File r1842-Fix-CVE-2017-7379-encoding-array-too-shor... of Package podofo

Overview Repositories Revisions Requests Users Attributes Meta

File r1842-Fix-CVE-2017-7379-encoding-array-too-short.patch of Package podofo

------------------------------------------------------------------------
r1842 | aja_ | 2017-04-28 18:49:01 +0200 (vie, 28 abr 2017) | 2 lines

Patch by Mark Rogers: Fix CVE-2017-7379: encoding array too short to encode/decode code point 0xffff

Index: src/base/PdfEncoding.cpp
===================================================================
--- src/base/PdfEncoding.cpp	(revision 1841)
+++ src/base/PdfEncoding.cpp	(revision 1842)
@@ -45,6 +45,7 @@
# #include <stack>
# #include <stdlib.h>
# #include <string.h>
 
 #include <stdlib.h>
 #include <string.h>
+#include <limits>
# #include <sstream>
# #include "PdfArray.h"
# #include "doc/PdfDifferenceEncoding.h"
 #include <sstream>
 
 namespace PoDoFo {
@@ -362,7 +363,9 @@
 void PdfSimpleEncoding::InitEncodingTable() 
 {
     Util::PdfMutexWrapper wrapper( *m_mutex );
-    const long         lTableLength     = 0xffff;
+	// CVE-2017-7379 - previously lTableLength was 0xffff, but pdf_utf16be characters can be in range 0..0xffff so this
+	// caused out-by-one heap overflow when character 0xffff was encoded
+    const long         lTableLength     = std::numeric_limits<pdf_utf16be>::max() + 1;
     const pdf_utf16be* cpUnicodeTable   = this->GetToUnicodeTable();
 
     if( !m_pEncodingTable ) // double check

------------------------------------------------------------------------

Places

File r1842-Fix-CVE-2017-7379-encoding-array-too-short.patch of Package podofo

Places