Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 43034 Details for
Bug 69662
xpdf,cups,gpdf,pdfkit 64bit security issues
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
xpdf2-underflow.patch
xpdf2-underflow.patch (text/plain), 2.31 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2004-10-31 13:03:35 UTC
(
hide
)
Description:
xpdf2-underflow.patch
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2004-10-31 13:03:35 UTC
Size:
2.31 KB
patch
obsolete
>diff -ru xpdf-2.02pl1/xpdf/XRef.cc xpdf-2.02pl1/xpdf/XRef.cc >--- xpdf-2.02pl1/xpdf/XRef.cc 2004-10-29 15:16:45.790089001 +0200 >+++ xpdf-2.02pl1/xpdf/XRef.cc 2004-10-29 15:11:54.132168025 +0200 >@@ -66,6 +66,8 @@ > start = str->getStart(); > pos = readTrailer(); > >+ entries = NULL; >+ > // if there was a problem with the trailer, > // try to reconstruct the xref table > if (pos == 0) { >@@ -76,7 +78,7 @@ > > // trailer is ok - read the xref table > } else { >- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) { >+ if ((size < 0) || (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size)) { > error(-1, "Invalid 'size' inside xref table."); > ok = gFalse; > errCode = errDamaged; >@@ -181,7 +183,7 @@ > n = atoi(p); > while ('0' <= *p && *p <= '9') ++p; > while (isspace(*p)) ++p; >- if (p == buf) >+ if ((p == buf) || (n < 0)) /* must make progress */ > return 0; > pos1 += (p - buf) + n * 20; > } >@@ -255,6 +257,10 @@ > } > s[i] = '\0'; > first = atoi(s); >+ if (first < 0) { >+ error(-1, "Invalid 'first'"); >+ goto err2; >+ } > while ((c = str->lookChar()) != EOF && isspace(c)) { > str->getChar(); > } >@@ -266,6 +272,10 @@ > } > s[i] = '\0'; > n = atoi(s); >+ if (n<=0) { >+ error(-1, "Invalid 'n'"); >+ goto err2; >+ } > while ((c = str->lookChar()) != EOF && isspace(c)) { > str->getChar(); > } >@@ -273,7 +283,7 @@ > // table size > if (first + n > size) { > newSize = size + 256; >- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { >+ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { > error(-1, "Invalid 'newSize'"); > goto err2; > } >@@ -406,6 +416,10 @@ > // look for object > } else if (isdigit(*p)) { > num = atoi(p); >+ if (num < 0) { >+ error(-1, "Invalid 'num' parameters."); >+ return gFalse; >+ } > do { > ++p; > } while (*p && isdigit(*p)); >@@ -425,7 +439,7 @@ > if (!strncmp(p, "obj", 3)) { > if (num >= size) { > newSize = (num + 1 + 255) & ~255; >- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) { >+ if ((newSize < 0) || (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize)) { > error(-1, "Invalid 'obj' parameters."); > return gFalse; > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 69662
:
43033
| 43034