
  1. Fix for CVE-2010-1440
  2. From Jan Lieskovsky <jlieskov@redhat.com>
  3. We decided to treat the CVE-2010-1440 issue as a completely
  4. new tetex / texlive issue, rather than as an incomplete fix for CVE-2010-0739
  5. (the reproducer for CVE-2010-0739 is only a catalyst / accelerator
  6. that makes this flaw visible on the ppc architecture; it is really another occurrence
  7. of integer overflow in the teTeX / TeXLive code).
  8. ---
  9. texk/dvipsk/dospecial.c | 12 ++++++++++--
  10. 1 file changed, 10 insertions(+), 2 deletions(-)
  11. Index: texlive-bin-2009/texk/dvipsk/dospecial.c
  12. ===================================================================
  13. --- texlive-bin-2009.orig/texk/dvipsk/dospecial.c 2010-05-01 02:15:09.000000000 +0900
  14. +++ texlive-bin-2009/texk/dvipsk/dospecial.c 2010-05-01 02:15:16.000000000 +0900
  15. @@ -333,7 +333,11 @@
  16. int j ;
  17. static int omega_specials = 0;
  18. - if (nextstring + numbytes > maxstring) {
  19. + if (numbytes < 0 || numbytes > maxstring - nextstring) {
  20. + if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2 ) {
  21. + error("! Integer overflow in predospecial");
  22. + exit(1);
  23. + }
  24. p = nextstring = mymalloc(1000 + 2 * numbytes) ;
  25. maxstring = nextstring + 2 * numbytes + 700 ;
  26. }
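Review bot: The overflow guard on the second added line is reachable only through the outer growth test, so `numbytes < 0` has to appear in both conditions and a reader must follow two nested branches to see that a negative length is rejected; hoisting the guard above the growth test turns it into a plain precondition, `if (numbytes < 0 || numbytes > (INT_MAX - 1000) / 2) { error("! Integer overflow in predospecial"); exit(1); }` followed by the original-shaped `if (numbytes > maxstring - nextstring) {`. The hunk introduces `INT_MAX` without adding `#include <limits.h>`, so this builds only if dospecial.c already receives it through an existing header, which the patch does not show. The bound keeps `1000 + 2 * numbytes` from overflowing a 32-bit int but still lets a DVI file request an allocation of roughly 1 GiB; whether that is acceptable depends on how mymalloc() reports failure, which is outside this hunk. predospecial's body starts before and continues after the hunk.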
  27. @@ -918,7 +922,11 @@
  28. char seen[NKEYS] ;
  29. float valseen[NKEYS] ;
  30. - if (nextstring + nbytes > maxstring) {
  31. + if (nbytes < 0 || nbytes > maxstring - nextstring) {
  32. + if (nbytes < 0 || nbytes > (INT_MAX - 1000) / 2 ) {
  33. + error("! Integer overflow in bbdospecial");
  34. + exit(1);
  35. + }
  36. p = nextstring = mymalloc(1000 + 2 * nbytes) ;
  37. maxstring = nextstring + 2 * nbytes + 700 ;
  38. }
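Review bot: The guard added here duplicates the one in predospecial line for line, with only the function name in the message differing, so a later change to the bound (for example if `integer` ever becomes wider than int) has to be made in two places; a small file-scope helper taking the length and the fatal message keeps both call sites in step. The helper must be defined above both callers, and its parameter type should match whatever `nbytes` and `numbytes` are declared as (presumably dvips's `integer`), which the hunk does not show. bbdospecial's body starts before and continues after the hunk.
```c
/* Fatal check that a special's byte count is non-negative and small enough
   that 1000 + 2 * n (the mymalloc growth below) cannot overflow an int. */
static void
checkspeciallen(integer n, const char *msg)
{
   if (n < 0 || n > (INT_MAX - 1000) / 2) {
      error(msg);
      exit(1);
   }
}

/* … unchanged: bbdospecial up to its local declarations … */
   checkspeciallen(nbytes, "! Integer overflow in bbdospecial");
   if (nbytes > maxstring - nextstring) {
      /* … unchanged: mymalloc growth and maxstring update … */
   }
```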