Ludwig Nussel reported an integer overflow in poppler's create_surface_from_thumbnail_data() function. The cairo_pixels buffer is allocated as:
cairo_pixels = (guchar *)g_malloc (4 * width * height);
where width and height are read from the PDF file. Some validation of the values is done in Page::loadThumb(), but it is not sufficient to prevent the overflow:
if (width > INT_MAX / 3 / height)
This code does not exist in poppler as shipped in EL5, nor is it part of xpdf.
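To make the gap between the two checks concrete, here is an added example (not poppler's code and not the upstream fix): the loadThumb() guard as quoted above, a test for whether the 4 * width * height expression handed to g_malloc() actually overflows int for dimensions that guard accepts, and a hardened size computation that validates against the real per-pixel multiplier. The positive-dimension guard in loadthumb_guard_accepts() and the dimensions in main() are constructed for the demo; the surrounding upstream code is not shown in the report, so they are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The guard as quoted from Page::loadThumb(): it bounds 3 * width * height
 * (an RGB buffer), not the 4 * width * height that g_malloc() is later
 * called with. The positive-dimension check is added here only so this demo
 * never divides by zero (assumption; not the upstream code). */
static bool loadthumb_guard_accepts(int width, int height)
{
    if (width <= 0 || height <= 0)
        return false;
    return !(width > INT_MAX / 3 / height);
}

/* Would the int expression 4 * width * height exceed INT_MAX, i.e. overflow
 * before it is converted to gsize for g_malloc()? Computed in 64-bit so the
 * demo itself does not trigger signed-overflow undefined behaviour. */
static bool cairo_size_overflows_int(int width, int height)
{
    int64_t bytes = (int64_t)4 * width * height;
    return bytes > INT_MAX;
}

/* Hardened replacement (added example, not the upstream patch): reject
 * non-positive dimensions, validate against the actual 4-byte-per-pixel
 * multiplier, and do the multiplication in size_t, which is what g_malloc()
 * takes (gsize). Returns 0 when the dimensions are rejected. */
static size_t cairo_thumb_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    /* Keep the byte count int-representable as well, since callers such as
     * cairo stride computations work in int. */
    if ((size_t)width > INT_MAX / 4 / (size_t)height)
        return 0;
    return (size_t)4 * (size_t)width * (size_t)height;
}

int main(void)
{
    /* Constructed dimensions: the largest width the quoted guard accepts
     * for this height (INT_MAX / 3 / 16384 == 43690). */
    int height = 16384;
    int width = INT_MAX / 3 / height;

    printf("loadThumb guard accepts %dx%d: %s\n", width, height,
           loadthumb_guard_accepts(width, height) ? "yes" : "no");
    printf("4 * w * h overflows int:       %s\n",
           cairo_size_overflows_int(width, height) ? "yes" : "no");
    printf("hardened size for %dx%d:   %zu (0 = rejected)\n", width, height,
           cairo_thumb_size(width, height));
    printf("hardened size for 100x100:     %zu\n", cairo_thumb_size(100, 100));
    return 0;
}
```

For 43690x16384 the quoted guard passes (3 * w * h is just under INT_MAX), yet 4 * w * h is 2863267840, which does not fit in a signed 32-bit int; the hardened check rejects the same dimensions and still accepts ordinary thumbnails.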
Lifting embargo, the fix should get committed to upstream git soon. This was likely missed before while hardening other gmalloc uses (#526911#c17), as this code uses glib's g_malloc and not xpdf/poppler's gmalloc.
poppler-0.8.7-7.fc10 has been submitted as an update for Fedora 10.
poppler-0.10.7-3.fc11 has been submitted as an update for Fedora 11.
poppler-0.8.7-7.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
poppler-0.10.7-3.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
A duplicate CVE identifier, CVE-2009-3907, has also (by mistake) been
assigned to this issue:
** REJECT **
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-3607. Reason:
This candidate is a duplicate of CVE-2009-3607. A typo caused the
wrong ID to be used. Notes: All CVE users should reference
CVE-2009-3607 instead of this candidate. All references and
descriptions in this candidate have been removed to prevent accidental