Commit 326e460c authored by Pino Toscano's avatar Pino Toscano

fix CVE-2010-4653

parent dbaefba7
......@@ -3,6 +3,7 @@ poppler (0.12.4-1.2+squeeze1) UNRELEASED; urgency=low
* Non-maintainer upload.
* Fix CVE-2010-0206.
* Fix CVE-2010-0207; patch adapted to be API-/ABI-compatible.
* Fix CVE-2010-4653.
-- Pino Toscano <pino@debian.org> Wed, 27 Jun 2012 18:36:18 +0200
......
From cad66a7d25abdb6aa15f3aa94a35737b119b2659 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 2 Nov 2010 19:14:34 +0000
Subject: [PATCH] Fix crash in broken documents
mapLen = (code + 256) & ~255; can wrap and you end up with mapLen < code
that is not what you wanted
---
poppler/CharCodeToUnicode.cc | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/poppler/CharCodeToUnicode.cc b/poppler/CharCodeToUnicode.cc
index 1835ddd..3cfa402 100644
--- a/poppler/CharCodeToUnicode.cc
+++ b/poppler/CharCodeToUnicode.cc
@@ -13,7 +13,7 @@
// All changes made under the Poppler project to this file are licensed
// under GPL version 2 or later
//
-// Copyright (C) 2006, 2008, 2009 Albert Astals Cid <aacid@kde.org>
+// Copyright (C) 2006, 2008-2010 Albert Astals Cid <aacid@kde.org>
// Copyright (C) 2007 Julien Rebetez <julienr@svn.gnome.org>
// Copyright (C) 2007 Koji Otani <sho@bbr.jp>
// Copyright (C) 2008 Michael Vrable <mvrable@cs.ucsd.edu>
@@ -36,6 +36,7 @@
#include <string.h>
#include "goo/gmem.h"
#include "goo/gfile.h"
+#include "goo/GooLikely.h"
#include "goo/GooString.h"
#include "Error.h"
#include "GlobalParams.h"
@@ -366,10 +367,15 @@ void CharCodeToUnicode::addMapping(CharCode code, char *uStr, int n,
if (code >= mapLen) {
oldLen = mapLen;
mapLen = (code + 256) & ~255;
- map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
- for (i = oldLen; i < mapLen; ++i) {
- map[i] = 0;
- }
+ if (unlikely(code >= mapLen)) {
+ error(-1, "Illegal code value in CharCodeToUnicode::addMapping");
+ return;
+ } else {
+ map = (Unicode *)greallocn(map, mapLen, sizeof(Unicode));
+ for (i = oldLen; i < mapLen; ++i) {
+ map[i] = 0;
+ }
+ }
}
if (n <= 4) {
if (sscanf(uStr, "%x", &u) != 1) {
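Review bot: On the new early-return path in `addMapping`, `mapLen` has already been overwritten with the wrapped result of `mapLen = (code + 256) & ~255;` and is never restored, so the object can be left with a `mapLen` smaller than the buffer `map` actually holds. A later call with a valid code would then presumably take the `code >= mapLen` branch again, and the zero-fill loop starting at the stale `oldLen` would wipe mappings that were already stored. Adding `mapLen = oldLen;` just before the `return;` keeps the state consistent; computing the new length into a local and assigning it only after the check would do the same. The function starts before and continues past this hunk, so other readers of `mapLen` are not visible here and should be checked against the same case.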
--
1.7.10
......@@ -4,3 +4,4 @@
04_security.patch
05_CVE-2010-0206.patch
06_CVE-2010-0207.patch
07_CVE-2010-4653.patch