rpms/tetex/FC-4 tetex-3.0-CVE-2005-3193.patch, NONE, 1.1 tetex.spec, 1.65, 1.66
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Dec 7 09:52:25 UTC 2005
Author: jnovy
Update of /cvs/dist/rpms/tetex/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv14655
Modified Files:
tetex.spec
Added Files:
tetex-3.0-CVE-2005-3193.patch
Log Message:
fix CVE-2005-3193 - xpdf buffer overflows
tetex-3.0-CVE-2005-3193.patch:
goo/gmem.c | 22 ++++++++++++++++++++++
goo/gmem.h | 9 +++++++++
xpdf/JPXStream.cc | 11 ++++++++---
xpdf/Stream.cc | 33 ++++++++++++++++++++++++++++++++-
xpdf/Stream.h | 3 +++
5 files changed, 74 insertions(+), 4 deletions(-)
--- NEW FILE tetex-3.0-CVE-2005-3193.patch ---
--- tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/JPXStream.cc 2005-12-06 19:23:10.000000000 +0100
@@ -666,7 +666,7 @@ GBool JPXStream::readCodestream(Guint le
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, comp, nTiles, i, j, r;
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,8 +701,13 @@ GBool JPXStream::readCodestream(Guint le
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
- sizeof(JPXTile));
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles / img.nXTiles != img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmallocn(nTiles, sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
sizeof(JPXTileComp));
--- tetex-src-3.0/libs/xpdf/xpdf/Stream.h.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.h 2005-12-06 19:17:09.000000000 +0100
@@ -233,6 +233,8 @@ public:
~StreamPredictor();
+ GBool isOk() { return ok; }
+
int lookChar();
int getChar();
@@ -250,6 +252,7 @@ private:
int rowBytes; // bytes per line
Guchar *predLine; // line buffer
int predIdx; // current index in predLine
+ GBool ok;
};
//------------------------------------------------------------------------
--- tetex-src-3.0/libs/xpdf/xpdf/Stream.cc.CVE-2005-3193 2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/Stream.cc 2005-12-06 19:17:09.000000000 +0100
@@ -407,18 +407,33 @@ void ImageStream::skipLine() {
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
int widthA, int nCompsA, int nBitsA) {
+ int totalBits;
+
str = strA;
predictor = predictorA;
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
nVals = width * nComps;
+ totalBits = nVals * nBits;
+ if (totalBits == 0 ||
+ (totalBits / nBits) / nComps != width ||
+ totalBits + 7 < 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
StreamPredictor::~StreamPredictor() {
@@ -1012,6 +1027,10 @@ LZWStream::LZWStream(Stream *strA, int p
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
@@ -2897,6 +2916,14 @@ GBool DCTStream::readBaselineSOF() {
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
+ if (numComps <= 0 || numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -3255,6 +3282,10 @@ FlateStream::FlateStream(Stream *strA, i
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
--- tetex-src-3.0/libs/xpdf/goo/gmem.c.orig 2005-11-14 20:02:43.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/goo/gmem.c 2005-11-14 20:04:14.000000000 +0100
@@ -135,6 +135,28 @@
#endif
}
+void *gmallocn(int nObjs, int objSize) {
+ int n;
+
+ n = nObjs * objSize;
+ if (objSize == 0 || n / objSize != nObjs) {
+ fprintf(stderr, "Bogus memory allocation size\n");
+ exit(1);
+ }
+ return gmalloc(n);
+}
+
+void *greallocn(void *p, int nObjs, int objSize) {
+ int n;
+
+ n = nObjs * objSize;
+ if (objSize == 0 || n / objSize != nObjs) {
+ fprintf(stderr, "Bogus memory allocation size\n");
+ exit(1);
+ }
+ return grealloc(p, n);
+}
+
void gfree(void *p) {
#ifdef DEBUG_MEM
int size;
--- tetex-src-3.0/libs/xpdf/goo/gmem.h.orig 2005-11-14 20:05:49.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/goo/gmem.h 2005-11-14 20:05:56.000000000 +0100
@@ -28,6 +28,15 @@
extern void *grealloc(void *p, int size);
/*
+ * These are similar to gmalloc and grealloc, but take an object count
+ * and size. The result is similar to allocating nObjs * objSize
+ * bytes, but there is an additional error check that the total size
+ * doesn't overflow an int.
+ */
+extern void *gmallocn(int nObjs, int objSize);
+extern void *greallocn(void *p, int nObjs, int objSize);
+
+/*
* Same as free, but checks for and ignores NULL pointers.
*/
extern void gfree(void *p);
Index: tetex.spec
===================================================================
RCS file: /cvs/dist/rpms/tetex/FC-4/tetex.spec,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- tetex.spec 19 Sep 2005 14:35:56 -0000 1.65
+++ tetex.spec 7 Dec 2005 09:52:23 -0000 1.66
@@ -10,7 +10,7 @@
Summary: The TeX text formatting system.
Name: tetex
Version: 3.0
-Release: 6.FC4
+Release: 7.FC4
License: distributable
Group: Applications/Publishing
Requires: tmpwatch, dialog, ed
@@ -73,6 +73,7 @@
Patch12: tetex-3.0-badscript.patch
Patch13: tetex-3.0-marvosym-rightarrow.patch
Patch14: tetex-3.0-dcb314.patch
+Patch15: tetex-3.0-CVE-2005-3193.patch
######
# Japanization patches
@@ -286,6 +287,9 @@
# Fix usage of uninitialized variable (bug #149212)
%patch14 -p1 -b .dcb314
+# Fix xpdf overfows CVE-2005-3193 (bug #175110)
+%patch50: -p1 -b .CVE-2005-3193
+
%if %{enable_japanese}
mkdir texmf/ptex-texmf
tar xfj %{SOURCE901} -C texmf/ptex-texmf
@@ -787,6 +791,9 @@
%defattr(-,root,root)
%changelog
+* Wed Dec 7 2005 Jindrich Novy <jnovy at redhat.com> 3.0-7.FC4
+- apply patch from Derek Noonburg to fix CVE-2005-3193 xpdf overflows (#175110)
+
* Mon Sep 19 2005 Jindrich Novy <jnovy at redhat.com> 3.0-6.FC4
- inform user about perl-Tk dependency when using texdoctk (#162441)
- fix texdoctk bindings to fit FC (#162442)
More information about the fedora-cvs-commits
mailing list