Re: xpdf vulnerability?
On 2005-03-18 09:53:49 -0500 Frank Küster <frank@debian.org> wrote:
> So the question is whether our changed patch is vulnerable to this:
>
> + if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {
>
> The value of INT_MAX, as defined in /usr/include/limits.h, does not
> depend on the architecture (just compared the values on my i386
> against merulo (ia64)). Therefore this will *always* check whether
> size times sizeof(XRefEntry) fits into a (32bit) int, as needed for
> gmalloc, and all is well.
Well, INT_MAX is defined as the maximum value that can fit in a signed
int, so if a compiler decides that a signed int is 64 bits, this will
not work. However, I think gcc is pretty consistent in saying that
an int is 32 bits. (Someone please confirm this.)
BTW, I just checked on two Alpha machines, and INT_MAX is defined to be
the same value as on i386.
So I guess it depends on how safe you want to play. If you're assuming
that it's just going to be compiled under gcc, I guess you're fine. If
you want to be completely compatible with every weird (within reason)
compiler, it would be better to define a new constant. You can also use
INT32_MAX from stdint.h (which, if you're using from C++ code, you'll
have to #define __STDC_LIMIT_MACROS before you include stdint.h).
--
Hubert Chan <hubert@uhoreg.ca> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Reply to: