File r1840-Fix-CVE-2017-5853-and-CVE-2017-6844.patch of Package podofo.8856

Overview Repositories Revisions Requests Users Attributes Meta

File r1840-Fix-CVE-2017-5853-and-CVE-2017-6844.patch of Package podofo.8856

------------------------------------------------------------------------
r1840 | aja_ | 2017-04-28 17:19:14 +0200 (vie, 28 abr 2017) | 2 lines

Patch by Matthias Brinke: Fix CVE-2017-5853 (signed integer overflow) and CVE-2017-6844 (buffer overflow)

Index: src/base/PdfParser.cpp
===================================================================
--- src/base/PdfParser.cpp	(revision 1839)
+++ src/base/PdfParser.cpp	(revision 1840)
@@ -745,22 +745,40 @@
 
# void PdfParser::ReadXRefSubsection( pdf_int64 & nFirstObject, pdf_int64 & nNumObjects )
 void PdfParser::ReadXRefSubsection( long long & nFirstObject, long long & nNumObjects )
 {
-    int count = 0;
+    pdf_int64 count = 0;
 
 #ifdef PODOFO_VERBOSE_DEBUG
#     PdfError::DebugMessage("Reading XRef Section: %" PDF_FORMAT_INT64 " with %" PDF_FORMAT_INT64 " Objects.\n", nFirstObject, nNumObjects );
     PdfError::DebugMessage("Reading XRef Section: %lli with %lli Objects.\n", nFirstObject, nNumObjects );
 #endif // PODOFO_VERBOSE_DEBUG 
 
-    if ( nFirstObject + nNumObjects > m_nNumObjects )
+    if ( nFirstObject < 0 )
+        PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange, "ReadXRefSubsection: nFirstObject is negative" );
+    if ( nNumObjects < 0 )
+        PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange, "ReadXRefSubsection: nNumObjects is negative" );
+
+    const pdf_int64 maxNum
+      = static_cast<pdf_int64>(PdfParser::s_nMaxObjects);
+
+    // overflow guard, fixes CVE-2017-5853 (signed integer overflow)
+    // also fixes CVE-2017-6844 (buffer overflow) together with below size check
+    if( (maxNum >= nNumObjects) && (nFirstObject <= maxNum - nNumObjects) )
     {
-        // Total number of xref entries to read is greater than the /Size
-        // specified in the trailer if any. That's an error unless we're trying
-        // to recover from a missing /Size entry.
-		PdfError::LogMessage( eLogSeverity_Warning,
#-			      "There are more objects (%" PDF_FORMAT_INT64 ") in this XRef table than "
#-			      "specified in the size key of the trailer directory (%" PDF_FORMAT_INT64 ")!\n",
#-			      nFirstObject + nNumObjects, m_nNumObjects );
-			      "There are more objects (%lli) in this XRef table than "
-			      "specified in the size key of the trailer directory (%lli)!\n",
-			      nFirstObject + nNumObjects, m_nNumObjects );
+        if( nFirstObject + nNumObjects > m_nNumObjects )
+        {
+            // Total number of xref entries to read is greater than the /Size
+            // specified in the trailer if any. That's an error unless we're
+            // trying to recover from a missing /Size entry.
+            PdfError::LogMessage( eLogSeverity_Warning,
+              "There are more objects (%" PDF_FORMAT_INT64 ") in this XRef "
+              "table than specified in the size key of the trailer directory "
+              "(%" PDF_FORMAT_INT64 ")!\n", nFirstObject + nNumObjects,
+              static_cast<pdf_int64>( m_nNumObjects ));
+        }
 
+        if ( static_cast<pdf_uint64>( nFirstObject ) + static_cast<pdf_uint64>( nNumObjects ) > static_cast<pdf_uint64>( std::numeric_limits<size_t>::max() ) )
+            PODOFO_RAISE_ERROR_INFO( ePdfError_ValueOutOfRange,
+                "xref subsection's given entry numbers together too large" );
+    
 #ifdef _WIN32
 		m_nNumObjects = static_cast<long>(nFirstObject + nNumObjects);
 		m_offsets.resize(static_cast<long>(nFirstObject+nNumObjects));
@@ -768,8 +786,17 @@
 		m_nNumObjects = nFirstObject + nNumObjects;
 		m_offsets.resize(nFirstObject+nNumObjects);
 #endif // _WIN32
-	}
 
+    }
+    else
+    {
+        PdfError::LogMessage( eLogSeverity_Error, "There are more objects (%" PDF_FORMAT_INT64
+            " + %" PDF_FORMAT_INT64 " seemingly) in this XRef"
+            " table than supported by standard PDF, or it's inconsistent.\n",
+            nFirstObject, nNumObjects);
+        PODOFO_RAISE_ERROR( ePdfError_InvalidXRef );
+    }
+
     // consume all whitespaces
     int charcode;
     while( this->IsWhitespace((charcode = m_device.Device()->Look())) )

------------------------------------------------------------------------

Places

File r1840-Fix-CVE-2017-5853-and-CVE-2017-6844.patch of Package podofo.8856

Places