rpms/xpdf/devel xpdf-3.01-CAN-2005-3193.patch, NONE, 1.1 xpdf-3.01-CVE-2005-3191.patch, NONE, 1.1 xpdf.spec, 1.65, 1.66
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 10 13:12:32 UTC 2006
Author: karsten
Update of /cvs/dist/rpms/xpdf/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv23786
Modified Files:
xpdf.spec
Added Files:
xpdf-3.01-CAN-2005-3193.patch xpdf-3.01-CVE-2005-3191.patch
Log Message:
- add patches to fix CVE-2005-3191 and CAN-2005-3193
xpdf-3.01-CAN-2005-3193.patch:
goo/gmem.c | 5 +++--
xpdf/JBIG2Stream.cc | 6 ++++++
xpdf/Stream.cc | 13 ++++++++++---
3 files changed, 19 insertions(+), 5 deletions(-)
--- NEW FILE xpdf-3.01-CAN-2005-3193.patch ---
diff -urN xpdf-3.01_old/goo/gmem.c xpdf-3.01_new/goo/gmem.c
--- xpdf-3.01_old/goo/gmem.c 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/goo/gmem.c 2006-01-10 13:01:13.000000000 +0100
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
+#include <limits.h>
#include "gmem.h"
#ifdef DEBUG_MEM
@@ -141,7 +142,7 @@
int n;
n = nObjs * objSize;
- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
@@ -152,7 +153,7 @@
int n;
n = nObjs * objSize;
- if (objSize == 0 || n / objSize != nObjs) {
+ if (objSize <= 0 || nObjs < 0 || nObjs >= INT_MAX / objSize) {
fprintf(stderr, "Bogus memory allocation size\n");
exit(1);
}
diff -urN xpdf-3.01_old/xpdf/JBIG2Stream.cc xpdf-3.01_new/xpdf/JBIG2Stream.cc
--- xpdf-3.01_old/xpdf/JBIG2Stream.cc 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/xpdf/JBIG2Stream.cc 2006-01-10 13:08:26.000000000 +0100
@@ -684,6 +684,7 @@
line = (wA + 7) >> 3;
if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ error(-1, "invalid width/height");
data = NULL;
}
else {
@@ -701,6 +702,7 @@
line = bitmap->line;
if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ error(-1, "invalid width/height");
data = NULL;
return;
}
@@ -734,6 +736,9 @@
void JBIG2Bitmap::expand(int newH, Guint pixel) {
if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
+ error(-1, "invalid width/height");
+ gfree(data);
+ data = NULL;
return;
}
// need to allocate one extra guard byte for use in combine()
@@ -2959,6 +2964,7 @@
int x, y, pix;
if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ error(-1, "invalid width/height");
return NULL;
bitmap = new JBIG2Bitmap(0, w, h);
diff -urN xpdf-3.01_old/xpdf/Stream.cc xpdf-3.01_new/xpdf/Stream.cc
--- xpdf-3.01_old/xpdf/Stream.cc 2006-01-10 12:56:54.000000000 +0100
+++ xpdf-3.01_new/xpdf/Stream.cc 2006-01-10 13:22:48.000000000 +0100
@@ -1276,8 +1276,10 @@
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
- if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
- columns = 1;
+ if (columns < 1 || columns + 2 < 0 || columns + 3 < 0 ||
+ (columns + 2) >= INT_MAX / sizeof(short) || (columns + 3) >= INT_MAX / sizeof(short)) {
+ error(-1, "invalid number of columns");
+ exit(1);
}
rows = rowsA;
endOfBlock = endOfBlockA;
@@ -2920,6 +2922,7 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
error(getPos(), "Bad number of components in DCT stream", prec);
return gFalse;
}
@@ -2950,6 +2953,7 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
error(getPos(), "Bad number of components in DCT stream", prec);
return gFalse;
}
@@ -2976,6 +2980,7 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ scanInfo.numComps = 0;
error(getPos(), "Bad number of components in DCT stream");
return gFalse;
}
@@ -3186,9 +3191,11 @@
do {
do {
c = str->getChar();
- } while (c != 0xff && c != EOF);
+ if(c == EOF) return EOF;
+ } while (c != 0xff);
do {
c = str->getChar();
+ if(c == EOF) return EOF;
} while (c == 0xff);
} while (c == 0x00);
return c;
xpdf-3.01-CVE-2005-3191.patch:
JPXStream.cc | 14 ++++++++---
Stream.cc | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++------
Stream.h | 3 ++
3 files changed, 82 insertions(+), 10 deletions(-)
--- NEW FILE xpdf-3.01-CVE-2005-3191.patch ---
--- xpdf-3.00.orig/xpdf/JPXStream.cc
+++ xpdf-3.00/xpdf/JPXStream.cc
@@ -7,6 +7,7 @@
//========================================================================
#include <aconf.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -666,7 +667,7 @@
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +702,15 @@
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- img.tiles = (JPXTile *)gmallocn(img.nXTiles * img.nYTiles,
- sizeof(JPXTile));
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX/img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ nTiles = img.nXTiles * img.nYTiles;
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
+
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
sizeof(JPXTileComp));
only in patch2:
unchanged:
--- xpdf-3.00.orig/xpdf/Stream.h
+++ xpdf-3.00/xpdf/Stream.h
@@ -233,6 +233,8 @@
~StreamPredictor();
+ GBool isOk() { return ok; }
+
int lookChar();
int getChar();
@@ -250,6 +252,7 @@
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
+ GBool ok;
};
//------------------------------------------------------------------------
only in patch2:
unchanged:
--- xpdf-3.00.orig/xpdf/Stream.cc
+++ xpdf-3.00/xpdf/Stream.cc
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+#include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
@@ -412,13 +413,28 @@
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits) {
+ return;
+ }
nVals = width * nComps;
+ if (nVals * nBits + 7 <= 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
StreamPredictor::~StreamPredictor() {
@@ -1012,6 +1028,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
@@ -2897,6 +2917,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2923,6 +2947,10 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2945,6 +2973,10 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
@@ -3255,6 +3287,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
--- xpdf-3.00/xpdf/JBIG2Stream.cc (revision 488119)
+++ xpdf-3.00/xpdf/JBIG2Stream.cc (working copy)
@@ -7,6 +7,7 @@
//========================================================================
#include <aconf.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -681,9 +682,15 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = wA;
h = hA;
line = (wA + 7) >> 3;
- // need to allocate one extra guard byte for use in combine()
- data = (Guchar *)gmalloc(h * line + 1);
- data[h * line] = 0;
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ }
+ else {
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+ data[h * line] = 0;
+ }
}
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -692,6 +699,12 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA,
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
+
+ if (h < 0 || line <= 0 || h >= INT_MAX / line) {
+ data = NULL;
+ return;
+ }
+
// need to allocate one extra guard byte for use in combine()
data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
@@ -720,7 +733,7 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
+ if (newH <= h || line <= 0 || newH >= INT_MAX / line) {
return;
}
// need to allocate one extra guard byte for use in combine()
@@ -2305,6 +2318,15 @@ void JBIG2Stream::readHalftoneRegionSeg(
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
@@ -2936,6 +2958,9 @@ JBIG2Bitmap *JBIG2Stream::readGenericRef
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
int x, y, pix;
+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ return NULL;
+
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();
--- xpdf-3.00/xpdf/Stream.cc (revision 488119)
+++ xpdf-3.00/xpdf/Stream.cc (working copy)
@@ -1277,7 +1277,7 @@ CCITTFaxStream::CCITTFaxStream(Stream *s
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
- if (columns < 1) {
+ if (columns + 3 < 1 || columns + 4 < 1 || columns < 1) {
columns = 1;
}
rows = rowsA;
@@ -3066,12 +3066,12 @@ GBool DCTStream::readHuffmanTables() {
while (length > 0) {
index = str->getChar();
--length;
- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table");
return gFalse;
}
if (index & 0x10) {
- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];
Index: xpdf.spec
===================================================================
RCS file: /cvs/dist/rpms/xpdf/devel/xpdf.spec,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- xpdf.spec 12 Dec 2005 11:19:03 -0000 1.65
+++ xpdf.spec 10 Jan 2006 13:12:29 -0000 1.66
@@ -7,7 +7,7 @@
Summary: A PDF file viewer for the X Window System.
Name: xpdf
Version: 3.01
-Release: 6
+Release: 7
License: GPL
Epoch: 1
Url: http://www.foolabs.com/xpdf/
@@ -34,6 +34,8 @@
Patch12: xpdf-3.00-64bit.patch
Patch13: xpdf-3.01-resize.patch
Patch14: xpdf-3.01-freetype-internals.patch
+Patch15: xpdf-3.01-CVE-2005-3191.patch
+Patch16: xpdf-3.01-CAN-2005-3193.patch
Requires: urw-fonts
Requires: htmlview
@@ -118,6 +120,8 @@
%patch12 -p1 -b .alloc
%patch13 -p1 -b .resize
%patch14 -p1 -b .freetype-internals
+%patch15 -p1 -b .CVE-2005-3191.patch
+%patch16 -p1 -b .CAN-2005-3193.patch
%build
find -name "*orig" | xargs rm -f
@@ -217,6 +221,9 @@
%lang(ko) %{_datadir}/xpdf/korean
%changelog
+* Tue Jan 10 2006 Karsten Hopp <karsten at redhat.de> 3.01-7
+- add patches to fix CVE-2005-3191 and CAN-2005-3193
+
* Mon Dec 12 2005 Than Ngo <than at redhat.com> 3.01-6
- rebuilt against new openmotif-2.3
More information about the fedora-cvs-commits
mailing list