Bug 526924 (CVE-2009-3607) - CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Summary: CVE-2009-3607 poppler: create_surface_from_thumbnail_data integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-3607
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 530890
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-10-02 14:42 UTC by Tomas Hoger
Modified: 2019-09-29 12:32 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-28 11:01:42 UTC


Attachments (Terms of Use)

Description Tomas Hoger 2009-10-02 14:42:44 UTC
Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function.  cairo_pixels buffer is allocated as:

  cairo_pixels = (guchar *)g_malloc (4 * width * height);

  http://cgit.freedesktop.org/poppler/poppler/tree/glib/poppler-page.cc#n615

where width / height is read from PDF file.  Some validation of the values is done in Page::loadThumb(), but it is not sufficient to prevent the overflow:

  if (width > INT_MAX / 3 / height)

  http://cgit.freedesktop.org/poppler/poppler/tree/poppler/Page.cc#n547

This code does not exist in poppler as shipped in EL5, nor it is part of xpdf.

Comment 1 Tomas Hoger 2009-10-15 07:37:42 UTC
Lifting embargo, fix should get committed to upstream git soon.  This was likely missed before while hardening other gmalloc uses (#526911#c17), as this uses glib's g_malloc and not xpdf/poppler's gmalloc.

Comment 2 Tomas Hoger 2009-10-20 09:50:52 UTC
Upstream fix:
  http://cgit.freedesktop.org/poppler/poppler/commit/?id=c839b706

Comment 4 Fedora Update System 2009-10-26 12:19:01 UTC
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10

Comment 5 Fedora Update System 2009-10-26 12:20:27 UTC
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11

Comment 6 Fedora Update System 2009-10-27 07:05:06 UTC
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-10-27 07:15:09 UTC
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Jan Lieskovsky 2009-12-12 11:56:38 UTC
Duplicate CVE identifier of CVE-2009-3907 has been also (by mistake)
assigned to this issue:

Name: CVE-2009-3907
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3907
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20091109
Category:

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3607. Reason:
This candidate is a duplicate of CVE-2009-3607. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3607 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental
usage.


Note You need to log in before you can comment on or make changes to this bug.