width; i++)
-             {
-                *(--dp) = *(--sp);
-
-http://www.graphicsmagick.org/libpng/beta/patches/INFO.txt
-
-> [Problems discovered and fixed by] Chris Evans
-> 
-> 1) Remotely exploitable stack-based buffer overrun in png_handle_tRNS (pngrutil.c)
-> 2) Dangerous code in png_handle_sBIT (pngrutil.c)
-CAN-2004-0597
-
-> 3) Possible NULL-pointer crash in png_handle_iCCP (pngrutil.c)
->    this flaw is duplicated in multiple other locations.
-CAN-2004-0598
-
-> 4) Theoretical integer overflow in allocation in png_handle_sPLT (pngrutil.c)
-> 5) Integer overflow in png_read_png (pngread.c)
-> 6) Integer overflows during progressive reading.
-> 7) Other flaws.  [integer overflows]
-CAN-2004-0599
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch03-trns-chunk-overflow.txt
-    Use to patch libpng-1.0.9 through 1.2.5
-    This fixes the most dangerous of the newly reported vulnerabilities
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch03/pngrutil.c
---- libs/png/pngrutil.c.orig	Thu Oct  3 06:32:30 2002
-+++ libs/png/pngrutil.c	Fri Jul 23 18:54:36 2004
-@@ -1241,7 +1241,8 @@
-          /* Should be an error, but we can cope with it */
-          png_warning(png_ptr, "Missing PLTE before tRNS");
-       }
--      else if (length > (png_uint_32)png_ptr->num_palette)
-+      if (length > (png_uint_32)png_ptr->num_palette ||
-+          length > PNG_MAX_PALETTE_LENGTH)
-       {
-          png_warning(png_ptr, "Incorrect tRNS chunk length");
-          png_crc_finish(png_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch04-get-uint-31.txt
-    Use to patch libpng-1.0.6 through 1.2.5
-    This patch defines PNG_UINT_31_MAX, PNG_UINT_32_MAX, PNG_SIZE_MAX,
-    and png_get_uint_31(), which are needed by patches 05-08.
-
-diff -r -U 3 libpng-1.2.5/png.h libpng-1.2.5patch04/png.h
---- libs/png/png.h.orig	Thu Oct  3 06:32:26 2002
-+++ libs/png/png.h	Fri Jul 23 18:56:27 2004
-@@ -833,7 +833,11 @@
- typedef png_info FAR * FAR * png_infopp;
  
- /* Maximum positive integer used in PNG is (2^31)-1 */
--#define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_31_MAX ((png_uint_32)0x7fffffffL)
-+#define PNG_UINT_32_MAX (~((png_uint_32)0))
-+#define PNG_SIZE_MAX (~((png_size_t)0))
-+/* PNG_MAX_UINT is deprecated; use PNG_UINT_31_MAX instead. */
-+#define PNG_MAX_UINT PNG_UINT_31_MAX
+ # pnglib
++if [ ".$PNGLIBINC" = . -a ".$PNGLIBLINK" = . ]; then
+ if test -d libs/png ; then
+     PNGLIBINC="-I\$(top_builddir)/libs/png"
+     PNGLIBLINK="\$(top_builddir)/libs/png/libpng\$(LA)"
+@@ -8875,6 +8876,7 @@
+     PNGLIBINC=""
+     PNGLIBLINK=""
+ fi
++fi
  
- /* These describe the color_type field in png_info. */
- /* color type masks */
-@@ -2655,6 +2659,8 @@
- PNG_EXTERN png_uint_32 png_get_uint_32 PNGARG((png_bytep buf));
- PNG_EXTERN png_uint_16 png_get_uint_16 PNGARG((png_bytep buf));
- #endif /* !PNG_READ_BIG_ENDIAN_SUPPORTED */
-+PNG_EXTERN png_uint_32 png_get_uint_31 PNGARG((png_structp png_ptr,
-+  png_bytep buf));
  
- /* Initialize png_ptr struct for reading, and allocate any other memory.
-  * (old interface - DEPRECATED - use png_create_read_struct instead).
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch04/pngrutil.c
---- libs/png/pngrutil.c.orig	Thu Oct  3 06:32:30 2002
-+++ libs/png/pngrutil.c	Fri Jul 23 18:56:27 2004
-@@ -38,6 +38,14 @@
- #  endif
- #endif
  
-+png_uint_32 /* PRIVATE */
-+png_get_uint_31(png_structp png_ptr, png_bytep buf)
-+{
-+   png_uint_32 i = png_get_uint_32(buf);
-+   if (i > PNG_UINT_31_MAX)
-+     png_error(png_ptr, "PNG unsigned integer out of range.\n");
-+   return (i);
-+}
- #ifndef PNG_READ_BIG_ENDIAN_SUPPORTED
- /* Grab an unsigned 32-bit integer from a buffer in big-endian format. */
- png_uint_32 /* PRIVATE */
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch06-pngread-chunklength.txt
-    Use to patch libpng-1.0.13 through 1.0.15 and 1.2.2 through 1.2.5.
-    Requires libpng-patch04-*
-
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch06/pngread.c
---- libs/png/pngread.c.orig	Thu Oct  3 06:32:29 2002
-+++ libs/png/pngread.c	Fri Jul 23 18:59:57 2004
-@@ -384,7 +384,7 @@
-       png_uint_32 length;
- 
-       png_read_data(png_ptr, chunk_length, 4);
--      length = png_get_uint_32(chunk_length);
-+      length = png_get_uint_31(png_ptr,chunk_length);
- 
-       png_reset_crc(png_ptr);
-       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -392,9 +392,6 @@
-       png_debug2(0, "Reading %s chunk, length=%lu.\n", png_ptr->chunk_name,
-          length);
- 
--      if (length > PNG_MAX_UINT)
--         png_error(png_ptr, "Invalid chunk length.");
--
-       /* This should be a binary subdivision search or a hash for
-        * matching the chunk name rather than a linear search.
-        */
-@@ -673,10 +670,7 @@
-             png_crc_finish(png_ptr, 0);
- 
-             png_read_data(png_ptr, chunk_length, 4);
--            png_ptr->idat_size = png_get_uint_32(chunk_length);
--
--            if (png_ptr->idat_size > PNG_MAX_UINT)
--              png_error(png_ptr, "Invalid chunk length.");
-+            png_ptr->idat_size = png_get_uint_31(png_ptr,chunk_length);
- 
-             png_reset_crc(png_ptr);
-             png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-@@ -946,15 +940,12 @@
- #endif /* PNG_GLOBAL_ARRAYS */
- 
-       png_read_data(png_ptr, chunk_length, 4);
--      length = png_get_uint_32(chunk_length);
-+      length = png_get_uint_31(png_ptr,chunk_length);
- 
-       png_reset_crc(png_ptr);
-       png_crc_read(png_ptr, png_ptr->chunk_name, 4);
- 
-       png_debug1(0, "Reading %s chunk.\n", png_ptr->chunk_name);
--
--      if (length > PNG_MAX_UINT)
--         png_error(png_ptr, "Invalid chunk length.");
- 
-       if (!png_memcmp(png_ptr->chunk_name, png_IHDR, 4))
-          png_handle_IHDR(png_ptr, info_ptr, length);
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch07-png-read-png-overflow.txt
-    Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png().
-    Requires libpng-patch04-*
-  
-diff -r -U 3 libpng-1.2.5/pngread.c libpng-1.2.5patch07/pngread.c
---- libs/png/pngread.c.orig	Thu Oct  3 06:32:29 2002
-+++ libs/png/pngread.c	Fri Jul 23 19:01:39 2004
-@@ -1299,6 +1299,9 @@
-     */
-    png_read_info(png_ptr, info_ptr);
- 
-+   if (info_ptr->height > PNG_UINT_32_MAX/sizeof(png_bytep))
-+      png_error(png_ptr,"Image is too high to process with png_read_png()");
-+
-    /* -------------- image transformations start here ------------------- */
- 
- #if defined(PNG_READ_16_TO_8_SUPPORTED)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch08-splt-buffer-overflow.txt
-    Use to patch libpng-1.0.6 through 1.2.5. Libpng-1.0.5 and earlier didn't implement png_read_png().
-    Requires libpng-patch04-*
-
-The "sPLT chunk too long" check from Matthias Clasen (RedHat libpng package maintainer)
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch08/pngrutil.c
---- libs/png/pngrutil.c.orig	Thu Oct  3 06:32:30 2002
-+++ libs/png/pngrutil.c	Fri Jul 23 19:02:48 2004
-@@ -1154,8 +1154,18 @@
-    }
- 
-    new_palette.nentries = data_length / entry_size;
--   new_palette.entries = (png_sPLT_entryp)png_malloc(
-+   if (new_palette.nentries > PNG_SIZE_MAX / sizeof(png_sPLT_entry))
-+   {
-+       png_warning(png_ptr, "sPLT chunk too long");
-+       return;
-+   }
-+   new_palette.entries = (png_sPLT_entryp)png_malloc_warn(
-        png_ptr, new_palette.nentries * sizeof(png_sPLT_entry));
-+   if (new_palette.entries == NULL)
-+   {
-+       png_warning(png_ptr, "sPLT chunk requires too much memory");
-+       return;
-+   }
- 
- #ifndef PNG_NO_POINTER_INDEXING
-    for (i = 0; i < new_palette.nentries; i++)
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch09-null-iccp-profile.txt
-    Use to patch libpng-1.0.9 through 1.2.5. Does not work with libpng-1.0.6-1.0.8.
-    Libpng-1.0.5 and earlier didn't implement iCCP chunk reading.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch09/pngrutil.c
---- libs/png/pngrutil.c.orig	Thu Oct  3 06:32:30 2002
-+++ libs/png/pngrutil.c	Fri Jul 23 19:04:28 2004
-@@ -977,8 +977,7 @@
-    png_bytep pC;
-    png_charp profile;
-    png_uint_32 skip = 0;
--   png_uint_32 profile_size = 0;
--   png_uint_32 profile_length = 0;
-+   png_uint_32 profile_size, profile_length;
-    png_size_t slength, prefix_length, data_length;
- 
-    png_debug(1, "in png_handle_iCCP\n");
-
-http://www.graphicsmagick.org/libpng/beta/patches/libpng-patch10-find-duplicate-chunk.txt
-    Use to patch libpng-1.0.6 through 1.2.5 Does not work with libpng-1.0.5 and earlier.
-    No security problem. The bugs are similar to the one fixed in patch
-    03, but the only effect is that libpng will fail to detect misplaced
-    harmless duplicate chunks.
-
-diff -r -U 3 libpng-1.2.5/pngrutil.c libpng-1.2.5patch10/pngrutil.c
---- libs/png/pngrutil.c.orig	Thu Oct  3 06:32:30 2002
-+++ libs/png/pngrutil.c	Fri Jul 23 19:05:40 2004
-@@ -579,7 +579,7 @@
-       /* Should be an error, but we can cope with it */
-       png_warning(png_ptr, "Out of place gAMA chunk");
- 
--   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
-+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_gAMA)
- #if defined(PNG_READ_sRGB_SUPPORTED)
-       && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -660,7 +660,7 @@
-       /* Should be an error, but we can cope with it */
-       png_warning(png_ptr, "Out of place sBIT chunk");
-    }
--   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
-+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sBIT))
-    {
-       png_warning(png_ptr, "Duplicate sBIT chunk");
-       png_crc_finish(png_ptr, length);
-@@ -729,7 +729,7 @@
-       /* Should be an error, but we can cope with it */
-       png_warning(png_ptr, "Missing PLTE before cHRM");
- 
--   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
-+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_cHRM)
- #if defined(PNG_READ_sRGB_SUPPORTED)
-       && !(info_ptr->valid & PNG_INFO_sRGB)
- #endif
-@@ -891,7 +891,7 @@
-       /* Should be an error, but we can cope with it */
-       png_warning(png_ptr, "Out of place sRGB chunk");
- 
--   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
-+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_sRGB))
-    {
-       png_warning(png_ptr, "Duplicate sRGB chunk");
-       png_crc_finish(png_ptr, length);
-@@ -995,7 +995,7 @@
-       /* Should be an error, but we can cope with it */
-       png_warning(png_ptr, "Out of place iCCP chunk");
- 
--   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
-+   if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_iCCP))
-    {
-       png_warning(png_ptr, "Duplicate iCCP chunk");
-       png_crc_finish(png_ptr, length);
-
-This patch from Chris Evans avoids a host of security problems related
-to buffer overflows that might occur when processing very large images.
-It causes the reader to reject any images claiming to have more rows or
-columns the png format supports.
-
-diff -ru libpng-1.2.5/png.h libpng-1.2.5.fix/png.h
---- libs/png/png.h.orig	2002-10-03 12:32:26.000000000 +0100
-+++ libs/png/png.h	2004-07-13 23:18:10.000000000 +0100
-@@ -835,6 +835,9 @@
- /* Maximum positive integer used in PNG is (2^31)-1 */
- #define PNG_MAX_UINT ((png_uint_32)0x7fffffffL)
-
-+/* Constraints on width, height, (2 ^ 24) - 1*/
-+#define PNG_MAX_DIMENSION 16777215
-+
- /* These describe the color_type field in png_info. */
- /* color type masks */
- #define PNG_COLOR_MASK_PALETTE    1
-diff -ru libpng-1.2.5/pngrutil.c libpng-1.2.5.fix/pngrutil.c
---- libs/png/pngrutil.c.orig	2004-07-13 13:36:37.000000000 +0100
-+++ libs/png/pngrutil.c	2004-07-13 23:43:02.000000000 +0100
-@@ -350,7 +350,11 @@
-    png_crc_finish(png_ptr, 0);
-
-    width = png_get_uint_32(buf);
-+   if (width > PNG_MAX_DIMENSION)
-+      png_error(png_ptr, "Width is too large");
-    height = png_get_uint_32(buf + 4);
-+   if (height > PNG_MAX_DIMENSION)
-+      png_error(png_ptr, "Height is too large");
-    bit_depth = buf[8];
-    color_type = buf[9];
-    compression_type = buf[10];
-@@ -675,7 +679,7 @@
-    else
-       truelen = (png_size_t)png_ptr->channels;
-
--   if (length != truelen)
-+   if (length != truelen || length > 4)
-    {
-       png_warning(png_ptr, "Incorrect sBIT chunk length");
-       png_crc_finish(png_ptr, length);
-@@ -1400,7 +1405,7 @@
- void /* PRIVATE */
- png_handle_hIST(png_structp png_ptr, png_infop info_ptr, png_uint_32 length)
- {
--   int num, i;
-+   unsigned int num, i;
-    png_uint_16 readbuf[PNG_MAX_PALETTE_LENGTH];
-
-    png_debug(1, "in png_handle_hIST\n");
-@@ -1426,8 +1431,8 @@
-       return;
-    }
-
--   num = (int)length / 2 ;
--   if (num != png_ptr->num_palette)
-+   num = length / 2 ;
-+   if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH)
-    {
-       png_warning(png_ptr, "Incorrect hIST chunk length");
-       png_crc_finish(png_ptr, length);
-@@ -2868,6 +2873,9 @@
-                png_read_data(png_ptr, chunk_length, 4);
-                png_ptr->idat_size = png_get_uint_32(chunk_length);
-
-+               if (png_ptr->idat_size > PNG_MAX_UINT)
-+                  png_error(png_ptr, "Invalid chunk length.");
-+
-                png_reset_crc(png_ptr);
-                png_crc_read(png_ptr, png_ptr->chunk_name, 4);
-                if (png_memcmp(png_ptr->chunk_name, (png_bytep)png_IDAT, 4))
-

pdflib/pdflib.spec

@@ -38,7 +38,7 @@ Class:        BASE
 Group:        Graphics
 License:      PDFlib
 Version:      %{V_long}
-Release:      20040804
+Release:      20041028
 
 #   list of sources
 Source0:      http://www.pdflib.com/products/pdflib/download/%{V_comp}src/PDFlib-Lite-%{V_long}.tar.gz
@@ -47,8 +47,8 @@ Patch0:       pdflib.patch
 #   build information
 Prefix:       %{l_prefix}
 BuildRoot:    %{l_buildroot}
-BuildPreReq:  OpenPKG, openpkg >= 20040130, make
-PreReq:       OpenPKG, openpkg >= 20040130
+BuildPreReq:  OpenPKG, openpkg >= 20040130, png, make
+PreReq:       OpenPKG, openpkg >= 20040130, png
 AutoReq:      no
 AutoReqProv:  no
 
@@ -66,12 +66,15 @@ AutoReqProv:  no
 
 %prep
     %setup -q -n PDFlib-Lite-%{V_long}
+    rm -rf libs/png
     %patch -p0
 
 %build
     CC="%{l_cc}" \
     CFLAGS="%{l_cflags -O}" \
     INSTALL="%{l_shtool} install -c" \
+    PNGLIBINC="-I%{l_prefix}/include/libpng" \
+    PNGLIBLINK="-lpng -lz" \
     ./configure \
         --prefix=%{l_prefix} \
         --disable-shared