-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello.
On 28.07.2011 14:40, David Stroud wrote:
> The above code, when compressed with rle, flate and ahex (singularly or
> stacked), works with no problems (on adobe reader 8). However, as soon as I
> introduce lzw into it, either on it's own or stacked with one or all the
> others, the exploit doesn't trigger. I tried the code without any whitespace
> as well, but no luck there either.
At the moment I am doing a review of the lzw filter and found a bug that
sometimes causes an additional unspecified 0 byte at the end of the
encoded lzw stream (patch attached).
Maybe this caused your problem (I have not reproduced it). Please send
me the corrupt PDF or encoded lzw-buffer so that I can debug the
decoding process with the same input.
Regards,
Georg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk45GCQACgkQ5sLITM1qIaJxSQCeJNuFWC0mmNh9gONp/LsS072m
QWkAn0KH562195x+d0LrtQ6R9V5rtp1k
=SBmU
-----END PGP SIGNATURE-----
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: georg.gottleu...@uni-ulm.de-20110803092132-\
# 8fl0e5itfg4b968r
# target_branch: bzr://bzr.sv.gnu.org/pdf/libgnupdf/trunk/
# testament_sha1: 810eb3f529e2c3a3cb377414b7b68ff11b5c1d6c
# timestamp: 2011-08-03 11:21:56 +0200
# base_revision_id: jema...@gnu.org-20110801200358-qc0dhdf3hs44lljv
#
# Begin patch
=== modified file 'src/base/pdf-stm-f-lzw.c'
--- src/base/pdf-stm-f-lzw.c 2011-05-19 17:21:16 +0000
+++ src/base/pdf-stm-f-lzw.c 2011-08-03 09:21:32 +0000
@@ -442,6 +442,10 @@
lzw_buffer_put_code (&st->buffer, LZW_EOD_CODE);
lzw_buffer_put_code (&st->buffer, 0); /* flush */
+ /* delete 0 byte if buffer was already aligned before flush */
+ if (out->data[out->wp - 1] == 0x0)
+ out->wp--;
+
st->really_finish = PDF_TRUE;
return (pdf_buffer_full_p (out) ?
# Begin bundle
IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWcZRVNoACJZ/gFfxQAB7d///
///fvr////5gDW+O82tmdAHQAA6AyiFdV0ADqgFEgBCUJJHkQepp5JkBtQeoAANA009IAAAAGQ5k
00MgAYjIMgBpggYgGjTQAZA0ADJTZCCaj00npTaANTaNQaAYRkegJgIDCA2oEmpUyFPIymJiafqm
jJkAJsITJgAACYCPUb1NBzJpoZAAxGQZADTBAxANGmgAyBoAEkQTQAmgmCDU0yZNJlT9BMU/RR6n
qeoB6Q9Q0yNG1D9ABAVPVTLWLnJZLYxJKqyM/AYmdWgtOafcGQ+xeM0YVzpSY8SL/uyPLLMyHYhk
efj5Zl2p2KVu0R6neD5h+egVZKoZoeiTJWDJekrNzwao1hWv7gf3QHfU49kZ5WwQM2dCNumcbMRC
rZAsaDJrJNNn0dhArI8TiaKPdJBIPiGQTyvYRjeAJBLiCRsoTsJAyMlkYxZx6mFgWfH6HGMEsx/3
eD4zkXvk2vX/3mW35jy0H+dqbE3ZNomrFjILFBVBSKoT/fPWgMuJx/6rIjQG5MkzHXN2eMeuU+3n
9loPXPuSLSszkMonECYCLOeiumaLBlR5DnoVSChzg5XQ8rZkiQPKcGZ2XLYbUtQxUl+jdaZmh0VU
9Y1NfaXSixNkrZC/TYFVQ00WHclFhZQ01+pHSxpvmqRcYz6cD6RVB5aGVfyRkW4xE/dWWHmuEvxy
OirsQlmEKA37sDGw2qDZC1TQy4VXJhqy4SVkaiSd4SZoE2RdBMulASmrabtcaWQKR2b8dXGIf1dv
f3+Hrh7PYHiS2foze1S/2TUfvNZJmGey3lgbMzpyOsFba4hfgwHwqUooU6bIm8vGio8qx6EWuNHU
0nMG7cqbIJNQQR0Clrb6t0VjIkSJG+np3X4H8STDnrIHWQCwVhYwfrEUEgZMC+oJoDaHgv2ea8v5
egveRKwCUfcWWLzS1DBL0OwQFndS3yPoYYYMRAbKtYgG2IOr3oW9fh+I3tZ/yIpXWjb9vJO7hzJS
OoNOdaEde55MobnAiyDixJkiRV9cIHaUX80EDpB2u4hFaeg1gxYut7vqqSd6BHEqmEUouCawrVna
RmEdUMAgkwM6r4HSLSAcRJCHSRi6GoDqKTAoNjFZFYKOBMCYmUEXjGIRxwIuRX0golxJOcztANeK
lmEEBfBhwvi+DFjEAJ3nmlhUnFo33SGWKiSCxZImUNLPMe2V7b9zQScdkkHUPlVKCoVl9plfO1XP
OdYBJtCNsY2zmUIyuxIAthIKy8xHLnSLZVhfGHiZH2TwkxmitgCFfUbMIO8Cn30xbbaa+caRV2mk
g0SxqMC4ltGHM/swOrjWY7FcHVk4ZErXGi9+LSLUogqSkG1AUPW6BFySqDRb1oaXpV4ADltwK9sY
NcEghTqvnSDkGwCrcVUQHWVWbjqkC/ge5mGYZF+NxUXc95INC7B6XaMW6nY0zreoqjqjSRTF0oIr
T2B6rIAqq2pfxrCuQK8KRrYgva4XjVOEyGCdb7i+bmlxqHqgHRjG5yR2Z4UJFuRcOxraJwNCu49Q
VLT9b9GNxjZMsi5O7lAlKZJIomqoEMX1kq2DbW7NURaw9auC3IpzIFWF/qU9MJwMccQ3cuGyQcED
Y1Fx6AquFQXKMA3QMEai0se2OuZJTmXahSwJGmoGSVhaRpa4blQ4SCk6qYxfBNKT1g1pL5usZmsx
Ta6yzAbI2THsLTZEGBXmvXnm76mr11ZFLTAzkTQDZ0tJ4F1lHuN2GBgfqlhhdOtgVNpQwNRmZCKi
sewxMKyh82hA8NZaXpVlKriq1ytGpi9bYQgETISRDAGuiNDyktTxKHsHXa5ETMd8LNRathRIgMan
L2Kg1E0ty6uQBneYBbB3rhfZhmwawYRWDApka8o6HLXtkbC96yF12+NJEiBi1Q9sS7ustLcByazo
RsLdhuNRfNyzDcazrBdSwBODQzqsWeFs4WvMHAI1OMaHJ6x69pGcgTdVRkiW68rUjaSTgtpeSyK8
Sl8NhBI4uPYVG4pCo3bFM1FC0pMqNAC4LfM+AeCZbenn543mCWQ2thMm4jG2IxBIeRvQ6CHdMikJ
gG/AwhMOAS9qZDrm88gztOS21ivUk14nb9g3loZUVWKpOebc0UEQuCmKJdKQaCZEhD+B9SWcBiK9
/DmL6UwgIgfw+4Qv0PP58ITUymQNRRUQYq8H3hbwRmapTEGIIKMMBkm0eZzK1TQaB+cIWDkz+AgZ
gtxR4mKmqqqqlrNpyAf+Bm3dAHPADFDOM6BmgyxrnT86L7TqcP24HFHJICsQpezRxeQCv/kmQLRj
UkBqmgmiPUT1CDrRG5FYhR0rKkyr1otDsLQ/BW1GgXoUAkXJAUGVhF0NYIVV5UGQhVJAZHWFQWjK
5BzQTusdB9cl/H2zyWenMQ2dYulokJYQmOFYAp6geYQuFOqMc8hJwTravt84CXmJU+GuDe8+82FE
j5Mk4fcfIwRjfLDVx4sVyiAUYCcZOnbqBCbEyBEKibbxCcOGmL6jE3grJpXpb/u1IB/xDID5RKyS
LBcUEHcgOKXEkSCE5O8BUrKQmPSEJB+eikYp0FUmMUnn+J8tQb+hX+Xh3LwHO0idDaQOhEtK5msq
PAmCgFiL9bgsL0SEsBIFcopFLGccxMh+IUYgT+kBCgoB96cXSC7D2B3rLUYGzhv3anW7hsN+JQmQ
if6iMihxGkqI4MYTPHn5Han/wOfqNY57PzG/Ad0QgX0NxkrJly70zDDcOr3nT0I9Z1GBPzG7OsMy
B3BMwEQ4XpGB25GDlRA1WgESRif9/Pw3abi/Eg50PWklpLoQXA/9ZS1i8EvRWFm0iLRMgp6tpLS3
r9veHgNTyJLJkppe6E5/Nqdbu7Cw5pJWpd28Y4mdVfGlRmQUfL1v+2PQtK+IKhceB4EyZ86W9J1i
GTMxsGHzNEmBbersZL2GZuKU8eTbbdDeYHe5uwN2rEs4OfRlsIs2RmKykzXwcvj7CAWLQP9PpXrt
BdwmSP7QmIDTNmGFuYCzrcjATCAcS5gx039kvE8SB+rEzfemEgzMkLglcAQqKw9jMYi/Y3AyPW8F
5wIkDYaDdxzO7mTZzsPd7rStBYNQfJB6QDWE5vDJ1pNWTTZEMQUdk3qqG9Ra6TxXqhG46YBznFTN
oZjneHYlUmBmNbP2DotBwdIRoBNi2XomuIhGG+ckGYyCVBCtWZZsBd3oILiIC0Xb39YOk4gY+QyU
FPanugHvD5yKOIcFTuEAyFrEBJfFLmbZZb+b0Ow+IAxYe8M9EHPnZahGlBOADBUvE1go6VzvKmBM
errOoqJnBCZd1WDfMhY9oJpG3FcbEsuiXNc16AGa8gCa5ngu95hxS7DsAPQOQLE6CtSWoE4EEKA5
uSYTjFdwkQcUOAkFkIsyZCkcRw+K9gIKBcLkSqRGQ4AUIhfbvKXRPIlUICAA9iqRQDx3FoTJBLkc
TjAqQZ9DiGIwCgjA7IaIGEmRtCJG3jpbiTp7dX7YjKpBtEBtGJRCMkBYIGZIsQOKGvw5SWw2Yxgk
oWr5HUHJLsL0lL4EhVRTj/BZjliS45ag5IGEA6PEOkxfkvgrPiG0QHH/77OGype1mzN0vWXDJ0Kk
OVe33dKURcMDAWgGwHGrcAOIWz0yzUNrtgzWDcuDn6IaW5ytwZNFESoICCGoA7nSQsMwXYP30UlJ
m75pQK6E0I2HwOKDWlYEgGSEMgp8OcCKNAli08iPUTCSaYwumqtxzzWQaBvTU2AG49wriVoLZrMX
RrGDRLFCZL3l50ZDMGdQXJ0AxYQ/fyLUL6ImHYyoVmOQycbVswqKBNLenEoTSDRrNXUpk7gCwYA1
CTFYKaaCLwmRvLYoyCuZenEgwmFZrEpYqIKQq+mNI213QSPhisRINsUFhmYCQRc7DabBAaz6hAXn
p9YBsz9RbuzCwPE2n7o6B3K5fz7Co0D1BbuFJC+1KST/EMWHofqxrb5Dcl7vrDD0CsSKHZyN/aOG
nrUSu6J3hetneerkr+ADKYidoN0GcE06/VhSih+xdyRThQkMZRVNoA==
