rpms/poppler/FC-4 poppler-0.4.3-CVE-2005-3191.patch,NONE,1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 16 21:32:15 UTC 2005
Author: krh
Update of /cvs/dist/rpms/poppler/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv4854
Added Files:
poppler-0.4.3-CVE-2005-3191.patch
Log Message:
Add actual patch.
poppler-0.4.3-CVE-2005-3191.patch:
0 files changed
--- NEW FILE poppler-0.4.3-CVE-2005-3191.patch ---
--- poppler/JBIG2Stream.cc (revision 488119)
+++ poppler/JBIG2Stream.cc (working copy)
@@ -7,6 +7,7 @@
//========================================================================
#include <config.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -681,7 +682,14 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = wA;
h = hA;
line = (wA + 7) >> 3;
- data = (Guchar *)gmalloc(h * line);
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ }
+ else {
+ data = (Guchar *)gmalloc(h * line);
+ data[h * line] = 0;
+ }
}
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
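Review bot: The added `data[h * line] = 0;` stores one byte past the end of the buffer that `gmalloc(h * line)` returned on the line above, so every successfully constructed bitmap starts with a one-byte heap overwrite. If a trailing guard byte is intended, allocate it with `data = (Guchar *)gmalloc(h * line + 1);` and tighten the bound to `h >= (INT_MAX - 1) / line` so the `+ 1` cannot overflow. Otherwise drop the store. The check also admits `h == 0`, where the store lands in a zero-length allocation.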
@@ -692,5 +699,11 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ return;
+ }
+
data = (Guchar *)gmalloc(h * line);
memcpy(data, bitmap->data, h * line);
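Review bot: The early `return` leaves the object with `data == NULL` while `w`, `h` and `line` still hold the rejected dimensions, so any method that later indexes `data` using those fields would dereference a null pointer. The NULL branch added to the first constructor leaves the same state. Zeroing the geometry before returning, e.g. `w = h = line = 0;`, makes row loops over the bitmap degenerate instead. A short comment on both constructors should state that `data` may be NULL after construction and that callers must check. The constructor body continues past the end of this hunk.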
@@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
return;
}
data = (Guchar *)grealloc(data, newH * line);
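Review bot: The overflow case now shares the silent `return` with the ordinary `newH <= h` no-op, so a caller that asked for a taller bitmap gets no signal that `h` and `data` are unchanged. The callers are outside this hunk, but any that go on to write rows up to `newH` would run past the old buffer. Splitting the condition lets the rejected size be reported, e.g. `if (line <= 0 || newH >= INT_MAX / line) { error(-1, "Bad size in JBIG2 bitmap expand"); return; }`, and callers should then compare the resulting height with what they requested. The rest of `expand` is not visible here.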
@@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
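Review bot: Both new guards bound `gridW * gridH` and `w * h` only as element counts below `INT_MAX`. The allocations that consume them are below this hunk, so if any of them multiplies the count by an element size the byte total can still wrap; the limit would then need dividing by that size, e.g. `gridW >= INT_MAX / gridH / sizeof(Guint)` for a `Guint` array. The guards also test only `== 0`, which is sufficient only if these variables are unsigned, and their declarations are not visible here. The second message says "bitmap segment" although this is the halftone reader, so logs will point at the wrong segment type. Naming the field, e.g. `"Bad region size in JBIG2 halftone segment"`, would fix that.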
@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
int x, y, pix;
+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ return NULL;
+
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();
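Review bot: The guard rejects `h <= 0` but only `w < 0`, so `w == 0` passes. With this patch the constructor then computes `line = 0`, takes its `line <= 0` branch and sets `data = NULL`, and `bitmap->clearToZero()` two lines later runs on that null buffer. Using `w <= 0` here closes the gap. The `return NULL` is also silent, unlike the `error(getPos(), ...)` calls added to the halftone reader, so adding `error(getPos(), "Bad size in JBIG2 generic refinement region");` before it would keep the diagnostics consistent. Callers of this function are outside the hunk and need to tolerate a NULL result.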
--- poppler/Stream.cc (revision 488119)
+++ poppler/Stream.cc (working copy)
@@ -1277,4 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
+ columns = 1;
+ }
rows = rowsA;
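Review bot: `columns + 3 < 1` and `columns + 4 < 1` can only be true for a large positive `columns` if the signed addition wraps, which is undefined behaviour for a signed type (and `columns` appears to be an int here). An optimising compiler may fold the whole test down to `columns < 1`, leaving values near `INT_MAX` unclamped. A test that never overflows is `if (columns < 1 || columns > INT_MAX - 4) {`, which needs `<limits.h>` in Stream.cc; this patch adds that include only to JBIG2Stream.cc. The buffers sized from `columns` are allocated outside this hunk, so whether `- 4` is the right margin should be checked against them.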
@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
while (length > 0) {
index = str->getChar();
--length;
- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table");
return gFalse;
}
if (index & 0x10) {
- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];
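Review bot: The `(index & ~0x10) < 0` half of the new test is the only thing rejecting a negative `index`, which is presumably what `str->getChar()` returns at end of stream, and nothing in the code says so. A comment above the `if` would keep a later cleanup from removing it as dead code, e.g. `// index < 0 means getChar() hit end of stream; apart from the AC flag 0x10, only table ids 0..3 are valid`. After that check `index &= 0x03` and the old `index &= 0x0f` give the same result, so the mask change is defensive only. The non-AC branch, which uses `index` unmasked, lies outside this hunk.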