Package: gpdf
Version: 2.8.2-1.2
Tags: patch

Let's file a bug in the BTS for CAN-2005-0206. It's defined as:
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities.
----- Forwarded message from Moritz Muehlenhoff <[EMAIL PROTECTED]> -----
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
Date: Sat, 9 Apr 2005 23:37:31 +0200
To: [EMAIL PROTECTED]
Subject: CAN-2005-0206 xpdf 64 bit issues
User-Agent: Mutt/1.5.8i
Hi Joey,
I just reviewed all the packages incorporating xpdf with respect to the
fixes that are not 64-bit clean. All packages besides gpdf are fixed
properly; could you NMU with the attached patch? (The maintainer still
hasn't acked the previous one.)
Instead of casting to int as proposed in the Red Hat Bugzilla, I ported
over the MAX_INT patch, as we can never know whether upcoming GCC versions
will still not optimize the old check away (in fact I strongly believe
that GCC 4 with SSA _will_ optimize it away).
Cheers,
Moritz
diff -Naur gpdf-2.8.2.orig/xpdf/Catalog.cc gpdf-2.8.2/xpdf/Catalog.cc
--- gpdf-2.8.2.orig/xpdf/Catalog.cc 2004-11-05 19:43:19.000000000 +0100
+++ gpdf-2.8.2/xpdf/Catalog.cc 2005-04-09 23:30:20.000000000 +0200
@@ -64,10 +64,8 @@
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
- // The gcc doesnt optimize this away, so this check is ok,
- // even if it looks like a pagesSize != pagesSize check
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
error(-1, "Invalid 'pagesSize'");
ok = gFalse;
return;
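Review bot: The new `pagesSize` bound compares a signed value against `INT_MAX/sizeof(...)`, which has type `size_t`, so a negative result of `(int)obj.getNum()` is rejected only through the implicit conversion to unsigned. Writing it out, `if (pagesSize < 0 || (size_t)pagesSize >= INT_MAX/sizeof(Page *) ||`, keeps the check correct if the types ever change and avoids a sign-compare warning; the same applies to the second Catalog.cc hunk and to the XRef.cc hunks where no `< 0` test is visible. The deleted comment is not replaced, so a line such as `// byte count must fit in an int; do not rely on overflow wraparound` would record why the bound is INT_MAX. No hunk adds `#include <limits.h>`, so INT_MAX is presumably already visible in both files, which is worth confirming. The enclosing function starts and ends outside the hunk.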
@@ -200,8 +198,8 @@
}
if (start >= pagesSize) {
pagesSize += 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) != pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ if (pagesSize >= INT_MAX/sizeof(Page *) ||
+ pagesSize >= INT_MAX/sizeof(Ref)) {
error(-1, "Invalid 'pagesSize' parameter.");
goto err3;
}
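Review bot: `pagesSize += 32` runs before the bound is tested, so on the `goto err3` path the variable already holds the larger value although, as far as this hunk shows, nothing has been reallocated yet. If the object is still used after that error path, `start >= pagesSize` would no longer describe the real array size; whether that can happen depends on code outside the hunk. Computing the candidate in a local, `int newPagesSize = pagesSize + 32;`, testing it, and assigning `pagesSize = newPagesSize;` only after the arrays have grown avoids that state. The `streamEndsSize += 64` hunk in XRef.cc (`@@ -763`) has the same shape.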
diff -Naur gpdf-2.8.2.orig/xpdf/XRef.cc gpdf-2.8.2/xpdf/XRef.cc
--- gpdf-2.8.2.orig/xpdf/XRef.cc 2005-04-09 21:50:55.000000000 +0200
+++ gpdf-2.8.2/xpdf/XRef.cc 2005-04-09 23:27:59.000000000 +0200
@@ -393,7 +393,7 @@
if (newSize < 0) {
goto err1;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters'");
goto err1;
}
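Review bot: The expression `newSize >= INT_MAX/sizeof(XRefEntry)` is now repeated at four sites in XRef.cc (`@@ -393`, `@@ -503`, `@@ -597`, `@@ -736`), alongside the `streamEndsSize` and `pagesSize` variants, and the advisory text above describes an earlier fix for this same class of bug as incomplete. A single file-local helper, for example `static inline int sizeTooBig(int n, size_t elemSize) { return n < 0 || (size_t)n >= INT_MAX / elemSize; }`, would keep every call site in step and make a missed site easier to spot in review. The enclosing function is not fully visible in this hunk.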
@@ -503,7 +503,7 @@
goto err1;
}
if (newSize > size) {
- if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'size' parameter.");
return gFalse;
}
@@ -597,7 +597,7 @@
if (newSize < 0) {
return gFalse;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'size' inside xref table.");
return gFalse;
}
@@ -736,7 +736,7 @@
error(-1, "Bad object number");
return gFalse;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ if (newSize >= INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters.");
return gFalse;
}
@@ -763,7 +763,7 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) != streamEndsSize) {
+ if (streamEndsSize >= INT_MAX/sizeof(int)) {
error(-1, "Invalid 'endstream' parameter.");
return gFalse;
}
----- End forwarded message -----
--
see shy jo

