Bug 75301 - kde-base/kdegraphics: kpdf more xpdf issues CLASSIFIED
Summary: kde-base/kdegraphics: kpdf more xpdf issues CLASSIFIED
Status: RESOLVED DUPLICATE of bug 75204
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://www.kde.org/info/security/advi...
Whiteboard: A2 [upstream] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-22 05:07 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2006-12-27 01:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-22 05:07:13 UTC
In addition to the issue in the 20041021-1 advisory there is another CAN-2004-1125.

diff -u -5 -d -p -r1.4 Gfx.cc
--- Gfx.cc 28 Sep 2003 12:17:12 -0000 1.4
+++ Gfx.cc 22 Dec 2004 12:04:01 -0000
@@ -2379,11 +2379,13 @@ void Gfx::doImage(Object *ref, Stream *s
=20
     // get the mask
     haveMask =3D gFalse;
     dict->lookup("Mask", &maskObj);
     if (maskObj.isArray()) {
-      for (i =3D 0; i < maskObj.arrayGetLength(); ++i) {
+      for (i =3D 0;
+    i < maskObj.arrayGetLength() && i < 2*gfxColorMaxComps;
+    ++i) {
  maskObj.arrayGet(i, &obj1);
  maskColors[i] =3D obj1.getInt();
  obj1.free();
       }
       haveMask =3D gTrue;
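Review bot: The new bound `i < 2*gfxColorMaxComps` on the Mask loop truncates an oversized Mask array silently and the code still sets haveMask to gTrue afterwards. The two GfxState.cc hunks report the equivalent condition through error(); do the same here when maskObj.arrayGetLength() exceeds 2*gfxColorMaxComps, and consider leaving haveMask false in that case. The unchanged assignment from obj1.getInt() also reads each element without an isInt() check, and the declared size of maskColors is not visible in this hunk, so confirm it is at least 2*gfxColorMaxComps.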
Index: GfxState.cc

RCS file: /home/kde/kdegraphics/kpdf/xpdf/GfxState.cc,v
retrieving revision 1.3
diff -u -5 -d -p -r1.3 GfxState.cc
--- GfxState.cc 20 Aug 2003 21:25:12 -0000 1.3
+++ GfxState.cc 22 Dec 2004 12:04:02 -0000
@@ -706,10 +706,15 @@ GfxColorSpace *GfxICCBasedColorSpace::pa
     obj1.free();
     return NULL;
   }
   nCompsA =3D obj2.getInt();
   obj2.free();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "ICCBased color space with too many (%d > %d) components",
+   nCompsA, gfxColorMaxComps);
+    nCompsA =3D gfxColorMaxComps;
+  }
   if (dict->lookup("Alternate", &obj2)->isNull() ||
       !(altA =3D GfxColorSpace::parse(&obj2))) {
     switch (nCompsA) {
     case 1:
       altA =3D new GfxDeviceGrayColorSpace();
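Review bot: The added check in GfxICCBasedColorSpace::parse tests only `nCompsA > gfxColorMaxComps`, so a zero or negative value returned by obj2.getInt() passes through unchanged into `switch (nCompsA)` and whatever follows it. Reject nCompsA < 1 as well. Clamping also lets parsing continue with a component count that differs from what the file declared; the error path just above this check returns NULL, and doing the same here would be the safer choice unless tolerating malformed files is intended, in which case a comment should say so.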
@@ -1045,10 +1050,15 @@ GfxColorSpace *GfxDeviceNColorSpace::par
   if (!arr->get(1, &obj1)->isArray()) {
     error(-1, "Bad DeviceN color space (names)");
     goto err2;
   }
   nCompsA =3D obj1.arrayGetLength();
+  if (nCompsA > gfxColorMaxComps) {
+    error(-1, "DeviceN color space with too many (%d > %d) components",
+=B7         nCompsA, gfxColorMaxComps);
+    nCompsA =3D gfxColorMaxComps;
+  }
   for (i =3D 0; i < nCompsA; ++i) {
     if (!obj1.arrayGet(i, &obj2)->isName()) {
       error(-1, "Bad DeviceN color space (names)");
       obj2.free();
       goto err2;
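Review bot: The continuation line of the added error() call begins with `=B7`, which together with the `=3D` and `=20` sequences shows the patch was pasted in quoted-printable form; it will not apply as posted, and `=B7` decodes to a byte that is not whitespace in the middle of the call, so the raw patch should be attached instead. On the logic, the surrounding error paths in this function use `goto err2`, while the new check clamps nCompsA and continues, silently dropping the extra names in obj1; either fail through err2 or document why truncation is acceptable.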
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-22 05:09:45 UTC
Two new issues in kpdf. Upstream announcement should come soon.

Please be ready to bump.
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2004-12-22 06:16:51 UTC
this is the patch for xpdf 2.0.0 stuff
kpdf includes version 3

anyways... kpdf appears to be patched in kde's CVS
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-22 08:16:23 UTC
This is obviously a dupe of bug 75204. Please reopen if I'm wrong.

*** This bug has been marked as a duplicate of 75204 ***