
Re: New xpdf vulnerabilities related to CAN-2004-0888



Martin Pitt <martin@piware.de> wrote:

> Hi xpdf/cupsys/tetex-bin maintainers, hi Debian security team!
>
> Marcus Meissner discovered even more instances of integer overflows
> (see CAN-2004-0888), see forwarded message below.
>
> Several packages follow the bad habit of including xpdf source code;

Why do you think this is a bad habit? As long as xpdf does not provide a
library which we could use, what other choice is there (except rewriting
it)?

> ----- Forwarded message from Matt Zimmerman <mdz@canonical.com> -----
> From: Marcus Meissner <meissner@suse.de>
> To: vendor-sec@lst.de
> Cc: derekn@foolabs.com
> Subject: [vendor-sec] xpdf .... 64bit fun
> Date: Fri, 29 Oct 2004 15:50:53 +0200
>
> I have identified 2 problems:
>
> - We are using "if (size * sizeof(Foo)/sizeof(Foo) != size)" checks, 
>   which operate on "size_t" which is 64bit unsigned long on 64bit systems.

In the fixes for tetex-bin and pdftohtml in Debian, we used instead

#include <limits.h>
...
if (size >= INT_MAX/sizeof(Foo))

because Martin Schulze feared that the construct cited by you might be
optimized away by the compiler.

Regards, Frank
-- 
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer
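
Added example, not part of the original message and not code from xpdf or the Debian patches: it compares the multiply-and-divide check quoted above, evaluated with a 32-bit and with a 64-bit size_t, against the INT_MAX/sizeof(Foo) bound. Assumptions: Foo is a hypothetical 8-byte struct, fixed-width types model int and size_t, and the byte count is later received as a 32-bit int.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte element standing in for the message's "Foo". */
typedef struct { uint32_t a, b; } Foo;
#define FOO_SZ ((uint32_t)sizeof(Foo))

/* Quoted check with a 32-bit size_t: the product wraps, so the
   division no longer gives back the count. Returns 1 if accepted. */
static int roundtrip_accepts_32(int32_t size) {
    uint32_t n = (uint32_t)size;
    return (uint32_t)(n * FOO_SZ) / FOO_SZ == n;
}

/* Same check with a 64-bit size_t (modelled with uint64_t). */
static int roundtrip_accepts_64(int32_t size) {
    uint64_t n = (uint64_t)(int64_t)size;   /* int -> size_t conversion */
    return n * FOO_SZ / FOO_SZ == n;
}

/* Byte count as seen by a callee whose parameter is a 32-bit int
   (assumed signature, not stated in the message). */
static int32_t bytes_as_int(int32_t size) {
    return (int32_t)(uint32_t)((uint64_t)(int64_t)size * FOO_SZ);
}

/* Bound from the Debian fixes: reject size >= INT_MAX/sizeof(Foo).
   INT32_MAX models INT_MAX; a negative int converts to a huge unsigned
   value in that comparison, written out here as size < 0. */
static int bound_accepts(int32_t size) {
    return size >= 0 && (uint32_t)size < (uint32_t)INT32_MAX / FOO_SZ;
}

int main(void) {
    /* Constructed counts: small, largest accepted by the bound, 2^29, negative. */
    const int32_t samples[] = { 1000, 268435454, 0x20000000, -1 };
    puts("      size  rt32 rt64 bound  bytes_as_int");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t s = samples[i];
        printf("%10d  %4d %4d %5d  %12d\n", (int)s, roundtrip_accepts_32(s),
               roundtrip_accepts_64(s), bound_accepts(s), (int)bytes_as_int(s));
    }
    return 0;
}
```

For a count of 2^29 the 64-bit evaluation accepts a product of 2^32, which becomes 0 once narrowed to a 32-bit int, while the bound rejects it.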


