Message-ID: <email address hidden>
Date: Thu, 08 Dec 2005 22:03:19 +0100
From: Florian Weimer <email address hidden>
To: Frank Küster <email address hidden>
Cc: <email address hidden>, Martin Pitt <email address hidden>
Subject: Re: Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?
* Frank Küster:
> It also seems that there are some buffer overflows in 3.00 that do not
> have any tests, e.g. in XRef.cc, line 391 after patch-CAN-2004-0888 has
> been applied. Or is such a check
>
> if (newSize < 0) {
>   goto err1;
> }
>
> enough to detect an integer overflow, because newSize is signed?
No, it's not, see:
<http://cert.uni-stuttgart.de/advisories/c-integer-overflow.php>
I should retry with GCC 4.1; it might actually perform the
optimization.
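The distinction Florian draws, as an added example that is not from the thread or from xpdf: a size check made after a signed multiplication, beside one that bounds the operands before multiplying. The Entry type, the function names and the sample counts are constructed here.

```c
#include <limits.h>
#include <stdio.h>

/* Stand-in record type, constructed for this example; not xpdf's XRef entry. */
typedef struct { long long offset; int gen; int type; } Entry;

/* The pattern asked about in the thread: multiply in signed int arithmetic,
 * then test the result for negativity. Signed overflow is undefined behaviour
 * in C, so the compiler may assume newSize cannot be negative after the
 * multiplication and delete the test (the optimisation the reply refers to). */
int size_check_after_overflow(int numEntries)
{
    int newSize = numEntries * (int)sizeof(Entry);   /* may overflow: UB */
    if (newSize < 0) {
        return -1;      /* may be optimised away */
    }
    return newSize;
}

/* Overflow-safe signed multiply: bounds the operands so the product is
 * rejected *before* it can overflow. Only non-negative operands are
 * accepted, which is all a size computation needs. Returns 0 on success. */
int mul_int_checked(int a, int b, int *out)
{
    if (a < 0 || b < 0) {
        return -1;
    }
    if (b != 0 && a > INT_MAX / b) {
        return -1;      /* a * b would exceed INT_MAX */
    }
    *out = a * b;       /* provably in range: no undefined behaviour */
    return 0;
}

/* Correct pattern: validate the count and compute the byte size with the
 * checked multiply, so there is no overflow for the compiler to reason about. */
int size_check_before_overflow(int numEntries, int *newSize)
{
    return mul_int_checked(numEntries, (int)sizeof(Entry), newSize);
}

int main(void)
{
    int n = 0, rc;
    rc = size_check_before_overflow(10, &n);
    printf("10 entries: rc=%d size=%d\n", rc, n);
    rc = size_check_before_overflow(INT_MAX, &n);
    printf("INT_MAX entries: rc=%d\n", rc);
    return 0;
}
```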