p96705831
/
qpdf
forked from openkylin/qpdf
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

CVE-2021-36978 安全更新:当某个下游写操作失败时,QPDF中存在基于堆的缓冲区溢出漏洞

This commit is contained in:
lch 2023-03-14 11:09:22 +08:00 committed by cckylin-cibot
parent 83116f7aaf
commit 26f6b3e7b0
3 changed files with 98 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
debian/changelog vendored
View File

@ -1,11 +1,17 @@
qpdf (9.1.1-ok2) yangtze; urgency=medium qpdf (9.1.1-ok3) yangtze; urgency=medium
* Update version. * omelette-guo CVE-2021-36978 安全更新当某个下游写操作失败时QPDF中存在基于堆的缓冲区溢出漏洞
-- zhouganqing <zhouganqing@kylinos.cn> Mon, 15 Aug 2022 17:00:51 +0800 -- lichaoheng <o_o@bupt.edu.cn> Tue, 14 Mar 2023 11:06:54 +0800
qpdf (9.1.1-ok1) yangtze; urgency=medium qpdf (9.1.1-ok2) yangtze; urgency=medium
* Build for openKylin. * Update version.
-- openKylinBot <openKylinBot@openkylin.com> Mon, 25 Apr 2022 22:03:04 +0800 -- zhouganqing <zhouganqing@kylinos.cn> Mon, 15 Aug 2022 17:00:51 +0800
qpdf (9.1.1-ok1) yangtze; urgency=medium
* Build for openKylin.
-- openKylinBot <openKylinBot@openkylin.com> Mon, 25 Apr 2022 22:03:04 +0800

80
debian/patches/0001-CVE-2021-36978-QPDF.patch vendored Normal file
View File

@ -0,0 +1,80 @@
From: lch <32248802@qq.com>
Date: Tue, 14 Mar 2023 11:09:22 +0800
Subject: =?utf-8?b?Q1ZFLTIwMjEtMzY5Nzgg5a6J5YWo5pu05paw77ya5b2T5p+Q5Liq5LiL?=
=?utf-8?b?5ri45YaZ5pON5L2c5aSx6LSl5pe277yMUVBERuS4reWtmOWcqOWfuuS6juWghg==?=
=?utf-8?b?55qE57yT5Yay5Yy65rqi5Ye65ryP5rSe?=
---
libqpdf/Pl_AES_PDF.cc | 2 +-
libqpdf/Pl_ASCII85Decoder.cc | 7 +++++--
libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
libqpdf/Pl_Count.cc | 2 +-
4 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
index 18cf3a4..2865f80 100644
--- a/libqpdf/Pl_AES_PDF.cc
+++ b/libqpdf/Pl_AES_PDF.cc
@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
}
}
}
- getNext()->write(this->outbuf, bytes);
this->offset = 0;
+ getNext()->write(this->outbuf, bytes);
}
diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
index b8df3e8..9d9f670 100644
--- a/libqpdf/Pl_ASCII85Decoder.cc
+++ b/libqpdf/Pl_ASCII85Decoder.cc
@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
(this->pos == 5) ? 0 : 1);
- getNext()->write(outbuf, this->pos - 1);
-
+ // Reset before calling getNext()->write in case that throws an
+ // exception.
+ auto t = this->pos - 1;
this->pos = 0;
memset(this->inbuf, 117, 5);
+
+ getNext()->write(outbuf, t);
}
void
diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
index f20a976..7845268 100644
--- a/libqpdf/Pl_ASCIIHexDecoder.cc
+++ b/libqpdf/Pl_ASCIIHexDecoder.cc
@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
(this->pos == 2) ? 0 : 1);
- getNext()->write(&ch, 1);
-
+ // Reset before calling getNext()->write in case that throws an
+ // exception.
this->pos = 0;
this->inbuf[0] = '0';
this->inbuf[1] = '0';
this->inbuf[2] = '\0';
+
+ getNext()->write(&ch, 1);
}
void
diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
index 8077092..c35619b 100644
--- a/libqpdf/Pl_Count.cc
+++ b/libqpdf/Pl_Count.cc
@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
if (len)
{
this->m->count += QIntC::to_offset(len);
- getNext()->write(buf, len);
this->m->last_char = buf[len - 1];
+ getNext()->write(buf, len);
}
}

1
debian/patches/series vendored Normal file
View File

@ -0,0 +1 @@
0001-CVE-2021-36978-QPDF.patch