1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
|
From: Luciano Bello <luciano@debian.org>
Subject: An integer overflow was discovered in pdf_read_new_xref_section
Origin: upstream, http://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8
Bug-Debian: https://bugs.debian.org/879055
X-CVE: CVE-2017-15587
Kan-Ru Chen noticed that the upstream fix might be removed by compiler optimization
See: https://bugs.ghostscript.com/show_bug.cgi?id=698704
So, it was sligtly changed to avoid that effect.
Index: mupdf-1.5/source/pdf/pdf-xref.c
===================================================================
--- mupdf-1.5.orig/source/pdf/pdf-xref.c
+++ mupdf-1.5/source/pdf/pdf-xref.c
@@ -524,7 +524,7 @@ pdf_read_new_xref_section(pdf_document *
{
int i, n;
- if (i0 < 0 || i1 < 0)
+ if ( (i0+i1) < 0 || i0 < 0 || i1 < 0 )
fz_throw(doc->ctx, FZ_ERROR_GENERIC, "negative xref stream entry index");
if (i0 + i1 > pdf_xref_len(doc))
fz_throw(doc->ctx, FZ_ERROR_GENERIC, "xref stream has too many entries");
|