Comment 14 for bug 26650

Martin Pitt (pitti) wrote: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
>
> I'm completely illiterate in C++, and would like to make sure this is
> correct.

OK, you can now find the 3.0 debdiff at

  http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

it might be interesting for you to get the CVE numbers in the
changelog right. (Please do mention the CVE numbers to ease tracking.)

The essential difference is the JPXStream.cc diff, which now looks
like:

--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc 2004-01-22 02:26:45.000000000 +0100
+++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 14:40:19.000000000 +0100
@@ -666,7 +666,8 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
+ Guint allocSize;

   //----- main header
   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
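Review bot: the width of `allocSize` matters for the check that follows, and nothing here says so: `sizeof(JPXTile)` is a `size_t`, so on a 64-bit build the product `nTiles * sizeof(JPXTile)` is formed at 64 bits and narrowed when stored in this `Guint`, and the divide-back comparison in the SIZ handler is what detects that narrowing. That is the intended replacement for gmallocn(), so add a one-line comment on the declaration; otherwise a later cleanup that "fixes" the type to `size_t` would silently switch the detection off.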
@@ -701,8 +702,15 @@
                    / img.xTileSize;
       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
                    / img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ allocSize = nTiles * sizeof(JPXTile);
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles ||
+ allocSize / sizeof(JPXTile) != nTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(allocSize);
       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
        img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
                                                        sizeof(JPXTileComp));
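Review bot: the loop bound in the trailing context still recomputes `img.nXTiles * img.nYTiles` instead of using the freshly validated `nTiles`; use `nTiles` there so the count that was checked is the count that is iterated. The operand order in the new `if` is load-bearing: `nTiles == 0` must stay first because it short-circuits before `nTiles / img.nXTiles` is evaluated when nXTiles is 0, so a reordering would introduce a division by zero; a comment saying so would prevent it. The inner `gmalloc(img.nComps * sizeof(JPXTileComp))` on the last two context lines keeps the multiply-then-allocate pattern with no divide-back check, so either confirm that nComps is range-checked where the SIZ header is read or apply the same guard there.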

I added an additional allocSize variable and check it for int
overflow, to get the same effect as gmallocn() in the original xpdf
source.

HTH,

Martin
(who really wishes upstreams would switch to poppler after uploading
22 security update packages)

--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
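The divide-back overflow check that the patch above applies before gmalloc(), as an added stand-alone C example that is not part of the patch, the xpdf sources, or this thread. It uses `uint32_t` in place of xpdf's `Guint`, a caller-supplied `elem_size` in place of `sizeof(JPXTile)`, and plain `calloc()` in place of gmalloc(); the tile counts fed to it are constructed values chosen to exercise the two places the product can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of the pre-allocation check: ok says whether allocating is safe;
   n_tiles and alloc_size are only meaningful when ok is true. */
typedef struct {
    bool ok;
    uint32_t n_tiles;
    uint32_t alloc_size;
} tile_alloc_check;

/* Mirror of the patched SIZ handler: multiply, then divide back and compare.
   Any mismatch means a 32-bit product wrapped.  elem_size stands in for
   sizeof(JPXTile) and is a size_t, as sizeof is, so on a 64-bit build the
   byte product is formed at 64 bits and narrowed into alloc_size exactly as
   the Guint assignment in the patch narrows it. */
tile_alloc_check check_tile_alloc(uint32_t n_x_tiles, uint32_t n_y_tiles,
                                  size_t elem_size) {
    tile_alloc_check r = { false, 0, 0 };
    if (elem_size == 0) {
        return r;                      /* never true for sizeof; guards the division */
    }
    uint32_t n_tiles = n_x_tiles * n_y_tiles;              /* may wrap modulo 2^32 */
    uint32_t alloc_size = (uint32_t)(n_tiles * elem_size); /* may wrap or be narrowed */

    /* n_tiles == 0 must stay first: it short-circuits before the division by
       n_x_tiles when n_x_tiles is 0. */
    if (n_tiles == 0 ||
        n_tiles / n_x_tiles != n_y_tiles ||
        alloc_size / elem_size != n_tiles) {
        return r;
    }
    r.ok = true;
    r.n_tiles = n_tiles;
    r.alloc_size = alloc_size;
    return r;
}

/* Allocate the tile array only when the check passes; returns NULL otherwise.
   The validated count is handed back so the caller iterates exactly what
   was allocated instead of recomputing the product. */
void *alloc_tiles(uint32_t n_x_tiles, uint32_t n_y_tiles, size_t elem_size,
                  uint32_t *out_n_tiles) {
    tile_alloc_check c = check_tile_alloc(n_x_tiles, n_y_tiles, elem_size);
    if (!c.ok) {
        return NULL;
    }
    *out_n_tiles = c.n_tiles;
    return calloc(c.n_tiles, elem_size);
}

int main(void) {
    /* Constructed inputs: one sane grid, one that wraps the tile count,
       one that wraps the byte count, and one with a zero dimension. */
    struct { uint32_t nx, ny; } cases[] = {
        { 4, 4 }, { 65536u, 65537u }, { 10000u, 10000u }, { 0, 5 }
    };
    const size_t elem = 48; /* constructed stand-in for sizeof(JPXTile) */
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        uint32_t n = 0;
        void *tiles = alloc_tiles(cases[i].nx, cases[i].ny, elem, &n);
        printf("%u x %u tiles: %s\n", cases[i].nx, cases[i].ny,
               tiles ? "allocated" : "rejected (bad tile count)");
        free(tiles);
    }
    return 0;
}
```

The second case wraps the 32-bit tile count itself (65536 * 65537 leaves 65536 in a `uint32_t`), so the first division disagrees with `n_y_tiles`; the third case has a tile count that fits but a byte count that does not (100,000,000 * 48 exceeds 2^32), so the second division disagrees with `n_tiles`. Both are the situations the original `gmalloc(img.nXTiles * img.nYTiles * sizeof(JPXTile))` could not tell apart from a legitimate small allocation.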