
Bug#278298: woody is still affected



tags 278298 patch
stop

Martin Schulze <joey@infodrom.org> schrieb:

> Frank Küster wrote:
>> # as previously explained, woody is also affected by this.
>> # a patch will follow soon
>
> We've experienced a buildd failure on one architecture which is keeping
> this update from being released.  It will be released as soon as the
> buildd problem is fixed.

The patch I first sent you is not complete - it just contains the fixes
in xpdf_3.00-9, not the additional ones in 3.00-10. Here's a complete
patch, backported to woody's tetex-bin.

As explained previously, in the part analogous to xpdf 3.00-9 (and yet
fixed for tetex-bin in unstable), there is one hunk that does not apply
at all to woody - the code is simply not there.

The new patch (3.00-10) applies fine to the sources in woody, but it
uses some error handling routines that are not implemented in xpdf-1 (or
tetex-bin_1*). I simply commented out the line "errCode = errDamage".

The patched sources compile fine in a woody pbuilder environment on
i386, but I have not yet set up a woody machine for testing them.

Here's the patch (against 7.1 which is in the archive):

diff -Nur tetex-bin-1.0.7+20011202.orig/debian/changelog tetex-bin-1.0.7+20011202/debian/changelog
--- tetex-bin-1.0.7+20011202.orig/debian/changelog	Thu Nov 21 11:48:30 2002
+++ tetex-bin-1.0.7+20011202/debian/changelog	Tue Nov 23 14:40:38 2004
@@ -1,3 +1,11 @@
+tetex-bin (1.0.7+20011202-7.2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Backported fixes for several integer overflows in the xpdf library
+    included in tetex-bin, thanks to Frank Küster <frank@debian.org>
+
+ -- Frank Küster <frank@debian.org>  Tue, 23 Nov 2004 14:40:38 +0100
+
 tetex-bin (1.0.7+20011202-7.1) stable-security; urgency=high
 
   * Non-maintainer upload by the Security Team
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.c tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.c
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.c	Sat Oct 27 00:07:08 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.c	Mon Nov 22 14:39:18 2004
@@ -52,9 +52,9 @@
 
 #endif /* DEBUG_MEM */
 
-void *gmalloc(int size) {
+void *gmalloc(size_t size) {
 #ifdef DEBUG_MEM
-  int size1;
+  size_t size1;
   char *mem;
   GMemHdr *hdr;
   void *data;
@@ -93,11 +93,11 @@
 #endif
 }
 
-void *grealloc(void *p, int size) {
+void *grealloc(void *p, size_t size) {
 #ifdef DEBUG_MEM
   GMemHdr *hdr;
   void *q;
-  int oldSize;
+  size_t oldSize;
 
   if (size == 0) {
     if (p)
@@ -136,7 +136,7 @@
 
 void gfree(void *p) {
 #ifdef DEBUG_MEM
-  int size;
+  size_t size;
   GMemHdr *hdr;
   GMemHdr *prevHdr, *q;
   int lst;
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.h tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.h
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.h	Sat Oct 27 00:07:08 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.h	Mon Nov 22 14:39:45 2004
@@ -19,13 +19,13 @@
  * Same as malloc, but prints error message and exits if malloc()
  * returns NULL.
  */
-extern void *gmalloc(int size);
+extern void *gmalloc(size_t size);
 
 /*
  * Same as realloc, but prints error message and exits if realloc()
  * returns NULL.  If <p> is NULL, calls malloc instead of realloc().
  */
-extern void *grealloc(void *p, int size);
+extern void *grealloc(void *p, size_t size);
 
 /*
  * Same as free, but checks for and ignores NULL pointers.
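Review bot: The header comments above the two changed prototypes do not mention that `size` is now unsigned, so a negative `int` length passed by a caller converts silently into a very large request instead of failing; every caller therefore has to range-check signed lengths itself, which is what the Catalog.cc and XRef.cc hunks add. I would state that contract at the declaration, above both `gmalloc` and `grealloc`: `/* size is unsigned: callers must reject negative or oversized signed lengths before calling. */`. Without it, the next caller written against this header will not know the int-to-size_t conversion is the hazard these checks guard against.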
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/Catalog.cc tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/Catalog.cc
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/Catalog.cc	Sat Oct 27 00:07:09 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/Catalog.cc	Mon Nov 22 14:29:55 2004
@@ -19,6 +19,7 @@
 #include "Error.h"
 #include "Link.h"
 #include "Catalog.h"
+#include <limits.h>
 
 //------------------------------------------------------------------------
 // Catalog
@@ -57,6 +58,12 @@
   }
   pagesSize = numPages0 = obj.getInt();
   obj.free();
+  if (pagesSize >= INT_MAX/sizeof(Page *) ||
+      pagesSize >= INT_MAX/sizeof(Ref)) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
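Review bot: A negative `pagesSize` returned by `obj.getInt()` is rejected by the new check only because comparing an `int` with `size_t` promotes it to unsigned; that happens to be correct but is implicit, and the analogous check added in XRef.cc spells out `size < 0`. Make it explicit here and in the `pagesSize += 32` hunk below: `if (pagesSize < 0 || pagesSize >= INT_MAX/sizeof(Page *) ||`. The constructor body continues outside the hunk, so I cannot see whether `pages` and `pageRefs` are initialized before this point; if the destructor frees them, they should be NULL before the early `return`.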
@@ -147,6 +154,11 @@
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize >= INT_MAX/sizeof(Page *) ||
+            pagesSize >= INT_MAX/sizeof(Ref)) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {
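Review bot: The inserted `if` block is indented with spaces inside a tab-indented region, so it sits at a different visual depth from the `pages = ...` lines it guards; the same mixture appears in the `newSize` and `streamEndsSize` hunks of XRef.cc, the latter also adding a stray blank line and `>=INT_MAX` without a space. Re-indent the added lines with tabs to match the surrounding code so the guard reads as part of the block. The enclosing function starts and ends outside this hunk, and the `err3` label is not visible here.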
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/XRef.cc tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/XRef.cc
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/XRef.cc	Wed Nov 14 11:15:59 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/XRef.cc	Mon Nov 22 16:50:20 2004
@@ -25,6 +25,7 @@
 #endif
 #include "Error.h"
 #include "XRef.h"
+#include <limits.h>
 
 //------------------------------------------------------------------------
 
@@ -74,6 +75,8 @@
   start = str->getStart();
   pos = readTrailer();
 
+  entries = NULL;
+
   // if there was a problem with the trailer,
   // try to reconstruct the xref table
   if (pos == 0) {
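Review bot: `entries = NULL;` is placed after `readTrailer()` rather than with the constructor's other initialization, so any exit between the start of the constructor and this line (none is visible in the hunk) would leave `entries` indeterminate for whatever the destructor does with it, presumably `gfree(entries)`. Moving the assignment to the first statement of the constructor costs nothing and removes the question; the constructor body begins outside this hunk. If the intent is to make the new early `return` in the size check below safe, a comment would make that explicit: `// NULL so the object can be destroyed if the size check below bails out`.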
@@ -84,6 +87,12 @@
 
   // trailer is ok - read the xref table
   } else {
+    if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok = gFalse;
+      /*      errCode = errDamaged;  not defined and handled in version 1 */
+      return;
+    }
     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i = 0; i < size; ++i) {
       entries[i].offset = -1;
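Review bot: The commented-out `errCode = errDamaged;` reads as leftover code; the reason it is absent belongs in a plain comment such as `/* xpdf 1.x has no errCode/errDamaged; ok is the only error indicator available here */`, after which `ok = gFalse; return;` is self-explanatory. The check itself is sound: `size < 0` is explicit and the upper bound keeps `size * sizeof(XRefEntry)` below INT_MAX. Since `entries` was set to NULL earlier in the constructor, the early return should leave the object destructible, assuming the destructor only frees it.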
@@ -181,7 +190,7 @@
     n = atoi(p);
     while ('0' <= *p && *p <= '9') ++p;
     while (isspace(*p)) ++p;
-    if (p == buf)
+    if ((p == buf) || (n < 0)) /* must make progress */
       return 0;
     pos1 += (p - buf) + n * 20;
   }
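Review bot: `n < 0` does not bound `n` from above, so `n * 20` on the following line can still overflow `int` for a large count read from the file through `atoi(p)`, and `atoi` itself has undefined behavior on out-of-range input. Bound the count before the multiplication: `if ((p == buf) || (n < 0) || (n > INT_MAX / 20)) /* must make progress */`. Parsing with `strtol` and checking `errno == ERANGE` would also remove the `atoi` hazard. The enclosing function starts and ends outside this hunk, and the type of `pos1` is not visible, so the same concern may apply to the addition that follows.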
@@ -248,6 +257,10 @@
       goto err2;
     s[i] = '\0';
     first = atoi(s);
+    if (first < 0) {
+        error(-1, "Invalid 'first'");
+        goto err2;
+    }
     while ((c = str->lookChar()) != EOF && isspace(c))
       str->getChar();
     for (i = 0; (c = str->getChar()) != EOF && isdigit(c) && i < 20; ++i)
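Review bot: `first < 0` here and the `n <= 0` check in the next hunk bound each operand individually, but the loop `for (i = first; i < first + n; ++i)` further down still computes `first + n`, which overflows `int` when both values are large (each is parsed by `atoi` from up to 20 digits). Add the sum check where `n` is validated: `if (n <= 0 || first > INT_MAX - n) {`. Separately, rejecting `n == 0` rather than only `n < 0` may turn away files with an empty xref subsection, which I believe the syntax allows; `n < 0` is enough for the overflow concern. The enclosing function starts and ends outside both hunks.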
@@ -256,6 +269,10 @@
       goto err2;
     s[i] = '\0';
     n = atoi(s);
+    if (n<=0) {
+        error(-1, "Invalid 'n'");
+        goto err2;
+    }
     while ((c = str->lookChar()) != EOF && isspace(c))
       str->getChar();
     for (i = first; i < first + n; ++i) {
@@ -370,6 +387,10 @@
     // look for object
     } else if (isdigit(*p)) {
       num = atoi(p);
+      if (num < 0) {
+	error(-1, "Invalid 'num' parameters.");
+	return gFalse;
+      }
       do {
 	++p;
       } while (*p && isdigit(*p));
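Review bot: `num < 0` still lets a large positive `num` reach `newSize = (num + 1 + 255) & ~255;` in the next hunk, where the addition overflows `int` (undefined behavior) before the added `newSize < 0` test runs, so that test relies on wraparound the compiler is not obliged to provide. Reject oversized object numbers here, before the arithmetic: `if (num < 0 || num > INT_MAX - 256) {`; the later `newSize >= INT_MAX/sizeof(XRefEntry)` check then operates on a defined value. `num` comes from `atoi(p)` on file data, so the same `atoi` range concern as in the `n * 20` hunk applies. The enclosing function starts and ends outside these hunks.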
@@ -389,6 +410,10 @@
 	    if (!strncmp(p, "obj", 3)) {
 	      if (num >= size) {
 		newSize = (num + 1 + 255) & ~255;
+	        if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+	          error(-1, "Invalid 'obj' parameters.");
+	          return gFalse;
+	        }
 		entries = (XRefEntry *)
 		            grealloc(entries, newSize * sizeof(XRefEntry));
 		for (i = size; i < newSize; ++i) {
@@ -410,6 +435,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+         if (streamEndsSize >=INT_MAX/sizeof(int)) {
+           error(-1, "Invalid 'endstream' parameter.");
+           return gFalse;
+         }
+
 	streamEnds = (int *)grealloc(streamEnds, streamEndsSize * sizeof(int));
       }
       streamEnds[streamEndsLen++] = pos;
Regards, Frank


-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
