openbsd-ports/textproc/gpdf/patches/patch-xpdf_JPXStream_cc
bernd bf60fbb21f Fix several security bugs in the xpdf code of gpdf.
o iDefense advisories from 2005-12-05
o CAN-2005-3191, CAN-2005-3192, CAN-2005-3193

- JPX Stream Reader Heap Overflow Vulnerability
- DCTStream Baseline Heap Overflow Vulnerability
- DCTStream Progressive Heap Overflow
- StreamPredictor Heap Overflow Vulnerability

Patch provided by xpdf developers.

Remove mbalmer@ from MAINTAINER per his request.
2005-12-07 10:51:40 +00:00


$OpenBSD: patch-xpdf_JPXStream_cc,v 1.1 2005/12/07 10:51:40 bernd Exp $
--- xpdf/JPXStream.cc.orig Tue Dec 6 22:43:08 2005
+++ xpdf/JPXStream.cc Tue Dec 6 22:44:53 2005
@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(nTiles * sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
sizeof(JPXTileComp));
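Review bot: The new guard checks only the product `img.nXTiles * img.nYTiles`, but the size handed to gmalloc is `nTiles * sizeof(JPXTile)`, and that second multiplication can still wrap or be truncated if gmalloc's parameter is narrower than the product (its signature is not visible in this hunk). Extending the condition with a bound such as `nTiles >= INT_MAX / sizeof(JPXTile)` would close that gap, with the limit chosen to match gmalloc's argument type. The context line `gmalloc(img.nComps * sizeof(JPXTileComp))` follows the same unchecked pattern, so `img.nComps` deserves an equivalent bound. The loop condition could also use `nTiles` instead of recomputing `img.nXTiles * img.nYTiles`, which keeps the validated value and the iteration count visibly tied together. readCodestream's body starts and ends outside this hunk.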