[VIM] *pdf - new issues or old?
Steven M. Christey
coley at linus.mitre.org
Wed Mar 15 13:11:39 EST 2006
I've done some followup work on this. See below. In brief, I agree with
the BID/OSVDB decisions to create a new item for "unspecified" vulns,
although it's not 100% sure whether there are really new vulns or not.
- Steve
=============================
OK,
Due to a serious, temporary lack of judgment, I decided to do some
diff digging for DEBIAN:DSA-979 to see if the pdfkit.framework/xpdf
patches include anything beyond what's already been covered in xpdf.
I used this:
http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge3.diff.gz
Below are all the relevant diffs, minus all the extra cruft like
makefile changes, etc.
My notes start with "[*** SMC"
This is an informal, diff-only analysis with a bit of guesswork. That
said, these diffs do appear to include some security-relevant changes
that do not have associated CVEs, but:
- some could be defensive in nature (e.g. gmem.c changes)
- the developer might have fixed some issues simultaneously with a
particular CVE, although only one particular issue might have been
mentioned (CVE-2005-3192 is an example)
- some code might not be user-triggerable
Finally: if you want to do some followup analysis, the diff's for gpdf
(DSA-982) were more closely labeled with CVE or CAN numbers, which
might help resolve some of the open questions I have below. At the
moment I'm out of time to do more.
- Steve
==================================================================
==================================================================
Name: CVE-2006-1244
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1244
Reference: DEBIAN:DSA-979
Reference: URL:http://www.debian.org/security/2006/dsa-979
Reference: MISC:http://security.debian.org/pool/updates/main/p/pdfkit.framework/pdfkit.framework_0.8-2sarge3.diff.gz
Reference: DEBIAN:DSA-982
Reference: URL:http://www.debian.org/security/2006/dsa-982
Reference: DEBIAN:DSA-983
Reference: URL:http://www.debian.org/security/2006/dsa-983
Reference: DEBIAN:DSA-984
Reference: URL:http://www.debian.org/security/2006/dsa-984
Reference: BID:16748
Reference: URL:http://www.securityfocus.com/bid/16748
Reference: OSVDB:23834
Reference: URL:http://www.osvdb.org/23834
Unspecified vulnerability in certain versions of xpdf after 3.00, as
used in various products including (a) pdfkit.framework, (b) gpdf, (c)
pdftohtml, has unknown impact and user-complicit attack vectors,
possibly involving errors in (1) gmem.c, (2) SplashXPathScanner.cc,
(3) JBIG2Stream.cc, (4) JPXStream.cc, and/or (5) Stream.cc. NOTE:
this description is based on Debian advisory DSA 979, which is based
on changes that were made after other vulnerabilities such as
CVE-2006-0301 and CVE-2005-3624 through CVE-2005-3628 were fixed.
Some of these newer fixes appear to be security-relevant, although it
is not clear if they fix specific issues or are defensive in nature.
==================================================================
==================================================================
Diffs
==================================================================
==================================================================
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/goo/gmem.c
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/goo/gmem.c
@@ -11,6 +11,7 @@
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
+#include <limits.h>
#include "gmem.h"
#ifdef DEBUG_MEM
@@ -62,7 +63,7 @@
int lst;
unsigned long *trl, *p;
- if (size == 0)
[*** SMC. smells like signedness errors, but maybe it's just a
defensive measure? ***]
+ if (size <= 0)
return NULL;
size1 = gMemDataSize(size);
if (!(mem = (char *)malloc(size1 + gMemHdrSize + gMemTrlSize))) {
@@ -84,7 +85,7 @@
#else
void *p;
- if (size == 0)
+ if (size <= 0)
return NULL;
if (!(p = malloc(size))) {
fprintf(stderr, "Out of memory\n");
@@ -100,7 +101,7 @@
void *q;
int oldSize;
- if (size == 0) {
+ if (size <= 0) {
if (p)
gfree(p);
return NULL;
@@ -118,7 +119,7 @@
#else
void *q;
- if (size == 0) {
+ if (size <= 0) {
if (p)
free(p);
return NULL;
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/splash/Splash.cc
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/splash/Splash.cc
@@ -734,6 +734,10 @@
SplashMono1P *mono1;
SplashBGR8P *bgr8;
[*** SMC. Likely CVE-2006-0301 ***]
+ if ( (unsigned) x >= (unsigned) bitmap->getWidth() ||
+ (unsigned) y >= (unsigned) bitmap->getHeight())
+ return;
+
if (noClip || state->clip->test(x, y)) {
color = pattern->getColor(x, y);
switch (bitmap->mode) {
@@ -771,6 +775,11 @@
SplashMono1 mask1;
int i, j, n;
+ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
+ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
+ (unsigned) y >= (unsigned) bitmap->getHeight())
+ return;
+
n = x1 - x0 + 1;
switch (bitmap->mode) {
@@ -858,6 +867,11 @@
n = x1 - x0 + 1;
+ if ((unsigned) x0 >= (unsigned) bitmap->getWidth() ||
+ (unsigned) x1 >= (unsigned) bitmap->getWidth() ||
+ (unsigned) y >= (unsigned) bitmap->getHeight())
+ return;
+
switch (bitmap->mode) {
case splashModeMono1:
mono1 = &bitmap->data.mono8[y * bitmap->rowSize + (x0 >> 3)];
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/splash/SplashXPathScanner.cc
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/splash/SplashXPathScanner.cc
@@ -182,7 +182,7 @@
}
[*** SMC. I didn't look closely at this patch to determine if there
is any security relevance. need more context. ***]
void SplashXPathScanner::computeIntersections(int y) {
- SplashCoord ySegMin, ySegMax, xx0, xx1;
+ SplashCoord xSegMin, xSegMax, ySegMin, ySegMax, xx0, xx1;
SplashXPathSeg *seg;
int i, j;
@@ -232,19 +232,27 @@
} else if (seg->flags & splashXPathVert) {
xx0 = xx1 = seg->x0;
} else {
- if (ySegMin <= y) {
- // intersection with top edge
- xx0 = seg->x0 + (y - seg->y0) * seg->dxdy;
+ if (seg->x0 < seg->x1) {
+ xSegMin = seg->x0;
+ xSegMax = seg->x1;
} else {
- // x coord of segment endpoint with min y coord
- xx0 = (seg->flags & splashXPathFlip) ? seg->x1 : seg->x0;
+ xSegMin = seg->x1;
+ xSegMax = seg->x0;
}
- if (ySegMax >= y + 1) {
- // intersection with bottom edge
- xx1 = seg->x0 + (y + 1 - seg->y0) * seg->dxdy;
- } else {
- // x coord of segment endpoint with max y coord
- xx1 = (seg->flags & splashXPathFlip) ? seg->x0 : seg->x1;
+ // intersection with top edge
+ xx0 = seg->x0 + ((SplashCoord)y - seg->y0) * seg->dxdy;
+ // intersection with bottom edge
+ xx1 = seg->x0 + ((SplashCoord)y + 1 - seg->y0) * seg->dxdy;
+ // the segment may not actually extend to the top and/or bottom edges
+ if (xx0 < xSegMin) {
+ xx0 = xSegMin;
+ } else if (xx0 > xSegMax) {
+ xx0 = xSegMax;
+ }
+ if (xx1 < xSegMin) {
+ xx1 = xSegMin;
+ } else if (xx1 > xSegMax) {
+ xx1 = xSegMax;
}
}
if (xx0 < xx1) {
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/xpdf/JBIG2Stream.cc
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/xpdf/JBIG2Stream.cc
@@ -13,6 +13,7 @@
#endif
#include <stdlib.h>
+#include <limits.h>
#include "GList.h"
#include "Error.h"
#include "JArithmeticDecoder.h"
@@ -681,7 +682,14 @@
w = wA;
h = hA;
line = (wA + 7) >> 3;
[*** SMC. might have been fixed simultaneously with JBIG2Bitmap (see
below). ***]
- data = (Guchar *)gmalloc(h * line);
+
+ if (w <= 0 || h <= 0 || line <= 0 || h >= (INT_MAX - 1) / line)
+ data = NULL;
+ else {
+ // need to allocate one extra guard byte for use in combine()
+ data = (Guchar *)gmalloc(h * line + 1);
+ data[h * line] = 0;
+ }
}
JBIG2Bitmap::JBIG2Bitmap(Guint segNumA, JBIG2Bitmap *bitmap):
@@ -690,8 +698,15 @@
w = bitmap->w;
h = bitmap->h;
line = bitmap->line;
- data = (Guchar *)gmalloc(h * line);
[*** SMC. Possibly CVE-2005-3628 ***]
+
+ if (h < 0 || line <= 0 || h >= (INT_MAX-1) / line) {
+ data = NULL;
+ return;
+ }
+
+ data = (Guchar *)gmalloc(h * line + 1);
memcpy(data, bitmap->data, h * line);
+ data[h * line] = 0;
}
JBIG2Bitmap::~JBIG2Bitmap() {
@@ -716,10 +731,10 @@
}
void JBIG2Bitmap::expand(int newH, Guint pixel) {
- if (newH <= h) {
+ if (newH <= h || line <= 0 || newH >= (INT_MAX-1) / line) {
return;
}
[*** SMC. off-by-one overflow? or maybe this is really where
CVE-2005-3628 belongs? ***]
- data = (Guchar *)grealloc(data, newH * line);
+ data = (Guchar *)grealloc(data, newH * line + 1);
if (pixel) {
memset(data + h * line, 0xff, (newH - h) * line);
} else {
@@ -2246,6 +2261,15 @@
goto eofError;
}
[*** SMC. sanity checking for integer overflow? rolled together with
CVE-2005-3628 ? ***]
+ if (w == 0 || h == 0 || w >= INT_MAX / h) {
+ error(getPos(), "Bad bitmap size in JBIG2 halftone segment");
+ return;
+ }
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad grid size in JBIG2 halftone segment");
+ return;
+ }
+
// get pattern dictionary
if (nRefSegs != 1) {
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
@@ -2256,6 +2280,16 @@
error(getPos(), "Bad symbol dictionary reference in JBIG2 halftone segment");
return;
}
+
+ if (gridH == 0 || gridW >= INT_MAX / gridH) {
+ error(getPos(), "Bad size in JBIG2 halftone segment");
+ return;
+ }
+ if (w == 0 || h >= INT_MAX / w) {
+ error(getPos(), "Bad size in JBIG2 bitmap segment");
+ return;
+ }
+
patternDict = (JBIG2PatternDict *)seg;
bpp = 0;
i = 1;
@@ -2887,6 +2921,9 @@
JBIG2BitmapPtr tpgrCXPtr0, tpgrCXPtr1, tpgrCXPtr2;
int x, y, pix;
+ if (w < 0 || h <= 0 || w >= INT_MAX / h)
+ return NULL;
+
bitmap = new JBIG2Bitmap(0, w, h);
bitmap->clearToZero();
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/xpdf/JPXStream.cc
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/xpdf/JPXStream.cc
@@ -7,6 +7,7 @@
//========================================================================
#include <aconf.h>
+#include <limits.h>
#ifdef USE_GCC_PRAGMAS
#pragma implementation
@@ -666,7 +667,7 @@
int segType;
GBool haveSIZ, haveCOD, haveQCD, haveSOT;
Guint precinctSize, style;
- Guint segLen, capabilities, comp, i, j, r;
+ Guint segLen, capabilities, nTiles, comp, i, j, r;
//----- main header
haveSIZ = haveCOD = haveQCD = haveSOT = gFalse;
@@ -701,7 +702,19 @@
/ img.xTileSize;
img.nYTiles = (img.ySize - img.yTileOffset + img.yTileSize - 1)
/ img.yTileSize;
[*** SMC. smells like CVE-2005-3193 ***]
- img.tiles = (JPXTile *)gmalloc(img.nXTiles * img.nYTiles *
+ // check for overflow before allocating memory
+ if (img.nXTiles <= 0 || img.nYTiles <= 0 ||
+ img.nXTiles >= INT_MAX/img.nYTiles) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ nTiles = img.nXTiles * img.nYTiles;
+ // check for overflow before allocating memory
+ if (nTiles == 0 || nTiles >= INT_MAX/sizeof(JPXTile)) {
+ error(getPos(), "Bad tile count in JPX SIZ marker segment");
+ return gFalse;
+ }
+ img.tiles = (JPXTile *)gmalloc(nTiles *
sizeof(JPXTile));
for (i = 0; i < img.nXTiles * img.nYTiles; ++i) {
img.tiles[i].tileComps = (JPXTileComp *)gmalloc(img.nComps *
--- pdfkit.framework-0.8.orig/xpdf/xpdf-3.00/xpdf/Stream.cc
+++ pdfkit.framework-0.8/xpdf/xpdf-3.00/xpdf/Stream.cc
@@ -15,6 +15,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
+#include <limits.h>
#ifndef WIN32
#include <unistd.h>
#endif
@@ -407,18 +408,41 @@
StreamPredictor::StreamPredictor(Stream *strA, int predictorA,
int widthA, int nCompsA, int nBitsA) {
+ int totalBits;
+
str = strA;
predictor = predictorA;
width = widthA;
nComps = nCompsA;
nBits = nBitsA;
+ predLine = NULL;
+ ok = gFalse;
[*** SMC. possibly CVE-2005-3192, but I thought that was for a
"numComps" issue (see below). Possible analysis error in
CVE-2005-3192. or maybe this is CVE-2005-3627 item (1) ***]
+ if (width <= 0 || nComps <= 0 || nBits <= 0 ||
+ nComps >= INT_MAX/nBits ||
+ width >= INT_MAX/nComps/nBits) {
+ return;
+ }
nVals = width * nComps;
+ if (nVals + 7 <= 0) {
+ return;
+ }
+ totalBits = nVals * nBits;
+ if (totalBits == 0 ||
+ (totalBits / nBits) / nComps != width ||
+ totalBits + 7 < 0) {
+ return;
+ }
pixBytes = (nComps * nBits + 7) >> 3;
- rowBytes = ((nVals * nBits + 7) >> 3) + pixBytes;
+ rowBytes = ((totalBits + 7) >> 3) + pixBytes;
+ if (rowBytes < 0) {
+ return;
+ }
predLine = (Guchar *)gmalloc(rowBytes);
memset(predLine, 0, rowBytes);
predIdx = rowBytes;
+
+ ok = gTrue;
}
StreamPredictor::~StreamPredictor() {
@@ -1012,6 +1036,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
@@ -1260,6 +1288,12 @@
endOfLine = endOfLineA;
byteAlign = byteAlignA;
columns = columnsA;
+
+ if (columns + 4 < 1 || (columns + 4) >= INT_MAX / sizeof(short)) {
+ error(getPos(), "Bad number of columns in CCITTFaxStream");
+ exit(1);
+ }
+
rows = rowsA;
endOfBlock = endOfBlockA;
black = blackA;
@@ -2897,6 +2931,11 @@
height = read16();
width = read16();
numComps = str->getChar();
[*** SMC. possibly CVE-2005-3627 item (1), or maybe CVE-2005-3192 ***]
+ if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream", prec);
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2923,6 +2962,11 @@
height = read16();
width = read16();
numComps = str->getChar();
+ if (numComps <= 0 || numComps > 4) {
+ numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
if (prec != 8) {
error(getPos(), "Bad DCT precision %d", prec);
return gFalse;
@@ -2945,6 +2989,11 @@
length = read16() - 2;
scanInfo.numComps = str->getChar();
[*** SMC. possibly CVE-2005-3627 item (3) ***]
+ if (scanInfo.numComps <= 0 || scanInfo.numComps > 4) {
+ scanInfo.numComps = 0;
+ error(getPos(), "Bad number of components in DCT stream");
+ return gFalse;
+ }
--length;
if (length != 2 * scanInfo.numComps + 3) {
error(getPos(), "Bad DCT scan info block");
@@ -3019,12 +3068,12 @@
while (length > 0) {
index = str->getChar();
--length;
[*** SMC. possibly CVE-2005-3627 item (2) ***]
- if ((index & 0x0f) >= 4) {
+ if ((index & ~0x10) >= 4 || (index & ~0x10) < 0) {
error(getPos(), "Bad DCT Huffman table");
return gFalse;
}
if (index & 0x10) {
- index &= 0x0f;
+ index &= 0x03;
if (index >= numACHuffTables)
numACHuffTables = index+1;
tbl = &acHuffTables[index];
@@ -3255,6 +3304,10 @@
FilterStream(strA) {
if (predictor != 1) {
pred = new StreamPredictor(this, predictor, columns, colors, bits);
+ if (!pred->isOk()) {
+ delete pred;
+ pred = NULL;
+ }
} else {
pred = NULL;
}
--- pdfkit.framework-0.8.orig/debian/changelog
+++ pdfkit.framework-0.8/debian/changelog
@@ -0,0 +1,97 @@
+pdfkit.framework (0.8-2sarge3) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Backported upstream patch by Derek Noonburg to fix several
+ vulnerabilities [xpdf/xpdf-3.00/splash/SplashXPathScanner.cc,
+ xpdf/xpdf-3.00/xpdf/JBIG2Stream.cc, xpdf/xpdf-3.00/xpdf/Stream.h,
+ xpdf/xpdf-3.00/goo/gmem.c]
+
+ -- Martin Schulze <joey at infodrom.org> Wed, 15 Feb 2006 08:33:56 +0100
+
+pdfkit.framework (0.8-2sarge2) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Ported patch to fix buffer overflow [splash/Splash.cc, CVE-2006-0301]
+
+ -- Martin Schulze <joey at infodrom.org> Sat, 4 Feb 2006 17:45:01 +0100
+
+pdfkit.framework (0.8-2sarge1) stable-security; urgency=high
+
+ * Non-maintainer upload by the Security Team
+ * Applied the patch to fix several buffer overflows
+ [xpdf-3.00/xpdf/JBIG2Stream.cc, xpdf-3.00/xpdf/JBIG2Stream.cc,
+ xpdf-3.00/xpdf/Stream.cc, xpdf-3.00/xpdf/Stream.h, CVE-2005-3191,
+ CVE-2005-3193]
+
[*** SMC. rest of changelog deleted. ***]
More information about the VIM
mailing list