Attachment 60264 Details for Bug 137156

[patch] updated patch from Martin Pitt

xpdf.CVE-2005-3191_2_3.diff (text/plain), 5.30 KB, created by Dirk Mueller on 2005-12-12 09:58:27 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Dirk Mueller

Created: 2005-12-12 09:58:27 UTC

Size: 5.30 KB

patch

obsolete

>diff -u xpdf-3.00/debian/changelog xpdf-3.00/debian/changelog
>--- xpdf-3.00/debian/changelog
>+++ xpdf-3.00/debian/changelog
>@@ -1,3 +1,22 @@
>+xpdf (3.00-11ubuntu3.4) hoary-security; urgency=low
>+
>+  * SECURITY UPDATE: Multiple integer/buffer overflows.
>+  * xpdf/Stream.cc, DCTStream::readBaselineSOF(),
>+    DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
>+    - Check numComps for invalid values.
>+    - http://www.idefense.com/application/poi/display?id=342&type=vulnerabilities
>+    - CVE-2005-3191
>+  * xpdf/Stream.cc, StreamPredictor::StreamPredictor():
>+    - Check rowBytes for invalid values.
>+    - http://www.idefense.com/application/poi/display?id=344&type=vulnerabilities
>+    - CVE-2005-3192
>+  * xpdf/JPXStream.cc, JPXStream::readCodestream():
>+    - Check img.nXTiles * img.nYTiles * sizeof for integer overflow.
>+    - http://www.idefense.com/application/poi/display?id=345&type=vulnerabilities
>+    - CVE-2005-3193
>+
>+ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri,  9 Dec 2005 14:18:55 +0100
>+
> xpdf (3.00-11ubuntu3.1) hoary-security; urgency=low
> 
>   * SECURITY UPDATE: Fix Denial of Service vulnerability.
>only in patch2:
>unchanged:
>--- xpdf-3.00.orig/xpdf/JPXStream.cc
>+++ xpdf-3.00/xpdf/JPXStream.cc
>@@ -7,6 +7,7 @@
> //========================================================================
> 
> #include <aconf.h>
>+#include <limits.h>
> 
> #ifdef USE_GCC_PRAGMAS
> #pragma implementation
>@@ -666,7 +667,7 @@
>   int segType;
>   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
>   Guint precinctSize, style;
>-  Guint segLen, capabilities, comp, i, j, r;
>+  Guint segLen, capabilities, nTiles, comp, i, j, r;
> 
>   //----- main header
>   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
>@@ -701,8 +702,19 @@
> 	            / img.xTileSize;
>       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
> 	            / img.yTileSize;
>-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
>-				     sizeof(JPXTile));
>+      // check for overflow before allocating memory
>+      if (img.nXTiles <= 0 || img.nYTiles <= 0 || 
>+              img.nXTiles >= INT_MAX/img.nYTiles) {
>+          error(getPos(), "Bad tile count in JPX SIZ marker segment");
>+          return gFalse;
>+      }
>+      nTiles = img.nXTiles * img.nYTiles;
>+      if (nTiles >= INT_MAX/sizeof(JPXTile)) {
>+	error(getPos(), "Bad tile count in JPX SIZ marker segment");
>+	return gFalse;
>+      }
>+      img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
>+
>       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
> 	img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
> 							sizeof(JPXTileComp));
>only in patch2:
>unchanged:
>--- xpdf-3.00.orig/xpdf/Stream.h
>+++ xpdf-3.00/xpdf/Stream.h
>@@ -233,6 +233,8 @@
> 
>   ~StreamPredictor();
> 
>+  GBool isOk() { return ok; }
>+
>   int lookChar();
>   int getChar();
> 
>@@ -250,6 +252,7 @@
>   int rowBytes;			// bytes per line
>   Guchar *predLine;		// line buffer
>   int predIdx;			// current index in predLine
>+  GBool ok;
> };
> 
> //------------------------------------------------------------------------
>only in patch2:
>unchanged:
>--- xpdf-3.00.orig/xpdf/Stream.cc
>+++ xpdf-3.00/xpdf/Stream.cc
>@@ -15,6 +15,7 @@
> #include <stdio.h>
> #include <stdlib.h>
> #include <stddef.h>
>+#include <limits.h>
> #ifndef WIN32
> #include <unistd.h>
> #endif
>@@ -412,13 +413,28 @@
>   width = widthA;
>   nComps = nCompsA;
>   nBits = nBitsA;
>+  predLine = NULL;
>+  ok = gFalse;
> 
>+  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
>+      nComps >= INT_MAX/nBits ||
>+      width >= INT_MAX/nComps/nBits) {
>+    return;
>+  }
>   nVals = width * nComps;
>+  if (nVals * nBits + 7 <= 0) {
>+    return;
>+  }
>   pixBytes = (nComps * nBits + 7) >> 3;
>   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
>+  if (rowBytes < 0) {
>+    return;
>+  }
>   predLine = (Guchar *)gmalloc(rowBytes);
>   memset(predLine, 0, rowBytes);
>   predIdx = rowBytes;
>+
>+  ok = gTrue;
> }
> 
> StreamPredictor::~StreamPredictor() {
>@@ -1012,6 +1028,10 @@
>     FilterStream(strA) {
>   if (predictor != 1) {
>     pred = new StreamPredictor(this, predictor, columns, colors, bits);
>+    if (!pred->isOk()) {
>+      delete pred;
>+      pred = NULL;
>+    }
>   } else {
>     pred = NULL;
>   }
>@@ -2897,6 +2917,10 @@
>   height = read16();
>   width = read16();
>   numComps = str->getChar();
>+  if (numComps <= 0 || numComps > 4) {
>+    error(getPos(), "Bad number of components in DCT stream", prec);
>+    return gFalse;
>+  }
>   if (prec != 8) {
>     error(getPos(), "Bad DCT precision %d", prec);
>     return gFalse;
>@@ -2923,6 +2947,10 @@
>   height = read16();
>   width = read16();
>   numComps = str->getChar();
>+  if (numComps <= 0 || numComps > 4) {
>+    error(getPos(), "Bad number of components in DCT stream", prec);
>+    return gFalse;
>+  }
>   if (prec != 8) {
>     error(getPos(), "Bad DCT precision %d", prec);
>     return gFalse;
>@@ -2945,6 +2973,10 @@
> 
>   length = read16() - 2;
>   scanInfo.numComps = str->getChar();
>+  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
>+    error(getPos(), "Bad number of components in DCT stream");
>+    return gFalse;
>+  }
>   --length;
>   if (length != 2 * scanInfo.numComps + 3) {
>     error(getPos(), "Bad DCT scan info block");
>@@ -3255,6 +3287,10 @@
>     FilterStream(strA) {
>   if (predictor != 1) {
>     pred = new StreamPredictor(this, predictor, columns, colors, bits);
>+    if (!pred->isOk()) {
>+      delete pred;
>+      pred = NULL;
>+    }
>   } else {
>     pred = NULL;
>   }

Actions: View | Diff

Attachments on bug 137156: 59932 | 59935 | 60106 | 60190 | 60194 | 60264 | 60265 | 60405 | 60994 | 60995 | 60998 | 62964