Hello Thomas,
while upgrading srpm package for the new teTeX-3.0 I noticed that fixes
for CAN-2004-0064 and CAN-2004-0888 aren't applied in the xpdf sources
present in teTeX-3.0. These are mostly unchecked overflows that could be
caused by some malicious PDFs and may lead to arbitrary code execution.
I ported these patches to teTeX-3.0 and they are attached. Maybe they'll
be helpful to you.
Thanks,
Jindrich
--
Jindrich Novy <[EMAIL PROTECTED]>, http://people.redhat.com/jnovy/
--- tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc.CAN-2004-0888 2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/Catalog.cc 2005-02-08 09:53:47.921263552 +0100
@@ -64,6 +64,12 @@ Catalog::Catalog(XRef *xrefA) {
}
pagesSize = numPages0 = (int)obj.getNum();
obj.free();
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ error(-1, "Invalid 'pagesSize'");
+ ok = gFalse;
+ return;
+ }
pages = (Page **)gmalloc(pagesSize * sizeof(Page *));
pageRefs = (Ref *)gmalloc(pagesSize * sizeof(Ref));
for (i = 0; i < pagesSize; ++i) {
@@ -191,6 +197,11 @@ int Catalog::readPageTree(Dict *pagesDic
}
if (start >= pagesSize) {
pagesSize += 32;
+ if (pagesSize*(int)sizeof(Page *)/sizeof(Page *) != pagesSize ||
+ pagesSize*(int)sizeof(Ref)/sizeof(Ref) != pagesSize) {
+ error(-1, "Invalid 'pagesSize' parameter.");
+ goto err3;
+ }
pages = (Page **)grealloc(pages, pagesSize * sizeof(Page *));
pageRefs = (Ref *)grealloc(pageRefs, pagesSize * sizeof(Ref));
for (j = pagesSize - 32; j < pagesSize; ++j) {
--- tetex-src-3.0/libs/xpdf/xpdf/XRef.cc.CAN-2004-0888 2005-01-19 13:09:57.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/XRef.cc 2005-02-08 09:42:59.942771256 +0100
@@ -718,6 +718,10 @@ GBool XRef::constructXRef() {
error(-1, "Bad object number");
return gFalse;
}
+ if (newSize*(int)sizeof(XRefEntry)/sizeof(XRefEntry) != newSize) {
+ error(-1, "Invalid 'obj' parameters.");
+ return gFalse;
+ }
entries = (XRefEntry *)
grealloc(entries, newSize * sizeof(XRefEntry));
for (i = size; i < newSize; ++i) {
@@ -741,6 +745,10 @@ GBool XRef::constructXRef() {
} else if (!strncmp(p, "endstream", 9)) {
if (streamEndsLen == streamEndsSize) {
streamEndsSize += 64;
+ if (streamEndsSize*(int)sizeof(int)/sizeof(int) != streamEndsSize) {
+ error(-1, "Invalid 'endstream' parameter.");
+ return gFalse;
+ }
streamEnds = (Guint *)grealloc(streamEnds,
streamEndsSize * sizeof(int));
}
--- tetex-src-3.0/libs/xpdf/xpdf/Decrypt.cc.CAN-2005-0064 2004-01-22 02:26:45.000000000 +0100
+++ tetex-src-3.0/libs/xpdf/xpdf/Decrypt.cc 2005-02-08 10:09:10.899949464 +0100
@@ -135,6 +135,9 @@ GBool Decrypt::makeFileKey2(int encVersi
int len, i, j;
GBool ok;
+ // truncate keyLength when it won't fit tmpKey
+ keyLength = keyLength > sizeof(tmpKey) ? sizeof(tmpKey) : keyLength;
+
// generate file key
buf = (Guchar *)gmalloc(68 + fileID->getLength());
if (userPassword) {
