Hello community,

here is the log from the commit of package podofo for openSUSE:Factory checked 
in at 2019-05-22 15:40:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/podofo (Old)
 and      /work/SRC/openSUSE:Factory/.podofo.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "podofo"

Wed May 22 15:40:31 2019 rev:30 rq:704674 version:0.9.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/podofo/podofo.changes    2019-02-25 
18:01:00.594099460 +0100
+++ /work/SRC/openSUSE:Factory/.podofo.new.5148/podofo.changes  2019-05-22 
15:41:10.766428679 +0200
@@ -1,0 +2,6 @@
+Wed May 15 06:47:07 UTC 2019 - qzheng <[email protected]>
+
+- Add r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch
+  (boo#1129290, CVE-2019-9687).
+
+-------------------------------------------------------------------

New:
----
  r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ podofo.spec ++++++
--- /var/tmp/diff_new_pack.hEVnaf/_old  2019-05-22 15:41:15.570427264 +0200
+++ /var/tmp/diff_new_pack.hEVnaf/_new  2019-05-22 15:41:15.574427264 +0200
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via https://bugs.opensuse.org/
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
 
@@ -55,6 +55,8 @@
 Patch13:        
r1961-EncryptTest-Fix-buffer-overflow-in-decrypted-out-buffer-in-TestEncrypt.patch
 # PATCH-FIX-UPSTREAM
 Patch14:        
r1963-Fix-heap-based-buffer-overflow-vulnerability-in-PoDoFo-PdfVariant-DelayedLoad.patch
+# PATCH-FIX-UPSTREAM
+Patch15:        r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch
 BuildRequires:  cmake >= 2.5
 BuildRequires:  doxygen
 BuildRequires:  fdupes
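Review bot: Patch15 is declared here, but this diff adds no corresponding application of it in %prep, so whether the CVE-2019-9687 fix actually reaches the build depends on how the spec applies patches (for example %autopatch or %autosetup), which is outside this hunk. A declared-but-unapplied patch builds cleanly and silently ships the vulnerable code, so please confirm %prep applies it; if the spec uses explicit %patch lines, add `%patch15 -p0` beside the existing Patch14 application. Note the patch's file headers carry plain `src/base/PdfString.cpp` paths with no a/ b/ prefix, so the strip level must be 0 unless the other r19xx patches were re-prefixed.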

++++++ r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch ++++++
diff --git src/base/PdfString.cpp src/base/PdfString.cpp
index fd87c7e..e5555e8 100644
--- src/base/PdfString.cpp
+++ src/base/PdfString.cpp
@@ -627,7 +627,19 @@ void PdfString::InitUtf8()
                                                     this->GetUnicodeLength(), 
                                                     
reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient 
);
 
-        pBuffer[lUtf8-1] = '\0';
+        if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination 
here vs. 1 byte there
+        {
+            pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) 
);
+            if( !pBuffer )
+            {
+                PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
+            }
+            if (lUtf8 - 1 > lBufferLen)
+                lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const 
pdf_utf16be*>(m_buffer.GetBuffer()),
+                                                       
this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1);
+        }
+
+        pBuffer[lUtf8 - 1] = '\0';
         pBuffer[lUtf8] = '\0';
         m_sUtf8 = pBuffer;
         podofo_free( pBuffer );
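Review bot: The `pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ))` assignment leaks the original allocation when podofo_realloc returns NULL, because the only pointer to the old block is overwritten before PODOFO_RAISE_ERROR unwinds; grow through a temporary and free the old buffer on failure. The retry's return value is also stored straight into lUtf8 and then used as an index at `pBuffer[lUtf8]` without being compared against the grown size lUtf8 + 1, so if the second conversion ever reported a larger requirement (the 4-argument overload's default conversion mode may differ from the ePdfStringConversion_Lenient used in the first call, and is not visible here) the terminator stores would again run past the block; checking the retry result against the allocated length before those two writes would make the fix self-contained. InitUtf8 begins before this hunk and continues past it.
```cpp
        if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
        {
            const pdf_long lGrownLen = lUtf8 + 1;
            char* pGrown = static_cast<char*>( podofo_realloc( pBuffer, lGrownLen ) );
            if( !pGrown )
            {
                podofo_free( pBuffer ); // a failed realloc leaves the old block allocated
                PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
            }
            pBuffer = pGrown;
            // … unchanged: retry ConvertUTF16toUTF8 into pBuffer with lGrownLen when lUtf8 - 1 > lBufferLen …
        }
```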
@@ -811,6 +823,7 @@ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* 
pszUtf16, pdf_utf8* p
     return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 );
 }
 
+// returns used, or if not enough memory passed in, needed length incl. 1 byte 
termination
 pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long 
lLenUtf16, 
                                     pdf_utf8* pszUtf8, pdf_long lLenUtf8, 
                                     EPdfStringConversion eConversion  )
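Review bot: The added comment leaves the contract ambiguous: "used" and "needed" can be the same number, since a result that fits exactly returns resultBufLength + 1 == lLenUtf8 + 1 without writing a terminator, so a caller cannot tell the two cases apart from the value alone; what actually distinguishes them, per the body in the following hunk, is whether the return exceeds lLenUtf8. Suggest replacing it with `// Returns the number of bytes written including the NUL terminator (<= lLenUtf8). A value greater than lLenUtf8 means the buffer was too small: no terminator was written and that many bytes (including one NUL) are required.` The signature this comment describes continues past the hunk.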
@@ -828,12 +841,21 @@ pdf_long PdfString::ConvertUTF16toUTF8( const 
pdf_utf16be* pszUtf16, pdf_long lL
     size_t sLength = lLenUtf16;
     size_t resultBufLength = lLenUtf8;
 
-    u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength);
+    uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength 
);
+    if (pReturnBuf != pResultBuf)
+    {
+        free(pReturnBuf); // allocated by libunistring, so don't use 
podofo_free()
+        PdfError::LogMessage( eLogSeverity_Warning, "Output string size too 
little to hold it\n" );
+        return resultBufLength + 1;
+    }
 
     pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 
1), lLenUtf8 );
 
-    // Make sure buffer is 0 termnated
-    pszUtf8[resultBufLength] = 0; 
+    // Make sure buffer is 0 terminated
+    if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 )
+        pszUtf8[resultBufLength] = 0;
+    else
+        return resultBufLength + 1; // means: check for this in the caller to 
detect non-termination
     
     return lBufferLen;
 }
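Review bot: `if (pReturnBuf != pResultBuf)` treats a NULL return from u16_to_u8 the same as "it allocated a larger buffer": per the libunistring API the function also returns NULL on failure with errno set (ENOMEM, or EILSEQ for ill-formed UTF-16), in which case resultBufLength is not a reliable size, yet this branch logs "too little" and returns resultBufLength + 1, so the InitUtf8 caller would realloc to a meaningless size and retry a conversion that cannot succeed on invalid input. Test for NULL before the inequality and raise instead of reporting a size — ePdfError_OutOfMemory when errno is ENOMEM, and the project's invalid-encoding error otherwise (that enumerator is not visible in this hunk); this needs errno in scope, so check the includes at the top of the file. The free(pReturnBuf) on the real "allocated" path is correct as commented, since that block comes from the C allocator rather than podofo_realloc. ConvertUTF16toUTF8 begins before this hunk.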
