forked from openkylin/qpdf
CVE-2021-36978 安全更新:当某个下游写操作失败时,QPDF中存在基于堆的缓冲区溢出漏洞
This commit is contained in:
lch
cckylin-cibot
parent
83116f7aaf
commit
26f6b3e7b0
|
|
@ -1,3 +1,9 @@
|
|||
qpdf (9.1.1-ok3) yangtze; urgency=medium
|
||||
|
||||
* omelette-guo CVE-2021-36978 安全更新:当某个下游写操作失败时,QPDF中存在基于堆的缓冲区溢出漏洞
|
||||
|
||||
-- lichaoheng <o_o@bupt.edu.cn> Tue, 14 Mar 2023 11:06:54 +0800
|
||||
|
||||
qpdf (9.1.1-ok2) yangtze; urgency=medium
|
||||
|
||||
* Update version.
|
||||
|
|
|
|||
|
|
@ -0,0 +1,80 @@
|
|||
From: lch <32248802@qq.com>
|
||||
Date: Tue, 14 Mar 2023 11:09:22 +0800
|
||||
Subject: =?utf-8?b?Q1ZFLTIwMjEtMzY5Nzgg5a6J5YWo5pu05paw77ya5b2T5p+Q5Liq5LiL?=
|
||||
=?utf-8?b?5ri45YaZ5pON5L2c5aSx6LSl5pe277yMUVBERuS4reWtmOWcqOWfuuS6juWghg==?=
|
||||
=?utf-8?b?55qE57yT5Yay5Yy65rqi5Ye65ryP5rSe?=
|
||||
|
||||
---
|
||||
libqpdf/Pl_AES_PDF.cc | 2 +-
|
||||
libqpdf/Pl_ASCII85Decoder.cc | 7 +++++--
|
||||
libqpdf/Pl_ASCIIHexDecoder.cc | 6 ++++--
|
||||
libqpdf/Pl_Count.cc | 2 +-
|
||||
4 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
|
||||
index 18cf3a4..2865f80 100644
|
||||
--- a/libqpdf/Pl_AES_PDF.cc
|
||||
+++ b/libqpdf/Pl_AES_PDF.cc
|
||||
@@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
|
||||
}
|
||||
}
|
||||
}
|
||||
- getNext()->write(this->outbuf, bytes);
|
||||
this->offset = 0;
|
||||
+ getNext()->write(this->outbuf, bytes);
|
||||
}
|
||||
diff --git a/libqpdf/Pl_ASCII85Decoder.cc b/libqpdf/Pl_ASCII85Decoder.cc
|
||||
index b8df3e8..9d9f670 100644
|
||||
--- a/libqpdf/Pl_ASCII85Decoder.cc
|
||||
+++ b/libqpdf/Pl_ASCII85Decoder.cc
|
||||
@@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
|
||||
|
||||
QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
|
||||
(this->pos == 5) ? 0 : 1);
|
||||
- getNext()->write(outbuf, this->pos - 1);
|
||||
-
|
||||
+ // Reset before calling getNext()->write in case that throws an
|
||||
+ // exception.
|
||||
+ auto t = this->pos - 1;
|
||||
this->pos = 0;
|
||||
memset(this->inbuf, 117, 5);
|
||||
+
|
||||
+ getNext()->write(outbuf, t);
|
||||
}
|
||||
|
||||
void
|
||||
diff --git a/libqpdf/Pl_ASCIIHexDecoder.cc b/libqpdf/Pl_ASCIIHexDecoder.cc
|
||||
index f20a976..7845268 100644
|
||||
--- a/libqpdf/Pl_ASCIIHexDecoder.cc
|
||||
+++ b/libqpdf/Pl_ASCIIHexDecoder.cc
|
||||
@@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
|
||||
|
||||
QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
|
||||
(this->pos == 2) ? 0 : 1);
|
||||
- getNext()->write(&ch, 1);
|
||||
-
|
||||
+ // Reset before calling getNext()->write in case that throws an
|
||||
+ // exception.
|
||||
this->pos = 0;
|
||||
this->inbuf[0] = '0';
|
||||
this->inbuf[1] = '0';
|
||||
this->inbuf[2] = '\0';
|
||||
+
|
||||
+ getNext()->write(&ch, 1);
|
||||
}
|
||||
|
||||
void
|
||||
diff --git a/libqpdf/Pl_Count.cc b/libqpdf/Pl_Count.cc
|
||||
index 8077092..c35619b 100644
|
||||
--- a/libqpdf/Pl_Count.cc
|
||||
+++ b/libqpdf/Pl_Count.cc
|
||||
@@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
|
||||
if (len)
|
||||
{
|
||||
this->m->count += QIntC::to_offset(len);
|
||||
- getNext()->write(buf, len);
|
||||
this->m->last_char = buf[len - 1];
|
||||
+ getNext()->write(buf, len);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1 @@
|
|||
0001-CVE-2021-36978-QPDF.patch
|
||||
Loading…
Reference in New Issue