Bug#443903: CVE-2007-5049 stack based buffer overflow

Wed, 26 Sep 2007 12:57:16 -0700 

Hi,
I intend to NMU this bug.
The attached patch fixes this issue.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/poppler-0.5.4-6.1_0.5.4-6.2.patch

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

diff -u poppler-0.5.4/debian/changelog poppler-0.5.4/debian/changelog
--- poppler-0.5.4/debian/changelog
+++ poppler-0.5.4/debian/changelog
@@ -1,3 +1,12 @@
+poppler (0.5.4-6.2) unstable; urgency=high
+
+  * Non-maintainer upload by testing security team.
+  * Renamed CVE-2007-3387.patch to CVE-2007-3387_2007-5049.patch
+    and fix a buffer overflow in StreamPredictor::getNextLine
+    as well (CVE-2007-5049) (Closes: #443903).
+
+ -- Nico Golde <[EMAIL PROTECTED]>  Wed, 26 Sep 2007 18:40:41 +0200
+
 poppler (0.5.4-6.1) unstable; urgency=high
 
   * Non-maintainer upload
reverted:
--- poppler-0.5.4/debian/patches/CVE-2007-3387.patch
+++ poppler-0.5.4.orig/debian/patches/CVE-2007-3387.patch
@@ -1,15 +0,0 @@
---- Stream.cc.orig	2007-08-05 11:05:42.000000000 +0000
-+++ poppler-0.5.4/poppler/Stream.cc	2007-08-05 11:07:12.000000000 +0000
-@@ -423,9 +423,9 @@
- 
-   nVals = width * nComps;
-   if (width <= 0 || nComps <= 0 || nBits <= 0 ||
--      nComps >= INT_MAX/nBits ||
--      width >= INT_MAX/nComps/nBits ||
--      nVals * nBits + 7 < 0) {
-+      nComps > gfxColorMaxComps || nBits > 16 ||
-+      width >= INT_MAX / nComps ||
-+      nVals >= (INT_MAX - 7) / nBits) {
-     return;
-   }
-   totalBits = nVals * nBits;
only in patch2:
unchanged:
--- poppler-0.5.4.orig/debian/patches/CVE-2007-3387_2007-5049.patch
+++ poppler-0.5.4/debian/patches/CVE-2007-3387_2007-5049.patch
@@ -0,0 +1,28 @@
+--- poppler-0.5.4.orig/poppler/Stream.cc	2006-07-28 20:07:41.000000000 +0200
++++ poppler-0.5.4/poppler/Stream.cc	2007-09-26 18:39:20.000000000 +0200
+@@ -422,12 +422,6 @@
+   ok = gFalse;
+ 
+   nVals = width * nComps;
+-  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+-      nComps >= INT_MAX/nBits ||
+-      width >= INT_MAX/nComps/nBits ||
+-      nVals * nBits + 7 < 0) {
+-    return;
+-  }
+   totalBits = nVals * nBits;
+   if (totalBits == 0 ||
+       (totalBits / nBits) / nComps != width ||
+@@ -436,7 +430,11 @@
+   }
+   pixBytes = (nComps * nBits + 7) >> 3;
+   rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+-  if (rowBytes < 0) {
++  if (width <= 0 || nComps <= 0 || nBits <= 0 ||
++      nComps > gfxColorMaxComps ||
++      nBits > 16 ||
++      width >= INT_MAX / nComps ||      // check for overflow in nVals
++      nVals >= (INT_MAX - 7) / nBits) { // check for overflow in rowBytes
+     return;
+   }
+   predLine = (Guchar *)gmalloc(rowBytes);

Attachment: pgpfLc3TGcXhV.pgp
Description: PGP signature

Reply via email to