File r1889-Fix-for-CVE-2018-5295-Integer-overflow-at... of Package podofo

Overview Repositories Revisions Requests Users Attributes Meta

File r1889-Fix-for-CVE-2018-5295-Integer-overflow-at-PdfXRefStreamParserObject-ParseStream.patch of Package podofo (Revision 2cd84d730fdf67d575e1fb0c216d5d80)

Currently displaying revision 2cd84d730fdf67d575e1fb0c216d5d80 , Show latest

------------------------------------------------------------------------
r1889 | mc-zyx | 2018-02-18 13:02:28 +0100 (dom, 18 feb 2018) | 2 lines

Patch by Matthias Brinke: Fix for CVE-2018-5295 - Integer overflow at PdfXRefStreamParserObject::ParseStream()

Index: src/base/PdfXRefStreamParserObject.cpp
===================================================================
--- src/base/PdfXRefStreamParserObject.cpp	(revision 1888)
+++ src/base/PdfXRefStreamParserObject.cpp	(revision 1889)
@@ -38,7 +38,7 @@
 #include "PdfStream.h"
 #include "PdfVariant.h"
 
-#include <stdio.h>
+#include <limits>
 
 namespace PoDoFo {
 
@@ -122,13 +122,27 @@
 {
     char*        pBuffer;
     pdf_long     lBufferLen;
-    const size_t entryLen  = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
 
-    if( nW[0] + nW[1] + nW[2] < 0 )
+    for(pdf_int64 nLengthSum = 0, i = 0; i < W_ARRAY_SIZE; i++ )
     {
-        PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef, "Invalid entry length in XRef stream" );
+        if ( nW[i] < 0 )
+        {
+            PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+                                    "Negative field length in XRef stream" );
+        }
+        if ( std::numeric_limits<pdf_int64>::max() - nLengthSum < nW[i] )
+        {
+            PODOFO_RAISE_ERROR_INFO( ePdfError_NoXRef,
+                                    "Invalid entry length in XRef stream" );
+        }
+        else
+        {
+            nLengthSum += nW[i];
+        }
     }
 
+    const size_t entryLen  = static_cast<size_t>(nW[0] + nW[1] + nW[2]);
+
     this->GetStream()->GetFilteredCopy( &pBuffer, &lBufferLen );

------------------------------------------------------------------------

Places

File r1889-Fix-for-CVE-2018-5295-Integer-overflow-at-PdfXRefStreamParserObject-ParseStream.patch of Package podofo (Revision 2cd84d730fdf67d575e1fb0c216d5d80)

Places