Fix for CVE-2010-1440
From Jan Lieskovsky <jlieskov@redhat.com>
we decided to treat the CVE-2010-1440 issue as a completely
new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739
(in fact, the reproducer for CVE-2010-0739 is only a catalyst / accelerator for seeing this flaw on the ppc architecture; it is really another occurrence
of integer overflow in teTeX / TeXLive code).
---
texk/dvipsk/dospecial.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
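--- a/texk/dvipsk/dospecial.c
+++ b/texk/dvipsk/dospecial.c
@@ -333,7 +333,11 @@
 int j ;
 static int omega_specials = 0;
 
-if (nextstring + numbytes > maxstring) {
+if (numbytes < 0 || numbytes > maxstring - nextstring) {
+if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+error("! Integer overflow in predospecial");
+exit(1);
+}
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
@@ -918,7 +922,11 @@
 char seen[NKEYS] ;
 float valseen[NKEYS] ;
 
-if (nextstring + nbytes > maxstring) {
+if (nbytes < 0 || nbytes > maxstring - nextstring) {
+if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+error("! Integer overflow in bbdospecial");
+exit(1);
+}
 p = nextstring = mymalloc(1000 + 2 * nbytes) ;
 maxstring = nextstring + 2 * nbytes + 700 ;
 }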
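Review bot: The new guards in predospecial (new lines 336–340) and bbdospecial (925–929) test `numbytes < 0` twice, once in the outer condition and again in the inner one, because the rejection can only happen inside the grow branch; hoisting the validation above that branch makes the check self-contained and drops the repeat: `if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) { error("! Integer overflow in predospecial"); exit(1); }` followed by the existing allocation under `if (numbytes > maxstring - nextstring) {`, and likewise with `nbytes` in the second hunk. The bound itself looks sound as far as the hunk shows — assuming `numbytes` is an int as the `INT_MAX` comparison suggests, it is the largest value for which `1000 + 2 * numbytes` still fits, and `maxstring` then lands inside the allocation. `INT_MAX` needs `<limits.h>`, which is not visible here, so it is worth confirming dospecial.c already includes it. Both enclosing functions start and end outside the hunk.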