Imported Upstream version 1.0.71

7 files changed, 66 insertions, 37 deletions

diff --git a/INSTALL b/INSTALL
index 023e0acb0..6022924e8 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,4 +1,4 @@
-INSTALL - OpenPrinting CUPS Filters v1.0.70 - 2015-06-26
+INSTALL - OpenPrinting CUPS Filters v1.0.71 - 2015-07-02
 --------------------------------------------------------
 
 This file describes how to compile and install OpenPrinting CUPS
diff --git a/NEWS b/NEWS
index ebf4450ff..3d4af8d52 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,16 @@
-NEWS - OpenPrinting CUPS Filters v1.0.70 - 2015-06-26
+NEWS - OpenPrinting CUPS Filters v1.0.71 - 2015-07-02
 -----------------------------------------------------
 
+CHANGES IN V1.0.71
+
+  	- texttopdf: The Page allocation is moved into textcommon.c, where it
+	  does all the necessary checking: lower-bounds for CVE-2015-3258 and
+	  upper-bounds for CVE-2015-3259 due to integer overflows for the
+	  calloc() call initialising Page[0] and the memset() call in
+	  texttopdf.c's WritePage() function zeroing the entire array. Thanks
+	  to Tim Waugh from Red Hat for the patch.
+	- texttopdf: Upper-bounds checking (CVE-2015-3259).
+
 CHANGES IN V1.0.70
 
 	- texttopdf: Fixed buffer overflow on size allocation of texttopdf
diff --git a/README b/README
index bdf154d08..dbe7c97d6 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-README - OpenPrinting CUPS Filters v1.0.70 - 2015-06-26
+README - OpenPrinting CUPS Filters v1.0.71 - 2015-07-02
 -------------------------------------------------------
 
 Looking for compile instructions?  Read the file "INSTALL.txt"
diff --git a/configure b/configure
index 74fd388c6..52a744d22 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for cups-filters 1.0.70.
+# Generated by GNU Autoconf 2.69 for cups-filters 1.0.71.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='cups-filters'
 PACKAGE_TARNAME='cups-filters'
-PACKAGE_VERSION='1.0.70'
-PACKAGE_STRING='cups-filters 1.0.70'
+PACKAGE_VERSION='1.0.71'
+PACKAGE_STRING='cups-filters 1.0.71'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1443,7 +1443,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures cups-filters 1.0.70 to adapt to many kinds of systems.
+\`configure' configures cups-filters 1.0.71 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1513,7 +1513,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of cups-filters 1.0.70:";;
+     short | recursive ) echo "Configuration of cups-filters 1.0.71:";;
    esac
   cat <<\_ACEOF
 
@@ -1706,7 +1706,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-cups-filters configure 1.0.70
+cups-filters configure 1.0.71
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2313,7 +2313,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by cups-filters $as_me 1.0.70, which was
+It was created by cups-filters $as_me 1.0.71, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3264,7 +3264,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='cups-filters'
- VERSION='1.0.70'
+ VERSION='1.0.71'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -19459,7 +19459,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by cups-filters $as_me 1.0.70, which was
+This file was extended by cups-filters $as_me 1.0.71, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19525,7 +19525,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-cups-filters config.status 1.0.70
+cups-filters config.status 1.0.71
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 771ed1fb6..0fe292b91 100644
--- a/configure.ac
+++ b/configure.ac
@@ -7,7 +7,7 @@ AC_PREREQ([2.65])
 # ====================
 m4_define([cups_filters_version_major],[1])
 m4_define([cups_filters_version_minor],[0])
-m4_define([cups_filters_version_micro],[70])
+m4_define([cups_filters_version_micro],[71])
 m4_define([cups_filters_version],[cups_filters_version_major.cups_filters_version_minor.cups_filters_version_micro])
 
 # =============
diff --git a/filter/textcommon.c b/filter/textcommon.c
index 834655177..5cf9833c1 100644
--- a/filter/textcommon.c
+++ b/filter/textcommon.c
@@ -26,6 +26,7 @@
  */
 
 #include "textcommon.h"
+#include <limits.h>
 
 
 /*
@@ -644,6 +645,45 @@ TextMain(const char *name,	/* I - Name of filter */
   if (PrettyPrint)
     PageTop -= 216.0f / LinesPerInch;
 
+ /*
+  * Allocate memory for the page...
+  */
+
+  SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch;
+  SizeLines   = (PageTop - PageBottom) / 72.0 * LinesPerInch;
+
+ /*
+  * Enforce minimum size...
+  */
+  if (SizeColumns < 1)
+    SizeColumns = 1;
+  if (SizeLines < 1)
+    SizeLines = 1;
+
+  if (SizeLines >= INT_MAX / SizeColumns / sizeof(lchar_t))
+  {
+    fprintf(stderr, "ERROR: bad page size\n");
+    exit(1);
+  }
+
+  Page    = calloc(sizeof(lchar_t *), SizeLines);
+  if (!Page)
+  {
+    fprintf(stderr, "ERROR: cannot allocate memory for page\n");
+    exit(1);
+  }
+
+  Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
+  if (!Page[0])
+  {
+    free(Page);
+    fprintf(stderr, "ERROR: cannot allocate memory for page\n");
+    exit(1);
+  }
+
+  for (i = 1; i < SizeLines; i ++)
+    Page[i] = Page[0] + i * SizeColumns;
+
   Copies = atoi(argv[4]);
 
   WriteProlog(argv[3], argv[2], getenv("CLASSIFICATION"),
@@ -1122,6 +1162,8 @@ TextMain(const char *name,	/* I - Name of filter */
   if (ppd != NULL)
     ppdClose(ppd);
 
+  free(Page[0]);
+  free(Page);
   return (0);
 }
 
diff --git a/filter/texttopdf.c b/filter/texttopdf.c
index fc3b47587..fe5974ad6 100644
--- a/filter/texttopdf.c
+++ b/filter/texttopdf.c
@@ -172,9 +172,6 @@ WriteEpilogue(void)
 		{ "FN","FB","FI" };
   int i,j;
 
-  free(Page[0]);
-  free(Page);
-
   // embed fonts
   for (i = PrettyPrint ? 2 : 1; i >= 0; i --) {
     for (j = 0; j < NumFonts; j ++) 
@@ -333,26 +330,6 @@ WriteProlog(const char *title,		/* I - Title of job */
     PageTop    -= 36;
   }
 
- /*
-  * Allocate memory for the page...
-  */
-
-  SizeColumns = (PageRight - PageLeft) / 72.0 * CharsPerInch;
-  SizeLines   = (PageTop - PageBottom) / 72.0 * LinesPerInch;
-
- /*
-  * Enforce minimum size...
-  */
-  if (SizeColumns < 1)
-    SizeColumns = 1;
-  if (SizeLines < 1)
-    SizeLines = 1;
-
-  Page    = calloc(sizeof(lchar_t *), SizeLines);
-  Page[0] = calloc(sizeof(lchar_t), SizeColumns * SizeLines);
-  for (i = 1; i < SizeLines; i ++)
-    Page[i] = Page[0] + i * SizeColumns;
-
   if (PageColumns > 1)
   {
     ColumnGutter = CharsPerInch / 2;