Hi Frank! Frank Küster [2005-12-08 13:17 +0100]: > Martin Pitt <[EMAIL PROTECTED]> wrote: > > > Hi! > > > > I'm currently preparing Ubuntu security updates for these issues, and > > I noticed that the upstream provided patch is wrong. I sent the mail > > below to upstream (and some others). > > > > Can you please check that you indeed fixed (tetex-bin)/will fix > > (poppler) DCTStream::readProgressiveSOF(), too? > [...] > > It seems that the patch linked from these advisories [1] is a little > > bit flawed: it checks numComps twice in DCTStream::readBaselineSOF(), > > but does not check it in DCTStream::readProgressiveSOF(). > > We have the same flaw in our upload. Would you be so kind and check the > updated patch at > > http://svn.debian.org/wsvn/pkg-tetex/tetex-bin/trunk/debian/patches/patch-CVE-2005-3191+2+3?op=file&rev=0&sc=0 > > I'm completely illerate in C++, and would like to make sure this is > correct.
Bad news. A further review of Streams.cc revealed a third place where
numComps goes unchecked (I checked the whole file now, it's really the
last one). So you additionally need this hunk:
@@ -2947,6 +2974,10 @@ GBool DCTStream::readScanInfo() {
length = read16() - 2;
scanInfo.numComps = str->getChar();
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?
signature.asc
Description: Digital signature

