|
Lines 1-3
Link Here
|
|
|
1 |
xpdf (3.00-11ubuntu3.4) hoary-security; urgency=low |
| 2 |
|
| 3 |
* SECURITY UPDATE: Multiple integer/buffer overflows. |
| 4 |
* xpdf/Stream.cc, DCTStream::readBaselineSOF(), |
| 5 |
DCTStream::readProgressiveSOF(), DCTStream::readScanInfo(): |
| 6 |
- Check numComps for invalid values. |
| 7 |
- http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities |
| 8 |
- CVE-2005-3191 |
| 9 |
* xpdf/Stream.cc, StreamPredictor::StreamPredictor(): |
| 10 |
- Check rowBytes for invalid values. |
| 11 |
- http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities |
| 12 |
- CVE-2005-3192 |
| 13 |
* xpdf/JPXStream.cc, JPXStream::readCodestream(): |
| 14 |
- Check img.nXTiles * img.nYTiles * sizeof for integer overflow. |
| 15 |
- http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities |
| 16 |
- CVE-2005-3193 |
| 17 |
|
| 18 |
-- Martin Pitt <martin.pitt@ubuntu.com> Fri, 9 Dec 2005 14:18:55 +0100 |
| 19 |
|
| 1 |
xpdf (3.00-11ubuntu3.1) hoary-security; urgency=low |
20 |
xpdf (3.00-11ubuntu3.1) hoary-security; urgency=low |
| 2 |
|
21 |
|
| 3 |
* SECURITY UPDATE: Fix Denial of Service vulnerability. |
22 |
* SECURITY UPDATE: Fix Denial of Service vulnerability. |
| 4 |
-- xpdf-3.00.orig/xpdf/JPXStream.cc |
23 |
++ xpdf-3.00/xpdf/JPXStream.cc |
|
Lines 7-12
Link Here
|
| 7 |
//======================================================================== |
7 |
//======================================================================== |
| 8 |
|
8 |
|
| 9 |
#include <aconf.h> |
9 |
#include <aconf.h> |
|
|
10 |
#include <limits.h> |
| 10 |
|
11 |
|
| 11 |
#ifdef USE_GCC_PRAGMAS |
12 |
#ifdef USE_GCC_PRAGMAS |
| 12 |
#pragma implementation |
13 |
#pragma implementation |
|
Lines 666-672
Link Here
|
| 666 |
int segType; |
667 |
int segType; |
| 667 |
GBool haveSIZ, haveCOD, haveQCD, haveSOT; |
668 |
GBool haveSIZ, haveCOD, haveQCD, haveSOT; |
| 668 |
Guint precinctSize, style; |
669 |
Guint precinctSize, style; |
| 669 |
Guint segLen, capabilities, comp, i, j, r; |
670 |
Guint segLen, capabilities, nTiles, comp, i, j, r; |
| 670 |
|
671 |
|
| 671 |
//----- main header |
672 |
//----- main header |
| 672 |
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; |
673 |
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; |
|
Lines 701-708
Link Here
|
| 701 |
/ img.xTileSize; |
702 |
/ img.xTileSize; |
| 702 |
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) |
703 |
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) |
| 703 |
/ img.yTileSize; |
704 |
/ img.yTileSize; |
| 704 |
img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * |
705 |
// check for overflow before allocating memory |
| 705 |
sizeof(JPXTile)); |
706 |
if (img.nXTiles <= 0 || img.nYTiles <= 0 || |
|
|
707 |
img.nXTiles >= INT_MAX/img.nYTiles) { |
| 708 |
error(getPos(), "Bad tile count in JPX SIZ marker segment"); |
| 709 |
return gFalse; |
| 710 |
} |
| 711 |
nTiles = img.nXTiles * img.nYTiles; |
| 712 |
if (nTiles >= INT_MAX/sizeof(JPXTile)) { |
| 713 |
error(getPos(), "Bad tile count in JPX SIZ marker segment"); |
| 714 |
return gFalse; |
| 715 |
} |
| 716 |
img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile)); |
| 717 |
|
| 706 |
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { |
718 |
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { |
| 707 |
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * |
719 |
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * |
| 708 |
sizeof(JPXTileComp)); |
720 |
sizeof(JPXTileComp)); |
| 709 |
-- xpdf-3.00.orig/xpdf/Stream.h |
721 |
++ xpdf-3.00/xpdf/Stream.h |
|
Lines 233-238
Link Here
|
| 233 |
|
233 |
|
| 234 |
~StreamPredictor(); |
234 |
~StreamPredictor(); |
| 235 |
|
235 |
|
|
|
236 |
GBool isOk() { return ok; } |
| 237 |
|
| 236 |
int lookChar(); |
238 |
int lookChar(); |
| 237 |
int getChar(); |
239 |
int getChar(); |
| 238 |
|
240 |
|
|
Lines 250-255
Link Here
|
| 250 |
int rowBytes; // bytes per line |
252 |
int rowBytes; // bytes per line |
| 251 |
Guchar *predLine; // line buffer |
253 |
Guchar *predLine; // line buffer |
| 252 |
int predIdx; // current index in predLine |
254 |
int predIdx; // current index in predLine |
|
|
255 |
GBool ok; |
| 253 |
}; |
256 |
}; |
| 254 |
|
257 |
|
| 255 |
//------------------------------------------------------------------------ |
258 |
//------------------------------------------------------------------------ |
| 256 |
-- xpdf-3.00.orig/xpdf/Stream.cc |
259 |
++ xpdf-3.00/xpdf/Stream.cc |
|
Lines 15-20
Link Here
|
| 15 |
#include <stdio.h> |
15 |
#include <stdio.h> |
| 16 |
#include <stdlib.h> |
16 |
#include <stdlib.h> |
| 17 |
#include <stddef.h> |
17 |
#include <stddef.h> |
|
|
18 |
#include <limits.h> |
| 18 |
#ifndef WIN32 |
19 |
#ifndef WIN32 |
| 19 |
#include <unistd.h> |
20 |
#include <unistd.h> |
| 20 |
#endif |
21 |
#endif |
|
Lines 412-424
Link Here
|
| 412 |
width = widthA; |
413 |
width = widthA; |
| 413 |
nComps = nCompsA; |
414 |
nComps = nCompsA; |
| 414 |
nBits = nBitsA; |
415 |
nBits = nBitsA; |
|
|
416 |
predLine = NULL; |
| 417 |
ok = gFalse; |
| 415 |
|
418 |
|
|
|
419 |
if (width <= 0 || nComps <= 0 || nBits <= 0 || |
| 420 |
nComps >= INT_MAX/nBits || |
| 421 |
width >= INT_MAX/nComps/nBits) { |
| 422 |
return; |
| 423 |
} |
| 416 |
nVals = width * nComps; |
424 |
nVals = width * nComps; |
|
|
425 |
if (nVals * nBits + 7 <= 0) { |
| 426 |
return; |
| 427 |
} |
| 417 |
pixBytes = (nComps * nBits + 7) >> 3; |
428 |
pixBytes = (nComps * nBits + 7) >> 3; |
| 418 |
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; |
429 |
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; |
|
|
430 |
if (rowBytes < 0) { |
| 431 |
return; |
| 432 |
} |
| 419 |
predLine = (Guchar *)gmalloc(rowBytes); |
433 |
predLine = (Guchar *)gmalloc(rowBytes); |
| 420 |
memset(predLine, 0, rowBytes); |
434 |
memset(predLine, 0, rowBytes); |
| 421 |
predIdx = rowBytes; |
435 |
predIdx = rowBytes; |
|
|
436 |
|
| 437 |
ok = gTrue; |
| 422 |
} |
438 |
} |
| 423 |
|
439 |
|
| 424 |
StreamPredictor::~StreamPredictor() { |
440 |
StreamPredictor::~StreamPredictor() { |
|
Lines 1012-1017
Link Here
|
| 1012 |
FilterStream(strA) { |
1028 |
FilterStream(strA) { |
| 1013 |
if (predictor != 1) { |
1029 |
if (predictor != 1) { |
| 1014 |
pred = new StreamPredictor(this, predictor, columns, colors, bits); |
1030 |
pred = new StreamPredictor(this, predictor, columns, colors, bits); |
|
|
1031 |
if (!pred->isOk()) { |
| 1032 |
delete pred; |
| 1033 |
pred = NULL; |
| 1034 |
} |
| 1015 |
} else { |
1035 |
} else { |
| 1016 |
pred = NULL; |
1036 |
pred = NULL; |
| 1017 |
} |
1037 |
} |
|
Lines 2897-2902
Link Here
|
| 2897 |
height = read16(); |
2917 |
height = read16(); |
| 2898 |
width = read16(); |
2918 |
width = read16(); |
| 2899 |
numComps = str->getChar(); |
2919 |
numComps = str->getChar(); |
|
|
2920 |
if (numComps <= 0 || numComps > 4) { |
| 2921 |
error(getPos(), "Bad number of components in DCT stream", prec); |
| 2922 |
return gFalse; |
| 2923 |
} |
| 2900 |
if (prec != 8) { |
2924 |
if (prec != 8) { |
| 2901 |
error(getPos(), "Bad DCT precision %d", prec); |
2925 |
error(getPos(), "Bad DCT precision %d", prec); |
| 2902 |
return gFalse; |
2926 |
return gFalse; |
|
Lines 2923-2928
Link Here
|
| 2923 |
height = read16(); |
2947 |
height = read16(); |
| 2924 |
width = read16(); |
2948 |
width = read16(); |
| 2925 |
numComps = str->getChar(); |
2949 |
numComps = str->getChar(); |
|
|
2950 |
if (numComps <= 0 || numComps > 4) { |
| 2951 |
error(getPos(), "Bad number of components in DCT stream", prec); |
| 2952 |
return gFalse; |
| 2953 |
} |
| 2926 |
if (prec != 8) { |
2954 |
if (prec != 8) { |
| 2927 |
error(getPos(), "Bad DCT precision %d", prec); |
2955 |
error(getPos(), "Bad DCT precision %d", prec); |
| 2928 |
return gFalse; |
2956 |
return gFalse; |
|
Lines 2945-2950
Link Here
|
| 2945 |
|
2973 |
|
| 2946 |
length = read16() - 2; |
2974 |
length = read16() - 2; |
| 2947 |
scanInfo.numComps = str->getChar(); |
2975 |
scanInfo.numComps = str->getChar(); |
|
|
2976 |
if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { |
| 2977 |
error(getPos(), "Bad number of components in DCT stream"); |
| 2978 |
return gFalse; |
| 2979 |
} |
| 2948 |
--length; |
2980 |
--length; |
| 2949 |
if (length != 2 * scanInfo.numComps + 3) { |
2981 |
if (length != 2 * scanInfo.numComps + 3) { |
| 2950 |
error(getPos(), "Bad DCT scan info block"); |
2982 |
error(getPos(), "Bad DCT scan info block"); |
|
Lines 3255-3260
Link Here
|
| 3255 |
FilterStream(strA) { |
3287 |
FilterStream(strA) { |
| 3256 |
if (predictor != 1) { |
3288 |
if (predictor != 1) { |
| 3257 |
pred = new StreamPredictor(this, predictor, columns, colors, bits); |
3289 |
pred = new StreamPredictor(this, predictor, columns, colors, bits); |
|
|
3290 |
if (!pred->isOk()) { |
| 3291 |
delete pred; |
| 3292 |
pred = NULL; |
| 3293 |
} |
| 3258 |
} else { |
3294 |
} else { |
| 3259 |
pred = NULL; |
3295 |
pred = NULL; |
| 3260 |
} |
3296 |
} |