[NTG-pdftex] Xpdf 3.02 security hole (fwd)
Thanh Han The
hanthethanh at gmail.com
Fri Jul 13 08:29:25 CEST 2007
----- Forwarded message from "Derek B. Noonburg" <derekn at foolabs.com> -----
> From: "Derek B. Noonburg" <derekn at foolabs.com>
> Date: Thu, 12 Jul 2007 16:19:10 -0700 (PDT)
> To: than at redhat.com, var at sgi.com, mike at easysw.com, secalert at redhat.com,
> security at gentoo.org, security at kde.org, ludwig.nussel at suse.de,
> hanthethanh at gmail.com, Fabrice.Popineau at supelec.fr
> cc: derekn at foolabs.com
> Subject: Xpdf 3.02 security hole
>
> A security hole in Xpdf 3.02 has been reported. I'm attaching the patch
> file. I'm currently expecting this to be disclosed early next week.
>
> - Derek
> *** xpdf-3.02-orig/xpdf/Stream.cc Tue Feb 27 14:05:52 2007
> --- xpdf-3.02/xpdf/Stream.cc Thu Jul 12 15:55:49 2007
> ***************
> *** 410,424 ****
> ok = gFalse;
>
> nVals = width * nComps;
> - if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> - nComps >= INT_MAX / nBits ||
> - width >= INT_MAX / nComps / nBits ||
> - nVals * nBits + 7 < 0) {
> - return;
> - }
> pixBytes = (nComps * nBits + 7) >> 3;
> rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
> ! if (rowBytes <= 0) {
> return;
> }
> predLine = (Guchar *)gmalloc(rowBytes);
> --- 410,423 ----
> ok = gFalse;
>
> nVals = width * nComps;
> pixBytes = (nComps * nBits + 7) >> 3;
> rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
> ! if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> ! nComps > gfxColorMaxComps ||
> ! nBits > 16 ||
> ! nVals <= 0 ||
> ! nVals * nBits + 7 <= 0 ||
> ! rowBytes <= 0) {
> return;
> }
> predLine = (Guchar *)gmalloc(rowBytes);
----- End forwarded message -----
More information about the ntg-pdftex
mailing list