First published: Fri Oct 02 2009
Adam Zabrocki reported flaws in xpdf's Splash::drawImage function related to buffer memory allocations:

```cpp
// allocate pixel buffers
colorBuf = (SplashColorPtr)gmalloc((yp + 1) * w * nComps);
if (srcAlpha) {
  alphaBuf = (Guchar *)gmalloc((yp + 1) * w);
} else {
  alphaBuf = NULL;
}
```

The values used to compute the argument passed to gmalloc come from the input PDF file. Suitably chosen values will cause gmalloc to return NULL or a buffer of insufficient size, leading to a NULL pointer dereference or heap buffer overflow later.

The affected Splash output device is not available in xpdf 2.x versions and earlier. It is also not used in the xpdf embedded in CUPS or tetex.

This was already fixed in poppler as part of the preventive gmalloc -> gmallocn changes: http://cgit.freedesktop.org/poppler/poppler/commit/?id=9cf2325fb2

This fix is also present in the EL5 poppler packages.

Acknowledgements: Red Hat would like to thank Adam Zabrocki for reporting this issue.
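The following added example (not code from xpdf or poppler) shows why the unchecked `(yp + 1) * w * nComps` size is dangerous and what an overflow-checked allocation in the spirit of the gmalloc -> gmallocn change looks like. The helper names `wrapped_size`, `checked_size3` and `alloc_rows` are hypothetical, and the dimensions are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size that a wrapping 32-bit multiply yields for rows * w * nComps.
 * Unsigned arithmetic is used so the wrap is well defined in C. */
uint32_t wrapped_size(int rows, int w, int nComps) {
    return (uint32_t)rows * (uint32_t)w * (uint32_t)nComps;
}

/* Hypothetical helper: a * b * c with overflow detection.
 * Returns 0 and stores the product, or -1 if any factor is negative
 * or the product does not fit in an int. */
int checked_size3(int a, int b, int c, size_t *out) {
    if (a < 0 || b < 0 || c < 0) return -1;
    if (a == 0 || b == 0 || c == 0) { *out = 0; return 0; }
    if (a > INT_MAX / b) return -1;
    int ab = a * b;                      /* safe: checked above */
    if (ab > INT_MAX / c) return -1;
    *out = (size_t)ab * (size_t)c;
    return 0;
}

/* Hypothetical wrapper for the (yp + 1) * w * nComps buffers: rejects
 * yp == INT_MAX (yp + 1 would overflow), overflowing products and
 * zero-sized requests. Callers must still check for NULL. */
void *alloc_rows(int yp, int w, int nComps) {
    size_t n;
    if (yp < 0 || yp == INT_MAX) return NULL;
    if (checked_size3(yp + 1, w, nComps, &n) != 0 || n == 0) return NULL;
    return malloc(n);
}

int main(void) {
    /* Constructed dimensions: the true size is 8 GiB + 8 bytes. */
    int yp = 1, w = 0x40000001, nComps = 4;
    printf("unchecked 32-bit size: %u bytes\n",
           (unsigned)wrapped_size(yp + 1, w, nComps));
    void *p = alloc_rows(yp, w, nComps);
    printf("checked allocation: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```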
Affected Software | Affected Version | How to fix |
---|---|---|
Xpdf | >2.0 |
The severity of REDHAT-BUG-526911 has not been explicitly stated, but it involves memory allocation flaws which could lead to potential security issues.
To fix REDHAT-BUG-526911, update to the latest version of xpdf that addresses the memory allocation flaws.
xpdf versions earlier than 2.0 are affected by REDHAT-BUG-526911.
The impact of REDHAT-BUG-526911 can include potential crashes or memory corruption due to improper handling of buffer allocations.
REDHAT-BUG-526911 was reported by Adam Zabrocki.