
xpdf bugs in koffice



Hi,

"infamous41md" discovered several heap based buffer overflows in xpdf,
the Portable Document Format (PDF) suite, which is also present in
koffice, the KDE Office Suite, and which can lead to a denial of
service by crashing the application or possibly to the execution of
arbitrary code.

CVE IDs        : CVE-2005-3191 CVE-2005-3193 CVE-2005-3624 CVE-2005-3625
                 CVE-2005-3626 CVE-2005-3627 CVE-2005-3628

I'm attaching the patch we're going to use for the update in sarge.

Please
 . update the package in sid
 . mention the CVE id from above in the changelog
 . tell me the version number of the fixed package
 . use urgency=high

Regards,

	Joey

-- 
Never trust an operating system you don't have source for!
diff -u koffice-1.3.5/debian/changelog koffice-1.3.5/debian/changelog
--- koffice-1.3.5/debian/changelog
+++ koffice-1.3.5/debian/changelog
@@ -1,3 +1,15 @@
+koffice (1:1.3.5-4.sarge.2) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Applied patches by Derek Noonberg, Martin Pitt, Dirk Müller and
+    Ludwig Nussel to fix buffer overflows in the xpdf filter
+    [filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc,
+    filters/kword/pdf/xpdf/xpdf/Stream.cc,
+    filters/kword/pdf/xpdf/xpdf/Stream.h, CVE-2005-3191, CVE-2005-3193,
+    ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.01pl1.patch]
+
+ -- Martin Schulze <joey@infodrom.org>  Wed, 21 Dec 2005 10:30:53 +0100
+
 koffice (1:1.3.5-4.sarge.1) stable-security; urgency=high
 
   * Security upload.
only in patch2:
unchanged:
--- koffice-1.3.5.orig/debian/patches/security_CVE-2005-3191.diff
+++ koffice-1.3.5/debian/patches/security_CVE-2005-3191.diff
@@ -0,0 +1,244 @@
+diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc
+--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc	2003-01-13 15:51:17.000000000 +0100
++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/JBIG2Stream.cc	2005-12-21 10:22:50.000000000 +0100
+@@ -13,6 +13,7 @@
+ #endif
+ 
+ #include <stdlib.h>
++#include <limits.h>
+ #include "GList.h"
+ #include "Error.h"
+ #include "JBIG2Stream.h"
+@@ -977,7 +978,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+   w = wA;
+   h = hA;
+   line = (wA + 7) >> 3;
+-  data = (Guchar *)gmalloc(h * line);
++
++  if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line)
++    data = NULL;
++  else {
++    // need to allocate one extra guard byte for use in combine()
++    data = (Guchar *)gmalloc(h * line + 1);
++    data[h * line] = 0;
++  }
+ }
+ 
+ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
+@@ -986,8 +994,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, 
+   w = bitmap->w;
+   h = bitmap->h;
+   line = bitmap->line;
+-  data = (Guchar *)gmalloc(h * line);
++
++  if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) {
++    data = NULL;
++    return;
++  }
++
++  data = (Guchar *)gmalloc(h * line + 1);
+   memcpy(data, bitmap->data, h * line);
++  data[h * line] = 0;
+ }
+ 
+ JBIG2Bitmap::~JBIG2Bitmap() {
+@@ -1012,10 +1027,10 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
+ }
+ 
+ void JBIG2Bitmap::expand(int newH, Guint pixel) {
+-  if (newH <= h) {
++  if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) {
+     return;
+   }
+-  data = (Guchar *)grealloc(data, newH * line);
++  data = (Guchar *)grealloc(data, newH * line + 1);
+   if (pixel) {
+     memset(data + h * line, 0xff, (newH - h) * line);
+   } else {
+@@ -2505,6 +2520,16 @@ void JBIG2Stream::readHalftoneRegionSeg(
+     error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
+     return;
+   }
++
++  if (gridH == 0 || gridW >= INT_MAX / gridH) {
++    error(getPos(), "Bad size in JBIG2 halftone segment");
++    return;
++  }
++  if (w == 0 || h >= INT_MAX / w) {
++    error(getPos(), "Bad size in JBIG2 bitmap segment");
++    return;
++  }
++
+   patternDict = (JBIG2PatternDict *)seg;
+   bpp = 0;
+   i = 1;
+@@ -3078,6 +3103,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
+   Guint ltpCX, cx, cx0, cx2, cx3, cx4, tpgrCX0, tpgrCX1, tpgrCX2;
+   int x, y, pix;
+ 
++  if (w < 0 || h <= 0 || w >= INT_MAX / h)
++    return NULL;
++
+   bitmap = new JBIG2Bitmap(0, w, h);
+   bitmap->clearToZero();
+ 
+diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.cc
+--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.cc	2003-01-13 15:51:17.000000000 +0100
++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.cc	2005-12-21 10:23:03.000000000 +0100
+@@ -15,6 +15,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <stddef.h>
++#include <limits.h>
+ #ifndef WIN32
+ #include <unistd.h>
+ #endif
+@@ -404,18 +405,41 @@ void ImageStream::skipLine() {
+ 
+ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
+ 				 int widthA, int nCompsA, int nBitsA) {
++  int totalBits;
++
+   str = strA;
+   predictor = predictorA;
+   width = widthA;
+   nComps = nCompsA;
+   nBits = nBitsA;
++  predLine = NULL;
++  ok = gFalse;
+ 
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps >= INT_MAX/nBits ||
++      width >= INT_MAX/nComps/nBits) {
++    return;
++  }
+   nVals = width * nComps;
++  if (nVals + 7 <= 0) {
++    return;
++  }
++  totalBits = nVals * nBits;
++  if (totalBits == 0 ||
++      (totalBits / nBits) / nComps != width ||
++      totalBits + 7 < 0) {
++    return;
++  }
+   pixBytes = (nComps * nBits + 7) >> 3;
+-  rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
++  rowBytes = ((totalBits + 7) >> 3) + pixBytes;
++  if (rowBytes < 0) {
++    return;
++  }
+   predLine = (Guchar *)gmalloc(rowBytes);
+   memset(predLine, 0, rowBytes);
+   predIdx = rowBytes;
++
++  ok = gTrue;
+ }
+ 
+ StreamPredictor::~StreamPredictor() {
+@@ -982,6 +1006,10 @@ LZWStream::LZWStream(Stream *strA, int p
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+@@ -1227,6 +1255,12 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
+   endOfLine = endOfLineA;
+   byteAlign = byteAlignA;
+   columns = columnsA;
++
++  if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) {
++    error(getPos(), "Bad number of columns in CCITTFaxStream");
++    exit(1);
++  }
++
+   rows = rowsA;
+   endOfBlock = endOfBlockA;
+   black = blackA;
+@@ -2861,6 +2895,11 @@ GBool DCTStream::readBaselineSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream", prec);
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2887,6 +2926,11 @@ GBool DCTStream::readProgressiveSOF() {
+   height = read16();
+   width = read16();
+   numComps = str->getChar();
++  if (numComps <= 0 || numComps > 4) {
++    numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   if (prec != 8) {
+     error(getPos(), "Bad DCT precision %d", prec);
+     return gFalse;
+@@ -2909,6 +2953,11 @@ GBool DCTStream::readScanInfo() {
+ 
+   length = read16() - 2;
+   scanInfo.numComps = str->getChar();
++  if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
++    scanInfo.numComps = 0;
++    error(getPos(), "Bad number of components in DCT stream");
++    return gFalse;
++  }
+   --length;
+   if (length != 2 * scanInfo.numComps + 3) {
+     error(getPos(), "Bad DCT scan info block");
+@@ -2976,12 +3025,12 @@ GBool DCTStream::readHuffmanTables() {
+   while (length > 0) {
+     index = str->getChar();
+     --length;
+-    if ((index & 0x0f) >= 4) {
++    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
+       error(getPos(), "Bad DCT Huffman table");
+       return gFalse;
+     }
+     if (index & 0x10) {
+-      index &= 0x0f;
++      index &= 0x03;
+       if (index >= numACHuffTables)
+ 	numACHuffTables = index+1;
+       tbl = &acHuffTables[index];
+@@ -3179,6 +3228,10 @@ FlateStream::FlateStream(Stream *strA, i
+     FilterStream(strA) {
+   if (predictor != 1) {
+     pred = new StreamPredictor(this, predictor, columns, colors, bits);
++    if (!pred->isOk()) {
++      delete pred;
++      pred = NULL;
++    }
+   } else {
+     pred = NULL;
+   }
+diff -u -p -Nr --exclude CVS koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.h koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.h
+--- koffice-1.3.5.orig/filters/kword/pdf/xpdf/xpdf/Stream.h	2003-07-01 00:13:04.000000000 +0200
++++ koffice-1.3.5/filters/kword/pdf/xpdf/xpdf/Stream.h	2005-12-21 10:23:03.000000000 +0100
+@@ -225,6 +225,8 @@ public:
+ 
+   ~StreamPredictor();
+ 
++  GBool isOk() { return ok; }
++
+   int lookChar();
+   int getChar();
+ 
+@@ -242,6 +244,7 @@ private:
+   int rowBytes;			// bytes per line
+   Guchar *predLine;		// line buffer
+   int predIdx;			// current index in predLine
++  GBool ok;
+ };
+ 
+ //------------------------------------------------------------------------
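Review bot: In `JBIG2Bitmap::expand` (the `@@ -1012,10 +1027,10 @@` hunk of JBIG2Stream.cc) the buffer is regrown to `newH * line + 1` but the extra byte is never written, so after `grealloc` the guard byte that both constructors zero "for use in combine()" is uninitialized memory; add `data[newH * line] = 0;` after the `memset` branches (the rest of `expand` is outside the hunk). In the copy constructor at `@@ -986,8 +994,15 @@`, `memcpy(data, bitmap->data, h * line)` still runs when the source bitmap's own constructor took the `data = NULL` path, so a `bitmap->data == NULL` check is needed there too; callers of the NULL-data bitmaps are not visible here, so whether they cope cannot be confirmed from this hunk. In `CCITTFaxStream::CCITTFaxStream`, `exit(1)` on a bad column count terminates the whole host process — in koffice this filter runs inside the office application, so one malformed PDF would bring down the editor; reporting the error and clamping `columns` to a safe value, as the DCT checks in the same patch do by returning gFalse, is the safer failure mode. The first DCT check in `readBaselineSOF` passes an extra `prec` argument to `error()` whose format string has no conversion for it, unlike the two identical checks below it; dropping it keeps the three consistent. The new `GBool ok;` member in Stream.h is the only field in that block without a trailing comment; `// gFalse if the ctor rejected the geometry` would match its neighbours.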
