diff options
author | Kristian Høgsberg <krh@redhat.com> | 2006-01-10 19:08:16 +0000 |
---|---|---|
committer | Kristian Høgsberg <krh@redhat.com> | 2006-01-10 19:08:16 +0000 |
commit | 9c3d0ab91e42404cfd215de3739fa5b2bdf71964 (patch) | |
tree | 1d92a65ffcdfc59fe66c53ffd259917033fd6745 | |
parent | 5d1a2cd62f8e263c6041eaa502e60b188decb9da (diff) |
2006-01-10 Kristian Høgsberg <krh@redhat.com>
Security patch from Martin Pitt (#5516). Multiple integer/buffer
overflows.
* poppler/Stream.cc (CCITTFaxStream::CCITTFaxStream): Check
columns for negative or large values (CVE-2005-3624).
* poppler/Stream.cc: Reset numComps to 0 since it's a global
variable that is used later (CVE-2005-3627).
* poppler/Stream.cc (DCTStream::readHuffmanTables): Fix out of
bounds array access in Huffman tables (CVE-2005-3627).
* poppler/Stream.cc (DCTStream::readMarker): Check for EOF in
while loop to prevent endless loops (CVE-2005-3625).
* poppler/JBIG2Stream.cc (JBIG2Bitmap::JBIG2Bitmap,
JBIG2Bitmap::expand, JBIG2Stream::readHalftoneRegionSeg): Check
user supplied width and height against invalid values. Allocate
one extra byte to prevent out of bounds access in combine().
-rw-r--r-- | ChangeLog | 28 | ||||
-rw-r--r-- | poppler/JBIG2Stream.cc | 45 | ||||
-rw-r--r-- | poppler/Stream.cc | 19 |
3 files changed, 83 insertions, 9 deletions
@@ -1,3 +1,31 @@ +2006-01-10 Kristian Høgsberg <krh@redhat.com> + + Security patch from Martin Pitt (#5516). Multiple integer/buffer + overflows. + + * poppler/Stream.cc (CCITTFaxStream::CCITTFaxStream): Check + columns for negative or large values (CVE-2005-3624). + + * poppler/Stream.cc: Reset numComps to 0 since it's a global + variable that is used later (CVE-2005-3627). + + * poppler/Stream.cc (DCTStream::readHuffmanTables): Fix out of + bounds array access in Huffman tables (CVE-2005-3627). + + * poppler/Stream.cc (DCTStream::readMarker): Check for EOF in + while loop to prevent endless loops (CVE-2005-3625). + + * poppler/JBIG2Stream.cc (JBIG2Bitmap::JBIG2Bitmap, + JBIG2Bitmap::expand, JBIG2Stream::readHalftoneRegionSeg): Check + user supplied width and height against invalid values. Allocate + one extra byte to prevent out of bounds access in combine(). + +2006-01-10 Kristian Høgsberg <krh@redhat.com> + + * poppler/Stream.cc: Fix bug in last security patch (#5514). + Also, for the record, the security patch also fixes CVE-2005-3192 + and CVE-2005-3193. + 2005-12-18 Albert Astals Cid <aacid@kde.org> * configure.ac: Better jpeg detection, refer to ml PCbsd problem diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index 685e9e78..495272bb 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -13,6 +13,7 @@ #endif #include <stdlib.h> +#include <limits.h> #include "goo/GooList.h" #include "Error.h" #include "JArithmeticDecoder.h" @@ -681,7 +682,16 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, int wA, int hA): w = wA; h = hA; line = (wA + 7) >> 3; - data = (Guchar *)gmalloc(h * line); + + if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + error(-1, "invalid width/height"); + data = NULL; + return; + } + + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); + data[h * line] = 0; } JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): @@ -690,8 +700,17 @@ JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap): w = bitmap->w; h = bitmap->h; line = bitmap->line; - data = (Guchar *)gmalloc(h * line); + + if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) { + error(-1, "invalid width/height"); + data = NULL; + return; + } + + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)gmalloc(h * line + 1); memcpy(data, bitmap->data, h * line); + data[h * line] = 0; } JBIG2Bitmap::~JBIG2Bitmap() { @@ -716,10 +735,14 @@ JBIG2Bitmap *JBIG2Bitmap::getSlice(Guint x, Guint y, Guint wA, Guint hA) { } void JBIG2Bitmap::expand(int newH, Guint pixel) { - if (newH <= h) { + if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) { + error(-1, "invalid width/height"); + gfree(data); + data = NULL; return; } - data = (Guchar *)grealloc(data, newH * line); + // need to allocate one extra guard byte for use in combine() + data = (Guchar *)grealloc(data, newH * line + 1); if (pixel) { memset(data + h * line, 0xff, (newH - h) * line); } else { @@ -2256,6 +2279,15 @@ void JBIG2Stream::readHalftoneRegionSeg(Guint segNum, GBool imm, error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment"); return; } + if (gridH == 0 || gridW >= INT_MAX / gridH) { + error(getPos(), "Bad size in JBIG2 halftone segment"); + return; + } + if (w == 0 || h >= INT_MAX / w) { + error(getPos(), "Bad size in JBIG2 bitmap segment"); + return; + } + patternDict = (JBIG2PatternDict *)seg; bpp = 0; i = 1; @@ -2887,6 +2919,11 @@ JBIG2Bitmap *JBIG2Stream::readGenericRefinementRegion(int w, int h, JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2; int x, y, pix; + if (w < 0 || h <= 0 || w >= INT_MAX / h) { + error(-1, "invalid width/height"); + return NULL; + } + bitmap = new JBIG2Bitmap(0, w, h); bitmap->clearToZero(); diff --git a/poppler/Stream.cc b/poppler/Stream.cc index fff06eb1..96b18705 100644 --- a/poppler/Stream.cc +++ b/poppler/Stream.cc @@ -430,7 +430,7 @@ StreamPredictor::StreamPredictor(Stream *strA, int predictorA, return; } nVals = width * nComps; - if (nVals + 7 <= 0) { + if (nVals * nBits + 7 <= 0) { return; } pixBytes = (nComps * nBits + 7) >> 3; @@ -1288,6 +1288,10 @@ CCITTFaxStream::CCITTFaxStream(Stream *strA, int encodingA, GBool endOfLineA, endOfLine = endOfLineA; byteAlign = byteAlignA; columns = columnsA; + if (columns < 1 || columns >= INT_MAX / sizeof(short)) { + error(-1, "invalid number of columns: %d", columns); + exit(1); + } rows = rowsA; endOfBlock = endOfBlockA; black = blackA; @@ -2928,7 +2932,8 @@ GBool DCTStream::readBaselineSOF() { width = read16(); numComps = str->getChar(); if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); + numComps = 0; + error(getPos(), "Bad number of components in DCT stream"); return gFalse; } if (prec != 8) { @@ -2958,7 +2963,8 @@ GBool DCTStream::readProgressiveSOF() { width = read16(); numComps = str->getChar(); if (numComps <= 0 || numComps > 4) { - error(getPos(), "Bad number of components in DCT stream", prec); + numComps = 0; + error(getPos(), "Bad number of components in DCT stream"); return gFalse; } if (prec != 8) { @@ -2984,6 +2990,7 @@ GBool DCTStream::readScanInfo() { length = read16() - 2; scanInfo.numComps = str->getChar(); if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) { + scanInfo.numComps = 0; error(getPos(), "Bad number of components in DCT stream"); return gFalse; } @@ -3061,12 +3068,12 @@ GBool DCTStream::readHuffmanTables() { while (length > 0) { index = str->getChar(); --length; - if ((index & 0x0f) >= 4) { + if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) { error(getPos(), "Bad DCT Huffman table"); return gFalse; } if (index & 0x10) { - index &= 0x0f; + index &= 0x03; if (index >= numACHuffTables) numACHuffTables = index+1; tbl = &acHuffTables[index]; @@ -3184,9 +3191,11 @@ int DCTStream::readMarker() { do { do { c = str->getChar(); + if(c == EOF) return EOF; } while (c != 0xff); do { c = str->getChar(); + if(c == EOF) return EOF; } while (c == 0xff); } while (c == 0x00); return c; |