First published: Thu Oct 01 2009
oCERT reported an integer overflow flaw during C++ object allocation leading to a heap overflow, discovered by Chris Rohlf, affecting xpdf's / poppler's ObjectStream::ObjectStream (XRef.cc):

    objs = new Object[nObjects];

As new[] as implemented in gcc / libstdc++ does not perform an integer overflow check [1], a sufficiently large nObjects value (read from the input PDF file) can cause an integer overflow / wrap when multiplied by sizeof(Object), resulting in an insufficient memory allocation.

The affected code was introduced in Xpdf 3.00; packages including / based on this version are affected by this flaw. In Red Hat Enterprise Linux, that means:

- xpdf - el4
- gpdf - el4
- poppler - el5
- kdegraphics - el4, el5
- cups - el5
- tetex - el5

A patch attempting to address this was previously added to poppler, but it incorrectly used sizeof(int) instead of sizeof(Object) [2] and hence was insufficient.

[1] http://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351
[2] http://cgit.freedesktop.org/poppler/poppler/commit/?id=c36d8afc
    http://cgit.freedesktop.org/poppler/poppler/commit/?id=f41fa9ee

Acknowledgements: Red Hat would like to thank Chris Rohlf for reporting this issue.
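As an added illustration (not code from xpdf, poppler or Red Hat), the following C++ models the two guards the advisory contrasts: a bound computed with sizeof(int), which still admits an nObjects whose product with sizeof(Object) wraps a 32-bit size_t, and a bound computed with the real element size. The Object layout, the function names, the 32-bit size_t modelling and the sample count are all assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Stand-in for the PDF Object type (hypothetical layout). Like the real
// xpdf/poppler tagged union it is several words wide, i.e. larger than an
// int, which is why a sizeof(int)-based bound is too loose.
struct Object {
    int type;
    double num;
    void *ptr;
};

// The wrap is reachable on builds with a 32-bit size_t. Model that width
// explicitly so the example gives the same answers on a 64-bit host
// (assumption made for the example).
constexpr uint64_t kSizeTMax32 = 0xFFFFFFFFull;

// Byte count `new Object[nObjects]` ends up requesting on a 32-bit build:
// the product truncated modulo 2^32. When this is far smaller than the true
// product, later stores into objs[] run past the allocation.
uint64_t requestedBytes32(int nObjects) {
    return (static_cast<uint64_t>(nObjects) * sizeof(Object)) & kSizeTMax32;
}

// True when nObjects * sizeof(Object) does not fit a 32-bit size_t.
bool wrapsOn32Bit(int nObjects) {
    return static_cast<uint64_t>(nObjects) * sizeof(Object) > kSizeTMax32;
}

// Insufficient guard: bounds the product with sizeof(int) instead of the
// element size new[] actually multiplies by. It rejects negative and very
// large counts but accepts counts whose product with sizeof(Object) wraps.
bool guardWithSizeofInt(int nObjects) {
    if (nObjects < 0) return false;
    return static_cast<uint64_t>(nObjects) * sizeof(int) <= kSizeTMax32;
}

// Correct guard: nObjects may not exceed the largest count whose product with
// the real element size still fits in size_t. Dividing instead of
// multiplying means the check itself cannot overflow.
bool guardWithSizeofObject(int nObjects) {
    if (nObjects < 0) return false;
    return static_cast<uint64_t>(nObjects) <= kSizeTMax32 / sizeof(Object);
}

// Allocation wrapper a parser could use for a count read from the file:
// nullptr instead of an undersized buffer when the guard rejects it.
Object *allocObjects(int nObjects) {
    if (!guardWithSizeofObject(nObjects)) return nullptr;
    return new Object[nObjects];
}

int main() {
    // Constructed sample count, as if read from an object stream header.
    const int nObjects = 400000000;
    std::cout << "sizeof(Object)=" << sizeof(Object) << "\n"
              << "guard using sizeof(int) accepts: " << guardWithSizeofInt(nObjects) << "\n"
              << "guard using sizeof(Object) accepts: " << guardWithSizeofObject(nObjects) << "\n"
              << "product wraps on 32-bit: " << wrapsOn32Bit(nObjects) << "\n"
              << "bytes new[] would request (32-bit): " << requestedBytes32(nObjects) << "\n";
    return 0;
}
```

With the sample count, the sizeof(int) guard passes (400000000 * 4 fits in 32 bits) while the product with sizeof(Object) exceeds 2^32 and is truncated to a much smaller request, which is exactly the gap the advisory describes. Bounding the count against the real element size closes it.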
Affected Software | Affected Version | How to fix |
---|---|---|
Xpdf | >=3.00 | |
Poppler | >=5 | |
Red Hat Enterprise Linux | >=4, >=5 | |
KDE Graphics | >=4, >=5 | |
Apple CUPS | >=5 | |
TeX Live | >=5 | |