REDHAT-BUG-526877: Integer Overflow
First published: Fri Oct 02 2009(Updated: )
xpdf's PSOutputDev::doImageL1Sep contains an integer overflow in the lineBuf buffer allocation: 4303 // allocate a line buffer 4304 lineBuf = (Guchar *)gmalloc(4 * width); width is read from the input PDF file and can integer overflow / wrap when multiplied by 4, resulting in an insufficient memory allocation, leading to heap overflow. Impact of this flaw is, however, quite limited. This affects PSOutputDev class used to write / convert PDF input to PS (PostScript) output. For GUI viewers, this is done e.g. when trying to print the file. Additionally, this requires non-default Level 1 separable PostScript language level to be used for the output file (specified via e.g. -level1sep command line option for pdftops, or psLevel configuration option in xpdfrc).
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xpdf |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cgit.freedesktop.org/poppler/poppler/diff/poppler/PSOutputDev.cc?id=7b2d314a61
- http://bugs.gentoo.org/show_bug.cgi?id=242930
- https://bugzilla.redhat.com/show_bug.cgi/ftp:/ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=526637#c14
- https://rhn.redhat.com/errata/RHSA-2009-1502.html
- https://rhn.redhat.com/errata/RHSA-2009-1501.html
- https://rhn.redhat.com/errata/RHSA-2009-1500.html
- http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10
- http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11
- https://access.redhat.com/security/cve/CVE-2009-3906
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3906
- https://access.redhat.com/security/cve/CVE-2009-3606
- https://bugzilla.redhat.com/show_bug.cgi?id=526877
Frequently Asked Questions
What is the severity of REDHAT-BUG-526877?
The severity of REDHAT-BUG-526877 is considered critical due to the potential for integer overflow in the buffer allocation.
How do I fix REDHAT-BUG-526877?
To fix REDHAT-BUG-526877, you should apply the patch provided in the vulnerability details to ensure proper handling of width values.
What causes the vulnerability in REDHAT-BUG-526877?
The vulnerability in REDHAT-BUG-526877 is caused by an integer overflow in the lineBuf buffer allocation when processing the 'width' value from the input PDF.
Which software is affected by REDHAT-BUG-526877?
The software affected by REDHAT-BUG-526877 is Xpdf.
Is there a workaround for REDHAT-BUG-526877?
Currently, there is no specific workaround for REDHAT-BUG-526877 other than updating to a patched version of the software.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-3606
- agent/source
- agent/references
- agent/severity
- agent/weakness
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/xpdf
- canonical/xpdf