Security holes are fixed. Patch is attached and SF is updated.
Thanks for the report.
Joerg.
On Sun, 17 Apr 2005, Cosimo Alfarano wrote:
> Forwarded from Debian BTS
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305068
>
> feel free to comment directly to BTS writing at [EMAIL PROTECTED]
>
> cheers,
> c.
>
> ----- Forwarded message from Moritz Muehlenhoff <[EMAIL PROTECTED]> -----
>
> > From: Moritz Muehlenhoff <jmm*inutil.org>
> > Date: Sun, 17 Apr 2005 20:41:37 +0200
> > To: Debian Bug Tracking System <submit*bugs.debian.org>
> > Subject: Bug#305068: Integer and heap overflow in gocr
> > X-Mailer: reportbug 3.9
> >
> > Package: gocr
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Two security vulnerabilities have been reported on gocr that may be
> > exploited to execute arbitrary code. For full details please have a
> > look at http://www.overflow.pl/adv/gocr.txt
> >
> > Cheers,
> > Moritz
> >
> > -- System Information:
> > Debian Release: 3.1
> > APT prefers unstable
> > APT policy: (500, 'unstable')
> > Architecture: i386 (i686)
> > Kernel: Linux 2.6.11
> > Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
>
> ----- End forwarded message -----
--- gocr-0.40/src/pnm.c 2005-03-07 15:45:35.000000000 +0100
+++ jocr/src/pnm.c 2005-04-18 23:15:56.421138288 +0200
@@ -1,8 +1,9 @@
-/* (c) Joerg Schulenburg 2000
+/* (c) Joerg Schulenburg 2000-2005
v0.1.0 initial version (stdin added)
v0.2.0 popen added
v0.2.7 review by Bruno Barberi Gnecco
v0.39 autoconf
+ v0.41 fix integer and heap overflow
*/
#include <stdlib.h>
@@ -100,7 +101,6 @@
FILE *fp;
char *pip, magic1, magic2;
int i, j, sample, minv = 0, maxv = 0;
- int ppm_format = 0;
struct pam inpam;
tuple *tuplerow;
@@ -140,9 +140,6 @@
p->x = inpam.width;
p->y = inpam.height;
- if ( !(p->p = (unsigned char *)malloc(p->x*p->y)) )
- F1("Error at malloc: p->p: %d bytes", p->x*p->y);
- tuplerow = pnm_allocpamrow(&inpam);
magic1=(inpam.format >> 8) & 255; /* 'P' for PNM,PAM */
magic2=(inpam.format ) & 255; /* '7' for PAM */
minv=inpam.maxval;
@@ -156,6 +153,11 @@
inpam.depth,
inpam.bytes_per_sample);
}
+ if ( (1.*(p->x*p->y))!=((1.*p->x)*p->y) )
+ F0("Error integer overflow");
+ if ( !(p->p = (unsigned char *)malloc(p->x*p->y)) )
+ F1("Error at malloc: p->p: %d bytes", p->x*p->y);
+ tuplerow = pnm_allocpamrow(&inpam);
for ( i=0; i < inpam.height; i++ ) {
pnm_readpamrow(&inpam, tuplerow);
for ( j = 0; j < inpam.width; j++ ) {
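Review bot: The guard added just before the malloc detects overflow only after `p->x*p->y` has already been computed, and signed int overflow is undefined behaviour in C, so an optimizing compiler is entitled to fold `(1.*(p->x*p->y))!=((1.*p->x)*p->y)` to false and remove the check altogether. Test before multiplying instead, e.g. `if ( p->x <= 0 || p->y <= 0 || p->x > INT_MAX / p->y ) F0("Error integer overflow");` (needs `<limits.h>`), which also rejects non-positive dimensions before they reach malloc. The same post-hoc comparison is added for `nx*ny` in the hunk at `@@ -242,6 +243,8 @@` and needs the same treatment. That p->x and p->y are int is inferred from the `%d` in the F1 message on the next line; confirm against the struct definition, which is outside the hunk, as is the start and end of the enclosing function.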
@@ -189,7 +191,6 @@
FILE *f1; unsigned char *pic;
char buf[512];
int lx, ly, dx;
- int value;
int bps=1; /* bytes per sample (0..255..65535...) */
pip=NULL;
@@ -242,6 +243,8 @@
if (nc>>16) bps=3;
if (nc>>24) bps=4;
fflush(stdout);
+ if ( (1.*(nx*ny))!=((1.*nx)*ny) )
+ F0("Error integer overflow");
pic=(unsigned char *)malloc( nx*ny );
if(pic==NULL)F0("memory failed"); // no memory
/* this is a slow but short routine for P1 to P6 formats */
@@ -263,7 +266,7 @@
if( isdigit(c1) ) { pic[i]=((c1=='0')?255:0); i++; }
else if( !isspace(c1) )F0("unexpected char");
}
- if( c2=='3' )for(mod=k=j=i=0;i<nx*ny*3 && !feof(f1);){
+ if( c2=='3' )for(mod=k=j=i=0;i<nx*ny && !feof(f1);){
c1=read_char(f1);
if( !isdigit(c1) ) { if( !isspace(c1) )F0("unexpected char");
if(1&mod) { k+=j; if(mod==5){ pic[i]=k/3; i++; }