Bug 526924 - (CVE-2009-3607) CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Product: Security Response
Classification: Other
Component: vulnerability
Platform: All Linux
Priority: high  Severity: high
Assigned To: Red Hat Product Security
Depends On: 530890
Reported: 2009-10-02 10:42 EDT by Tomas Hoger
Modified: 2016-03-04 05:59 EST
Doc Type: Bug Fix
Last Closed: 2009-10-28 07:01:42 EDT
Attachments: None
Description Tomas Hoger 2009-10-02 10:42:44 EDT
Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function.  The cairo_pixels buffer is allocated as:

  cairo_pixels = (guchar *)g_malloc (4 * width * height);


where width and height are read from the PDF file.  Some validation of the values is done in Page::loadThumb(), but it is not sufficient to prevent the overflow:

  if (width > INT_MAX / 3 / height)


This code does not exist in poppler as shipped in EL5, nor is it part of xpdf.
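Added illustration (not part of this bug report and not poppler's code) of why the quoted bound is insufficient: the allocation multiplies by 4 while the check divides INT_MAX by 3, so width * height may reach roughly INT_MAX / 3 and 4 * width * height still exceeds INT_MAX. The example re-states both the quoted check and the allocation size, tests the product in 64-bit arithmetic so the test itself cannot overflow, shows the value a wrapped 32-bit multiplication would yield, and contrasts a bound whose divisor matches the real multiplier. Assumptions: a 32-bit int, a width/height <= 0 guard that the page does not show, and the hardened variant is this example's own, not the upstream fix (which the page does not reproduce).

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Multiplier used by the allocation quoted in the report:
 *   cairo_pixels = (guchar *)g_malloc (4 * width * height);
 */
#define BYTES_PER_PIXEL 4

/* Re-statement of the validation quoted from Page::loadThumb():
 *   if (width > INT_MAX / 3 / height)  -> reject
 * The width/height <= 0 guard is an assumption of this example (it keeps the
 * division defined); it is not taken from the page. */
bool loadthumb_check_accepts(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return !(width > INT_MAX / 3 / height);
}

/* True when 4 * width * height does not fit in an int. Computed in 64-bit so
 * this test cannot itself overflow (int is assumed to be 32 bits). */
bool thumb_bytes_overflow(int width, int height)
{
    if (width <= 0 || height <= 0)
        return true; /* nothing sensible to allocate */
    long long bytes = (long long)BYTES_PER_PIXEL * width * height;
    return bytes > INT_MAX;
}

/* The value a 32-bit int multiplication 4 * width * height would wrap to,
 * computed with well-defined arithmetic (signed overflow itself is UB). */
int wrapped_int_value(int width, int height)
{
    const long long modulus = 1LL << 32;
    long long m = ((long long)BYTES_PER_PIXEL * width * height) % modulus;
    if (m < 0)
        m += modulus;
    if (m > INT_MAX)
        m -= modulus;
    return (int)m;
}

/* Hardened bound (this example's own): the divisor matches the multiplier
 * actually used by the allocation, so BYTES_PER_PIXEL * width * height is
 * guaranteed to be <= INT_MAX whenever this accepts. */
bool hardened_check_accepts(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return width <= INT_MAX / BYTES_PER_PIXEL / height;
}

int main(void)
{
    /* Constructed dimensions: the first two are the largest widths the
     * quoted bound allows for heights 1 and 2 (INT_MAX / 3 / height). */
    int cases[][2] = { {715827882, 1}, {357913941, 2}, {536870911, 1}, {4096, 4096} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i][0], h = cases[i][1];
        printf("%10d x %-5d loadThumb accepts: %d  4*w*h overflows: %d  "
               "wrapped: %11d  hardened accepts: %d\n",
               w, h, loadthumb_check_accepts(w, h), thumb_bytes_overflow(w, h),
               wrapped_int_value(w, h), hardened_check_accepts(w, h));
    }
    return 0;
}
```

For height 1 the quoted check accepts a width of INT_MAX / 3, yet 4 * width is 2863311528, which wraps to a negative int; the hardened bound rejects that case while still accepting INT_MAX / 4 pixels.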
Comment 1 Tomas Hoger 2009-10-15 03:37:42 EDT
Lifting embargo; the fix should get committed to upstream git soon.  This was likely missed before while hardening other gmalloc uses (#526911#c17), as this code uses glib's g_malloc and not xpdf/poppler's gmalloc.
Comment 2 Tomas Hoger 2009-10-20 05:50:52 EDT
Upstream fix:
Comment 4 Fedora Update System 2009-10-26 08:19:01 EDT
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
Comment 5 Fedora Update System 2009-10-26 08:20:27 EDT
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
Comment 6 Fedora Update System 2009-10-27 03:05:06 EDT
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-10-27 03:15:09 EDT
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Jan Lieskovsky 2009-12-12 06:56:38 EST
A duplicate CVE identifier, CVE-2009-3907, has also been assigned to this issue by mistake:

Name: CVE-2009-3907
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3907
Assigned: 20091109

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3607. Reason:
This candidate is a duplicate of CVE-2009-3607. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3607 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
