Hi

Here’s a patch for CVE-2018-20797.

The problem occurs in the PdfPredictorDecoder constructor which calls podofo_calloc to allocate a buffer based on values in the pDecodeParms dictionary, which are multiplied together to produce a buffer size passed to podofo_calloc

    m_nRows = (m_nColumns * m_nColors * m_nBPC) >> 3;

If any of these values are negative, then m_nRows is negative and turns into a large positive value when passed as unsigned size_t to podofo_calloc.

A related problem is caused when large positive values in pDecodeParms overflow when multiplied together so produce the wrong buffer size (e.g. if nColumns=1, m_nBPC=2 and m_nColors=SIZE_MAX/2+1).

This has been tested in production for a few months on Mac 64-bit / Windows 32-bit.

Best Regards
Mark

Mark Rogers - mark.rog...@powermapper.com
PowerMapper Software Ltd - www.powermapper.com
Registered in Scotland No 362274
Quartermile 2 Edinburgh EH3 9GL
patch-CVE-2018-20797.diff
_______________________________________________ Podofo-users mailing list Podofo-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/podofo-users
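
Added example, not part of the original message or the attached patch: one way to compute the row size described above so that negative values and multiplication overflow are rejected before anything reaches the allocator. The function names are hypothetical and the inputs are assumed to arrive as long long integers.

```cpp
#include <cstddef>
#include <cstdio>
#include <limits>

// Hypothetical helpers, not PoDoFo code. Inputs model integers read from an
// untrusted DecodeParms dictionary (assumed here to arrive as long long).

// Multiply two sizes; return false if the product would wrap around size_t.
bool mul_checked(std::size_t a, std::size_t b, std::size_t *out)
{
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        return false;
    *out = a * b;
    return true;
}

// True only for values that are positive and representable as size_t
// (the second condition matters on 32-bit builds).
bool fits_size(long long v)
{
    return v > 0 &&
           static_cast<unsigned long long>(v) <= std::numeric_limits<std::size_t>::max();
}

// Row size in bytes: (columns * colors * bpc) >> 3, the expression quoted in
// the message, computed without signed-to-unsigned conversion or wraparound.
bool predictor_row_bytes(long long columns, long long colors, long long bpc,
                         std::size_t *rowBytes)
{
    if (!fits_size(columns) || !fits_size(colors) || !fits_size(bpc))
        return false;                       // negative, zero or too large
    std::size_t bits = 0;
    if (!mul_checked(static_cast<std::size_t>(columns),
                     static_cast<std::size_t>(colors), &bits) ||
        !mul_checked(bits, static_cast<std::size_t>(bpc), &bits))
        return false;                       // product overflowed
    *rowBytes = bits >> 3;
    return true;
}

int main()
{
    std::size_t n = 0;
    // Constructed sample inputs: a plausible RGB row, then a negative value.
    std::printf("%d\n", predictor_row_bytes(100, 3, 8, &n));
    std::printf("%d\n", predictor_row_bytes(-1, 3, 8, &n));
    return 0;
}
```

A caller would allocate only when predictor_row_bytes returns true and treat a false return as a malformed stream.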