Bugzilla – Attachment 62964 Details for
Bug 137156
VUL-0: CVE-2005-3193: xpdf: overflows
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
[patch]
untested backport to xpdf1
f (text/plain), 3.51 KB, created by
Ludwig Nussel
on 2006-01-11 16:30:17 UTC
(
hide
)
Description:
untested backport to xpdf1
Filename:
MIME Type:
Creator:
Ludwig Nussel
Created:
2006-01-11 16:30:17 UTC
Size:
3.51 KB
patch
obsolete
>Index: xpdf/xpdf/Stream.h >=================================================================== >--- xpdf.orig/xpdf/Stream.h >+++ xpdf/xpdf/Stream.h >@@ -217,6 +217,8 @@ public: > > ~StreamPredictor(); > >+ GBool isOk() { return ok; } >+ > int lookChar(); > int getChar(); > >@@ -234,6 +236,7 @@ private: > int rowBytes; // bytes per line > Guchar *predLine; // line buffer > int predIdx; // current index in predLine >+ GBool ok; > }; > > //------------------------------------------------------------------------ >Index: xpdf/xpdf/Stream.cc >=================================================================== >--- xpdf.orig/xpdf/Stream.cc >+++ xpdf/xpdf/Stream.cc >@@ -13,6 +13,7 @@ > #include <stdio.h> > #include <stdlib.h> > #include <stddef.h> >+#include <limits.h> > #ifndef WIN32 > #include <unistd.h> > #endif >@@ -414,12 +415,29 @@ StreamPredictor::StreamPredictor(Stream > this->nComps = nComps; > this->nBits = nBits; > >+ predLine = NULL; >+ ok = gFalse; >+ >+ if (width <= 0 || nComps <= 0 || nBits <= 0 || >+ nComps >= INT_MAX/nBits || >+ width >= INT_MAX/nComps/nBits) { >+ return; >+ } >+ > nVals = width * nComps; >+ if (nVals * nBits + 7 <= 0) { >+ return; >+ } > pixBytes = (nComps * nBits + 7) >> 3; > rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; >+ if (rowBytes < 0) { >+ return; >+ } > predLine = (Guchar *)gmalloc(rowBytes); > memset(predLine, 0, rowBytes); > predIdx = rowBytes; >+ >+ ok = gTrue; > } > > StreamPredictor::~StreamPredictor() { >@@ -852,6 +870,10 @@ LZWStream::LZWStream(Stream *str, int pr > FilterStream(str) { > if (predictor1 != 1) { > pred = new StreamPredictor(this, predictor1, columns1, colors1, bits1); >+ if (!pred->isOk()) { >+ delete pred; >+ pred = NULL; >+ } > } else { > pred = NULL; > } >@@ -1275,6 +1297,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *s > this->rows = rows; > this->endOfBlock = endOfBlock; > this->black = black; >+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) { >+ error(-1, "invalid number of columns"); >+ exit(1); >+ } > refLine = (short *)gmalloc((columns + 3) * sizeof(short)); > codingLine = (short *)gmalloc((columns + 2) * sizeof(short)); > >@@ -2573,6 +2599,11 @@ GBool DCTStream::readFrameInfo() { > height = read16(); > width = read16(); > numComps = str->getChar(); >+ if (numComps <= 0 || numComps > 4) { >+ numComps = 0; >+ error(getPos(), "Bad number of components in DCT stream"); >+ return gFalse; >+ } > length -= 6; > if (prec != 8) { > error(getPos(), "Bad DCT precision %d", prec); >@@ -2658,12 +2689,12 @@ GBool DCTStream::readHuffmanTables() { > while (length > 0) { > index = str->getChar(); > --length; >- if ((index & 0x0f) >= 4) { >+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { > error(getPos(), "Bad DCT Huffman table"); > return gFalse; > } > if (index & 0x10) { >- index &= 0x0f; >+ index &= 0x03; > if (index >= numACHuffTables) > numACHuffTables = index+1; > tbl = &acHuffTables[index]; >@@ -2743,9 +2774,11 @@ int DCTStream::readMarker() { > do { > do { > c = str->getChar(); >+ if(c == EOF) return EOF; > } while (c != 0xff); > do { > c = str->getChar(); >+ if(c == EOF) return EOF; > } while (c == 0xff); > } while (c == 0x00); > return c; >@@ -2851,6 +2884,10 @@ FlateStream::FlateStream(Stream *str, in > FilterStream(str) { > if (predictor1 != 1) { > pred = new StreamPredictor(this, predictor1, columns1, colors1, bits1); >+ if (!pred->isOk()) { >+ delete pred; >+ pred = NULL; >+ } > } else { > pred = NULL; > }
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=62964">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 137156
:
59932
|
59935
|
60106
|
60190
|
60194
|
60264
|
60265
|
60405
|
60994
|
60995
|
60998
| 62964