source: projects/specs/trunk/t/texlive/texlive-2009-CVE-2010-1440.patch @ 1973

Revision 1973, 1.6 KB checked in by munepi, 14 years ago (diff)

texlive: rebuilt zlib-1.2.5; applied security patches and some patches for libpoppler-0.12

[1973]1Fix for CVE-2010-1440
2From Jan Lieskovsky <jlieskov@redhat.com>
3
4  we decided to treat the CVE-2010-1440 issue as a completely
5  new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739
6  (in fact, the reproducer for CVE-2010-0739 is only catalyst / accelerator
7  to see this flaw on ppc architecture, but in fact, it's another occurrence
8  of integer overflow in teTeX / TeXLive code).
9
10---
11 texk/dvipsk/dospecial.c |   12 ++++++++++--
12 1 file changed, 10 insertions(+), 2 deletions(-)
13
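--- a/texk/dvipsk/dospecial.c
+++ b/texk/dvipsk/dospecial.c
@@ -333,7 +333,11 @@
    int j ;
    static int omega_specials = 0;
 
-   if (nextstring + numbytes > maxstring) {
+   if (numbytes < 0 || numbytes > maxstring - nextstring) {
+      if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+         error("! Integer overflow in predospecial");
+         exit(1);
+      }
       p = nextstring = mymalloc(1000 + 2 * numbytes) ;
       maxstring = nextstring + 2 * numbytes + 700 ;
    }
@@ -918,7 +922,11 @@
    char seen[NKEYS] ;
    float valseen[NKEYS] ;
 
-   if (nextstring + nbytes > maxstring) {
+   if (nbytes < 0 || nbytes > maxstring - nextstring) {
+      if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+         error("! Integer overflow in bbdospecial");
+         exit(1);
+      }
       p = nextstring = mymalloc(1000 + 2 * nbytes) ;
       maxstring = nextstring + 2 * nbytes + 700 ;
    }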
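Review bot: Both new guards use `INT_MAX`, but the two hunks account for all 10 insertions in the diffstat, so this patch adds no `#include <limits.h>` to dospecial.c; confirm the macro already arrives through an existing header, or add that include at the top of the file. The bound `(INT_MAX - 1000) / 2` matches the `1000 + 2 * numbytes` passed to mymalloc only if that expression is evaluated in `int`; the declarations of `numbytes` and `nbytes` sit outside both hunks and should be checked against it. The five-line guard is duplicated between the `@@ -333` and `@@ -918` hunks, so a small static helper taking the length and the function name used in the message would keep the two limits from drifting apart. A comment above each check, such as `/* reject lengths that are negative or would overflow 1000 + 2*n before allocating */`, would record why the limit has that form.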