File poppler-CVE-2009-3608.patch of Package poppler
From 1082e1671afd8ab91583dabc876304008acb021c Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Fri, 16 Oct 2009 21:17:22 +0000
Subject: Some "security" fixes based on newly released Xpdf 3.02pl4

---
Index: poppler-0.10.1/poppler/Stream.cc
===================================================================
--- poppler-0.10.1.orig/poppler/Stream.cc
+++ poppler-0.10.1/poppler/Stream.cc
@@ -403,6 +403,10 @@ ImageStream::ImageStream(Stream *strA, i
 } else {
 imgLineSize = nVals;
 }
+ if (width > INT_MAX / nComps) {
+ // force a call to gmallocn(-1,...), which will throw an exception
+ imgLineSize = -1;
+ }
 imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar));
 imgIdx = nVals;
 }
Index: poppler-0.10.1/poppler/XRef.cc
===================================================================
--- poppler-0.10.1.orig/poppler/XRef.cc
+++ poppler-0.10.1/poppler/XRef.cc
@@ -76,6 +76,8 @@ public:
 // generation 0.
 ObjectStream(XRef *xref, int objStrNumA);

+ GBool isOk() { return ok; }
+
 ~ObjectStream();

 // Return the object number of this object stream.
@@ -91,6 +93,7 @@ private:
 int nObjects; // number of objects in the stream
 Object *objs; // the objects (length = nObjects)
 int *objNums; // the object numbers (length = nObjects)
+ GBool ok;
 };

 ObjectStream::ObjectStream(XRef *xref, int objStrNumA) {
@@ -104,6 +107,7 @@ ObjectStream::ObjectStream(XRef *xref, i
 nObjects = 0;
 objs = NULL;
 objNums = NULL;
+ ok = gFalse;

 if (!xref->fetch(objStrNum, 0, &objStr)->isStream()) {
 goto err1;
@@ -129,8 +133,11 @@ ObjectStream::ObjectStream(XRef *xref, i
 goto err1;
 }

- if (nObjects*(int)sizeof(int)/sizeof(int) != nObjects) {
- error(-1, "Invalid 'nObjects'");
+ // this is an arbitrary limit to avoid integer overflow problems
+ // in the 'new Object[nObjects]' call (Acrobat apparently limits
+ // object streams to 100-200 objects)
+ if (nObjects > 1000000) {
+ error(-1, "Too many objects in an object stream");
 goto err1;
 }
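Review bot: The new guard `if (width > INT_MAX / nComps)` in the ImageStream constructor divides by nComps without first rejecting `nComps <= 0`, so a zero component count from a malformed image dictionary is a division by zero before any allocation is attempted. The check is also placed after the `imgLineSize = nVals;` context line, i.e. after the width/nComps product has presumably already been formed earlier in the constructor (outside the hunk), so it catches the allocation but leaves the already-overflowed `nVals` that `imgIdx = nVals;` keeps. I would write the guard as `if (nComps <= 0 || width <= 0 || width > INT_MAX / nComps) {` and move it ahead of the nVals computation. The comment's claim that `gmallocn(-1, ...)` throws depends on how poppler's gmem is built; if it instead prints and exits, a crafted PDF still takes the process down, which is worth confirming. ImageStream::ImageStream begins before the hunk.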
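Review bot: The replacement guard `if (nObjects > 1000000)` in ObjectStream::ObjectStream bounds only the upper end; whether a negative or zero nObjects has already been rejected is not visible in the hunk (the preceding `goto err1; }` context suggests an earlier check, but that should be confirmed), and a negative count would pass this test on its way to `new Object[nObjects]`. A million Objects per object stream is also a sizeable allocation that a crafted file can request once per stream, so if the intent is the Acrobat-like range the comment cites, a far smaller cap or one derived from the stream's actual length would be tighter. At minimum I would write `if (nObjects <= 0 || nObjects > 1000000) {` so the lower bound sits next to the allocation it protects. The constructor continues past the end of the hunk.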
@@ -190,10 +197,10 @@ ObjectStream::ObjectStream(XRef *xref, i
 }
 gfree(offsets);
+ ok = gTrue;

 err1:
 objStr.free();
- return;
 }

 ObjectStream::~ObjectStream() {
@@ -970,6 +977,11 @@ Object *XRef::fetch(int num, int gen, Ob
 delete objStr;
 }
 objStr = new ObjectStream(this, e->offset);
+ if (!objStr->isOk()) {
+ delete objStr;
+ objStr = NULL;
+ goto err;
+ }
 }
 objStr->getObject(e->gen, num, obj);
 break;
Index: poppler-0.10.1/splash/Splash.cc
===================================================================
--- poppler-0.10.1.orig/splash/Splash.cc
+++ poppler-0.10.1/splash/Splash.cc
@@ -27,6 +27,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashMath.h"
@@ -2001,7 +2002,10 @@ SplashError Splash::fillImageMask(Splash
 xq = w % scaledWidth;

 // allocate pixel buffer
- pixBuf = (SplashColorPtr)gmalloc((yp + 1) * w);
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
+ pixBuf = (SplashColorPtr)gmallocn((yp + 1), w);

 // initialize the pixel pipe
 pipeInit(&pipe, 0, 0, state->fillPattern, NULL, state->fillAlpha,
@@ -2301,7 +2305,10 @@ SplashError Splash::drawImage(SplashImag
 xq = w % scaledWidth;

 // allocate pixel buffers
- colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
+ if (yp < 0 || yp > INT_MAX - 1) {
+ return splashErrBadArg;
+ }
+ colorBuf = (SplashColorPtr)gmallocn3((yp + 1), w, nComps);
 if (srcAlpha) {
 alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
 } else {
Index: poppler-0.10.1/splash/SplashBitmap.cc
===================================================================
--- poppler-0.10.1.orig/splash/SplashBitmap.cc
+++ poppler-0.10.1/splash/SplashBitmap.cc
@@ -26,6 +26,7 @@
 #endif

 #include <stdio.h>
+#include <limits.h>
 #include "goo/gmem.h"
 #include "SplashErrorCodes.h"
 #include "SplashBitmap.h"
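Review bot: In the Splash::drawImage hunk the alpha buffer on the context line `alphaBuf = (Guchar *)gmalloc((yp + 1) * w);` still uses a raw `(yp + 1) * w` product right after the colorBuf allocation was moved to the overflow-checked gmallocn3; the new range check on yp does nothing to keep `(yp + 1) * w` from wrapping for a large w, so alphaBuf can be undersized while the rest of the function presumably assumes the full size. Change it to `alphaBuf = (Guchar *)gmallocn(yp + 1, w);` so both buffers go through the same checked path. Neither this hunk nor the fillImageMask hunk above checks the sign of w, so a negative w is left to whatever gmallocn does with a negative count, which is the same behaviour the Stream.cc comment relies on. drawImage begins before and continues after the hunk.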
@@ -42,26 +43,48 @@ SplashBitmap::SplashBitmap(int widthA, i
 mode = modeA;
 switch (mode) {
 case splashModeMono1:
- rowSize = (width + 7) >> 3;
+ if (width > 0) {
+ rowSize = (width + 7) >> 3;
+ } else {
+ rowSize = -1;
+ }
 break;
 case splashModeMono8:
- rowSize = width;
+ if (width > 0) {
+ rowSize = width;
+ } else {
+ rowSize = -1;
+ }
 break;
 case splashModeRGB8:
 case splashModeBGR8:
- rowSize = width * 3;
+ if (width > 0 && width <= INT_MAX / 3) {
+ rowSize = width * 3;
+ } else {
+ rowSize = -1;
+ }
 break;
 case splashModeXBGR8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
 break;
 #if SPLASH_CMYK
 case splashModeCMYK8:
- rowSize = width * 4;
+ if (width > 0 && width <= INT_MAX / 4) {
+ rowSize = width * 4;
+ } else {
+ rowSize = -1;
+ }
 break;
 #endif
 }
- rowSize += rowPad - 1;
- rowSize -= rowSize % rowPad;
+ if (rowSize > 0) {
+ rowSize += rowPad - 1;
+ rowSize -= rowSize % rowPad;
+ }
 data = (SplashColorPtr)gmallocn(rowSize, height);
 if (!topDown) {
 data += (height - 1) * rowSize;
Index: poppler-0.10.1/splash/SplashErrorCodes.h
===================================================================
--- poppler-0.10.1.orig/splash/SplashErrorCodes.h
+++ poppler-0.10.1/splash/SplashErrorCodes.h
@@ -41,6 +41,8 @@
 #define splashErrSingularMatrix 8 // matrix is singular

-#define splashErrZeroImage 9 // image of 0x0
+#define splashErrBadArg 9 // bad argument
+
+#define splashErrZeroImage 254 // image of 0x0

 #endif
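Review bot: The SplashBitmap constructor hunk validates width for every mode but never validates height, even though the context lines `data = (SplashColorPtr)gmallocn(rowSize, height);` and `data += (height - 1) * rowSize;` consume it: for `height <= 0` with `!topDown` the adjustment computes a pointer before the start of whatever gmallocn returned for a zero or negative count, which the hunk does not show. Adding `if (height <= 0) { rowSize = -1; }` beside the rowPad rounding would route bad heights down the same negative-count path the patch already relies on for bad widths, keeping the fix local. The five per-mode `if (width > 0 ...) { ... } else { rowSize = -1; }` blocks are also identical apart from the multiplier; a per-mode bytes-per-pixel value with a single `width <= INT_MAX / bpp` check would be easier to audit than five copies. SplashBitmap::SplashBitmap begins before the hunk and continues after it.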
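Review bot: Reassigning an existing public error code, `splashErrZeroImage` from 9 to 254 while the new `splashErrBadArg` takes 9, silently changes meaning for any out-of-tree code or binary built against the old header, which would now read a bad-argument failure as a zero-size image. Unless SplashErrorCodes.h is purely internal, giving `splashErrBadArg` the next unused value and leaving `#define splashErrZeroImage 9` untouched avoids that. Nothing in the hunk explains the jump to 254 either; a one-line comment such as `// kept out of the sequential range so callers can tell it from a real error` (or whatever the actual reason is) would help the next reader.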