[1973] | 1 | Fix for CVE-2010-1440 |
---|
| 2 | From Jan Lieskovsky <jlieskov@redhat.com> |
---|
| 3 | |
---|
| 4 | We decided to treat the CVE-2010-1440 issue as a completely |
---|
| 5 | new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739 |
---|
| 6 | (the reproducer for CVE-2010-0739 is only a catalyst / accelerator |
---|
| 7 | that exposes this flaw on the ppc architecture; it is in fact another occurrence |
---|
| 8 | of an integer overflow in the teTeX / TeXLive code). |
---|
| 9 | |
---|
| 10 | --- |
---|
| 11 | texk/dvipsk/dospecial.c | 12 ++++++++++-- |
---|
| 12 | 1 file changed, 10 insertions(+), 2 deletions(-) |
---|
| 13 | |
---|
| 14 | Index: texlive-bin-2009/texk/dvipsk/dospecial.c |
---|
| 15 | =================================================================== |
---|
| 16 | --- texlive-bin-2009.orig/texk/dvipsk/dospecial.c 2010-05-01 02:15:09.000000000 +0900 |
---|
| 17 | +++ texlive-bin-2009/texk/dvipsk/dospecial.c 2010-05-01 02:15:16.000000000 +0900 |
---|
| 18 | @@ -333,7 +333,11 @@ |
---|
| 19 | int j ; |
---|
| 20 | static int omega_specials = 0; |
---|
| 21 | |
---|
| 22 | - if (nextstring + numbytes > maxstring) { |
---|
| 23 | + if (numbytes < 0 || numbytes > maxstring - nextstring) { |
---|
| 24 | + if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) { |
---|
| 25 | + error("! Integer overflow in predospecial"); |
---|
| 26 | + exit(1); |
---|
| 27 | + } |
---|
| 28 | p = nextstring = mymalloc(1000 + 2 * numbytes) ; |
---|
| 29 | maxstring = nextstring + 2 * numbytes + 700 ; |
---|
| 30 | } |
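Review bot: The overflow bound in the added line `if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 )` is coupled to the literal `1000` in `p = nextstring = mymalloc(1000 + 2 * numbytes) ;` two lines below, so the guard silently stops being sufficient if someone later changes the allocation slack without touching the check; a named constant used in both places, e.g. `#define SPECIAL_SLACK 1000` with `numbytes > (INT_MAX - SPECIAL_SLACK) / 2` and `mymalloc(SPECIAL_SLACK + 2 * numbytes)`, would keep them in step. The patch also introduces `INT_MAX` without adding `#include <limits.h>`; the hunk does not show the file's includes, so confirm dospecial.c (or a header it pulls in) already provides it, otherwise this is a build break. The declaration of `numbytes` and the rest of predospecial's body lie outside the hunk, so its signedness and width (the check presumes a signed type no wider than int) could not be verified here. I would also add a one-line comment above the inner `if`, such as `/* 1000 + 2 * numbytes must not overflow int; numbytes comes from the DVI file */`, so the next reader knows why the bound is what it is.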
---|
| 31 | @@ -918,7 +922,11 @@ |
---|
| 32 | char seen[NKEYS] ; |
---|
| 33 | float valseen[NKEYS] ; |
---|
| 34 | |
---|
| 35 | - if (nextstring + nbytes > maxstring) { |
---|
| 36 | + if (nbytes < 0 || nbytes > maxstring - nextstring) { |
---|
| 37 | + if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) { |
---|
| 38 | + error("! Integer overflow in bbdospecial"); |
---|
| 39 | + exit(1); |
---|
| 40 | + } |
---|
| 41 | p = nextstring = mymalloc(1000 + 2 * nbytes) ; |
---|
| 42 | maxstring = nextstring + 2 * nbytes + 700 ; |
---|
| 43 | } |
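Review bot: The new guard nests the sanity check inside the grow-buffer branch and so tests `nbytes < 0` twice (once at `if (nbytes < 0 || nbytes > maxstring - nextstring)` and again at `if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 )`); rejecting bad lengths up front and then deciding whether to grow reads more plainly and, since the live buffer is itself bounded by the same check, is equivalent in practice. The `exit(1)` after `error("! Integer overflow in bbdospecial")` looks unreachable if `error()` already terminates on a message starting with `!`, as the dvips convention suggests — confirm against error()'s definition and drop it if so. This is the same logic as the predospecial hunk above, duplicated verbatim; if both stay, a shared static helper would keep the two bounds from drifting apart. The declaration of `nbytes` and the remainder of bbdospecial are outside the hunk.
```c
  /* nbytes comes from the DVI file: reject negative or oversized lengths
     before any size arithmetic, so 1000 + 2 * nbytes cannot overflow int. */
  if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2) {
    error("! Integer overflow in bbdospecial");
    exit(1);
  }
  if (nbytes > maxstring - nextstring) {
    p = nextstring = mymalloc(1000 + 2 * nbytes) ;
    maxstring = nextstring + 2 * nbytes + 700 ;
  }
```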
---|