source: projects/specs/branches/6/t/texlive/texlive-2009-CVE-2010-1440.patch @ 1973

Revision 1973, 1.6 KB checked in by munepi, 14 years ago (diff)

texlive: rebuilt zlib-1.2.5; applied security patches and some patches for libpoppler-0.12

  • texk/dvipsk/dospecial.c

    Fix for CVE-2010-1440
    From Jan Lieskovsky <jlieskov@redhat.com>
    
      we decided to treat the CVE-2010-1440 issue as a completely
      new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739
      (in fact, the reproducer for CVE-2010-0739 is only a catalyst / accelerator
      that makes this flaw visible on the ppc architecture; it is really another
      occurrence of integer overflow in teTeX / TeXLive code).
    
    ---
     texk/dvipsk/dospecial.c |   12 ++++++++++--
     1 file changed, 10 insertions(+), 2 deletions(-)
    
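--- a/texk/dvipsk/dospecial.c
+++ b/texk/dvipsk/dospecial.c
@@ -333,7 +333,11 @@
    int j ;
    static int omega_specials = 0;
 
-   if (nextstring + numbytes > maxstring) {
+   if (numbytes < 0 || numbytes > maxstring - nextstring) {
+      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+         error("! Integer overflow in predospecial");
+         exit(1);
+      }
       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
       maxstring = nextstring + 2 * numbytes + 700 ;
    }
@@ -918,7 +922,11 @@
    char seen[NKEYS] ;
    float valseen[NKEYS] ;
 
-   if (nextstring + nbytes > maxstring) {
+   if (nbytes < 0 || nbytes > maxstring - nextstring) {
+      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+         error("! Integer overflow in bbdospecial");
+         exit(1);
+      }
       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
       maxstring = nextstring + 2 * nbytes + 700 ;
    }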
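Review bot: Both new guards test the sign twice — `numbytes < 0` in the outer condition at new line 336 and again in the inner condition at 337 (likewise `nbytes` at 925/926) — and the inner bound `(INT_MAX - 1000) / 2` silently encodes the `1000 + 2 * numbytes` formula used at 341, so three literals must be kept in sync by hand. A single overflow/sign guard ahead of the fit test reads more directly and drops the repetition: `if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) { error("! Integer overflow in predospecial"); exit(1); }` followed by `if (numbytes > maxstring - nextstring) { ... grow as before ... }`, ideally with a comment such as `/* bound keeps 1000 + 2 * numbytes below INT_MAX */` next to the limit. The bound itself holds: with numbytes at most (INT_MAX - 1000)/2 the allocation size cannot exceed INT_MAX, and comparing against the ptrdiff_t `maxstring - nextstring` avoids forming the out-of-range pointer that the removed `nextstring + numbytes` computed. If dvips's error() already terminates on messages beginning with `!` — I believe it does, but confirm in dvips.c — the explicit `exit(1)` is redundant though harmless. predospecial and bbdospecial both start and end outside these hunks, so the later copy of numbytes/nbytes bytes into nextstring that the guard protects is not visible here.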