[ grammar fix in quoted text ] Hello Dominik, hello all,
Dominik Seichter <domseich...@googlemail.com> wrote on 27 January 2018, 13:23: > > > Hi Matthew et al., > > > On Fri, Jan 26, 2018 at 11:35 PM, Matthew Brincke <ma...@mailbox.org> wrote: > >> [ Left Dominik in To to help him follow this thread, fixed text typos ] >> >> Hello Dominik, hello all, >> >>> Dominik Seichter via Podofo-users has written on 26 January 2018 at 17:37: >>> >>> >>> Hi Mattia, >>> >>> Thanks for the good summary! Let me comment on the open issues. >>> >>> Unfixed security issues: >> ... snip ... >>> >>> https://security-tracker.debian.org/tracker/CVE-2017-8053 >>> -> Please see proposed patch in attachment. Can somebody test/review? >>> >> >> In line 13 of the patch, there are typos, it should be "already visited", >> line 14 doesn't really fit (which object?), and in general, shouldn't >> there be a maximum recursion depth which is checked for, to prevent a >> stack overflow? AFAICS there is no standard function/method to check >> available stack space ;-( ... > > Yes, typos fixed and line 14 removed. Also agreed, that a maximum check > might be nice. Still, the patch should address the main issue of being > vulnerable to certain PDF files. AIUI without a check for a maximum recursion depth files can be crafted, maximally some MiB large, which cause so deep recursion that the (default) stack size is exhausted and, therefore, a stack overflow occurs. For that reason, Dominik, please include the check in your fix for CVE-2017-8053. > > Best regards, > Dominik Best regards, mabri ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Podofo-users mailing list Podofo-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/podofo-users
