Message-ID: <email address hidden>
Date: Thu, 8 Dec 2005 14:55:55 +0100
From: Martin Pitt <email address hidden>
To: Frank Küster <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
Hi Frank!
Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
>
> I'm completely illiterate in C++, and would like to make sure this is
> correct.
OK, you can now find the 3.0 debdiff at
http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff
it might be interesting for you to get the CVE numbers in the
changelog right. (Please do mention the CVE numbers to ease tracking.)
The essential difference is the JPXStream.cc diff, which now looks
like:
--- tetex-bin- 3.0/libs/ xpdf/xpdf/ JPXStream. cc 2004-01-22 02:26:45.0000000= 3.0.new/ libs/xpdf/ xpdf/JPXStream. cc 2005-12-08 14:40:19=
00 +0100
+++ tetex-bin-
=2E000000000 +0100
@@ -666,7 +666,8 @@
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
+ Guint allocSize;
//----- main header
/ img.xTileSize;
/ img.yTileSize; img.nXTiles * img.nYTiles * allocSize) ;
img.tiles[ i].tileComps =3D (JPXTileComp *)gmalloc( img.nComps *
sizeof( JPXTileComp) =
haveSIZ =3D haveCOD =3D haveQCD =3D haveSOT =3D gFalse;
@@ -701,8 +702,15 @@
img.nYTiles =3D (img.ySize - img.yTileOffset + img.yTileSize - 1)
- img.tiles =3D (JPXTile *)gmalloc(
- sizeof(JPXTile));
+ nTiles =3D img.nXTiles * img.nYTiles;
+ allocSize =3D nTiles * sizeof(JPXTile);
+ // check for overflow before allocating memory
+ if (nTiles =3D=3D 0 || nTiles / img.nXTiles !=3D img.nYTiles ||
+ allocSize / sizeof(JPXTile) !=3D nTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles =3D (JPXTile *)gmalloc(
for (i =3D 0; i < img.nXTiles * img.nYTiles; ++i) {
);
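Review bot: the overflow check in this hunk only detects unsigned wraparound of nTiles * sizeof(JPXTile); allocSize is a Guint but gmalloc() takes an int size in xpdf's gmem, so a product between INT_MAX and UINT_MAX passes both division tests and arrives at gmalloc() as a negative size. Add `allocSize > INT_MAX` to the condition (or compare nTiles against INT_MAX / sizeof(JPXTile), which is the limit the gmallocn() check referred to below enforces). The `nTiles / img.nXTiles` division is safe, because `nTiles == 0` is evaluated first and short-circuits when img.nXTiles is zero. Minor: the following `for (i = 0; i < img.nXTiles * img.nYTiles; ++i)` loop can use nTiles now that it exists, and the per-tile `gmalloc(img.nComps * sizeof(JPXTileComp))` allocation inside that loop gets no equivalent multiplication check.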
I added an additional allocSize variable and check it for int
overflow, to get the same effect as gmallocn() in the original xpdf
source.
HTH,
Martin
(who really wishes upstreams would switch to poppler after uploading
22 security update packages)
-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
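The overflow check Martin describes, as an added stand-alone C example (not code from the patch, xpdf or teTeX): it applies the same division-based wraparound test to a stand-in JPXTile type and, going beyond the patch, also rejects products above INT_MAX because gmalloc()'s size argument is an int. The 32-byte JPXTile layout and the tile counts fed to it are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

typedef unsigned int Guint;          /* xpdf's Guint is an unsigned int */

/* Constructed stand-in for xpdf's JPXTile: only its size matters here. */
typedef struct { unsigned char pad[32]; } JPXTile;

/*
 * Compute nXTiles * nYTiles * sizeof(JPXTile) the way the patch does.
 * Returns 0 and stores the byte count in *out when it is safe to allocate,
 * -1 when either multiplication wrapped around in 32-bit unsigned arithmetic
 * (the patch's check), and -2 when the product fits in a Guint but not in
 * the int that gmalloc() takes (the extra check the patch lacks).
 */
int jpx_tile_alloc_size(Guint nXTiles, Guint nYTiles, Guint *out) {
    Guint nTiles = nXTiles * nYTiles;
    Guint allocSize = nTiles * (Guint)sizeof(JPXTile);

    /* nTiles == 0 is tested first, so the division by nXTiles below can
     * never be a division by zero. */
    if (nTiles == 0 || nTiles / nXTiles != nYTiles ||
        allocSize / sizeof(JPXTile) != nTiles)
        return -1;
    if (allocSize > (Guint)INT_MAX)   /* would turn negative as an int */
        return -2;
    *out = allocSize;
    return 0;
}

int main(void) {
    /* Constructed SIZ-marker-style tile counts: sane, wrapping, oversized. */
    Guint cases[][2] = { {4u, 3u}, {65536u, 65536u}, {65536u, 65535u},
                         {1024u, 71680u} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        Guint bytes = 0;
        int rc = jpx_tile_alloc_size(cases[i][0], cases[i][1], &bytes);
        printf("%u x %u tiles -> rc=%d bytes=%u\n",
               cases[i][0], cases[i][1], rc, bytes);
    }
    return 0;
}
```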