[NTG-pdftex] Xpdf 3.02 security hole (fwd)

Thanh Han The hanthethanh at gmail.com
Fri Jul 13 14:35:41 CEST 2007


----- Forwarded message from Ludwig Nussel <ludwig.nussel at suse.de> -----

> From: Ludwig Nussel <ludwig.nussel at suse.de>
> Date: Fri, 13 Jul 2007 14:24:06 +0200
> To: "Derek B. Noonburg" <derekn at foolabs.com>
> Cc: than at redhat.com, var at sgi.com, mike at easysw.com, secalert at redhat.com,
> 	security at gentoo.org, security at kde.org, hanthethanh at gmail.com,
> 	Fabrice.Popineau at supelec.fr, security at suse.de
> Subject: Re: Xpdf 3.02 security hole
>
> Josh Bressers wrote:
> > > A security hole in Xpdf 3.02 has been reported.  I'm attaching the patch
> > > file.  I'm currently expecting this to be disclosed early next week.
> > >
> >
> > Hi Derek,
> >
> > Please use CVE-2007-3387 for this flaw.  Am I right in assuming that the
> > flaw here is an integer overflow?
>
> IMO the crucial part is the changed check for nComps > gfxColorMaxComps as
> nComps is used later as upper bound for an offset into
> Guchar upLeftBuf[gfxColorMaxComps * 2 + 1];
> The patch removes the check width >= INT_MAX / nComps / nBits though which
> should be kept nevertheless IMO:
>
> --- xpdf-3.02.orig/xpdf/Stream.cc
> +++ xpdf-3.02/xpdf/Stream.cc
> @@ -410,15 +410,15 @@ StreamPredictor::StreamPredictor(Stream
>    ok = gFalse;
>
>    nVals = width * nComps;
> -  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> -      nComps >= INT_MAX / nBits ||
> -      width >= INT_MAX / nComps / nBits ||
> -      nVals * nBits + 7 < 0) {
> -    return;
> -  }
>    pixBytes = (nComps * nBits + 7) >> 3;
>    rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
> -  if (rowBytes <= 0) {
> +  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
> +      nComps > gfxColorMaxComps ||
> +      width >= INT_MAX / nComps / nBits ||
> +      nBits > 16 ||
> +      nVals <= 0 ||
> +      nVals * nBits + 7 <= 0 ||
> +      rowBytes <= 0) {
>      return;
>    }
>    predLine = (Guchar *)gmalloc(rowBytes);
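
Review bot: In the rewritten condition, `nVals`, `pixBytes` and `rowBytes` are computed from `width`, `nComps` and `nBits` before any of them is range-checked, so the multiplications can overflow first. The `nVals <= 0` and `nVals * nBits + 7 <= 0` tests only catch that if signed overflow happens to wrap negative, which C++ does not guarantee. `width >= INT_MAX / nComps / nBits` bounds the product but not the `+ 7`. Suggest running the range checks first (including `nComps > gfxColorMaxComps` and `nBits > 16`), bounding `width` against `(INT_MAX - 7) / (nComps * nBits)`, and only then computing `nVals`, `pixBytes` and `rowBytes`.
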
>
> cu
> Ludwig
>
> --
>  (o_   Ludwig Nussel
>  //\
>  V_/_  http://www.suse.de/
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
>

----- End forwarded message -----
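
The ordering question raised in the forwarded message, as an added C example that is not part of the message or of xpdf: the parameters are validated before any multiplication, and a second function isolates the division test to show an input it accepts on its own. The helper names and the value 32 for the component limit are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed limits for this example: MAX_COMPS stands in for xpdf's
   gfxColorMaxComps (value assumed), MAX_BITS is the 16 from the patch. */
#define MAX_COMPS 32
#define MAX_BITS  16

/* The division test from the patch, on its own: returns 1 if it accepts. */
int division_check_accepts(int width, int nComps, int nBits)
{
    if (width <= 0 || nComps <= 0 || nBits <= 0)
        return 0;
    return !(width >= INT_MAX / nComps / nBits);
}

/* Hypothetical helper: validate first, multiply afterwards.
   Returns 1 and stores the row buffer size, or 0 to reject. */
int predictor_row_bytes(int width, int nComps, int nBits, int *rowBytes)
{
    int bitsPerPix, pixBytes;

    if (width <= 0 || nComps <= 0 || nBits <= 0)
        return 0;
    if (nComps > MAX_COMPS || nBits > MAX_BITS)
        return 0;
    bitsPerPix = nComps * nBits;              /* at most 32 * 16 = 512 */
    /* Leave room for the "+ 7" rounding term as well as the product. */
    if (width > (INT_MAX - 7) / bitsPerPix)
        return 0;
    pixBytes = (bitsPerPix + 7) >> 3;         /* at most 64 */
    *rowBytes = ((width * bitsPerPix + 7) >> 3) + pixBytes;
    return 1;
}

int main(void)
{
    int rb = 0, ok;
    /* Constructed inputs, not taken from any real PDF. */
    ok = predictor_row_bytes(100, 3, 8, &rb);
    printf("8-bit RGB, width 100: ok=%d rowBytes=%d\n", ok, rb);
    ok = predictor_row_bytes(100, 33, 8, &rb);
    printf("nComps=33: ok=%d\n", ok);
    ok = predictor_row_bytes(INT_MAX - 1, 1, 1, &rb);
    printf("width=INT_MAX-1, 1x1: division check accepts=%d, helper ok=%d\n",
           division_check_accepts(INT_MAX - 1, 1, 1), ok);
    return 0;
}
```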

