commit podofo for openSUSE:Factory
Hello community, here is the log from the commit of package podofo for openSUSE:Factory checked in at 2019-05-22 15:40:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/podofo (Old) and /work/SRC/openSUSE:Factory/.podofo.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "podofo" Wed May 22 15:40:31 2019 rev:30 rq:704674 version:0.9.6 Changes: -------- --- /work/SRC/openSUSE:Factory/podofo/podofo.changes 2019-02-25 18:01:00.594099460 +0100 +++ /work/SRC/openSUSE:Factory/.podofo.new.5148/podofo.changes 2019-05-22 15:41:10.766428679 +0200 @@ -1,0 +2,6 @@ +Wed May 15 06:47:07 UTC 2019 - qzheng <qzheng@suse.com> + +- Add r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch + (boo#1129290, CVE-2019-9687). + +------------------------------------------------------------------- New: ---- r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ podofo.spec ++++++ --- /var/tmp/diff_new_pack.hEVnaf/_old 2019-05-22 15:41:15.570427264 +0200 +++ /var/tmp/diff_new_pack.hEVnaf/_new 2019-05-22 15:41:15.574427264 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# Please submit bugfixes or comments via http://bugs.opensuse.org/ # @@ -55,6 +55,8 @@ Patch13: r1961-EncryptTest-Fix-buffer-overflow-in-decrypted-out-buffer-in-TestEncrypt.patch # PATCH-FIX-UPSTREAM Patch14: r1963-Fix-heap-based-buffer-overflow-vulnerability-in-PoDoFo-PdfVariant-DelayedLoad.patch +# PATCH-FIX-UPSTREAM +Patch15: r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch BuildRequires: cmake >= 2.5 BuildRequires: doxygen BuildRequires: fdupes ++++++ r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch ++++++ 
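Review bot: The podofo.spec hunk at `@@ -55,6 +55,8 @@` only declares `Patch15:`, and no hunk on this page touches `%prep`. If `%prep` applies patches with explicit `%patchN` lines rather than `%autosetup` or `%autopatch` (not visible here), the CVE-2019-9687 fix would ship in the source package without being applied to the build. It is worth confirming in the build log that r1969-Fix-CVE-2019-9687-heap-based-buffer-overflow.patch is actually applied.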
diff --git src/base/PdfString.cpp src/base/PdfString.cpp index fd87c7e..e5555e8 100644 --- src/base/PdfString.cpp +++ src/base/PdfString.cpp @@ -627,7 +627,19 @@ void PdfString::InitUtf8() this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lBufferLen, ePdfStringConversion_Lenient ); - pBuffer[lUtf8-1] = '\0'; + if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there + { + pBuffer = static_cast<char*>(podofo_realloc( pBuffer, lUtf8 + 1 ) ); + if( !pBuffer ) + { + PODOFO_RAISE_ERROR( ePdfError_OutOfMemory ); + } + if (lUtf8 - 1 > lBufferLen) + lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()), + this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer), lUtf8 + 1); + } + + pBuffer[lUtf8 - 1] = '\0'; pBuffer[lUtf8] = '\0'; m_sUtf8 = pBuffer; podofo_free( pBuffer ); @@ -811,6 +823,7 @@ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_utf8* p return ConvertUTF16toUTF8( pszUtf16, lLen, pszUtf8, lLenUtf8 ); } +// returns used, or if not enough memory passed in, needed length incl. 1 byte termination pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lLenUtf16, pdf_utf8* pszUtf8, pdf_long lLenUtf8, EPdfStringConversion eConversion ) 
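Review bot: In the grow-and-retry branch added to `PdfString::InitUtf8`, the length returned by the second `ConvertUTF16toUTF8` call is used to index `pBuffer` without being compared against the reallocated size, so the two terminator writes are only in bounds if the retry reports exactly what the first call asked for. The retry also omits the `ePdfStringConversion_Lenient` argument that the first call passes, so depending on the parameter's default (not visible here) the two calls may convert in different modes. Separately, assigning the result of `podofo_realloc` straight back to `pBuffer` drops the only pointer to the original block when it fails, assuming it follows `realloc` semantics. The sketch below keeps the new size in a local, passes the same mode, and raises if the retry still does not fit; the allocation of `pBuffer` and the start of the first call are outside the hunk.

```cpp
    if (lUtf8 + 1 > lBufferLen) // + 1 to account for 2 bytes termination here vs. 1 byte there
    {
        const pdf_long lNewLen = lUtf8 + 1;
        char* pNewBuffer = static_cast<char*>(podofo_realloc( pBuffer, lNewLen ) );
        if( !pNewBuffer )
        {
            podofo_free( pBuffer ); // the original block is still owned here
            PODOFO_RAISE_ERROR( ePdfError_OutOfMemory );
        }
        pBuffer = pNewBuffer;

        if (lUtf8 - 1 > lBufferLen)
        {
            lUtf8 = PdfString::ConvertUTF16toUTF8( reinterpret_cast<const pdf_utf16be*>(m_buffer.GetBuffer()),
                                                   this->GetUnicodeLength(), reinterpret_cast<pdf_utf8*>(pBuffer),
                                                   lNewLen, ePdfStringConversion_Lenient );
            if (lUtf8 + 1 > lNewLen) // retry must fit, otherwise the terminator writes go out of bounds
            {
                podofo_free( pBuffer );
                PODOFO_RAISE_ERROR( ePdfError_InternalLogic );
            }
        }
    }
    // … unchanged: the two terminator writes, m_sUtf8 assignment, podofo_free …
```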
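Review bot: The comment added above the five-argument `ConvertUTF16toUTF8` does not say how a caller tells "used" from "needed", which is the check that decides whether the output was terminated. Judging by the later hunk in this file, the function appears to return a value greater than `lLenUtf8` exactly when it did not write the terminator, so I would state that: `// Returns bytes used incl. the 0 terminator; a value > lLenUtf8 means the buffer was too small, the output is not terminated (and may not have been written), and the value is the size needed.` The function body continues outside this hunk.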
@@ -828,12 +841,21 @@ pdf_long PdfString::ConvertUTF16toUTF8( const pdf_utf16be* pszUtf16, pdf_long lL size_t sLength = lLenUtf16; size_t resultBufLength = lLenUtf8; - u16_to_u8 ( s, sLength, pResultBuf, &resultBufLength); + uint8_t* pReturnBuf = u16_to_u8( s, sLength, pResultBuf, &resultBufLength ); + if (pReturnBuf != pResultBuf) + { + free(pReturnBuf); // allocated by libunistring, so don't use podofo_free() + PdfError::LogMessage( eLogSeverity_Warning, "Output string size too little to hold it\n" ); + return resultBufLength + 1; + } pdf_long lBufferLen = PODOFO_MIN( static_cast<pdf_long>(resultBufLength + 1), lLenUtf8 ); - // Make sure buffer is 0 termnated - pszUtf8[resultBufLength] = 0; + // Make sure buffer is 0 terminated + if ( static_cast<pdf_long>(resultBufLength + 1) <= lLenUtf8 ) + pszUtf8[resultBufLength] = 0; + else + return resultBufLength + 1; // means: check for this in the caller to detect non-termination return lBufferLen; }
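Review bot: The `pReturnBuf != pResultBuf` test added after `u16_to_u8` also matches a NULL return, which libunistring uses to report failure (invalid input or out of memory), so a conversion error is logged and returned as "buffer too small". In that case `resultBufLength` presumably still holds the caller's `lLenUtf8`, so the function returns `lLenUtf8 + 1`, and a caller such as InitUtf8 would treat that as a size to grow to and carry on with an unconverted buffer. I would test `if( !pReturnBuf )` first and report the failure through the error path instead of returning a length. The function begins outside this hunk.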