Integer overflow was discovered in SplashBitmap::SplashBitmap when computing memory allocation requirements. This issue was previously reported as CVE-2009-1188 / bug #495907 and addressed in poppler via gmalloc -> gmallocn change via:
However, such a fix is not sufficient, as overflow can occur even during the rowSize calculation.
The Splash output device is not present in xpdf 2.x; it's also not in the xpdf code embedded in CUPS or tetex.
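Why an overflow-checked allocator alone does not close the issue described in the report above, shown as an added example (not code from poppler or xpdf). It assumes a simplified RGB8 row computation of 3 bytes per pixel rounded up to `rowPad`; `alloc_size_checked` is a hypothetical stand-in for the count-times-size check a gmallocn-style allocator performs, and the width value is constructed.

```c
#include <limits.h>
#include <stdio.h>

/* Simplified model of the unchecked row-size step (assumption: RGB8, 3 bytes
 * per pixel, rounded up to rowPad). Unsigned arithmetic models the wraparound
 * so the demonstration itself contains no undefined behaviour. */
static int row_size_unchecked(int width, int rowPad) {
    unsigned int r = (unsigned int)width * 3u;      /* may wrap silently */
    r += (unsigned int)rowPad - 1u;
    r -= r % (unsigned int)rowPad;
    return (int)r;
}

/* Hypothetical stand-in for a gmallocn-style check: it validates only
 * nObjs * objSize, so it cannot see that objSize was already wrapped. */
static long long alloc_size_checked(int nObjs, int objSize) {
    if (nObjs <= 0 || objSize <= 0) return -1;
    if (nObjs > INT_MAX / objSize) return -1;
    return (long long)nObjs * objSize;
}

/* Hardened row-size step: every intermediate value is range-checked
 * before it is computed; -1 signals "reject this bitmap". */
static int row_size_checked(int width, int rowPad) {
    if (width <= 0 || rowPad <= 0) return -1;
    if (width > INT_MAX / 3) return -1;             /* width * 3 would overflow */
    int r = width * 3;
    if (r > INT_MAX - (rowPad - 1)) return -1;      /* padding would overflow */
    r += rowPad - 1;
    return r - r % rowPad;
}

/* Bytes the pixel data really needs, computed in 64 bits for comparison. */
static long long bytes_needed(int width, int height) {
    return (long long)width * 3 * height;
}

int main(void) {
    int width = 0x55555556, height = 2, rowPad = 4; /* constructed sample */
    int rs = row_size_unchecked(width, rowPad);
    printf("unchecked rowSize=%d, allocator accepts %lld bytes, need %lld\n",
           rs, alloc_size_checked(rs, height), bytes_needed(width, height));
    printf("checked rowSize=%d (negative means rejected)\n",
           row_size_checked(width, rowPad));
    return 0;
}
```

The allocator-level check passes because the wrapped `rowSize` is a small, valid-looking value; only validating `width` before the multiplication rejects the input.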
Created attachment 363486
xpdf upstream patch from Derek B. Noonburg
xpdf is fixed now for the CVE-2009-1188/CVE-2009-3603 in xpdf-3.02pl4:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1504 https://rhn.redhat.com/errata/RHSA-2009-1504.html
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.