Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 672165 - (CVE-2010-4653) CVE-2010-4653 xpdf: integer overflow in CharCodeToUnicode::addMapping
CVE-2010-4653 xpdf: integer overflow in CharCodeToUnicode::addMapping
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,source=vendor-sec,rep...
: Security
Depends On:
Blocks: 734819
  Show dependency treegraph
 
Reported: 2011-01-24 04:39 EST by Tomas Hoger
Modified: 2018-06-21 05:10 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Tomas Hoger 2011-01-24 04:39:48 EST 
Dan Rosenberg reported an issue in xpdf/poppler code base:

  http://thread.gmane.org/gmane.comp.security.oss.general/4109

  Due to an integer overflow when parsing CharCodes for fonts and a
  failure to check the return value of a memory allocation, it is
  possible to trigger writes to a narrow range of offsets from a NULL
  pointer.  The chance of being able to exploit this for anything other
  than a crash is very remote: on x86 32-bit, there's no chance (since
  the write occurs between 0xffffffc4 and 0xfffffffc).  At least the
  write lands in valid userspace on x86-64, but in my testing this
  memory is never mapped.

poppler git commit that addresses integer overflow issue:
http://cgit.freedesktop.org/poppler/poppler/commit/?id=cad66a7d25abdb6aa15f3aa94a35737b119b2659

Acknowledgements:

Red Hat would like to thank Dan Rosenberg for reporting this issue.
Comment 1 Tomas Hoger 2011-01-24 05:16:11 EST 
Affected code can be reached via GfxFont::readToUnicodeCMap function, which is called both from Gfx8BitFont and GfxCIDFont with different nBits values (8 and 16 respectively).  This further calls CharCodeToUnicode::parseCMap1, which reads character codes from the file.  Expected character code format is either "<XX>" or "<XXXX>" depending on the nBits value, where X is hexadecimal number.  The code value is read using sscanf("%x"), so '-' character is recognized too.  parseCMap1 code ensures there are exactly 2 or 4 digits.

Reproducer triggering this flaw used char code as "<-1>".  This negative value is stored in the unsigned int code variable as high positive value that wraps to 0 when the following computation is performed in addMapping:

  mapLen = (code + 256) & ~255;

Subsequent greallocn call returns NULL as requested nObjs == 0.  Unchecked return value cause addMapping to perform a NULL pointer deference.  For 8 bit codes, this results in an access to limited address range mentioned in the Dan's report (as code triggering the issue are in the range "<-1>" .. "<-f>").

For nBits == 16, problematic codes are "<-001>" .. "<-fff>".  Only the code "<-001>" .. "<-0ff>" trigger integer overflow.  Remaining values do not pass an integer overflow check in greallocn, which results in the program abort.  Referenced poppler fix does not change the code to handle this error condition more gracefully.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.