The revised patch doesn’t compile because it uses:

+            PODOFO_ERROR_INFO( ePdfError_ValueOutOfRange,
+                "xref subsection's given entry numbers together too large" );

instead of

+            PODOFO_RAISE_ERROR_INFO ( ePdfError_ValueOutOfRange,
+                "xref subsection's given entry numbers together too large" );


On 09/04/2017, 22:17, "Matthew Brincke" <ma...@mailbox.org> wrote:

    Hi zyx, hi all,
    
    I've replaced the asserts with PODOFO_RAISE_ERROR_INFO calls
    in if checks and removed the size_t check (replacing it with
    a check more to the point and C++-like), so I hope the change
    is now ready for inclusion as attached to this e-mail (or maybe
    with minor edits still crediting me, please).
    I, like Mark, also haven't tested if it actually fixes
    CVE-2017-5855; if it doesn't, please still accept it for fixing
    the other two.
    
    Best regards, mabri
    
    zyx <z...@litepdf.cz> has written on 9 April 2017 at 13:33:
    > 
    > On Sat, 2017-04-08 at 18:32 +0200, Matthew Brincke wrote:
    > 
    > > *   PODOFO_ASSERT( nFirstObject > 0 );
    > 
    > Hi,
    > I do not like asserts, unless being used in unit tests or such places.
    > Especially as this place is used to parse random data from outside, which
    > the library has no control of, it's not a good idea to abort the whole
    > application due to broken/unexpected input. I know PODOFO_ASSERT()
    > is sensitive to debug builds, but anyway.
    > 
    > > *   PODOFO_ASSERT( sizeof(PdfParser::s_nMaxObjects) <= sizeof(size_t) );
    > 
    > sizeof() tells you how many bytes the argument holds. Is there a typo
    > in this test?
    > 
    > I didn't run either of the proposed patches yet, though I agree with
    > Matthew that if the checks can be done without ABI changes, then it'll
    > be a better option.
    > 
    > Bye,
    >  zyx
    >
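An added illustration, not PoDoFo's code and not part of this thread, of the kind of check the patch discussion is about: validating an xref subsection's "first count" pair from untrusted input by throwing instead of asserting, with the sum guarded so it cannot overflow. The limit kMaxObjects, the exception type and the function names are assumptions standing in for PdfParser::s_nMaxObjects and PODOFO_RAISE_ERROR_INFO.

```cpp
#include <limits>
#include <stdexcept>
#include <string>

// Assumed stand-in for PoDoFo's PdfParser::s_nMaxObjects (value is illustrative).
static const long kMaxObjects = 1000000L;

// Assumed stand-in for what PODOFO_RAISE_ERROR_INFO does: throw, do not abort.
struct XrefRangeError : std::runtime_error {
    explicit XrefRangeError(const std::string& m) : std::runtime_error(m) {}
};

// Validate an xref subsection header "first count" read from an untrusted file.
// Returns first + count when the pair is acceptable, throws otherwise.
// The overflow check compares count against the headroom left below the
// object limit instead of computing first + count first, so the addition
// itself can never overflow a long.
long CheckXrefSubsection(long nFirstObject, long nNumObjects) {
    if (nFirstObject < 0)
        throw XrefRangeError("xref subsection's first object number is negative");
    if (nNumObjects < 0)
        throw XrefRangeError("xref subsection's entry count is negative");
    if (nFirstObject > kMaxObjects || nNumObjects > kMaxObjects)
        throw XrefRangeError("xref subsection's entry number exceeds the object limit");
    if (nNumObjects > kMaxObjects - nFirstObject)
        throw XrefRangeError("xref subsection's given entry numbers together too large");
    return nFirstObject + nNumObjects;
}

// Convenience wrapper: true when the pair is accepted, false when it is rejected.
bool AcceptsXrefSubsection(long nFirstObject, long nNumObjects) {
    try {
        CheckXrefSubsection(nFirstObject, nNumObjects);
        return true;
    } catch (const XrefRangeError&) {
        return false;
    }
}
```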

_______________________________________________
Podofo-users mailing list
Podofo-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/podofo-users