- Fix for CVE-2010-1440
- From Jan Lieskovsky <jlieskov@redhat.com>
- we decided to treat the CVE-2010-1440 issue as a completely
- new tetex / texlive issue, rather than an incomplete fix for CVE-2010-0739
- (in fact, the reproducer for CVE-2010-0739 is only a catalyst / accelerator
- that exposes this flaw on the ppc architecture; it is really another occurrence
- of integer overflow in teTeX / TeXLive code).
- ---
- texk/dvipsk/dospecial.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
- Index: texlive-bin-2009/texk/dvipsk/dospecial.c
- ===================================================================
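--- a/texk/dvipsk/dospecial.c
+++ b/texk/dvipsk/dospecial.c
@@ -333,7 +333,11 @@
 int j ;
 static int omega_specials = 0;
 
- if (nextstring + numbytes > maxstring) {
+ if (numbytes < 0 || numbytes > maxstring - nextstring) {
+ if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in predospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * numbytes) ;
 maxstring = nextstring + 2 * numbytes + 700 ;
 }
@@ -918,7 +922,11 @@
 char seen[NKEYS] ;
 float valseen[NKEYS] ;
 
- if (nextstring + nbytes > maxstring) {
+ if (nbytes < 0 || nbytes > maxstring - nextstring) {
+ if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
+ error("! Integer overflow in bbdospecial");
+ exit(1);
+ }
 p = nextstring = mymalloc(1000 + 2 * nbytes) ;
 maxstring = nextstring + 2 * nbytes + 700 ;
 }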
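Review bot: The bound `(INT_MAX - 1000) / 2` on the second added line of each hunk is derived from the `1000 + 2 * numbytes` allocation size two lines below, but nothing in the code ties the two together; a comment such as `/* keeps 1000 + 2 * numbytes (and 2 * numbytes + 700) within int */` or a named constant used in both places would keep them in step if the growth formula is ever changed. The same five-line guard, differing only in the variable name and the message, is added to predospecial in the first hunk and to bbdospecial in the second, so a single static helper that checks the bound and grows the string buffer would avoid maintaining the check twice. `INT_MAX` needs `<limits.h>`; the include section is outside both hunks, so confirm dospecial.c (or a header it already pulls in) provides it. If dvips's error() treats a leading "!" as fatal, the explicit `exit(1)` is redundant but harmless; worth confirming against its definition. Both enclosing functions begin and end outside their hunks.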