Fix denial of service vulnerability.

Check sanity of the TrueType "loca" table. Specially crafted broken tables caused disk space exhaustion due to very large generated glyph descriptions when attempting to fix the table. CAN-2005-2097. from Ubuntu Linux; ok brad@
2005-08-11 14:18:47 +00:00 · 2005-08-11 14:18:47 +00:00 · 9c8738ab34
commit 9c8738ab34
parent 2076dcf323
3 changed files with 61 additions and 2 deletions
--- a/textproc/xpdf/Makefile
+++ b/textproc/xpdf/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.47 2005/01/19 16:23:16 naddy Exp $
+# $OpenBSD: Makefile,v 1.48 2005/08/11 14:18:47 naddy Exp $

 COMMENT=	"PDF viewer for X"

 DISTNAME=	xpdf-3.00
-PKGNAME=	${DISTNAME}p3
+PKGNAME=	${DISTNAME}p4
 CATEGORIES=	textproc x11

 MASTER_SITES=	ftp://ftp.foolabs.com/pub/xpdf/
--- a/textproc/xpdf/patches/patch-fofi_FoFiTrueType_cc
+++ b/textproc/xpdf/patches/patch-fofi_FoFiTrueType_cc
@ -0,0 +1,31 @@
+$OpenBSD: patch-fofi_FoFiTrueType_cc,v 1.1 2005/08/11 14:18:47 naddy Exp $
+--- fofi/FoFiTrueType.cc.orig	Thu Jan 22 02:26:44 2004
+++ fofi/FoFiTrueType.cc	Wed Aug 10 22:25:23 2005
+@@ -1343,6 +1343,27 @@ void FoFiTrueType::parse() {
+     return;
+   }
+ 
+  // make sure the loca table is sane (correct length and entries are
+  // in bounds)
+  i = seekTable("loca");
+  if (tables[i].len < (nGlyphs + 1) * (locaFmt ? 4 : 2)) {
+    parsedOk = gFalse;
+    return;
+  }
+  for (j = 0; j <= nGlyphs; ++j) {
+    if (locaFmt) {
+      pos = (int)getU32BE(tables[i].offset + j*4, &parsedOk);
+    } else {
+      pos = getU16BE(tables[i].offset + j*2, &parsedOk);
+    }
+    if (pos < 0 || pos > len) {
+      parsedOk = gFalse;
+    }
+  }
+  if (!parsedOk) {
+    return;
+  }
+
+   // read the post table
+   readPostTable();
+   if (!parsedOk) {
--- a/textproc/xpdf/patches/patch-xpdf_SplashOutputDev_cc
+++ b/textproc/xpdf/patches/patch-xpdf_SplashOutputDev_cc
@ -0,0 +1,28 @@
+$OpenBSD: patch-xpdf_SplashOutputDev_cc,v 1.1 2005/08/11 14:18:47 naddy Exp $
+--- xpdf/SplashOutputDev.cc.orig	Thu Jan 22 02:26:45 2004
+++ xpdf/SplashOutputDev.cc	Wed Aug 10 22:25:23 2005
+@@ -621,16 +621,19 @@ void SplashOutputDev::updateFont(GfxStat
+       }
+       break;
+     case fontTrueType:
+-      if (!(ff = FoFiTrueType::load(fileName->getCString()))) {
+-	goto err2;
+      if ((ff = FoFiTrueType::load(fileName->getCString()))) {
+	codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+	n = 256;
+	delete ff;
+      } else {
+	codeToGID = NULL;
+	n = 0;
+       }
+-      codeToGID = ((Gfx8BitFont *)gfxFont)->getCodeToGIDMap(ff);
+-      delete ff;
+       if (!(fontFile = fontEngine->loadTrueTypeFont(
+ 			   id,
+ 			   fileName->getCString(),
+ 			   fileName == tmpFileName,
+-			   codeToGID, 256))) {
+			   codeToGID, n))) {
+ 	error(-1, "Couldn't create a font for '%s'",
+ 	      gfxFont->getName() ? gfxFont->getName()->getCString()
+ 	                         : "(unnamed)");