Comment 15 for bug 26647

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Dec 2005 16:50:21 +0100
From: Frank Küster <email address hidden>
To: <email address hidden>
Subject: NMU for this bug

--=-=-=
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Hi,

since this bug has been open for quite a while, I'm currently preparing
an NMU for this bug, using the attached patch. I'm going to upload it
without a delay.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer

--=-=-=
Content-Type: text/x-patch; charset=iso-8859-1
Content-Disposition: inline; filename=poppler.NMU
Content-Transfer-Encoding: quoted-printable

diff -Nur poppler-0.4.2/debian/changelog poppler-0.4.2.new/debian/changelog
--- poppler-0.4.2/debian/changelog 2005-12-23 16:48:41.997756352 +0100
+++ poppler-0.4.2.new/debian/changelog 2005-12-23 16:48:21.697842408 +0100
@@ -1,3 +1,26 @@
+poppler (0.4.2-1.1) unstable; urgency=3Dhigh
+
+ * SECURITY UPDATE: Multiple integer/buffer overflows.
+
+ * NMU to fix RC security bug (closes: #342288)
+ * Add debian/patches/04_CVE-2005-3191_2_3.patch taken from Ubuntu,
+ thanks to Martin Pitt:
+ * poppler/Stream.cc, DCTStream::readBaselineSOF(),
+ DCTStream::readProgressiveSOF(), DCTStream::readScanInfo():
+ - Check numComps for invalid values.
+ - http://www.idefense.com/application/poi/display?id=3D342&type=3Dvuln=
erabilities
+ - CVE-2005-3191
+ * poppler/Stream.cc, StreamPredictor::StreamPredictor():
+ - Check rowBytes for invalid values.
+ - http://www.idefense.com/application/poi/display?id=3D344&type=3Dvuln=
erabilities
+ - CVE-2005-3192
+ * poppler/JPXStream.cc, JPXStream::readCodestream():
+ - Check img.nXTiles * img.nYTiles for integer overflow.
+ - http://www.idefense.com/application/poi/display?id=3D345&type=3Dvul=
nerabilities
+ - CVE-2005-3193
+
+ -- Frank K=FCster <email address hidden> Fri, 23 Dec 2005 16:36:30 +0100
+
 poppler (0.4.2-1) unstable; urgency=3Dlow
=20
   * GNOME Team upload.
diff -Nur poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch poppler-0=
.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch
--- poppler-0.4.2/debian/patches/04_CVE-2005-3191_2_3.patch 1970-01-01 01:0=
0:00.000000000 +0100
+++ poppler-0.4.2.new/debian/patches/04_CVE-2005-3191_2_3.patch 2005-12-23 =
16:15:37.000000000 +0100
@@ -0,0 +1,156 @@
+diff -Nur poppler-0.4.2/poppler/JPXStream.cc poppler-0.4.2.new/poppler/JPX=
Stream.cc
+--- poppler-0.4.2/poppler/JPXStream.cc 2005-03-03 20:46:03.000000000 +0100
++++ poppler-0.4.2.new/poppler/JPXStream.cc 2005-12-09 17:41:42.000000000 +=
0100
+@@ -7,6 +7,7 @@
+ //=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
+=20
+ #include <config.h>
++#include <limits.h>
+=20
+ #ifdef USE_GCC_PRAGMAS
+ #pragma implementation
+@@ -666,7 +667,7 @@
+ int segType;
+ GBool haveSIZ, haveCOD, haveQCD, haveSOT;
+ Guint precinctSize, style;
+- Guint segLen, capabilities, comp, i, j, r;
++ Guint segLen, capabilities, nTiles, comp, i, j, r;
+=20
+ //----- main header
+ haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
+@@ -701,8 +702,18 @@
+ / img.xTileSize;
+ img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
+ / img.yTileSize;
+- img.tiles =3D (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+- sizeof(JPXTile));
++ // check for overflow before allocating memory
++ if (img.nXTiles <=3D 0 || img.nYTiles <=3D 0 ||
++ img.nXTiles >=3D INT_MAX/img.nYTiles) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ nTiles =3D img.nXTiles * img.nYTiles;
++ if (nTiles >=3D INT_MAX/sizeof(JPXTile)) {
++ error(getPos(), "Bad tile count in JPX SIZ marker segment");
++ return gFalse;
++ }
++ img.tiles =3D (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
+ for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
+ img.tiles[i].tileComps =3D (JPXTileComp *)gmalloc(img.nComps *
+ sizeof(JPXTileComp));
+diff -Nur poppler-0.4.2/poppler/Stream.cc poppler-0.4.2.new/poppler/Stream=
.cc
+--- poppler-0.4.2/poppler/Stream.cc 2005-04-27 22:56:18.000000000 +0200
++++ poppler-0.4.2.new/poppler/Stream.cc 2005-12-09 17:40:53.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -420,13 +421,28 @@
+ width =3D widthA;
+ nComps =3D nCompsA;
+ nBits =3D nBitsA;
++ predLine =3D NULL;
++ ok =3D gFalse;
+=20
++ if (width <=3D 0 || nComps <=3D 0 || nBits <=3D 0 ||
++ nComps >=3D INT_MAX/nBits ||
++ width >=3D INT_MAX/nComps/nBits) {
++ return;
++ }
+ nVals =3D width * nComps;
++ if (nVals * nBits + 7 <=3D 0) {
++ return;
++ }
+ pixBytes =3D (nComps * nBits + 7) >> 3;
+ rowBytes =3D ((nVals * nBits + 7) >> 3) + pixBytes;
++ if (rowBytes < 0) {
++ return;
++ }
+ predLine =3D (Guchar *)gmalloc(rowBytes);
+ memset(predLine, 0, rowBytes);
+ predIdx =3D rowBytes;
++
++ ok =3D gTrue;
+ }
+=20
+ StreamPredictor::~StreamPredictor() {
+@@ -1020,6 +1036,10 @@
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
+@@ -2907,6 +2927,10 @@
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2933,6 +2957,10 @@
+ height =3D read16();
+ width =3D read16();
+ numComps =3D str->getChar();
++ if (numComps <=3D 0 || numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream", prec);
++ return gFalse;
++ }
+ if (prec !=3D 8) {
+ error(getPos(), "Bad DCT precision %d", prec);
+ return gFalse;
+@@ -2955,6 +2983,10 @@
+=20
+ length =3D read16() - 2;
+ scanInfo.numComps =3D str->getChar();
++ if (scanInfo.numComps <=3D 0 || scanInfo.numComps > 4) {
++ error(getPos(), "Bad number of components in DCT stream");
++ return gFalse;
++ }
+ --length;
+ if (length !=3D 2 * scanInfo.numComps + 3) {
+ error(getPos(), "Bad DCT scan info block");
+@@ -3268,6 +3300,10 @@
+ FilterStream(strA) {
+ if (predictor !=3D 1) {
+ pred =3D new StreamPredictor(this, predictor, columns, colors, bits);
++ if (!pred->isOk()) {
++ delete pred;
++ pred =3D NULL;
++ }
+ } else {
+ pred =3D NULL;
+ }
+diff -Nur poppler-0.4.2/poppler/Stream.h poppler-0.4.2.new/poppler/Stream.h
+--- poppler-0.4.2/poppler/Stream.h 2005-04-27 22:56:18.000000000 +0200
++++ poppler-0.4.2.new/poppler/Stream.h 2005-12-09 17:40:53.000000000 +0100
+@@ -231,6 +231,8 @@
+=20
+ ~StreamPredictor();
+=20
++ GBool isOk() { return ok; }
++
+ int lookChar();
+ int getChar();
+=20
+@@ -248,6 +250,7 @@
+ int rowBytes; // bytes per line
+ Guchar *predLine; // line buffer
+ int predIdx; // current index in predLine
++ GBool ok;
+ };
+=20
+ //------------------------------------------------------------------------
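Review bot: The guard `if (nVals * nBits + 7 <= 0)` added in StreamPredictor::StreamPredictor relies on a signed int product wrapping negative, which is undefined behaviour and a test a compiler may legitimately fold away once it knows both operands are positive; check before multiplying instead, `if (nVals > (INT_MAX - 7) / nBits) { return; }`, after which the later `rowBytes < 0` test is redundant but harmless. In the readBaselineSOF and readProgressiveSOF hunks, `error(getPos(), "Bad number of components in DCT stream", prec)` passes `prec` although the format has no conversion, so either drop the argument or log the rejected value, `error(getPos(), "Bad number of components (%d) in DCT stream", numComps)`, matching the readScanInfo variant. In JPXStream::readCodestream the loop `for (i = 0; i < img.nXTiles * img.nYTiles; ++i)` could use the newly computed `nTiles` so the loop bound and the allocation size cannot diverge. The context lines show nXTiles and nYTiles obtained by dividing by img.xTileSize and img.yTileSize; if those can be zero in a crafted SIZ segment the division faults before the new check runs, which is worth confirming where they are read, outside this hunk. Both readCodestream and the StreamPredictor constructor begin and end outside the shown hunks.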

--=-=-=--