Comment 16 for bug 26650

Debian Bug Importer (debzilla) wrote :

Date: Thu, 8 Dec 2005 14:55:55 +0100
From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?

Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
>
> I'm completely illiterate in C++, and would like to make sure this is
> correct.

OK, you can now find the 3.0 debdiff at

  http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

it might be interesting for you to get the CVE numbers in the
changelog right. (Please do mention the CVE numbers to ease tracking.)

The essential difference is the JPXStream.cc diff, which now looks
like:

--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc 2004-01-22 02:26:45.0000000=
00 +0100
+++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 14:40:19=
=2E000000000 +0100
@@ -666,7 +666,8 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
+ Guint allocSize;

   //----- main header
   haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
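Review bot: the new `allocSize` declaration is a `Guint`, while the value stored into it in the second hunk, `nTiles * sizeof(JPXTile)`, is computed as a `size_t`; where `Guint` is narrower than `size_t` that assignment truncates, and the later `allocSize / sizeof(JPXTile) != nTiles` test detects the wrap only because of that narrowing. A one-line comment on this declaration saying why it is `Guint` rather than `size_t` would stop a later cleanup from silently disabling the check.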
@@ -701,8 +702,15 @@
                    / img.xTileSize;
       img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
                    / img.yTileSize;
- img.tiles =3D (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles =3D img.nXTiles * img.nYTiles;
+ allocSize =3D nTiles * sizeof(JPXTile);
+ // check for overflow before allocating memory
+ if (nTiles =3D=3D 0 || nTiles / img.nXTiles !=3D img.nYTiles ||
+ allocSize / sizeof(JPXTile) !=3D nTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles =3D (JPXTile *)gmalloc(allocSize);
       for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
        img.tiles[i].tileComps =3D (JPXTileComp *)gmalloc(img.nComps *
                                                        sizeof(JPXTileComp)=
);
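Review bot: the loop header that follows the new allocation, `for (i = 0; i < img.nXTiles * img.nYTiles; ++i)`, still recomputes the product instead of using the validated `nTiles`; use `nTiles` there so the loop bound and the allocation size cannot drift apart. Two smaller points: the `nTiles / img.nXTiles` division is free of divide-by-zero only because `nTiles == 0` is tested first (a zero `nXTiles` makes the product zero and short-circuits the condition), which deserves a comment; and the `gmalloc(img.nComps * sizeof(JPXTileComp))` call in the trailing context lines still multiplies without an equivalent check, so it is worth confirming that `nComps` is bounded where it is read.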

I added an additional allocSize variable and check it for int
overflow, to get the same effect as gmallocn() in the original xpdf
source.

HTH,

Martin
(who really wishes upstreams would switch to poppler after uploading
22 security update packages)

-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
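The overflow check Martin describes, as an added stand-alone example (not code from the tetex-bin patch or from xpdf): it reproduces the two-step multiply-then-verify logic of the hunk beside the single-division form of upstream's gmallocn(), assuming Guint is a 32-bit unsigned int and using a constructed JPXTile stand-in whose size is 96 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t Guint;   /* assumption: xpdf's Guint is a 32-bit unsigned int */

/* Constructed stand-in for xpdf's JPXTile; only its size (96 bytes) matters. */
typedef struct { unsigned char pad[96]; } JPXTile;

/* Mirror of the patched JPXStream.cc check: compute
 * nXTiles * nYTiles * sizeof(JPXTile) in Guint arithmetic and accept it
 * only if neither multiplication wrapped. On success *bytes holds the
 * count that would be handed to gmalloc(). Returns 1 = ok, 0 = reject. */
int jpx_tile_alloc_size(Guint nXTiles, Guint nYTiles, Guint *bytes) {
  Guint nTiles = nXTiles * nYTiles;                     /* wraps at 2^32 */
  Guint allocSize = (Guint)(nTiles * sizeof(JPXTile));  /* size_t narrowed */
  /* nTiles == 0 is tested first: a zero nXTiles gives nTiles == 0, so the
   * division by nXTiles below is never reached with a zero divisor. */
  if (nTiles == 0 ||
      nTiles / nXTiles != nYTiles ||
      allocSize / sizeof(JPXTile) != nTiles) {
    return 0;
  }
  *bytes = allocSize;
  return 1;
}

/* The same guarantee in the shape of upstream xpdf's gmallocn(n, size):
 * one division done before the multiply, so the product never has to be
 * inspected after the fact. Returns 1 if n * size fits in a Guint. */
int mul_fits_guint(Guint n, size_t size, Guint *bytes) {
  if (n == 0 || size == 0) return 0;
  if (n > (Guint)-1 / size) return 0;   /* n * size would exceed UINT32_MAX */
  *bytes = (Guint)(n * size);
  return 1;
}

int main(void) {
  Guint b;
  /* 1000x1000 tiles: 96000000 bytes, accepted. */
  printf("1000x1000: %s\n", jpx_tile_alloc_size(1000, 1000, &b) ? "ok" : "rejected");
  /* 50000x50000: nTiles fits, but nTiles*96 wraps; the second test catches it. */
  printf("50000x50000: %s\n", jpx_tile_alloc_size(50000, 50000, &b) ? "ok" : "rejected");
  /* 65537x65536: nTiles itself wraps to 65536; the division test catches it. */
  printf("65537x65536: %s\n", jpx_tile_alloc_size(65537, 65536, &b) ? "ok" : "rejected");
  return 0;
}
```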
