Fix several security bugs in the xpdf code.
o iDefense advisories from 2005-12-05 o CAN-2005-3191, CAN-2005-3192, CAN-2005-3193 - JPX Stream Reader Heap Overflow Vulnerability - DCTStream Baseline Heap Overflow Vulnerability - DCTStream Progressive Heap Overflow - StreamPredictor Heap Overflow Vulnerability Patch provided by xpdf developers.
This commit is contained in:
parent
4cb8562597
commit
73df9cb65e
@ -1,8 +1,9 @@
|
||||
# $OpenBSD: Makefile,v 1.50 2005/09/09 17:34:53 brad Exp $
|
||||
# $OpenBSD: Makefile,v 1.51 2005/12/07 09:22:14 bernd Exp $
|
||||
|
||||
COMMENT= "PDF viewer for X"
|
||||
|
||||
DISTNAME= xpdf-3.01
|
||||
PKGNAME= ${DISTNAME}p0
|
||||
CATEGORIES= textproc x11
|
||||
|
||||
MASTER_SITES= ftp://ftp.foolabs.com/pub/xpdf/
|
||||
|
28
textproc/xpdf/patches/patch-xpdf_JPXStream_cc
Normal file
28
textproc/xpdf/patches/patch-xpdf_JPXStream_cc
Normal file
@ -0,0 +1,28 @@
|
||||
$OpenBSD: patch-xpdf_JPXStream_cc,v 1.1 2005/12/07 09:22:15 bernd Exp $
|
||||
--- xpdf/JPXStream.cc.orig Wed Aug 17 07:34:31 2005
|
||||
+++ xpdf/JPXStream.cc Tue Dec 6 21:13:44 2005
|
||||
@@ -783,7 +783,7 @@ GBool JPXStream::readCodestream(Guint le
|
||||
int segType;
|
||||
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
|
||||
Guint precinctSize, style;
|
||||
- Guint segLen, capabilities, comp, i, j, r;
|
||||
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
|
||||
|
||||
//----- main header
|
||||
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
|
||||
@@ -818,8 +818,13 @@ GBool JPXStream::readCodestream(Guint le
|
||||
/ img.xTileSize;
|
||||
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
|
||||
/ img.yTileSize;
|
||||
- img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
|
||||
- sizeof(JPXTile));
|
||||
+ nTiles = img.nXTiles * img.nYTiles;
|
||||
+ // check for overflow before allocating memory
|
||||
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
|
||||
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
|
||||
+ return gFalse;
|
||||
+ }
|
||||
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
|
||||
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
|
||||
img.tiles[i].tileComps = (JPXTileComp *)gmallocn(img.nComps,
|
||||
sizeof(JPXTileComp));
|
75
textproc/xpdf/patches/patch-xpdf_Stream_cc
Normal file
75
textproc/xpdf/patches/patch-xpdf_Stream_cc
Normal file
@ -0,0 +1,75 @@
|
||||
$OpenBSD: patch-xpdf_Stream_cc,v 1.1 2005/12/07 09:22:15 bernd Exp $
|
||||
--- xpdf/Stream.cc.orig Wed Aug 17 07:34:31 2005
|
||||
+++ xpdf/Stream.cc Tue Dec 6 21:13:44 2005
|
||||
@@ -401,18 +401,33 @@ void ImageStream::skipLine() {
|
||||
|
||||
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
|
||||
int widthA, int nCompsA, int nBitsA) {
|
||||
+ int totalBits;
|
||||
+
|
||||
str = strA;
|
||||
predictor = predictorA;
|
||||
width = widthA;
|
||||
nComps = nCompsA;
|
||||
nBits = nBitsA;
|
||||
+ predLine = NULL;
|
||||
+ ok = gFalse;
|
||||
|
||||
nVals = width * nComps;
|
||||
+ totalBits = nVals * nBits;
|
||||
+ if (totalBits == 0 ||
|
||||
+ (totalBits / nBits) / nComps != width ||
|
||||
+ totalBits + 7 < 0) {
|
||||
+ return;
|
||||
+ }
|
||||
pixBytes = (nComps * nBits + 7) >> 3;
|
||||
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
|
||||
+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
|
||||
+ if (rowBytes < 0) {
|
||||
+ return;
|
||||
+ }
|
||||
predLine = (Guchar *)gmalloc(rowBytes);
|
||||
memset(predLine, 0, rowBytes);
|
||||
predIdx = rowBytes;
|
||||
+
|
||||
+ ok = gTrue;
|
||||
}
|
||||
|
||||
StreamPredictor::~StreamPredictor() {
|
||||
@@ -1004,6 +1019,10 @@ LZWStream::LZWStream(Stream *strA, int p
|
||||
FilterStream(strA) {
|
||||
if (predictor != 1) {
|
||||
pred = new StreamPredictor(this, predictor, columns, colors, bits);
|
||||
+ if (!pred->isOk()) {
|
||||
+ delete pred;
|
||||
+ pred = NULL;
|
||||
+ }
|
||||
} else {
|
||||
pred = NULL;
|
||||
}
|
||||
@@ -2899,6 +2918,14 @@ GBool DCTStream::readBaselineSOF() {
|
||||
height = read16();
|
||||
width = read16();
|
||||
numComps = str->getChar();
|
||||
+ if (numComps <= 0 || numComps > 4) {
|
||||
+ error(getPos(), "Bad number of components in DCT stream", prec);
|
||||
+ return gFalse;
|
||||
+ }
|
||||
+ if (numComps <= 0 || numComps > 4) {
|
||||
+ error(getPos(), "Bad number of components in DCT stream", prec);
|
||||
+ return gFalse;
|
||||
+ }
|
||||
if (prec != 8) {
|
||||
error(getPos(), "Bad DCT precision %d", prec);
|
||||
return gFalse;
|
||||
@@ -3827,6 +3854,10 @@ FlateStream::FlateStream(Stream *strA, i
|
||||
FilterStream(strA) {
|
||||
if (predictor != 1) {
|
||||
pred = new StreamPredictor(this, predictor, columns, colors, bits);
|
||||
+ if (!pred->isOk()) {
|
||||
+ delete pred;
|
||||
+ pred = NULL;
|
||||
+ }
|
||||
} else {
|
||||
pred = NULL;
|
||||
}
|
20
textproc/xpdf/patches/patch-xpdf_Stream_h
Normal file
20
textproc/xpdf/patches/patch-xpdf_Stream_h
Normal file
@ -0,0 +1,20 @@
|
||||
$OpenBSD: patch-xpdf_Stream_h,v 1.1 2005/12/07 09:22:15 bernd Exp $
|
||||
--- xpdf/Stream.h.orig Wed Aug 17 07:34:31 2005
|
||||
+++ xpdf/Stream.h Tue Dec 6 21:13:44 2005
|
||||
@@ -232,6 +232,8 @@ public:
|
||||
|
||||
~StreamPredictor();
|
||||
|
||||
+ GBool isOk() { return ok; }
|
||||
+
|
||||
int lookChar();
|
||||
int getChar();
|
||||
|
||||
@@ -249,6 +251,7 @@ private:
|
||||
int rowBytes; // bytes per line
|
||||
Guchar *predLine; // line buffer
|
||||
int predIdx; // current index in predLine
|
||||
+ GBool ok;
|
||||
};
|
||||
|
||||
//------------------------------------------------------------------------
|
Loading…
Reference in New Issue
Block a user