Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> Martin Pitt <martin.pitt@canonical.com> wrote:
>
> > Hi!
> >
> > I'm currently preparing Ubuntu security updates for these issues, and
> > I noticed that the upstream-provided patch is wrong. I sent the mail
> > below to upstream (and some others).
> >
> > Can you please check that you indeed fixed (tetex-bin)/will fix
> > (poppler) DCTStream::readProgressiveSOF(), too?
> [...]
> > It seems that the patch linked from these advisories [1] is a little
> > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(),
> > but does not check it in DCTStream::readProgressiveSOF().
>
> We have the same flaw in our upload. Would you be so kind as to check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0

The DCTStream::readProgressiveSOF() seems to be correct now; however,
there is still a flaw in

- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));

gmalloc does a multiplication which is not checked for integer
overflows. xpdf uses gmallocn() which does that check.

I'll send you an updated patch very soon; I just finished patching
tetex-bin 2.0.2, cupsys, xpdf, poppler, etc.

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
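Review bot: the overflow check in this hunk covers only the first multiplication (img.nXTiles * img.nYTiles); the second one, `nTiles * sizeof(JPXTile)` in the final `gmalloc(...)` call, is still computed unchecked, so a tile count that passes the division test can still wrap the byte count. Replace that line with the checked allocator the thread already names, along the lines of `img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));`, so that the element-count-times-element-size product is validated inside the allocator. The `nTiles == 0 ||` short-circuit does correctly keep the division from being reached when img.nXTiles is zero, so that part of the test is sound as written.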
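As an added example (not code from this thread, nor from xpdf, poppler or tetex-bin), the two checks a tile-array allocation needs, written in C with 32-bit arithmetic so that it mirrors the 32-bit builds under discussion on any host. The function names `tile_bytes32` and `alloc_tiles32`, the result codes and the 256-byte element size are constructed for the example; step 1 is the check the Debian patch adds and step 2 is the one it leaves to plain gmalloc().

```c
#include <stdint.h>
#include <stdlib.h>
#include <limits.h>

/* Constructed result codes for the two checks a tile allocation needs. */
enum { TILES_OK = 0, TILES_BAD_COUNT = 1, TILES_BYTES_OVERFLOW = 2 };

/*
 * Computes the byte size of an nXTiles x nYTiles tile array in 32-bit
 * arithmetic (emulating a 32-bit size_t).  Step 1 is the tile-count check
 * the patch performs; step 2 is the byte-count check the patch omits,
 * because gmalloc() multiplies nTiles * sizeof(JPXTile) without checking,
 * whereas a gmallocn()-style allocator validates that product.
 */
static int tile_bytes32(int nXTiles, int nYTiles, uint32_t elemSize,
                        uint32_t *outBytes)
{
    if (nXTiles <= 0 || nYTiles <= 0 || elemSize == 0)
        return TILES_BAD_COUNT;        /* zero/negative counts rejected */

    /* Step 1: tile count, in wide arithmetic to avoid signed-overflow UB.
     * Equivalent to the patch's "nTiles / nXTiles != nYTiles" test. */
    long long nTiles = (long long)nXTiles * nYTiles;
    if (nTiles > INT_MAX)
        return TILES_BAD_COUNT;

    /* Step 2: byte count.  This is the product gmalloc() forms unchecked. */
    if ((uint32_t)nTiles > UINT32_MAX / elemSize)
        return TILES_BYTES_OVERFLOW;

    *outBytes = (uint32_t)nTiles * elemSize;
    return TILES_OK;
}

/* gmallocn-style wrapper: allocate only when both checks pass, else NULL. */
static void *alloc_tiles32(int nXTiles, int nYTiles, uint32_t elemSize)
{
    uint32_t bytes;
    if (tile_bytes32(nXTiles, nYTiles, elemSize, &bytes) != TILES_OK)
        return NULL;
    return malloc(bytes);
}
```

A 4096 x 4096 tile grid passes step 1 (2^24 tiles fits an int) but fails step 2 once multiplied by a 256-byte element, which is exactly the case the patched gmalloc() call would not catch.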