Re: [NTG-pdftex] Xpdf 3.02 security hole (fwd)

13 Jul 2007

----- Forwarded message from Ludwig Nussel  -----
...
From: Ludwig Nussel 
Date: Fri, 13 Jul 2007 14:24:06 +0200
To: "Derek B. Noonburg" 
Cc: than@redhat.com, var@sgi.com, mike@easysw.com, secalert@redhat.com,
  security@gentoo.org, security@kde.org, hanthethanh@gmail.com,
  Fabrice.Popineau@supelec.fr, security@suse.de
Subject: Re: Xpdf 3.02 security hole
Josh Bressers wrote:
...
...
A security hole in Xpdf 3.02 has been reported.  I'm attaching the patch
file.  I'm currently expecting this to be disclosed early next week.
Hi Derek,
Please use CVE-2007-3387 for this flaw.  Am I right in assuming that the
flaw here is an integer overflow?
IMO the crucial part is the changed check for nComps > gfxColorMaxComps as
nComps is used later as upper bound for an offset into
Guchar upLeftBuf[gfxColorMaxComps * 2 + 1];
The patch removes the check width >= INT_MAX / nComps / nBits though which
should be kept nevertheless IMO:

--- xpdf-3.02.orig/xpdf/Stream.cc
+++ xpdf-3.02/xpdf/Stream.cc
@@ -410,15 +410,15 @@ StreamPredictor::StreamPredictor(Stream
   ok = gFalse;
nVals = width * nComps;
-  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
-      nComps >= INT_MAX / nBits ||
-      width >= INT_MAX / nComps / nBits ||
-      nVals * nBits + 7 < 0) {
-    return;
-  }
   pixBytes = (nComps * nBits + 7) >> 3;
   rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
-  if (rowBytes <= 0) {
+  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+      nComps > gfxColorMaxComps ||
+      width >= INT_MAX / nComps / nBits ||
+      nBits > 16 ||
+      nVals <= 0 ||
+      nVals * nBits + 7 <= 0 ||
+      rowBytes <= 0) {
     return;
   }
   predLine = (Guchar *)gmalloc(rowBytes);
cu
Ludwig
--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
----- End forwarded message -----

    

Thanh Han The

tags

participants (1)