[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#300182: tetex-bin still vulnerable to CAN-2004-0888 (CAN-2005-0206)

Package: tetex-bin
Version: 2.0.2-26
Severity: critical
Tags: security

Hi all,

As recently discovered the patch, which fixed CAN-2004-0888, seems to
be broken on all 64bit platforms (tested only on ia64 though).[1]

Attched are two patches, which should fix that. They are simply
stolen from the RedHat BTS.[2]

H.

[1] e.g.: http://www.auscert.org.au/render.html?it=4887
[2] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135393
-- 
sigmentation fault

@@ -186,6 +192,11 @@
       }
       if (start >= pagesSize) {
        pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+            pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }

--- XRef.cc.orig	2004-09-17 23:54:38.000000000 -0700
+++ XRef.cc	2004-09-25 17:59:36.000000000 -0700
@@ -76,6 +76,12 @@
 
   // trailer is ok - read the xref table
   } else {
+    if (size*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != size) {
+      error(-1, "Invalid 'size' inside xref table.");
+      ok = gFalse;
+      errCode = errDamaged;
+      return;
+    }
     entries = (XRefEntry *)gmalloc(size * sizeof(XRefEntry));
     for (i = 0; i < size; ++i) {
       entries[i].offset = 0xffffffff;
@@ -267,6 +273,10 @@
     // table size
     if (first + n > size) {
       newSize = size + 256;
+      if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+        error(-1, "Invalid 'newSize'");
+        goto err2;
+      }
       entries = (XRefEntry *)grealloc(entries, newSize * sizeof(XRefEntry));
       for (i = size; i < newSize; ++i) {
 	entries[i].offset = 0xffffffff;
@@ -410,6 +420,10 @@
 	    if (!strncmp(p, "obj", 3)) {
 	      if (num >= size) {
 		newSize = (num + 1 + 255) & ~255;
+	        if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+	          error(-1, "Invalid 'obj' parameters.");
+	          return gFalse;
+	        }
 		entries = (XRefEntry *)
 		            grealloc(entries, newSize * sizeof(XRefEntry));
 		for (i = size; i < newSize; ++i) {
@@ -431,6 +445,11 @@
     } else if (!strncmp(p, "endstream", 9)) {
       if (streamEndsLen == streamEndsSize) {
 	streamEndsSize += 64;
+        if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
+          error(-1, "Invalid 'endstream' parameter.");
+          return gFalse;
+        }
+
 	streamEnds = (Guint *)grealloc(streamEnds,
 				       streamEndsSize * sizeof(int));
       }
--- Catalog.cc.orig	2004-09-18 00:14:15.000000000 -0700
+++ Catalog.cc	2004-09-25 18:19:55.000000000 -0700
@@ -63,6 +63,12 @@
   }
   pagesSize = numPages0 = obj.getInt();
   obj.free();
+  if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+      pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+    error(-1, "Invalid 'pagesSize'");
+    ok = gFalse;
+    return;
+  }
   pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
   pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
   for (i = 0; i < pagesSize; ++i) {
@@ -190,6 +196,10 @@
       }
       if (start >= pagesSize) {
 	pagesSize += 32;
+        if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize) {
+          error(-1, "Invalid 'pagesSize' parameter.");
+          goto err3;
+        }
 	pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
 	pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
 	for (j = pagesSize - 32; j < pagesSize; ++j) {

Attachment: pgp3s5Hh7EBaV.pgp
Description: PGP signature

Reply to: