Attachment 209335 Details for Bug 290470 – kword-xpdf-overflows.patch

[patch] kword-xpdf-overflows.patch

kword-xpdf-overflows.patch (text/plain), 1.33 KB, created by Alex Legler (RETIRED) on 2009-11-05 14:22:31 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Alex Legler (RETIRED)

Created: 2009-11-05 14:22:31 UTC

Size: 1.33 KB

patch

obsolete

>Patch for CVE-2009-3606 and CVE-2009-3609, adopted to kword, Gentoo bug 290470. -a3li@g.o
>
>diff -Naur koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc
>--- koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc	2009-02-04 17:36:28.000000000 +0100
>+++ koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/PSOutputDev.cc	2009-11-05 14:59:50.824849320 +0100
>@@ -2322,7 +2322,7 @@
> 	     width, -height, height);
> 
>   // allocate a line buffer
>-  lineBuf = (Guchar *)gmalloc(4 * width);
>+  lineBuf = (Guchar *)gmallocn(width, 4);
> 
>   // set up to process the data stream
>   imgStr = new ImageStream(str, width, colorMap->getNumPixelComps(),
>diff -Naur koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/Stream.cc
>--- koffice-1.6.3.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc	2009-02-04 17:36:28.000000000 +0100
>+++ koffice-1.6.3/filters/kword/pdf/xpdf/xpdf/Stream.cc	2009-11-05 15:10:20.680847015 +0100
>@@ -327,7 +327,11 @@
>   } else {
>     imgLineSize = nVals;
>   }
>-  imgLine = (Guchar *)gmalloc(imgLineSize * sizeof(Guchar));
>+  if (width > INT_MAX / nComps) {
>+    // force a call to gmallocn(-1,...), which will throw an exception
>+    imgLineSize = -1;
>+  }
>+  imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
>   imgIdx = nVals;
> }
>

Actions: View | Diff

Attachments on bug 290470: 209335