[poppler] poppler/poppler: JBIG2Stream.cc, 1.1.1.1,
1.1.1.1.2.1 Stream.cc, 1.3.2.1, 1.3.2.2
Kristian Høgsberg
krh at freedesktop.org
Tue Jan 10 11:08:18 PST 2006
Update of /cvs/poppler/poppler/poppler
In directory gabe:/tmp/cvs-serv19948/poppler
Modified Files:
Tag: POPPLER_0_4_X
JBIG2Stream.cc Stream.cc
Log Message:
2006-01-10 Kristian Høgsberg <krh at redhat.com>
Security patch from Martin Pitt (#5516). Multiple integer/buffer
overflows.
* poppler/Stream.cc (CCITTFaxStream::CCITTFaxStream): Check
columns for negative or large values (CVE-2005-3624).
* poppler/Stream.cc: Reset numComps to 0 since it's a global
variable that is used later (CVE-2005-3627).
* poppler/Stream.cc (DCTStream::readHuffmanTables): Fix out of
bounds array access in Huffman tables (CVE-2005-3627).
* poppler/Stream.cc (DCTStream::readMarker): Check for EOF in
while loop to prevent endless loops (CVE-2005-3625).
* poppler/JBIG2Stream.cc (JBIG2Bitmap::JBIG2Bitmap,
JBIG2Bitmap::expand, JBIG2Stream::readHalftoneRegionSeg): Check
user supplied width and height against invalid values. Allocate
one extra byte to prevent out of bounds access in combine().
Index: JBIG2Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/JBIG2Stream.cc,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -d -r1.1.1.1 -r1.1.1.1.2.1
--- JBIG2Stream.cc 3 Mar 2005 19:46:03 -0000 1.1.1.1
+++ JBIG2Stream.cc 10 Jan 2006 19:08:16 -0000 1.1.1.1.2.1
@@ -13,6 +13,7 @@
#endif
#include <stdlib.h>
+#include <limits.h>
#include "goo/GooList.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
@@ -681,7 +682,16 @@
w = wA;
h = hA;
line = (wA + 7) >> 3;
- data = (Guchar *)gmalloc(h * line);
+
+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ error(-1, "invalid width/height");
+ data = NULL;
+ return;
+ }
+
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+ data[h * line] = 0;
}
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -690,8 +700,17 @@
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
- data = (Guchar *)gmalloc(h * line);
+
+ if (h < 0 || line <= 0 || h >= (INT_MAX - 1) / line) {
+ error(-1, "invalid width/height");
+ data = NULL;
+ return;
+ }
+
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
+ data[h * line] = 0;
}
JBIG2Bitmap::~JBIG2Bitmap() {
@@ -716,10 +735,14 @@
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
+ if (newH <= h || line <= 0 || newH >= (INT_MAX - 1) / line) {
+ error(-1, "invalid width/height");
+ gfree(data);
+ data = NULL;
return;
}
- data = (Guchar *)grealloc(data, newH * line);
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)grealloc(data, newH * line + 1);
if (pixel) {
memset(data + h * line, 0xff, (newH - h) * line);
} else {
@@ -2256,6 +2279,15 @@
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
@@ -2887,6 +2919,11 @@
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
int x, y, pix;
+ if (w < 0 || h <= 0 || w >= INT_MAX / h) {
+ error(-1, "invalid width/height");
+ return NULL;
+ }
+
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();
Index: Stream.cc
===================================================================
RCS file: /cvs/poppler/poppler/poppler/Stream.cc,v
retrieving revision 1.3.2.1
retrieving revision 1.3.2.2
diff -u -d -r1.3.2.1 -r1.3.2.2
--- Stream.cc 12 Dec 2005 22:43:27 -0000 1.3.2.1
+++ Stream.cc 10 Jan 2006 19:08:16 -0000 1.3.2.2
@@ -430,7 +430,7 @@
return;
}
nVals = width * nComps;
- if (nVals + 7 <= 0) {
+ if (nVals * nBits + 7 <= 0) {
return;
}
pixBytes = (nComps * nBits + 7) >> 3;
@@ -1288,6 +1288,10 @@
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
+ if (columns < 1 || columns >= INT_MAX / sizeof(short)) {
+ error(-1, "invalid number of columns: %d", columns);
+ exit(1);
+ }
rows = rowsA;
endOfBlock = endOfBlockA;
black = blackA;
@@ -2928,7 +2932,8 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
- error(getPos(), "Bad number of components in DCT stream", prec);
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
return gFalse;
}
if (prec != 8) {
@@ -2958,7 +2963,8 @@
width = read16();
numComps = str->getChar();
if (numComps <= 0 || numComps > 4) {
- error(getPos(), "Bad number of components in DCT stream", prec);
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
return gFalse;
}
if (prec != 8) {
@@ -2984,6 +2990,7 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ scanInfo.numComps = 0;
error(getPos(), "Bad number of components in DCT stream");
return gFalse;
}
@@ -3061,12 +3068,12 @@
while (length > 0) {
index = str->getChar();
--length;
- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table");
return gFalse;
}
if (index & 0x10) {
- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];
@@ -3184,9 +3191,11 @@
do {
do {
c = str->getChar();
+ if(c == EOF) return EOF;
} while (c != 0xff);
do {
c = str->getChar();
+ if(c == EOF) return EOF;
} while (c == 0xff);
} while (c == 0x00);
return c;
More information about the poppler
mailing list