Bug 526924 (CVE-2009-3607) - CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Summary: CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 530890
Blocks:
Reported: 2009-10-02 14:42 UTC by Tomas Hoger
Modified: 2021-11-12 20:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-10-28 11:01:42 UTC
Embargoed:



Description Tomas Hoger 2009-10-02 14:42:44 UTC
Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function.  cairo_pixels buffer is allocated as:

  cairo_pixels = (guchar *)g_malloc (4 * width * height);

  http://cgit.freedesktop.org/poppler/poppler/tree/glib/poppler-page.cc#n615

where width / height is read from PDF file.  Some validation of the values is done in Page::loadThumb(), but it is not sufficient to prevent the overflow:

  if (width > INT_MAX / 3 / height)

  http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Page.cc#n547

This code does not exist in poppler as shipped in EL5, nor is it part of xpdf.
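
As an added illustration (not code from poppler or from this report), the C program below contrasts the INT_MAX / 3 bound quoted above with the 4 * width * height allocation it was meant to guard, and shows a check that bounds against the multiplier actually used. Function names and the constructed 1000 x 600000 dimensions are mine; the dimensions are chosen so the old bound accepts them.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The bound quoted from Page::loadThumb: it only guarantees that
 * 3 * width * height fits in an int, while the glib caller multiplies by 4.
 * Non-positive dimensions are rejected here so the division is defined. */
static bool passes_loadthumb_check(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return !(width > INT_MAX / 3 / height);
}

/* Evaluate 4 * width * height in 64-bit arithmetic and report whether the
 * same expression, done in int as in create_surface_from_thumbnail_data(),
 * would overflow. */
static bool int_alloc_overflows(int width, int height)
{
    int64_t exact = (int64_t)4 * width * height;
    return exact > INT_MAX;
}

/* Hardened version (hypothetical, not the upstream fix): bound width * height
 * against INT_MAX / 4, the multiplier actually used, and compute the byte
 * count in size_t.  Returns false when the thumbnail must be rejected. */
static bool safe_thumbnail_size(int width, int height, size_t *out_bytes)
{
    if (width <= 0 || height <= 0)
        return false;
    if (width > INT_MAX / 4 / height)
        return false;
    *out_bytes = (size_t)4 * (size_t)width * (size_t)height;
    return true;
}

int main(void)
{
    /* Constructed dimensions: 1000 x 600000 passes the INT_MAX/3 bound
     * (INT_MAX/3/600000 == 1193) but 4 * 1000 * 600000 = 2.4e9 > INT_MAX. */
    int w = 1000, h = 600000;
    size_t bytes;
    printf("loadThumb check passes: %d\n", passes_loadthumb_check(w, h));
    printf("4*w*h overflows int:    %d\n", int_alloc_overflows(w, h));
    printf("hardened check accepts: %d\n", safe_thumbnail_size(w, h, &bytes));
    return 0;
}
```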

Comment 1 Tomas Hoger 2009-10-15 07:37:42 UTC
Lifting embargo, fix should get committed to upstream git soon.  This was likely missed before while hardening other gmalloc uses (#526911#c17), as this uses glib's g_malloc and not xpdf/poppler's gmalloc.

Comment 2 Tomas Hoger 2009-10-20 09:50:52 UTC
Upstream fix:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706

Comment 4 Fedora Update System 2009-10-26 12:19:01 UTC
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10

Comment 5 Fedora Update System 2009-10-26 12:20:27 UTC
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11

Comment 6 Fedora Update System 2009-10-27 07:05:06 UTC
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-10-27 07:15:09 UTC
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Jan Lieskovsky 2009-12-12 11:56:38 UTC
A duplicate CVE identifier, CVE-2009-3907, has also (by mistake) been
assigned to this issue:

Name: CVE-2009-3907
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3907
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091109
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3607. Reason:
This candidate is a duplicate of CVE-2009-3607. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3607 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.

