Description: pdftoopvp: SECURITY FIX for CVE-2013-6474, CVE-2013-6475, and CVE-2013-6476: Introductionof gmallocn and gmallocn3 to protect against arbitrary code execution with the privileges of the "lp" user via malicious PDF files. Also restrict the directory from where OPVP drivers can get loaded. Origin: upstream Author: Till Kamppeter Last-Update: 2014-03-10 Bug-Debian: https://bugs.debian.org/741318 Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6474 Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6475 Bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6476 --- a/pdftoopvp/OPVPOutputDev.cxx +++ b/pdftoopvp/OPVPOutputDev.cxx @@ -144,8 +144,8 @@ } else { cacheSets = 1; } - cacheData = (Guchar *)gmalloc(cacheSets * cacheAssoc * glyphSize); - cacheTags = (T3FontCacheTag *)gmalloc(cacheSets * cacheAssoc * + cacheData = (Guchar *)gmallocn3(cacheSets , cacheAssoc , glyphSize); + cacheTags = (T3FontCacheTag *)gmallocn3(cacheSets , cacheAssoc , sizeof(T3FontCacheTag)); for (i = 0; i < cacheSets * cacheAssoc; ++i) { cacheTags[i].mru = i & (cacheAssoc - 1); @@ -1415,7 +1415,7 @@ switch (colorMode) { case splashModeMono1: case splashModeMono8: - imgData.lookup = (SplashColorPtr)gmalloc(n); + imgData.lookup = (SplashColorPtr)gmallocn(n,1); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getGray(&pix, &gray); @@ -1423,7 +1423,7 @@ } break; case splashModeRGB8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1433,7 +1433,7 @@ } break; case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1444,7 +1444,7 @@ break; #if SPLASH_CMYK case splashModeCMYK8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,4); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getCMYK(&pix, &cmyk); @@ -1671,7 +1671,7 @@ switch (colorMode) { case splashModeMono1: case splashModeMono8: - imgData.lookup = (SplashColorPtr)gmalloc(n); + imgData.lookup = (SplashColorPtr)gmallocn(n,1); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getGray(&pix, &gray); @@ -1679,7 +1679,7 @@ } break; case splashModeRGB8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1689,7 +1689,7 @@ } break; case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1700,7 +1700,7 @@ break; #if SPLASH_CMYK case splashModeCMYK8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,4); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getCMYK(&pix, &cmyk); @@ -1792,7 +1792,7 @@ imgMaskData.height = maskHeight; imgMaskData.y = 0; n = 1 << maskColorMap->getBits(); - imgMaskData.lookup = (SplashColorPtr)gmalloc(n); + imgMaskData.lookup = (SplashColorPtr)gmallocn(n,1); for (i = 0; i < n; ++i) { pix = (Guchar)i; maskColorMap->getGray(&pix, &gray); @@ -1832,7 +1832,7 @@ switch (colorMode) { case splashModeMono1: case splashModeMono8: - imgData.lookup = (SplashColorPtr)gmalloc(n); + imgData.lookup = (SplashColorPtr)gmallocn(n,1); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getGray(&pix, &gray); @@ -1840,7 +1840,7 @@ } break; case splashModeRGB8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1850,7 +1850,7 @@ } break; case splashModeBGR8: - imgData.lookup = (SplashColorPtr)gmalloc(3 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,3); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getRGB(&pix, &rgb); @@ -1861,7 +1861,7 @@ break; #if SPLASH_CMYK case splashModeCMYK8: - imgData.lookup = (SplashColorPtr)gmalloc(4 * n); + imgData.lookup = (SplashColorPtr)gmallocn(n,4); for (i = 0; i < n; ++i) { pix = (Guchar)i; colorMap->getCMYK(&pix, &cmyk); --- a/pdftoopvp/oprs/OPVPSplash.cxx +++ b/pdftoopvp/oprs/OPVPSplash.cxx @@ -1091,7 +1091,7 @@ opvpbytes = (m+3)/4; opvpbytes *= 4; - bp = (Guchar *)gmalloc(opvpbytes*glyph->h); + bp = (Guchar *)gmallocn(glyph->h,opvpbytes); for (i = 0;i < glyph->h;i++) { memcpy(bp+i*opvpbytes,glyph->data+i*m,m); } @@ -1235,8 +1235,8 @@ /* align 4 */ opvpbytes = (opvpbytes+3)/4; opvpbytes *= 4; - buf = (Guchar *)gmalloc(opvpbytes*h); - lineBuf = (SplashColorPtr)gmalloc(opvpbytes*8); + buf = (Guchar *)gmallocn(h,opvpbytes); + lineBuf = (SplashColorPtr)gmallocn(8,opvpbytes); for (i = 0;i < h;i++) { int k; @@ -1414,7 +1414,7 @@ imat[3] = mat[0]/det; /* read source image */ - pixBuf = (SplashColorPtr)gmalloc(h * w); + pixBuf = (SplashColorPtr)gmallocn(h , w); p = pixBuf; for (i = 0; i < h; ++i) { @@ -1568,8 +1568,8 @@ hs = h-1; he = -1; } - buf = (Guchar *)gmalloc(opvpbytes*h); - lineBuf = (SplashColorPtr)gmalloc(lineBufSize); + buf = (Guchar *)gmallocn(h,opvpbytes); + lineBuf = (SplashColorPtr)gmallocn(lineBufSize,1); switch (colorMode) { case splashModeMono1: case splashModeMono8: @@ -1731,7 +1731,7 @@ return splashErrOPVP; break; } - buf = (Guchar *)gmalloc(opvpbytes*h); + buf = (Guchar *)gmallocn(h,opvpbytes); switch (colorMode) { case splashModeMono1: @@ -1957,7 +1957,7 @@ } /* read source image */ - pixBuf = (SplashColorPtr)gmalloc(h * linesize); + pixBuf = (SplashColorPtr)gmallocn(h , linesize); p = pixBuf; for (i = 0; i < h; ++i) { @@ -1965,8 +1965,8 @@ p += linesize; } /* allocate line buffer */ - Guchar *lineBuf = (Guchar *)gmalloc(opvpbytes); - Guchar *onBuf = (Guchar *)gmalloc(width); + Guchar *lineBuf = (Guchar *)gmallocn(opvpbytes,1); + Guchar *onBuf = (Guchar *)gmallocn(width,1); OPVPSplashClip *clip; opvpctm.a = 1.0; opvpctm.b = 0.0; --- a/pdftoopvp/oprs/OPVPWrapper.cxx +++ b/pdftoopvp/oprs/OPVPWrapper.cxx @@ -822,6 +822,12 @@ void *handle = 0; OPVPWrapper *opvp = 0; + // remove directory part + const char *s = strrchr(driverName,'/'); + if (s != NULL) { + driverName = s+1; + } + list = genDynamicLibName(driverName); if (list) {