Hi Frank!

Frank Küster [2005-12-08 13:17 +0100]:
> We have the same flaw in our upload. Would you be so kind and check the
> updated patch at
>
> http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0
>
> I'm completely illiterate in C++, and would like to make sure this is
> correct.

OK, you can now find the 3.0 debdiff at

  http://patches.ubuntu.com/patches/tetex-bin.CVE-2005-3191_2_3.diff

it might be interesting for you to get the CVE numbers in the changelog right. (Please do mention the CVE numbers to ease tracking.)

The essential difference is the JPXStream.cc diff, which now looks like:

--- tetex-bin-3.0/libs/xpdf/xpdf/JPXStream.cc 2004-01-22 02:26:45.000000000 +0100 +++ tetex-bin-3.0.new/libs/xpdf/xpdf/JPXStream.cc 2005-12-08 14:40:19.000000000 +0100 @@ -666,7 +666,8 @@ int segType; GBool haveSIZ, haveCOD, haveQCD, haveSOT; Guint precinctSize, style; - Guint segLen, capabilities, comp, i, j, r; + Guint segLen, capabilities, nTiles, comp, i, j, r; + Guint allocSize; //----- main header haveSIZ = haveCOD = haveQCD = haveSOT = gFalse; @@ -701,8 +702,15 @@ / img.xTileSize; img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1) / img.yTileSize; - img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles * - sizeof(JPXTile)); + nTiles = img.nXTiles * img.nYTiles; + allocSize = nTiles * sizeof(JPXTile); + // check for overflow before allocating memory + if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles || + allocSize / sizeof(JPXTile) != nTiles) { + error(getPos(), "Bad tile count in JPX SIZ marker segment"); + return gFalse; + } + img.tiles = (JPXTile *)gmalloc(allocSize); for (i = 0; i < img.nXTiles * img.nYTiles; ++i) { img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps * sizeof(JPXTileComp));

I added an additional allocSize variable and check it for int overflow, to get the same effect as gmallocn() in the original xpdf source.

HTH,

Martin (who really wishes upstreams would switch to poppler after uploading 22 security update packages)

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?
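
Review bot: in the second JPXStream.cc hunk (@@ -701,8 +702,15 @@), the unchanged context right after the new check still allocates with gmalloc(img.nComps * sizeof(JPXTileComp)), an unchecked multiplication of the same kind the hunk fixes for img.tiles; it needs the same divide-back test unless img.nComps is already bounded where it is read, which these lines do not show. The loop bound on the context line before it also recomputes img.nXTiles * img.nYTiles; using the validated nTiles there would keep a single checked value in use. The order of the new condition deserves a comment: nTiles == 0 has to stay first, because it is what keeps nTiles / img.nXTiles from dividing by zero when img.nXTiles is 0. Lastly, allocSize is a Guint while nTiles * sizeof(JPXTile) is evaluated in size_t, so the assignment can narrow the result; the allocSize / sizeof(JPXTile) != nTiles test does catch that, and the "check for overflow" comment should say it covers the narrowing as well as the wrap.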