source: trunk/server/common/patches/dvipng-CVE-2010-0829.patch @ 1559

--- ../dvipng-1.12/dvipng.h     2010-03-17 14:26:02.568367634 +0100
+++ /home/jalar/cvs/dvipng/dvipng.h     2010-03-18 08:43:26.383609220 +0100
@@ -387,9 +374,9 @@
 void      WriteImage(char*, int);
 void      LoadPK(int32_t, register struct char_entry *);
 int32_t   SetChar(int32_t);
-dviunits  SetGlyph(int32_t c, int32_t hh,int32_t vv);
+dviunits  SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv);
 void      Gamma(double gamma);
-int32_t   SetVF(int32_t);
+int32_t   SetVF(struct char_entry *ptr);
 int32_t   SetRule(int32_t, int32_t, int32_t, int32_t);
 void      SetSpecial(char *, int32_t, int32_t);
 void      BeginVFMacro(struct font_entry*);
--- ../dvipng-1.12/draw.c       2010-03-17 14:26:02.373968076 +0100
+++ /home/jalar/cvs/dvipng/draw.c       2010-03-17 13:52:14.625364911 +0100
@@ -79,9 +79,15 @@
 
   if (currentfont==NULL) 
     Fatal("faulty DVI, trying to set character from null font");
-
-  if (c>=0 && c<=LASTFNTCHAR) 
-    ptr = currentfont->chr[c];
+  if (c<0 || c>LASTFNTCHAR) {
+    Warning("glyph index out of range (%d), skipping",c);
+    return(0);
+  }
+  ptr=currentfont->chr[c];
+  if (ptr==NULL) {
+    Warning("unable to draw glyph %d, skipping",c);
+    return(0);
+  }
 #ifdef DEBUG
   switch (currentfont->type) {
   case FONT_TYPE_VF: DEBUG_PRINT(DEBUG_DVI,("\n  VF CHAR:\t")); break;
@@ -90,15 +96,15 @@
   case FONT_TYPE_FT: DEBUG_PRINT(DEBUG_DVI,("\n  FT CHAR:\t")); break;
   default: DEBUG_PRINT(DEBUG_DVI,("\n  NO CHAR:\t"))
   }
-  if (isprint(c))
+  if (debug & DEBUG_DVI && c>=0 && c<=UCHAR_MAX && isprint(c))
     DEBUG_PRINT(DEBUG_DVI,("'%c' ",c));
   DEBUG_PRINT(DEBUG_DVI,("%d at (%d,%d) tfmw %d", c,
                         dvi_stack->hh,dvi_stack->vv,ptr?ptr->tfmw:0));
 #endif
   if (currentfont->type==FONT_TYPE_VF) {
-    return(SetVF(c));
+    return(SetVF(ptr));
   } else {
-    if (ptr!=NULL && ptr->data == NULL) 
+    if (ptr->data == NULL) 
       switch(currentfont->type) {
       case FONT_TYPE_PK:       LoadPK(c, ptr); break;
 #ifdef HAVE_LIBT1
@@ -111,8 +117,8 @@
        Fatal("undefined fonttype %d",currentfont->type);
       }
     if (page_imagep != NULL)
-      return(SetGlyph(c, dvi_stack->hh, dvi_stack->vv));
-    else if (ptr!=NULL) {
+      return(SetGlyph(ptr, dvi_stack->hh, dvi_stack->vv));
+    else {
       /* Expand bounding box if necessary */
       min(x_min,dvi_stack->hh - ptr->xOffset/shrinkfactor);
       min(y_min,dvi_stack->vv - ptr->yOffset/shrinkfactor);
--- ../dvipng-1.12/vf.c 2010-03-17 14:26:02.438184849 +0100
+++ /home/jalar/cvs/dvipng/vf.c 2010-03-17 13:52:43.098991873 +0100
@@ -27,11 +27,10 @@
 #define VF_ID 202
 #define LONG_CHAR 242
 
-int32_t SetVF(int32_t c) 
+int32_t SetVF(struct char_entry* ptr) 
 {
   struct font_entry* currentvf;
   unsigned char *command,*end;
-  struct char_entry* ptr=currentfont->chr[c];
 
   currentvf=currentfont;
   BeginVFMacro(currentvf);
--- ../dvipng-1.12/set.c        2010-03-17 14:26:02.541089281 +0100
+++ /home/jalar/cvs/dvipng/set.c        2010-03-17 13:52:26.795955795 +0100
@@ -203,23 +202,13 @@
   }
 }
 
-dviunits SetGlyph(int32_t c, int32_t hh,int32_t vv)
+dviunits SetGlyph(struct char_entry *ptr, int32_t hh,int32_t vv)
 /* gdImageChar can only do monochrome glyphs */
 {
-  register struct char_entry *ptr;
   int dst_alpha,dst_weight,tot_weight,alpha;
   int x,y,pos=0;
   int bgColor,pixelgrey,pixelcolor;
 
-  if (c<0 || c>LASTFNTCHAR) {
-    Warning("glyph index too large (%d), skipping",c);
-    return(0);
-  }
-  ptr=currentfont->chr[c];
-  if (ptr==NULL) {
-    Warning("unable to draw glyph %d, skipping",c);
-    return(0);
-  }
   hh -= ptr->xOffset/shrinkfactor;
   vv -= ptr->yOffset/shrinkfactor;
   /* Initialize persistent color cache. Perhaps this should be in