----- Forwarded message from "Derek B. Noonburg" -----

From: "Derek B. Noonburg" Date: Thu, 12 Jul 2007 16:19:10 -0700 (PDT) To: than@redhat.com, var@sgi.com, mike@easysw.com, secalert@redhat.com, security@gentoo.org, security@kde.org, ludwig.nussel@suse.de, hanthethanh@gmail.com, Fabrice.Popineau@supelec.fr cc: derekn@foolabs.com Subject: Xpdf 3.02 security hole

A security hole in Xpdf 3.02 has been reported. I'm attaching the patch file. I'm currently expecting this to be disclosed early next week.

- Derek

*** xpdf-3.02-orig/xpdf/Stream.cc Tue Feb 27 14:05:52 2007 --- xpdf-3.02/xpdf/Stream.cc Thu Jul 12 15:55:49 2007 *************** *** 410,424 **** ok = gFalse;

nVals = width * nComps; - if (width <= 0 || nComps <= 0 || nBits <= 0 || - nComps >= INT_MAX / nBits || - width >= INT_MAX / nComps / nBits || - nVals * nBits + 7 < 0) { - return; - } pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ! if (rowBytes <= 0) { return; } predLine = (Guchar *)gmalloc(rowBytes); --- 410,423 ---- ok = gFalse;

nVals = width * nComps; pixBytes = (nComps * nBits + 7) >> 3; rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes; ! if (width <= 0 || nComps <= 0 || nBits <= 0 || ! nComps > gfxColorMaxComps || ! nBits > 16 || ! nVals <= 0 || ! nVals * nBits + 7 <= 0 || ! rowBytes <= 0) { return; } predLine = (Guchar *)gmalloc(rowBytes);

----- End forwarded message -----