Bug 526911 (CVE-2009-3604) - CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing allocation return value check
Summary: CVE-2009-3604 xpdf/poppler: Splash::drawImage integer overflow and missing al...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3604
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 527413 527414 527454 527455 527456 527457 527468 527469 530890 833916
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-02 13:30 UTC by Tomas Hoger
Modified: 2023-05-11 13:39 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-07-08 16:27:34 UTC
Embargoed:


Attachments (Terms of Use)
xpdf upstream patch from Derek B. Noonburg (1.91 KB, patch)
2009-10-02 13:48 UTC, Tomas Hoger
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1500 0 normal SHIPPED_LIVE Important: xpdf security update 2009-10-15 08:37:08 UTC
Red Hat Product Errata RHSA-2009:1501 0 normal SHIPPED_LIVE Important: xpdf security update 2009-10-15 08:34:24 UTC
Red Hat Product Errata RHSA-2009:1502 0 normal SHIPPED_LIVE Important: kdegraphics security update 2009-10-15 08:26:05 UTC
Red Hat Product Errata RHSA-2009:1503 0 normal SHIPPED_LIVE Important: gpdf security update 2009-10-15 08:48:32 UTC
Red Hat Product Errata RHSA-2009:1512 0 normal SHIPPED_LIVE Important: kdegraphics security update 2009-10-15 09:05:55 UTC

Description Tomas Hoger 2009-10-02 13:30:23 UTC
Adam Zabrocki reported flaws in xpdf's Splash::drawImage function related to buffer memory allocations:

2220   // allocate pixel buffers
2221   colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
2222   if (srcAlpha) {
2223     alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
2224   } else {
2225     alphaBuf = NULL;
2226   }

Values used to compute argument passed to gmalloc come from input PDF file.  Properly chosen values will cause gmalloc to return NULL or buffer of insufficient size, leading to NULL pointer dereference or heap buffer overflow later.

Affected Splash output device is not available in xpdf 2.x versions and earlier.  It is also not used in xpdf embedded in CUPS or tetex.

This was already fixed in poppler as part of preventive gmalloc -> gmallocn changes:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2

This fix is also present in the EL5 poppler packages.

Acknowledgements:

Red Hat would like to thank Adam Zabrocki for reporting this issue.

Comment 4 Tomas Hoger 2009-10-02 13:48:19 UTC
Created attachment 363485 [details]
xpdf upstream patch from Derek B. Noonburg

Comment 9 Tomas Hoger 2009-10-12 16:55:19 UTC
Splash outupt device used in newer Xpdf versions (or at least some parts of it) is derived from XOutputDev used in older Xpdf versions.  This flaw also exists in XOutputDev in Xpdf 2.x versions

Comment 17 Tomas Hoger 2009-10-15 07:15:51 UTC
(In reply to comment #0)
> This was already fixed in poppler as part of preventive gmalloc -> gmallocn
> changes:
> http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2

poppler commits adding mentioned gmalloc -> gmallocn changes:
0131f0a01c 7b2d314a61 c399b2d512 9cf2325fb2 284a928996
(note: two of those commits revert mistakes from previous ones)

Full patch:
http://cgit.freedesktop.org/poppler/poppler/diff/?id=284a928996&id2=75c3466ba2

Comment 18 errata-xmlrpc 2009-10-15 08:26:16 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1502 https://rhn.redhat.com/errata/RHSA-2009-1502.html

Comment 19 errata-xmlrpc 2009-10-15 08:34:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1501 https://rhn.redhat.com/errata/RHSA-2009-1501.html

Comment 20 errata-xmlrpc 2009-10-15 08:37:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1500 https://rhn.redhat.com/errata/RHSA-2009-1500.html

Comment 21 errata-xmlrpc 2009-10-15 08:48:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1503 https://rhn.redhat.com/errata/RHSA-2009-1503.html

Comment 22 errata-xmlrpc 2009-10-15 09:06:33 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1512 https://rhn.redhat.com/errata/RHSA-2009-1512.html

Comment 23 Fedora Update System 2009-10-21 00:47:33 UTC
xpdf-3.02-15.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 24 Fedora Update System 2009-10-21 00:54:18 UTC
xpdf-3.02-15.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2009-10-26 12:18:48 UTC
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10

Comment 27 Fedora Update System 2009-10-26 12:20:15 UTC
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11

Comment 28 Fedora Update System 2009-10-27 07:04:48 UTC
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2009-10-27 07:14:50 UTC
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2009-11-06 18:31:47 UTC
xpdf-3.02-15.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2010-02-20 00:11:23 UTC
pdfedit-0.4.3-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 32 Fedora Update System 2010-02-20 00:23:41 UTC
pdfedit-0.4.3-4.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 33 Fedora Update System 2010-02-20 00:25:20 UTC
pdfedit-0.4.3-4.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.