----- Forwarded message from Ludwig Nussel
From: Ludwig Nussel
Date: Fri, 13 Jul 2007 14:24:06 +0200 To: "Derek B. Noonburg" Cc: than@redhat.com, var@sgi.com, mike@easysw.com, secalert@redhat.com, security@gentoo.org, security@kde.org, hanthethanh@gmail.com, Fabrice.Popineau@supelec.fr, security@suse.de Subject: Re: Xpdf 3.02 security hole Josh Bressers wrote:
A security hole in Xpdf 3.02 has been reported. I'm attaching the patch file. I'm currently expecting this to be disclosed early next week.
Hi Derek,
Please use CVE-2007-3387 for this flaw. Am I right in assuming that the flaw here is an integer overflow?
IMO the crucial part is the changed check for nComps > gfxColorMaxComps as nComps is used later as upper bound for an offset into Guchar upLeftBuf[gfxColorMaxComps * 2 + 1]; The patch removes the check width >= INT_MAX / nComps / nBits though which should be kept nevertheless IMO:
--- xpdf-3.02.orig/xpdf/Stream.cc +++ xpdf-3.02/xpdf/Stream.cc @@ -410,15 +410,15 @@ StreamPredictor::StreamPredictor(Stream ok = gFalse;
nVals = width * nComps; - if (width <= 0 || nComps <= 0 || nBits <= 0 || - nComps >= INT_MAX / nBits || - width >= INT_MAX / nComps / nBits || - nVals * nBits + 7 < 0) { - return; - } pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; - if (rowBytes <= 0) { + if (width <= 0 || nComps <= 0 || nBits <= 0 || + nComps > gfxColorMaxComps || + width >= INT_MAX / nComps / nBits || + nBits > 16 || + nVals <= 0 || + nVals * nBits + 7 <= 0 || + rowBytes <= 0) { return; } predLine = (Guchar *)gmalloc(rowBytes);
cu Ludwig
-- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
----- End forwarded message -----