From a828cb1a5c0835d08a17c86f64d571436f93f980 Mon Sep 17 00:00:00 2001
From: infirit <infirit@gmail.com>
Date: Wed, 10 Dec 2014 00:58:36 +0100
Subject: backends: Fix several security issues in the dvi-backend.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See CVE-2010-2640, CVE-2010-2641, CVE-2010-2642 and  CVE-2010-2643.

Taken from evince commit: d4139205b010ed06310d14284e63114e88ec6de2
From: José Aliste <jaliste@src.gnome.org>
---
 backend/dvi/mdvi-lib/dviread.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'backend/dvi/mdvi-lib/dviread.c')

diff --git a/backend/dvi/mdvi-lib/dviread.c b/backend/dvi/mdvi-lib/dviread.c
index cd8cfa91..d0143205 100644
--- a/backend/dvi/mdvi-lib/dviread.c
+++ b/backend/dvi/mdvi-lib/dviread.c
@@ -1507,6 +1507,10 @@ int	special(DviContext *dvi, int opcode)
 	Int32	arg;
 	
 	arg = dugetn(dvi, opcode - DVI_XXX1 + 1);
+	if (arg <= 0) {
+		dvierr(dvi, _("malformed special length\n"));
+		return -1;
+	}
 	s = mdvi_malloc(arg + 1);
 	dread(dvi, s, arg);
 	s[arg] = 0;
-- 
cgit v1.2.1