Hi all,

I'm sorry if that wasn't clear: the caveats about my knowledge I gave in my answer to Mark still apply. I'd also like to know whether the CVEs he has patches for include CVE-2017-6840 and CVE-2017-6842, because I'd like to work on those, if not, when I next have time. (Basically, protect the graphics stack from being accessed when empty, throwing an exception then.) What I mentioned about GCC 5.2.1 UBSan is also still true.
Best regards, mabri

Matthew Brincke <ma...@mailbox.org> has written on 9 April 2017 at 23:17:
>
> Hi zyx, hi all,
>
> I've replaced the asserts with PODOFO_RAISE_ERROR_INFO calls
> in if checks and removed the size_t check (replacing it with
> a check more to the point and C++-like), so I hope the change
> is now ready for inclusion as attached to this e-mail (or maybe
> with minor edits still crediting me, please).
> I, like Mark, also haven't tested if it actually fixes
> CVE-2017-5855 (if it wouldn't, please still accept it for fixing
> the other two).
>
> Best regards, mabri
>
> zyx <z...@litepdf.cz> has written on 9 April 2017 at 13:33:
> >
> > On Sat, 2017-04-08 at 18:32 +0200, Matthew Brincke wrote:
> > > * PODOFO_ASSERT( nFirstObject > 0 );
> >
> > Hi,
> > I do not like asserts, unless being used in unit tests or such places.
> > Especially this place is used to parse random data from outside, which
> > the library has no control of, then it's not a good idea to abort the whole
> > application due to the broken/unexpected input. I know PODOFO_ASSERT()
> > is sensitive for debug builds, but anyway.
> >
> > > * PODOFO_ASSERT( sizeof(PdfParser::s_nMaxObjects) <= sizeof(size_t) );
> >
> > sizeof() tells you how many bytes the argument holds. Is there a typo
> > in this test?
> >
> > I didn't run either of the proposed patches yet, though I agree with
> > Matthew that if the checks can be done without ABI changes, then it'll
> > be a better option.
> >
> > Bye,
> >
> > zyx

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users
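The point zyx makes above, that a parser fed untrusted bytes must reject bad input by raising an error rather than asserting (an assert aborts the host process, and is compiled out under NDEBUG so the check is simply absent in release builds), is shown below as an added example. This is not PoDoFo's code and not the patch attached to the thread: the function and type names, the `kMaxObjects` cap standing in for `PdfParser::s_nMaxObjects`, the use of `std::invalid_argument` in place of `PODOFO_RAISE_ERROR_INFO`, and the specific thresholds are all assumptions of the example. It validates an xref subsection header ("first count") and guards the `first + count` range without computing a sum that could itself overflow.

```cpp
// Added example (not PoDoFo code): validating an xref subsection header
// read from an untrusted PDF with exceptions instead of asserts.
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical cap standing in for PdfParser::s_nMaxObjects (assumption).
static const long kMaxObjects = 8L * 1024 * 1024;

struct XRefSection {
    long first;   // first object number in the subsection
    long count;   // number of entries that follow the header
};

// Parse "first count" as found at the start of an xref subsection.
// Every rejection throws std::invalid_argument so the caller can fail the
// document cleanly; an assert() here would abort the whole application on
// a malformed file and would vanish entirely in an NDEBUG build.
XRefSection parseXRefSectionHeader(const std::string& line)
{
    std::istringstream in(line);
    long first = 0, count = 0;
    // Non-numeric tokens and integers too large for `long` both set failbit.
    if (!(in >> first >> count))
        throw std::invalid_argument("xref subsection header is not two integers");
    if (first < 0 || count < 0)
        throw std::invalid_argument("negative object number or count in xref subsection");
    if (count > kMaxObjects)
        throw std::invalid_argument("xref subsection claims more objects than allowed");
    // Check first + count <= kMaxObjects without forming the sum, so the
    // range test itself cannot overflow on hostile values.
    if (first > kMaxObjects - count)
        throw std::invalid_argument("xref subsection exceeds the object number limit");
    return XRefSection{first, count};
}

// Convenience for callers that only need accept/reject: true when rejected.
bool headerRejected(const std::string& line)
{
    try {
        parseXRefSectionHeader(line);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

int main()
{
    // Constructed sample headers: one benign, the rest hostile.
    const char* samples[] = {
        "0 6",                      // ordinary subsection
        "-1 5",                     // negative first object
        "0 9000000",                // count above the cap
        "9223372036854775807 1",    // first + count would wrap
        "99999999999999999999 1",   // does not fit in long
        "abc",                      // not a header at all
    };
    for (const char* s : samples)
        std::cout << '"' << s << "\" -> " << (headerRejected(s) ? "rejected" : "accepted") << '\n';
    return 0;
}
```

The sign and size thresholds are the example's own; the patch under discussion may apply different ones, but the shape of the check (parse, validate, throw) is what matters for fuzzed input.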