2006-01-10 Kristian Høgsberg <krh@redhat.com>

Security patch from Martin Pitt (#5516). Multiple integer/buffer overflows. * poppler/Stream.cc (CCITTFaxStream::CCITTFaxStream): Check columns for negative or large values (CVE-2005-3624). * poppler/Stream.cc: Reset numComps to 0 since it's a global variable that is used later (CVE-2005-3627). * poppler/Stream.cc (DCTStream::readHuffmanTables): Fix out of bounds array access in Huffman tables (CVE-2005-3627). * poppler/Stream.cc (DCTStream::readMarker): Check for EOF in while loop to prevent endless loops (CVE-2005-3625). * poppler/JBIG2Stream.cc (JBIG2Bitmap::JBIG2Bitmap, JBIG2Bitmap::expand, JBIG2Stream::readHalftoneRegionSeg): Check user supplied width and height against invalid values. Allocate one extra byte to prevent out of bounds access in combine().
author: Kristian Høgsberg <krh@redhat.com> 2006-01-10 19:08:16 +0000
committer: Kristian Høgsberg <krh@redhat.com> 2006-01-10 19:08:16 +0000
commit: 9c3d0ab91e42404cfd215de3739fa5b2bdf71964 (patch)
tree: 1d92a65ffcdfc59fe66c53ffd259917033fd6745
parent: 5d1a2cd62f8e263c6041eaa502e60b188decb9da (diff)
3 files changed, 83 insertions, 9 deletions
diff --git a/ChangeLog b/ChangeLog
index 17283e9d..d31d8e44 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,31 @@
+2006-01-10  Kristian Høgsberg  <krh@redhat.com>
+
+	Security patch from Martin Pitt (#5516).  Multiple integer/buffer
+	overflows.
+
+	* poppler/Stream.cc (CCITTFaxStream::CCITTFaxStream): Check
+	columns for negative or large values (CVE-2005-3624).
+	
+	* poppler/Stream.cc: Reset numComps to 0 since it's a global
+	variable that is used later (CVE-2005-3627).
+	
+	* poppler/Stream.cc (DCTStream::readHuffmanTables): Fix out of
+	bounds array access in Huffman tables (CVE-2005-3627).
+	
+	* poppler/Stream.cc (DCTStream::readMarker): Check for EOF in
+	while loop to prevent endless loops (CVE-2005-3625).
+	
+	* poppler/JBIG2Stream.cc (JBIG2Bitmap::JBIG2Bitmap,
+	JBIG2Bitmap::expand, JBIG2Stream::readHalftoneRegionSeg): Check
+	user supplied width and height against invalid values.  Allocate
+	one extra byte to prevent out of bounds access in combine().
+	
+2006-01-10  Kristian Høgsberg  <krh@redhat.com>
+
+	* poppler/Stream.cc: Fix bug in last security patch (#5514).
+	Also, for the record, the security patch also fixes CVE-2005-3192
+	and CVE-2005-3193.
+
 2005-12-18  Albert Astals Cid  <aacid@kde.org>
 
 	* configure.ac: Better jpeg detection, refer to ml PCbsd problem
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 685e9e78..495272bb 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -13,6 +13,7 @@
 #endif
 
 #include <stdlib.h>
+#include <limits.h>
 #include "goo/GooList.h"
 #include "Error.h"
 #include "JArithmeticDecoder.h"
@@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA):
   w = wA;
   h = hA;
   line = (wA + 7) >> 3;
-  data = (Guchar *)gmalloc(h * line);
+
+  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+    error(-1, "invalid width/height");
+    data = NULL;
+    return;
+  }
+
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)gmalloc(h * line + 1);
+  data[h * line] = 0;
 }
 
 JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
   w = bitmap->w;
   h = bitmap->h;
   line = bitmap->line;
-  data = (Guchar *)gmalloc(h * line);
+
+  if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+    error(-1, "invalid width/height");
+    data = NULL;
+    return;
+  }
+
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)gmalloc(h * line + 1);
   memcpy(data, bitmap->data, h * line);
+  data[h * line] = 0;
 }
 
 JBIG2Bitmap::~JBIG2Bitmap() {
@@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) {
 }
 
 void JBIG2Bitmap::expand(int newH, Guint pixel) {
-  if (newH <= h) {
+  if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
+    error(-1, "invalid width/height");
+    gfree(data);
+    data = NULL;
     return;
   }
-  data = (Guchar *)grealloc(data, newH * line);
+  // need to allocate one extra guard byte for use in combine()
+  data = (Guchar *)grealloc(data, newH * line + 1);
   if (pixel) {
     memset(data + h * line, 0xff, (newH - h) * line);
   } else {
@@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, GBool imm,
     error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
     return;
   }
+  if (gridH == 0 || gridW >= INT_MAX / gridH) {
+    error(getPos(), "Bad size in JBIG2 halftone segment");
+    return;
+  }
+  if (w == 0 || h >= INT_MAX / w) {
+     error(getPos(), "Bad size in JBIG2 bitmap segment");
+    return;
+  }
+
   patternDict = (JBIG2PatternDict *)seg;
   bpp = 0;
   i = 1;
@@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h,
   JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
   int x, y, pix;
 
+  if (w < 0 || h <= 0 || w >= INT_MAX / h) {
+    error(-1, "invalid width/height");
+    return NULL;
+  }
+
   bitmap = new JBIG2Bitmap(0, w, h);
   bitmap->clearToZero();
 
diff --git a/poppler/Stream.cc b/poppler/Stream.cc
index fff06eb1..96b18705 100644
--- a/poppler/Stream.cc
+++ b/poppler/Stream.cc
@@ -430,7 +430,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
     return;
   }
   nVals = width * nComps;
-  if (nVals + 7 <= 0) {
+  if (nVals * nBits + 7 <= 0) {
     return;
   }
   pixBytes = (nComps * nBits + 7) >> 3;
@@ -1288,6 +1288,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA,
   endOfLine = endOfLineA;
   byteAlign = byteAlignA;
   columns = columnsA;
+  if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
+    error(-1, "invalid number of columns: %d", columns);
+    exit(1);
+  }
   rows = rowsA;
   endOfBlock = endOfBlockA;
   black = blackA;
@@ -2928,7 +2932,8 @@ GBool DCTStream::readBaselineSOF() {
   width = read16();
   numComps = str->getChar();
   if (numComps <= 0 || numComps > 4) {
-    error(getPos(), "Bad number of components in DCT stream", prec);
+    numComps = 0;
+    error(getPos(), "Bad number of components in DCT stream");
     return gFalse;
   }
   if (prec != 8) {
@@ -2958,7 +2963,8 @@ GBool DCTStream::readProgressiveSOF() {
   width = read16();
   numComps = str->getChar();
   if (numComps <= 0 || numComps > 4) {
-    error(getPos(), "Bad number of components in DCT stream", prec);
+    numComps = 0;
+    error(getPos(), "Bad number of components in DCT stream");
     return gFalse;
   }
   if (prec != 8) {
@@ -2984,6 +2990,7 @@ GBool DCTStream::readScanInfo() {
   length = read16() - 2;
   scanInfo.numComps = str->getChar();
   if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+    scanInfo.numComps = 0;
     error(getPos(), "Bad number of components in DCT stream");
     return gFalse;
   }
@@ -3061,12 +3068,12 @@ GBool DCTStream::readHuffmanTables() {
   while (length > 0) {
     index = str->getChar();
     --length;
-    if ((index & 0x0f) >= 4) {
+    if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
       error(getPos(), "Bad DCT Huffman table");
       return gFalse;
     }
     if (index & 0x10) {
-      index &= 0x0f;
+      index &= 0x03;
       if (index >= numACHuffTables)
 	numACHuffTables = index+1;
       tbl = &acHuffTables[index];
@@ -3184,9 +3191,11 @@ int DCTStream::readMarker() {
   do {
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c != 0xff);
     do {
       c = str->getChar();
+      if(c == EOF) return EOF;
     } while (c == 0xff);
   } while (c == 0x00);
   return c;
author	Kristian Høgsberg <krh@redhat.com>	2006-01-10 19:08:16 +0000
committer	Kristian Høgsberg <krh@redhat.com>	2006-01-10 19:08:16 +0000
commit	9c3d0ab91e42404cfd215de3739fa5b2bdf71964 (patch)
tree	1d92a65ffcdfc59fe66c53ffd259917033fd6745
parent	5d1a2cd62f8e263c6041eaa502e60b188decb9da (diff)