New koffice upload to t-p-u
Hi,
Since the recent security upload of koffice to t-p-u, the security team
has suggested a more robust method of testing for overflow. I therefore
have another t-p-u upload coming. The full diff is below.
Ben.
diff -u koffice-1.3.2/debian/changelog koffice-1.3.2/debian/changelog
--- koffice-1.3.2/debian/changelog
+++ koffice-1.3.2/debian/changelog
@@ -1,3 +1,12 @@
+koffice (1:1.3.2-1.sarge.3) testing-proposed-updates; urgency=high
+
+ * Security upload to testing-proposed-updates.
+ * Modified the xpdf security fixes from 1:1.3.2-1.sarge.2 to use a more
+ robust style of testing that does not depend upon the level of compiler
+ optimisation (thanks to Martin Schulze).
+
+ -- Ben Burton <bab@debian.org> Thu, 28 Oct 2004 19:03:02 +1000
+
koffice (1:1.3.2-1.sarge.2) testing-proposed-updates; urgency=critical
* Security upload to testing-proposed-updates.
diff -u koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/Catalog.cc koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/Catalog.cc
--- koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/Catalog.cc
+++ koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/Catalog.cc
@@ -12,6 +12,7 @@
#pragma implementation
#endif
+#include <limits.h>
#include <stddef.h>
#include "gmem.h"
#include "Object.h"
@@ -63,8 +64,8 @@
}
pagesSize = numPages0 = obj.getInt();
obj.free();
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
+ (pagesSize >= INT_MAX / sizeof(Ref))) {
error(-1, "Invalid 'pagesSize'");
ok = gFalse;
return;
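Review bot: The new test `pagesSize >= INT_MAX / sizeof(Page *)` rejects a negative count only as a side effect of the implicit conversion to the unsigned type of `sizeof`; nothing in the condition says so. pagesSize is assigned from `obj.getInt()` two lines above, so it is presumably a signed int read from the document. Spelling out the lower bound, `if (pagesSize < 0 || (size_t)pagesSize >= INT_MAX / sizeof(Page *) ||`, keeps the behaviour, documents the intent and avoids sign-compare warnings. The same pattern recurs in the second Catalog.cc hunk and in all four XRef.cc checks. The enclosing function starts and ends outside the hunk.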
@@ -196,8 +197,8 @@
}
if (start >= pagesSize) {
pagesSize += 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if ((pagesSize >= INT_MAX / sizeof(Page *)) ||
+ (pagesSize >= INT_MAX / sizeof(Ref))) {
error(-1, "Invalid 'pagesSize' parameter.");
goto err3;
}
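Review bot: `pagesSize += 32` updates the member before the bound is tested, so the `goto err3` path leaves pagesSize 32 larger than the arrays that were actually allocated. Whether anything reads the catalog after err3 is not visible in this hunk. Computing the candidate in a local first, as the XRef.cc hunks do with `newSize`, removes the question: `int newPagesSize = pagesSize + 32;`, test that, and assign to pagesSize only once the arrays have been grown. `streamEndsSize += 64` in the last XRef.cc hunk has the same shape ahead of its `return gFalse`. The enclosing function starts and ends outside the hunk.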
diff -u koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/XRef.cc koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/XRef.cc
--- koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/XRef.cc
+++ koffice-1.3.2/filters/kword/pdf/xpdf/xpdf/XRef.cc
@@ -12,6 +12,7 @@
#pragma implementation
#endif
+#include <limits.h>
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
@@ -76,7 +77,7 @@
// trailer is ok - read the xref table
} else {
- if (size*sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+ if (size >= INT_MAX / sizeof(XRefEntry)) {
error(-1, "Invalid 'size' inside xref table.");
ok = gFalse;
errCode = errDamaged;
@@ -273,7 +274,7 @@
// table size
if (first + n > size) {
newSize = size + 256;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
error(-1, "Invalid 'newSize'");
goto err2;
}
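Review bot: The guard `first + n > size` is a signed addition that runs before the new bound test, and the hunk shows no range check on either operand. If first and n are taken from the xref section of the file (their origin is outside the hunk), a large pair can overflow, which is undefined for signed int and may skip the resize altogether. A check ahead of it such as `if (first < 0 || n < 0 || first > INT_MAX - n) { error(-1, "Invalid 'first' or 'n'"); goto err2; }` would cover it. `newSize = (num + 1 + 255) & ~255` in the next hunk has the same issue; comparing `num` with the limit before rounding up avoids computing an overflowed value first. The enclosing function starts and ends outside the hunk.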
@@ -420,7 +421,7 @@
if (!strncmp(p, "obj", 3)) {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX / sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters.");
return gFalse;
}
@@ -445,7 +446,7 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if (streamEndsSize >= INT_MAX / sizeof(int)) {
error(-1, "Invalid 'endstream' parameter.");
return gFalse;
}