REDHAT-BUG-526893: Buffer Overflow
First published: Fri Oct 02 2009(Updated: )
An integer overflow flaw exists in xpdf's ImageStream::ImageStream (Stream.cc) when calculating size of the imgLine buffer: 320 nVals = width * nComps; 321 if (nBits == 1) { 322 imgLineSize = (nVals + 7) & ~7; 323 } else { 324 imgLineSize = nVals; 325 } 326 imgLine = (Guchar *)gmallocn(imgLineSize, sizeof(Guchar)); width and nComps used go compute nVals value come from the input PDF file. Their multiplication may overflow / wrap, resulting in smaller imgLine buffer allocation than expected. ImageStream always uses nVals as an upper bound when writing data into imgLine. Therefore, no buffer overflow occurs in ImageStream, but NULL pointer dereference may occur (gmallocn returns NULL when called with imgLineSize 0). Pointer to imgLine is also returned out of ImageStream class instance from ImageStream::getLine() method. Callers of the method may later over-read allocated buffer, but no caller over-writing it was identified. This code was introduced in xpdf in some early versions (exists in 0.9x), so is likely to appear in all applications embedding / forking xpdf.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xpdf | >=0.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=526637#c6
- https://bugzilla.redhat.com/show_bug.cgi/ftp:/ftp.foolabs.com/pub/xpdf/xpdf-3.02pl4.patch
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=526637#c14
- https://rhn.redhat.com/errata/RHSA-2009-1502.html
- https://rhn.redhat.com/errata/RHSA-2009-1501.html
- https://rhn.redhat.com/errata/RHSA-2009-1500.html
- https://rhn.redhat.com/errata/RHSA-2009-1503.html
- https://rhn.redhat.com/errata/RHSA-2009-1504.html
- https://rhn.redhat.com/errata/RHSA-2009-1513.html
- https://rhn.redhat.com/errata/RHSA-2009-1512.html
- http://admin.fedoraproject.org/updates/poppler-0.8.7-7.fc10
- http://admin.fedoraproject.org/updates/poppler-0.10.7-3.fc11
- https://rhn.redhat.com/errata/RHSA-2010-0399.html
- https://rhn.redhat.com/errata/RHSA-2010-0400.html
- https://rhn.redhat.com/errata/RHSA-2010-0401.html
- https://rhn.redhat.com/errata/RHSA-2010-0755.html
- https://bugzilla.redhat.com/show_bug.cgi?id=526893
Frequently Asked Questions
What is the severity of REDHAT-BUG-526893?
The severity of REDHAT-BUG-526893 is categorized as critical due to the potential for exploitation through an integer overflow vulnerability.
How do I fix REDHAT-BUG-526893?
To fix REDHAT-BUG-526893, update the xpdf application to the latest version that addresses this integer overflow vulnerability.
What software is affected by REDHAT-BUG-526893?
REDHAT-BUG-526893 affects the xpdf software, specifically versions from 0.9 and above.
What type of vulnerability is REDHAT-BUG-526893?
REDHAT-BUG-526893 is an integer overflow flaw that can lead to buffer overflows and potential code execution.
Can REDHAT-BUG-526893 be exploited remotely?
Yes, REDHAT-BUG-526893 can potentially be exploited remotely if an attacker can manipulate the processing of malformed PDF files.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-3609
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/xpdf
- canonical/xpdf