
CVE-2010-2640: Evince PK Parser Array Index Error


This is almost identical to the VF issue, which was also reported by Jon Larimer of IBM X-Force and is tracked as CVE-2010-2641. The defect is the same shape: the character code `cc` is read straight from the font file and then used as the index into `font->chars` (initially allocated with 256 entries) after being compared only against `loc`, `hic` and `maxch` — there is no check that it is non-negative, so a crafted PK font chooses where the per-character fields below are written. Here is the corresponding code from the equivalent font parser, backend/dvi/mdvi-lib/pk.c (the listing is an excerpt; "..." marks elided lines).

/* supports any number of characters in a font */
/*
 * Read the character directory of a PK font into font->chars, one entry
 * per character code.  Returns -1 on the failure path shown at the end.
 * Only an excerpt is reproduced here ("..." marks elided lines), so the
 * initial values of loc/hic/maxch, the other preamble forms and the body
 * of the cc > maxch branch are not visible.
 */
static int pk_load_font(DviParams *unused, DviFont *font)
{
        int     i;
        int     flag_byte;
        /* loc/hic: lowest and highest char code seen so far;
         * maxch: current size of font->chars.  Their initialization is elided. */
        int     loc, hic, maxch;
  ...
        /* Initial directory; xnalloc is a project helper, presumably 256 elements. */
        font->chars = xnalloc(DviFontChar, 256);
  ...
        while((flag_byte = fuget1(p)) != PK_POST) {
  ...
                        default:
                                /* Short preamble: packet length from the low flag bits plus
                                 * one byte, and a one-byte char code (0..255).  The elided
                                 * preamble cases read wider codes -- the range check added
                                 * by the fix implies cc can otherwise be negative or > 255. */
                                pl = (flag_byte % 4) * 256 + fuget1(p);
                                cc = fuget1(p);
  ...
                        }
                        if(feof(p))
                                break;
                        /* NOTE(review): cc is attacker-controlled file data.  The three
                         * comparisons below only track the min/max and grow the array
                         * when cc exceeds maxch (body elided); nothing rejects a negative
                         * cc before it is used as an index a few lines further down. */
                        if(cc < loc)
                                loc = cc;
                        if(cc > hic)
                                hic = cc;
                        if(cc > maxch) {
   ...
                        /* Every store below indexes font->chars with the unvalidated cc;
                         * a negative value writes in front of the allocation. */
                        font->chars[cc].code = cc;
                        font->chars[cc].flags = flag_byte;
                        font->chars[cc].offset = ftell(p);
                        font->chars[cc].width = w;
                        font->chars[cc].height = h;
                        font->chars[cc].glyph.data = NULL;
                        font->chars[cc].x = x;
                        font->chars[cc].y = y;
                        font->chars[cc].glyph.x = x;
                        font->chars[cc].glyph.y = y;
                        font->chars[cc].glyph.w = w;
                        font->chars[cc].glyph.h = h;
                        font->chars[cc].grey.data = NULL;
                        font->chars[cc].shrunk.data = NULL;
                        font->chars[cc].tfmwidth = TFMSCALE(z, tfm, alpha, beta);
                        /* Glyph bitmap is fetched lazily; only the directory entry is filled here. */
                        font->chars[cc].loaded = 0;
                        /* offset is computed in the elided lines, presumably the start of
                         * the next packet; the seek result is not checked. */
                        fseek(p, (long)offset, SEEK_SET);
                }
   ...
        /* Failure path (the label it sits under is elided): clear the code range
         * so callers see an empty font, and report failure. */
        font->loc = font->hic = 0;
        return -1;
}

And the equivalent patch…

                        if(feof(p))
                                break;
+
+                        /* Although the PK format support bigger char codes,
+                         * XeTeX and other extended TeX engines support charcodes up to
+                         * 65536, while normal TeX engine supports only charcode up to 255.*/
+                       if (cc < 0 || cc > 65536) {
+                              mdvi_error (_("%s: unexpected charcode (%d)\n"),
+                                          font->fontname,cc);
+                              goto error;
+                       }
                        if(cc < loc)
                                loc = cc;
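Review bot: The new guard `if (cc < 0 || cc > 65536)` accepts cc == 65536, while the comment above it justifies the bound as the char-code range of extended TeX engines, and a 16-bit code ends at 65535; either tighten the test to `if (cc < 0 || cc > 65535) {` or reword the comment so the inclusive limit reads as deliberate. Whether a code of exactly 65536 is safe depends on the `cc > maxch` resize path, which is outside this hunk. The `error` label targeted by the `goto` is also outside the hunk, and pk_load_font's body begins and ends beyond these lines.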

And in addition to this, a correction was made to the following check…

        /* resize font char data */
-       if(loc > 0 || hic < maxch-1) {
+       if(loc > 0 && hic < maxch-1) {
                memmove(font->chars, font->chars + loc, 
                        (hic - loc + 1) * sizeof(DviFontChar));
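Review bot: Neither the old `||` nor the new `&&` condition guards the case hic < loc, where `(hic - loc + 1) * sizeof(DviFontChar)` is negative and converts to a very large size_t for memmove; whether that state is reachable (a font whose packet loop stored no characters) depends on how loc and hic are initialised, which is not visible here, so a guard such as `if(hic < loc) goto error;` before the block would close it regardless. Switching to `&&` also skips the shift whenever hic == maxch-1 even when loc > 0; if the code after this hunk records loc as font->loc, entries would then sit at chars[cc] rather than chars[cc - loc], which is worth checking against the lookup side. The enclosing function and its loc/hic bookkeeping lie outside the hunk.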

Written by xorl

January 14, 2011 at 14:48

