[NTG-pdftex] Xpdf 3.02 security hole (fwd)

Thanh Han The hanthethanh at gmail.com
Fri Jul 13 08:29:25 CEST 2007


----- Forwarded message from "Derek B. Noonburg" <derekn at foolabs.com> -----

> From: "Derek B. Noonburg" <derekn at foolabs.com>
> Date: Thu, 12 Jul 2007 16:19:10 -0700 (PDT)
> To: than at redhat.com, var at sgi.com, mike at easysw.com, secalert at redhat.com,
> 	security at gentoo.org, security at kde.org, ludwig.nussel at suse.de,
> 	hanthethanh at gmail.com, Fabrice.Popineau at supelec.fr
> cc: derekn at foolabs.com
> Subject: Xpdf 3.02 security hole
>
> A security hole in Xpdf 3.02 has been reported.  I'm attaching the patch
> file.  I'm currently expecting this to be disclosed early next week.
>
> - Derek

> *** xpdf-3.02-orig/xpdf/Stream.cc	Tue Feb 27 14:05:52 2007
> --- xpdf-3.02/xpdf/Stream.cc	Thu Jul 12 15:55:49 2007
> ***************
> *** 410,424 ****
>     ok = gFalse;
>
>     nVals = width * nComps;
> -   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> -       nComps >= INT_MAX / nBits ||
> -       width >= INT_MAX / nComps / nBits ||
> -       nVals * nBits + 7 < 0) {
> -     return;
> -   }
>     pixBytes = (nComps * nBits + 7) >> 3;
>     rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
> !   if (rowBytes <= 0) {
>       return;
>     }
>     predLine = (Guchar *)gmalloc(rowBytes);
> --- 410,423 ----
>     ok = gFalse;
>
>     nVals = width * nComps;
>     pixBytes = (nComps * nBits + 7) >> 3;
>     rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
> !   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> !       nComps > gfxColorMaxComps ||
> !       nBits > 16 ||
> !       nVals <= 0 ||
> !       nVals * nBits + 7 <= 0 ||
> !       rowBytes <= 0) {
>       return;
>     }
>     predLine = (Guchar *)gmalloc(rowBytes);


----- End forwarded message -----


More information about the ntg-pdftex mailing list