Your message dated Tue, 12 Apr 2005 09:01:40 +0200
with message-id <[EMAIL PROTECTED]>
and subject line This is correctly fixed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Date: Mon, 11 Apr 2005 15:17:36 -0400
From: Joey Hess <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FWD: CAN-2005-0206 xpdf 64 bit issues
Message-ID: <[EMAIL PROTECTED]>
Content-Transfer-Encoding: quoted-printable
Package: gpdf
Version: 2.8.2-1.2
Tags: patch
Let's make a bug in the bts for CAN-2005-0206. It's defined as:
The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0
(CAN-2004-0888) is incomplete for 64-bit architectures on certain Linux
distributions such as Red Hat, which could leave Xpdf users exposed to the
original vulnerabilities.
----- Forwarded message from Moritz Muehlenhoff <[EMAIL PROTECTED]> -----
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
Date: Sat, 9 Apr 2005 23:37:31 +0200
To: [EMAIL PROTECTED]
Subject: CAN-2005-0206 xpdf 64 bit issues
User-Agent: Mutt/1.5.8i
Hi Joey,
I just reviewed all the xpdf incorporating packages wrt the 64 unclean
fixes. All packages besides gpdf are fixed properly, could you NMU with
the attached patch? (maintainer still hasn't acked the previous)
Instead of casting to int as proposed in the Red Hat Bugzilla I ported
over the MAX_INT patch, as we'll never know how upcoming GCCs will
still not optimize it away (in fact I strongly believe that GCC 4 with
SSA _will_ optimize it away).
Cheers,
Moritz
diff -Naur gpdf-2.8.2.orig/xpdf/Catalog.cc gpdf-2.8.2/xpdf/Catalog.cc
--- gpdf-2.8.2.orig/xpdf/Catalog.cc 2004-11-05 19:43:19.000000000 +0100
+++ gpdf-2.8.2/xpdf/Catalog.cc 2005-04-09 23:30:20.000000000 +0200
@@ -64,10 +64,8 @@
}
pagesSize =3D numPages0 =3D (int)obj.getNum();
obj.free();
- // The gcc doesnt optimize this away, so this check is ok,
- // even if it looks like a pagesSize !=3D pagesSize check
- if (pagesSize*sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+ if (pagesSize >=3D INT_MAX/sizeof(Page *) ||
+ pagesSize >=3D INT_MAX/sizeof(Ref)) {
error(-1, "Invalid 'pagesSize'");
ok =3D gFalse;
return;
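Review bot: INT_MAX is introduced in the new condition, but neither Catalog.cc hunk adds an #include <limits.h>, so unless the file already pulls it in through another header this will not compile; please add the include explicitly. The removed comment also documented why the old test was believed safe, and the replacement has none: a short comment saying the bound keeps pagesSize*sizeof(...) below INT_MAX would help, along with a note that ">=" also rejects the largest count that would still fit.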
@@ -200,8 +198,8 @@
}
if (start >=3D pagesSize) {
pagesSize +=3D 32;
- if (pagesSize*sizeof(Page *)/sizeof(Page *) !=3D pagesSize ||
- pagesSize*sizeof(Ref)/sizeof(Ref) !=3D pagesSize) {
+ if (pagesSize >=3D INT_MAX/sizeof(Page *) ||
+ pagesSize >=3D INT_MAX/sizeof(Ref)) {
error(-1, "Invalid 'pagesSize' parameter.");
goto err3;
}
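Review bot: the bound is tested only after "pagesSize += 32", so the addition itself is unguarded in this hunk and is safe only because the check at -64 already keeps pagesSize far below INT_MAX. Testing before the increment, or commenting on that dependency, would make the block self-contained. The two messages for the same condition also differ ("Invalid 'pagesSize'" here versus "Invalid 'pagesSize' parameter." in this hunk); pick one wording.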
diff -Naur gpdf-2.8.2.orig/xpdf/XRef.cc gpdf-2.8.2/xpdf/XRef.cc
--- gpdf-2.8.2.orig/xpdf/XRef.cc 2005-04-09 21:50:55.000000000 +0200
+++ gpdf-2.8.2/xpdf/XRef.cc 2005-04-09 23:27:59.000000000 +0200
@@ -393,7 +393,7 @@
if (newSize < 0) {
goto err1;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+ if (newSize >=3D INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters'");
goto err1;
}
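Review bot: the error string on the context line directly below the changed test, "Invalid 'obj' parameters'", ends in a stray apostrophe where the hunk at -736 has "Invalid 'obj' parameters."; since this block is being touched anyway, fix the message so the two sites report the same text.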
@@ -503,7 +503,7 @@
goto err1;
}
if (newSize > size) {
- if (newSize * sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+ if (newSize >=3D INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'size' parameter.");
return gFalse;
}
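Review bot: "newSize >= INT_MAX/sizeof(XRefEntry)" compares a variable that the hunks at -393 and -597 treat as signed ("if (newSize < 0)") against a size_t quotient, and this site shows no such negative check of its own. The implicit conversion of newSize to unsigned happens to reject negative values, and "newSize > size" covers the case as long as size is non-negative, but that is not obvious from the code; an explicit cast or a one-line comment would state the intent and keep -Wsign-compare quiet.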
@@ -597,7 +597,7 @@
if (newSize < 0) {
return gFalse;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) !=3D newSize) {
+ if (newSize >=3D INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'size' inside xref table.");
return gFalse;
}
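Review bot: this is the third of four identical "newSize >= INT_MAX/sizeof(XRefEntry)" tests in XRef.cc, with a fifth of the same shape for streamEndsSize, each paired with a differently worded error message. A single inline helper or macro taking the count and element size would keep the bound in one place, so a later correction cannot miss a site the way the earlier fix did.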
@@ -736,7 +736,7 @@
error(-1, "Bad object number");
return gFalse;
}
- if (newSize*sizeof(XRefEntry)/sizeof(XRefEntry) !=3D new=
Size) {
+ if (newSize >=3D INT_MAX/sizeof(XRefEntry)) {
error(-1, "Invalid 'obj' parameters.");
return gFalse;
}
@@ -763,7 +763,7 @@
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen =3D=3D streamEndsSize) {
streamEndsSize +=3D 64;
- if (streamEndsSize*sizeof(int)/sizeof(int) !=3D streamEndsSize) {
+ if (streamEndsSize >=3D INT_MAX/sizeof(int)) {
error(-1, "Invalid 'endstream' parameter.");
return gFalse;
}
----- End forwarded message -----
--
see shy jo
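
Why a multiply-and-divide-back test can pass on a 64-bit target while the INT_MAX bound used in the patch above does not, as an added example (not part of the original mails or of the gpdf/xpdf sources). The fixed-width helpers model a 32-bit and a 64-bit size_t; the consumer that keeps only 32 bits of the byte count and all function names are assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Multiply/divide test as evaluated where size_t is 32 bits wide:
 * the product wraps, so dividing back gives a different value. */
static int muldiv_ok_32(int n, uint32_t elem) {
    uint32_t v = (uint32_t)n;
    return (uint32_t)(v * elem) / elem == v;
}

/* The same test where size_t is 64 bits wide: no product of a 32-bit
 * count and a small element size wraps, so it always passes. */
static int muldiv_ok_64(int n, uint64_t elem) {
    uint64_t v = (uint64_t)n;
    return v * elem / elem == v;
}

/* Byte count as seen by a consumer that keeps only the low 32 bits
 * (assumption of this example, e.g. a size passed on as an int). */
static uint32_t bytes_low32(int n, uint64_t elem) {
    return (uint32_t)((uint64_t)n * elem);
}

/* Bound in the style of the added lines: compare the count against
 * INT_MAX / element size. The count is converted to unsigned, so a
 * negative value becomes huge and is rejected as well. */
static int bound_ok(int n, size_t elem) {
    return !((size_t)n >= (size_t)INT_MAX / elem);
}

int main(void) {
    int n = 0x20000000; /* constructed: 2^29 entries of 8 bytes = 2^32 bytes */
    printf("32-bit mul/div accepts: %d\n", muldiv_ok_32(n, 8));
    printf("64-bit mul/div accepts: %d\n", muldiv_ok_64(n, 8));
    printf("low 32 bits of size:    %u\n", (unsigned)bytes_low32(n, 8));
    printf("INT_MAX bound accepts:  %d\n", bound_ok(n, 8));
    return 0;
}
```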
---------------------------------------
Date: Tue, 12 Apr 2005 09:01:40 +0200
To: [EMAIL PROTECTED]
Subject: This is correctly fixed
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
Hi,
sorry for the noise; I made the analysis against the code without the patches
applied, which I overlooked for some reason. The patch as it is applied is
correct.
Cheers,
Moritz