1 files changed, 47 insertions, 0 deletions

diff --git a/app-text/ghostscript-gnu/files/ghostscript-CVE-2007-2721.patch b/app-text/ghostscript-gnu/files/ghostscript-CVE-2007-2721.patch
new file mode 100644
index 000000000000..799bf51ee63f
--- /dev/null
+++ b/app-text/ghostscript-gnu/files/ghostscript-CVE-2007-2721.patch
@@ -0,0 +1,47 @@
+--- /trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c	2007/10/17 18:27:58	8297
++++ trunk/gs/jasper/src/libjasper/jp2/jp2_cod.c	2007/10/17 23:04:50	8298
+@@ -247,7 +247,7 @@
+ 	box = 0;
+ 	tmpstream = 0;
+ 
+-	if (!(box = jas_malloc(sizeof(jp2_box_t)))) {
++	if (!(box = jas_calloc(1, sizeof(jp2_box_t)))) {
+ 		goto error;
+ 	}
+ 	box->ops = &jp2_boxinfo_unk.ops;
+--- /trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c	2007/10/17 18:27:58	8297
++++ trunk/gs/jasper/src/libjasper/jpc/jpc_cs.c	2007/10/17 23:04:50	8298
+@@ -991,7 +991,10 @@
+ 		compparms->numstepsizes = (len - n) / 2;
+ 		break;
+ 	}
+-if (compparms->numstepsizes > 0) {
++if (compparms->numstepsizes > 3 * JPC_MAXRLVLS + 1) {
++		jpc_qcx_destroycompparms(compparms);
++                return -1;
++        } else if (compparms->numstepsizes > 0) {
+ 	compparms->stepsizes = jas_malloc(compparms->numstepsizes *
+ 	  sizeof(uint_fast32_t));
+ 	assert(compparms->stepsizes);
+--- /trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c	2007/10/17 18:27:58	8297
++++ trunk/gs/jasper/src/libjasper/jpc/jpc_dec.c	2007/10/17 23:04:50	8298
+@@ -1219,7 +1219,7 @@
+ 	dec->numhtiles = JPC_CEILDIV(dec->xend - dec->tilexoff, dec->tilewidth);
+ 	dec->numvtiles = JPC_CEILDIV(dec->yend - dec->tileyoff, dec->tileheight);
+ 	dec->numtiles = dec->numhtiles * dec->numvtiles;
+-	if (!(dec->tiles = jas_malloc(dec->numtiles * sizeof(jpc_dec_tile_t)))) {
++	if (!(dec->tiles = jas_calloc(dec->numtiles, sizeof(jpc_dec_tile_t)))) {
+ 		return -1;
+ 	}
+ 
+@@ -1243,7 +1243,7 @@
+ 		tile->pkthdrstreampos = 0;
+ 		tile->pptstab = 0;
+ 		tile->cp = 0;
+-		if (!(tile->tcomps = jas_malloc(dec->numcomps *
++		if (!(tile->tcomps = jas_calloc(dec->numcomps,
+ 		  sizeof(jpc_dec_tcomp_t)))) {
+ 			return -1;
+ 		}
+ 
+