
Bug#342292: Fwd: Re: [vendor-sec] xpdf update - patch wrong?



Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload.  Would you be so kind and check the
> updated patch at 
> 
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
> 
> I'm completely illiterate in C++, and would like to make sure this is
> correct.

OK, you can now find the 3.0 debdiff at 

  http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

it might be interesting for you to get the CVE numbers in the
changelog right. (Please do mention the CVE numbers to ease tracking.)

The essential difference is the JPXStream.cc diff, which now looks
like:

--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc   2004-01-22 02:26:45.000000000 +0100
+++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc       2005-12-08 14:40:19.000000000 +0100
@@ -666,7 +666,8 @@
   int segType;
   GBool haveSIZ, haveCOD, haveQCD, haveSOT;
   Guint precinctSize, style;
-  Guint segLen, capabilities, comp, i, j, r;
+  Guint segLen, capabilities, nTiles, comp, i, j, r;
+  Guint allocSize;

   //----- main header
   haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
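Review bot: allocSize is declared Guint, but the only consumer is gmalloc() in the next hunk, so confirm that gmalloc's size parameter can hold the full Guint range; if it is a signed int, a value between INT_MAX and UINT_MAX passes the wraparound checks below and is then converted to a negative size. Bounding the product against INT_MAX / sizeof(JPXTile), which is the effect of upstream's gmallocn() that this patch is standing in for, closes that gap. Minor: the two new Guints could simply be appended to the existing declaration line rather than adding a second one.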
@@ -701,8 +702,15 @@
                    / img.xTileSize;
       img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
                    / img.yTileSize;
-      img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
-                                    sizeof(JPXTile));
+      nTiles = img.nXTiles * img.nYTiles;
+      allocSize = nTiles * sizeof(JPXTile);
+      // check for overflow before allocating memory
+      if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles ||
+          allocSize / sizeof(JPXTile) != nTiles) {
+       error(getPos(), "Bad tile count in JPX SIZ marker segment");
+       return gFalse;
+      }
+      img.tiles = (JPXTile *)gmalloc(allocSize);
       for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
        img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
                                                        sizeof(JPXTileComp));
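Review bot: the for loop right after the new check still recomputes `img.nXTiles * img.nYTiles` instead of using the just-validated nTiles, and the inner `gmalloc(img.nComps * sizeof(JPXTileComp))` repeats the unchecked multiply-then-allocate pattern this hunk fixes for the tiles array; use `for (i = 0; i < nTiles; ++i)` and give nComps the same overflow check (or an explicit upper bound) before that gmalloc. Two things worth a comment in the code: the `nTiles == 0` test short-circuits before `nTiles / img.nXTiles`, so a zero nXTiles cannot divide by zero here, and on a 64-bit host `nTiles * sizeof(JPXTile)` is computed in size_t and truncated on assignment to the Guint allocSize, which is what the `allocSize / sizeof(JPXTile) != nTiles` comparison is there to catch.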


I added an additional allocSize variable and check it for int
overflow, to get the same effect as gmallocn() in the original xpdf
source.

HTH,

Martin
(who really wishes upstreams would switch to poppler after uploading
22 security update packages)

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

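The following is an added example, not code from the patch, from tetex-bin or from xpdf. It puts the wraparound check from the quoted JPXStream.cc hunk side by side with a stricter check that bounds the product by INT_MAX, in the spirit of the gmallocn() the message refers to (the exact gmallocn source is not on this page, so that bound is an assumption). JPXTile is a constructed 32-byte stand-in, not the real struct, and the nXTiles/nYTiles pairs are constructed values of the kind a hostile SIZ marker segment could produce. The point it shows is the one a reviewer should check: the unsigned wraparound test accepts a byte count such as 2^31 that no longer fits a signed int, so whether that is safe depends entirely on the type gmalloc() takes.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for xpdf's JPXTile; only its size matters here
 * (assumed 32 bytes, not the real struct). */
typedef struct {
    unsigned char payload[32];
} JPXTile;

/* Same arithmetic and checks as the quoted hunk, with Guint spelled as
 * unsigned.  Returns the byte size to allocate, or 0 if the SIZ values
 * are rejected (0 is never a valid size because nTiles == 0 is rejected). */
size_t tile_bytes_wraparound(unsigned nXTiles, unsigned nYTiles)
{
    unsigned nTiles = nXTiles * nYTiles;
    /* On an LP64 host the multiplication happens in size_t and the result
     * is truncated to 32 bits on assignment, exactly as in the patch; the
     * division below detects that truncation. */
    unsigned allocSize = (unsigned)(nTiles * sizeof(JPXTile));
    if (nTiles == 0 || nTiles / nXTiles != nYTiles ||
        allocSize / sizeof(JPXTile) != nTiles)
        return 0;
    return allocSize;
}

/* Stricter variant: reject any product that does not fit a positive int,
 * modelled on the INT_MAX bound of gmallocn() (assumed, not copied). */
size_t tile_bytes_int_max(unsigned nXTiles, unsigned nYTiles)
{
    if (nXTiles == 0 || nYTiles == 0)
        return 0;
    if (nXTiles > (unsigned)INT_MAX / nYTiles)
        return 0;                          /* nXTiles * nYTiles > INT_MAX */
    unsigned nTiles = nXTiles * nYTiles;   /* cannot wrap: <= INT_MAX */
    if (nTiles > (unsigned)INT_MAX / sizeof(JPXTile))
        return 0;                          /* byte size > INT_MAX */
    return (size_t)nTiles * sizeof(JPXTile);
}

/* Would this byte count survive being passed as an `int` size parameter? */
int fits_signed_int(size_t bytes)
{
    return bytes <= (size_t)INT_MAX;
}

/* 0: both checks reject; 1: both accept; 2: the wraparound check accepts
 * a size that no longer fits a signed int. */
int classify(unsigned nXTiles, unsigned nYTiles)
{
    size_t a = tile_bytes_wraparound(nXTiles, nYTiles);
    size_t b = tile_bytes_int_max(nXTiles, nYTiles);
    if (a == 0 && b == 0) return 0;
    if (a != 0 && b != 0) return 1;
    return 2;
}

int main(void)
{
    /* Constructed nXTiles/nYTiles pairs, as a hostile SIZ segment could yield. */
    struct { unsigned x, y; } cases[] = {
        {4, 8},             /* ordinary image */
        {65536, 65536},     /* nTiles wraps to 0 */
        {65537, 65537},     /* nTiles wraps to a small nonzero value */
        {65536, 4096},      /* nTiles fine, byte size wraps/truncates */
        {4096, 16384},      /* byte size 2^31: fits unsigned, not int */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t w = tile_bytes_wraparound(cases[i].x, cases[i].y);
        printf("%6u x %6u: wraparound check -> %10zu (fits int: %d), "
               "INT_MAX check -> %10zu, class %d\n",
               cases[i].x, cases[i].y, w, fits_signed_int(w),
               tile_bytes_int_max(cases[i].x, cases[i].y),
               classify(cases[i].x, cases[i].y));
    }
    return 0;
}
```

The 4096 x 16384 row is the interesting one: every division in the patch's check comes out consistent, so it returns a 2 GiB allocation size, while the INT_MAX-bounded check rejects it. If gmalloc() takes an int, that value arrives as a negative number, which is why the stricter bound is the safer drop-in for gmallocn().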