On Tue, 2017-04-25 at 00:10 +0200, Matthias Brinke wrote:
> I've run-tested a hopefully-final version of my patch fixing
> CVE-2017-5853 (tested with the original reproducer PDF file
> using the test program whose source is also attached)

Hi,

I wasn't able to reproduce the CVE-2017-5853, and yes, my PoDoFo loads libusan too, thus I cannot tell for sure whether that change fixes anything real.

I see a difference in behaviour between Matthias' and Mark's proposed patches. While Matthias' patch ends with "Object not found, catalog not found", Mark's patch ends with "Value out of range". Those are two very different behaviours, Matthias' change seems to be more forgiving. It also fixes CVE-2017-6844, but it doesn't help with CVE-2017-5855, thus I removed that comment and changed that test slightly, I hope for good.

The change is committed as revision 1840:
https://sourceforge.net/p/podofo/code/1840

Bye,
zyx

--
http://www.litePDF.cz i...@litepdf.cz