Gentoo's Bugzilla – Attachment 42170 Details for
Bug 68058
app-text/xpdf: Integer overflows (CAN-2004-0888, CAN-2004-0889)
[patch]
xpdf-CESA-2004-002-xpdf3-newer.diff
xpdf-CESA-2004-002-xpdf3-newer.diff (text/plain), 7.87 KB, created by
solar (RETIRED)
on 2004-10-19 08:10:00 UTC
Description:
xpdf-CESA-2004-002-xpdf3-newer.diff
Filename:
MIME Type:
Creator:
solar (RETIRED)
Created:
2004-10-19 08:10:00 UTC
Size:
7.87 KB
patch
obsolete
>--- Catalog.cc.orig 2004-10-18 16:51:35.824126848 +0200
>+++ Catalog.cc 2004-10-18 16:53:06.634620045 +0200
>@@ -64,6 +64,15 @@
> }
> pagesSize = numPages0 = (int)obj.getNum();
> obj.free();
>+ // The gcc doesnt optimize this away, so this check is ok,
>+ // even if it looks like a pagesSize != pagesSize check
>+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
>+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
>+ error(-1, "Invalid 'pagesSize'");
>+ ok = gFalse;
>+ return;
>+ }
>+
> pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
> pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
> for (i = 0; i < pagesSize; ++i) {
>@@ -191,6 +200,11 @@
> }
> if (start >= pagesSize) {
> pagesSize += 32;
>+ if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
>+ pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
>+ error(-1, "Invalid 'pagesSize' parameter.");
>+ goto err3;
>+ }
> pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
> pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
> for (j = pagesSize - 32; j < pagesSize; ++j) {
>--- XRef.cc.orig 2004-10-11 15:51:14.000000000 +0200
>+++ XRef.cc 2004-10-11 15:56:48.000000000 +0200
>@@ -96,7 +96,7 @@
> }
> nObjects = obj1.getInt();
> obj1.free();
>- if (nObjects == 0) {
>+ if (nObjects <= 0) {
> goto err1;
> }
>
>@@ -106,7 +106,15 @@
> }
> first = obj1.getInt();
> obj1.free();
>+ if (first < 0) {
>+ goto err1;
>+ }
>
>+ if (nObjects*sizeof(int)/sizeof(int) != nObjects) {
>+ error(-1, "Invalid 'nObjects'");
>+ goto err1;
>+ }
>+
> objs = new Object[nObjects];
> objNums = (int *)gmalloc(nObjects * sizeof(int));
> offsets = (int *)gmalloc(nObjects * sizeof(int));
>@@ -130,6 +138,12 @@
> offsets[i] = obj2.getInt();
> obj1.free();
> obj2.free();
>+ if (objNums[i] < 0 || offsets[i] < 0 ||
>+ (i > 0 && offsets[i] < offsets[i-1])) {
>+ delete parser;
>+ gfree(offsets);
>+ goto err1;
>+ }
> }
> while (str->getChar() != EOF) ;
> delete parser;
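Review bot: The new guard `pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize` only detects wrap-around of the size_t product, so with a 64-bit size_t every non-negative int passes it; whether the allocation is then safe depends on the parameter type of gmalloc/grealloc, which the hunk does not show — if that type is narrower than size_t, the product is truncated after the check. A direct bound, e.g. `if (pagesSize < 0 || pagesSize > INT_MAX / (int)sizeof(Page *))`, is portable and makes the comment about gcc not optimizing the test away unnecessary. In the second hunk (-191) `pagesSize += 32;` is signed addition performed before the guard and can itself overflow; the same multiply-then-divide test and pre-check signed arithmetic recur in XRef.cc at -106, -369, -474, -551, -664 and -705. Both enclosing functions start and end outside their hunks.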
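Review bot: The early exit added inside the loop of the -130 hunk frees `offsets` and `parser` but not `objNums` or `objs`, which the -106 hunk allocates just before the loop; unless the `err1` label or the owning object's destructor releases them (neither is visible here), a malformed object stream leaks both. Freeing all three before the `goto err1;`, or jumping to a cleanup label that does, keeps this error path consistent with the success path. The enclosing function starts and ends outside the hunk.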
>@@ -369,10 +383,21 @@
> }
> n = obj.getInt();
> obj.free();
>+ if (first < 0 || n < 0 || first + n < 0) {
>+ goto err1;
>+ }
> if (first + n > size) {
> for (newSize = size ? 2 * size : 1024;
>- first + n > newSize;
>+ first + n > newSize && newSize > 0;
> newSize <<= 1) ;
>+ if (newSize < 0) {
>+ goto err1;
>+ }
>+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
>+ error(-1, "Invalid 'obj' parameters'");
>+ goto err1;
>+ }
>+
> entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
> for (i = size; i < newSize; ++i) {
> entries[i].offset = 0xffffffff;
>@@ -443,7 +468,7 @@
>
> // check for an 'XRefStm' key
> if (obj.getDict()->lookup("XRefStm", &obj2)->isInt()) {
>- pos2 = obj2.getInt();
>+ pos2 = (Guint)obj2.getInt();
> readXRef(&pos2);
> if (!ok) {
> goto err1;
>@@ -474,7 +499,14 @@
> }
> newSize = obj.getInt();
> obj.free();
>+ if (newSize < 0) {
>+ goto err1;
>+ }
> if (newSize > size) {
>+ if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
>+ error(-1, "Invalid 'size' parameter.");
>+ return gFalse;
>+ }
> entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
> for (i = size; i < newSize; ++i) {
> entries[i].offset = 0xffffffff;
>@@ -494,6 +526,9 @@
> }
> w[i] = obj2.getInt();
> obj2.free();
>+ if (w[i] < 0 || w[i] > 4) {
>+ goto err1;
>+ }
> }
> obj.free();
>
>@@ -513,13 +548,14 @@
> }
> n = obj.getInt();
> obj.free();
>- if (!readXRefStreamSection(xrefStr, w, first, n)) {
>+ if (first < 0 || n < 0 ||
>+ !readXRefStreamSection(xrefStr, w, first, n)) {
> idx.free();
> goto err0;
> }
> }
> } else {
>- if (!readXRefStreamSection(xrefStr, w, 0, size)) {
>+ if (!readXRefStreamSection(xrefStr, w, 0, newSize)) {
> idx.free();
> goto err0;
> }
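Review bot: In the -369 hunk, `if (first < 0 || n < 0 || first + n < 0)` relies on signed overflow wrapping to a negative value, which is undefined behaviour in C++ and a compiler may legitimately fold the third test to false; the portable form is `if (first < 0 || n < 0 || n > INT_MAX - first)`. The growth loop `for (newSize = ...; first + n > newSize && newSize > 0; newSize <<= 1)` has the same problem, since shifting a positive int into the sign bit is undefined, so the `newSize < 0` test that follows is not guaranteed to fire; stopping the loop when `newSize > INT_MAX / 2` avoids it. The identical pattern appears in -551 and, as `(num + 1 + 255) & ~255`, in -664. The enclosing function starts and ends outside the hunk.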
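Review bot: In the -474 hunk the check added under `if (newSize > size)` does `return gFalse;` while the `newSize < 0` check three lines earlier and the other checks added in this file use `goto err1`/`goto err0`; if `err1` releases `obj` or other state (its body is outside the hunk), the direct return skips that cleanup. Using `goto err1;` here keeps the error paths uniform. The enclosing function starts and ends outside the hunk.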
>@@ -551,10 +587,20 @@
> Guint offset;
> int type, gen, c, newSize, i, j;
>
>+ if (first + n < 0) {
>+ return gFalse;
>+ }
> if (first + n > size) {
> for (newSize = size ? 2 * size : 1024;
>- first + n > newSize;
>+ first + n > newSize && newSize > 0;
> newSize <<= 1) ;
>+ if (newSize < 0) {
>+ return gFalse;
>+ }
>+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
>+ error(-1, "Invalid 'size' inside xref table.");
>+ return gFalse;
>+ }
> entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
> for (i = size; i < newSize; ++i) {
> entries[i].offset = 0xffffffff;
>@@ -585,24 +631,26 @@
> }
> gen = (gen << 8) + c;
> }
>- switch (type) {
>- case 0:
>- entries[i].offset = offset;
>- entries[i].gen = gen;
>- entries[i].type = xrefEntryFree;
>- break;
>- case 1:
>- entries[i].offset = offset;
>- entries[i].gen = gen;
>- entries[i].type = xrefEntryUncompressed;
>- break;
>- case 2:
>- entries[i].offset = offset;
>- entries[i].gen = gen;
>- entries[i].type = xrefEntryCompressed;
>- break;
>- default:
>- return gFalse;
>+ if (entries[i].offset == 0xffffffff) {
>+ switch (type) {
>+ case 0:
>+ entries[i].offset = offset;
>+ entries[i].gen = gen;
>+ entries[i].type = xrefEntryFree;
>+ break;
>+ case 1:
>+ entries[i].offset = offset;
>+ entries[i].gen = gen;
>+ entries[i].type = xrefEntryUncompressed;
>+ break;
>+ case 2:
>+ entries[i].offset = offset;
>+ entries[i].gen = gen;
>+ entries[i].type = xrefEntryCompressed;
>+ break;
>+ default:
>+ return gFalse;
>+ }
> }
> }
>
>@@ -664,38 +712,48 @@
> // look for object
> } else if (isdigit(*p)) {
> num = atoi(p);
>- do {
>- ++p;
>- } while (*p && isdigit(*p));
>- if (isspace(*p)) {
>+ if (num > 0) {
> do {
> ++p;
>- } while (*p && isspace(*p));
>- if (isdigit(*p)) {
>- gen = atoi(p);
>+ } while (*p && isdigit(*p));
>+ if (isspace(*p)) {
> do {
> ++p;
>- } while (*p && isdigit(*p));
>- if (isspace(*p)) {
>+ } while (*p && isspace(*p));
>+ if (isdigit(*p)) {
>+ gen = atoi(p);
> do {
> ++p;
>- } while (*p && isspace(*p));
>- if (!strncmp(p, "obj", 3)) {
>- if (num >= size) {
>- newSize = (num + 1 + 255) & ~255;
>- entries = (XRefEntry *)
>- grealloc(entries, newSize * sizeof(XRefEntry));
>- for (i = size; i < newSize; ++i) {
>- entries[i].offset = 0xffffffff;
>- entries[i].type = xrefEntryFree;
>+ } while (*p && isdigit(*p));
>+ if (isspace(*p)) {
>+ do {
>+ ++p;
>+ } while (*p && isspace(*p));
>+ if (!strncmp(p, "obj", 3)) {
>+ if (num >= size) {
>+ newSize = (num + 1 + 255) & ~255;
>+ if (newSize < 0) {
>+ error(-1, "Bad object number");
>+ return gFalse;
>+ }
>+ if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
>+ error(-1, "Invalid 'obj' parameters.");
>+ return gFalse;
>+ }
>+ entries = (XRefEntry *)
>+ grealloc(entries, newSize * sizeof(XRefEntry));
>+ for (i = size; i < newSize; ++i) {
>+ entries[i].offset = 0xffffffff;
>+ entries[i].type = xrefEntryFree;
>+ }
>+ size = newSize;
>+ }
>+ if (entries[num].type == xrefEntryFree ||
>+ gen >= entries[num].gen) {
>+ entries[num].offset = pos - start;
>+ entries[num].gen = gen;
>+ entries[num].type = xrefEntryUncompressed;
> }
>- size = newSize;
>- }
>- if (entries[num].type == xrefEntryFree ||
>- gen >= entries[num].gen) {
>- entries[num].offset = pos - start;
>- entries[num].gen = gen;
>- entries[num].type = xrefEntryUncompressed;
> }
> }
> }
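Review bot: In the -664 hunk `num = atoi(p);` and `gen = atoi(p);` are still undefined when the digit run does not fit in an int, and the new `if (num > 0)` guard cannot detect that case; `(num + 1 + 255) & ~255` then overflows in signed arithmetic for `num` near INT_MAX, so the following `newSize < 0` test is not guaranteed to fire. Parsing with strtol and rejecting out-of-range values, e.g. `long v = strtol(p, &end, 10); if (v <= 0 || v > INT_MAX - 256) skip;` with `num = (int)v;`, removes both problems. The guard also silently skips object number 0; if that is intended because entry 0 of a PDF xref is always free, a one-line comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.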
>@@ -705,6 +763,10 @@
> } else if (!strncmp(p, "endstream", 9)) {
> if (streamEndsLen == streamEndsSize) {
> streamEndsSize += 64;
>+ if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
>+ error(-1, "Invalid 'endstream' parameter.");
>+ return gFalse;
>+ }
> streamEnds = (Guint *)grealloc(streamEnds,
> streamEndsSize * sizeof(int));
> }
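Review bot: The new check sizes against `sizeof(int)` while `streamEnds` is a `Guint *`, mirroring the pre-existing grealloc call; both the check and the allocation should use `sizeof(*streamEnds)` so they cannot drift apart if the element type changes, e.g. `if (streamEndsSize*sizeof(*streamEnds)/sizeof(*streamEnds) != streamEndsSize)`. The error message "Invalid 'endstream' parameter." also describes an internal buffer-growth failure rather than anything in the document; "Too many 'endstream' markers" would match what actually triggered it. The enclosing function starts and ends outside the hunk.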