Bug#278298: woody is still affected
tags 278298 patch
stop
Martin Schulze <joey@infodrom.org> schrieb:
> Frank Küster wrote:
>> # as previously explained, woody is also affected by this.
>> # a patch will follow soon
>
> We've experienced a buildd failure on one architecture which is keeping
> this update from being released. It will be released as soon as the buildd
> problem is fixed.
The patch I first sent you is not complete - it just contains the fixes
in xpdf_3.00-9, not the additional ones in 3.00-10. Here's a complete
patch, backported to woody's tetex-bin.
As explained previously, in the part analogous to xpdf 3.00-9 (which is
already fixed for tetex-bin in unstable), there is one hunk that does not
apply to woody at all - the code is simply not there.
The new patch (3.00-10) applies fine to the sources in woody, but it
uses some error handling routines that are not implemented in xpdf-1 (or
tetex-bin_1*). I simply commented out the line "errCode = errDamaged".
The patched sources compile fine in a woody pbuilder environment on
i386, but I have not yet set up a woody machine for testing them.
Here's the patch (against -7.1, the version currently in the archive):
diff -Nur tetex-bin-1.0.7+20011202.orig/debian/changelog tetex-bin-1.0.7+20011202/debian/changelog
--- tetex-bin-1.0.7+20011202.orig/debian/changelog Thu Nov 21 11:48:30 2002
+++ tetex-bin-1.0.7+20011202/debian/changelog Tue Nov 23 14:40:38 2004
@@ -1,3 +1,11 @@
+tetex-bin (1.0.7+20011202-7.2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Backported fixes for several integer overflows in the xpdf library
+ included in tetex-bin, thanks to Frank Küster <frank@debian.org>
+
+ -- Frank Küster <frank@debian.org> Tue, 23 Nov 2004 14:40:38 +0100
+
tetex-bin (1.0.7+20011202-7.1) stable-security; urgency=high
* Non-maintainer upload by the Security Team
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.c tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.c
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.c Sat Oct 27 00:07:08 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.c Mon Nov 22 14:39:18 2004
@@ -52,9 +52,9 @@
#endif /* DEBUG_MEM */
-void *gmalloc(int size) {
+void *gmalloc(size_t size) {
#ifdef DEBUG_MEM
- int size1;
+ size_t size1;
char *mem;
GMemHdr *hdr;
void *data;
@@ -93,11 +93,11 @@
#endif
}
-void *grealloc(void *p, int size) {
+void *grealloc(void *p, size_t size) {
#ifdef DEBUG_MEM
GMemHdr *hdr;
void *q;
- int oldSize;
+ size_t oldSize;
if (size == 0) {
if (p)
@@ -136,7 +136,7 @@
void gfree(void *p) {
#ifdef DEBUG_MEM
- int size;
+ size_t size;
GMemHdr *hdr;
GMemHdr *prevHdr, *q;
int lst;
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.h tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.h
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/goo/gmem.h Sat Oct 27 00:07:08 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/goo/gmem.h Mon Nov 22 14:39:45 2004
@@ -19,13 +19,13 @@
* Same as malloc, but prints error message and exits if malloc()
* returns NULL.
*/
-extern void *gmalloc(int size);
+extern void *gmalloc(size_t size);
/*
* Same as realloc, but prints error message and exits if realloc()
* returns NULL. If <p> is NULL, calls malloc instead of realloc().
*/
-extern void *grealloc(void *p, int size);
+extern void *grealloc(void *p, size_t size);
/*
* Same as free, but checks for and ignores NULL pointers.
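Review bot: The prototypes now take `size_t`, but nothing in this hunk shows gmem.h including a header that declares it; unless `<stddef.h>` or `<stdlib.h>` is already included above line 19 (not visible here), a translation unit that includes gmem.h before any libc header will fail to compile on the new signatures. The minimal fix is `#include <stddef.h>` at the top of gmem.h. It is also worth stating in the header comment that a negative length from a caller still doing `int` arithmetic now arrives as a huge unsigned value and makes the allocator fail/exit rather than being silently truncated, so callers still need their own overflow checks before the multiplication, which is what the Catalog.cc and XRef.cc hunks add.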
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/Catalog.cc tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/Catalog.cc
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/Catalog.cc Sat Oct 27 00:07:09 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/Catalog.cc Mon Nov 22 14:29:55 2004
@@ -19,6 +19,7 @@
#include "Error.h"
#include "Link.h"
#include "Catalog.h"
+#include <limits.h>
//------------------------------------------------------------------------
// Catalog
@@ -57,6 +58,12 @@
}
pagesSize = numPages0 = obj.getInt();
obj.free();
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i = 0; i < pagesSize; ++i) {
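Review bot: The new guard rejects a negative `/Count` from `obj.getInt()` only because `pagesSize` is promoted to `size_t` in the comparison and wraps to a huge value; the XRef.cc hunk in the same patch spells this out with `size < 0 ||`, and this check should match it: `if (pagesSize < 0 || pagesSize >= INT_MAX/sizeof(Page *) || pagesSize >= INT_MAX/sizeof(Ref)) {`. The early `return` also leaves the constructor before `pages` and `pageRefs` are assigned, which is only safe if both are initialised to NULL earlier in the constructor (outside this hunk) so the destructor's frees do not touch garbage — worth confirming. The enclosing constructor starts and ends outside the hunk.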
@@ -147,6 +154,11 @@
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
for (j = pagesSize - 32; j < pagesSize; ++j) {
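Review bot: `pagesSize += 32` is applied before the new bound check, so on the `goto err3` path `pagesSize` is 32 larger than `pages`/`pageRefs` actually hold; if the `err3` cleanup (outside this hunk) walks `pages[0..pagesSize)` to delete entries, that reads past the old allocation. Either test the incremented value before storing it, or restore it on failure: `pagesSize -= 32; goto err3;`. The enclosing function starts and ends outside the hunk.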
diff -Nur tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/XRef.cc tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/XRef.cc
--- tetex-bin-1.0.7+20011202.orig/libs/xpdf/xpdf/XRef.cc Wed Nov 14 11:15:59 2001
+++ tetex-bin-1.0.7+20011202/libs/xpdf/xpdf/XRef.cc Mon Nov 22 16:50:20 2004
@@ -25,6 +25,7 @@
#endif
#include "Error.h"
#include "XRef.h"
+#include <limits.h>
//------------------------------------------------------------------------
@@ -74,6 +75,8 @@
start = str->getStart();
pos = readTrailer();
+ entries = NULL;
+
// if there was a problem with the trailer,
// try to reconstruct the xref table
if (pos == 0) {
@@ -84,6 +87,12 @@
// trailer is ok - read the xref table
} else {
+ if (size < 0 || size >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'size' inside xref table.");
+ ok = gFalse;
+ /* errCode = errDamaged; not defined and handled in version 1 */
+ return;
+ }
entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
for (i = 0; i < size; ++i) {
entries[i].offset = -1;
@@ -181,7 +190,7 @@
n = atoi(p);
while ('0' <= *p && *p <= '9') ++p;
while (isspace(*p)) ++p;
- if (p == buf)
+ if ((p == buf) || (n < 0)) /* must make progress */
return 0;
pos1 += (p - buf) + n * 20;
}
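Review bot: Rejecting `n < 0` removes the negative-offset case, but `n * 20` on the next line still overflows `int` (undefined behaviour) whenever `n` exceeds `INT_MAX/20`, and `atoi()` itself is undefined on out-of-range digit runs; since `n` comes straight from the file, bound it before the multiplication, e.g. `if ((p == buf) || (n < 0) || (n > (INT_MAX - pos1) / 20)) return 0;`. A wrong `pos1` here most likely just makes the trailer lookup fail rather than corrupt memory, but the computation should not depend on wrap-around. The enclosing function starts and ends outside the hunk.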
@@ -248,6 +257,10 @@
goto err2;
s[i] = '\0';
first = atoi(s);
+ if (first < 0) {
+ error(-1, "Invalid 'first'");
+ goto err2;
+ }
while ((c = str->lookChar()) != EOF && isspace(c))
str->getChar();
for (i = 0; (c = str->getChar()) != EOF && isdigit(c) && i < 20; ++i)
@@ -256,6 +269,10 @@
goto err2;
s[i] = '\0';
n = atoi(s);
+ if (n<=0) {
+ error(-1, "Invalid 'n'");
+ goto err2;
+ }
while ((c = str->lookChar()) != EOF && isspace(c))
str->getChar();
for (i = first; i < first + n; ++i) {
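Review bot: `first` and `n` are now checked individually, but the loop bound `first + n` at the end of the hunk can still overflow `int` when both are large (both come from the file), which is undefined behaviour and in practice makes the condition false or wraps `i`; add `if (n > INT_MAX - first) { error(-1, "Invalid 'n'"); goto err2; }` after the `n<=0` check. Whether the loop body bounds `i` against `size` before indexing `entries[i]` is not visible here and should be confirmed. The enclosing function continues past this hunk.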
@@ -370,6 +387,10 @@
// look for object
} else if (isdigit(*p)) {
num = atoi(p);
+ if (num < 0) {
+ error(-1, "Invalid 'num' parameters.");
+ return gFalse;
+ }
do {
++p;
} while (*p && isdigit(*p));
@@ -389,6 +410,10 @@
if (!strncmp(p, "obj", 3)) {
if (num >= size) {
newSize = (num + 1 + 255) & ~255;
+ if (newSize < 0 || newSize >= INT_MAX/sizeof(XRefEntry)) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries = (XRefEntry *)
grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
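Review bot: `newSize = (num + 1 + 255) & ~255` is computed before the new check, so for `num` within 256 of INT_MAX the addition itself overflows `int` (undefined behaviour) and the `newSize < 0` test only catches it by relying on wrap-around; bound `num` first, e.g. `if (num >= INT_MAX - 256 || num >= INT_MAX/sizeof(XRefEntry) - 256) { error(-1, "Invalid 'obj' parameters."); return gFalse; }` placed before the `newSize` assignment. With that in place the `newSize >= INT_MAX/sizeof(XRefEntry)` test is redundant but harmless. The enclosing function starts and ends outside this hunk.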
@@ -410,6 +435,11 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize >=INT_MAX/sizeof(int)) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
+
streamEnds = (int *)grealloc(streamEnds, streamEndsSize * sizeof(int));
}
streamEnds[streamEndsLen++] = pos;
Regards, Frank
--
Frank Küster
Inst. f. Biochemie der Univ. Zürich
Debian Developer