CVE-2021-36978 安全更新：当某个下游写操作失败时，QPDF中存在基于堆的缓冲区溢出漏洞

2023-03-14 11:09:22 +08:00 · 2023-03-14 11:09:22 +08:00 · e7c511d7eb
parent e1f56a2fe5
commit e7c511d7eb
5 changed files with 28 additions and 17 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,11 +1,17 @@
-qpdf (9.1.1-ok2) yangtze; urgency=medium
-
-  * Update version.
-
- -- zhouganqing <zhouganqing@kylinos.cn>  Mon, 15 Aug 2022 17:00:51 +0800
-
-qpdf (9.1.1-ok1) yangtze; urgency=medium
-
-  * Build for openKylin.
-
- -- openKylinBot <openKylinBot@openkylin.com>  Mon, 25 Apr 2022 22:03:04 +0800
+qpdf (9.1.1-ok3) yangtze; urgency=medium
+
+  * omelette-guo CVE-2021-36978 安全更新：当某个下游写操作失败时，QPDF中存在基于堆的缓冲区溢出漏洞
+
+ -- lichaoheng <o_o@bupt.edu.cn>  Tue, 14 Mar 2023 11:06:54 +0800
+
+qpdf (9.1.1-ok2) yangtze; urgency=medium
+
+  * Update version.
+
+ -- zhouganqing <zhouganqing@kylinos.cn>  Mon, 15 Aug 2022 17:00:51 +0800
+
+qpdf (9.1.1-ok1) yangtze; urgency=medium
+
+  * Build for openKylin.
+
+ -- openKylinBot <openKylinBot@openkylin.com>  Mon, 25 Apr 2022 22:03:04 +0800
--- a/libqpdf/Pl_AES_PDF.cc
+++ b/libqpdf/Pl_AES_PDF.cc
@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
 	    }
 	}
    }
-    getNext()->write(this->outbuf, bytes);
    this->offset = 0;
+    getNext()->write(this->outbuf, bytes);
 }
--- a/libqpdf/Pl_ASCII85Decoder.cc
+++ b/libqpdf/Pl_ASCII85Decoder.cc
@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()

    QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
 	    (this->pos == 5) ? 0 : 1);
-    getNext()->write(outbuf, this->pos - 1);
-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
+    auto t = this->pos - 1;
    this->pos = 0;
    memset(this->inbuf, 117, 5);
+
+    getNext()->write(outbuf, t);
 }

 void
--- a/libqpdf/Pl_ASCIIHexDecoder.cc
+++ b/libqpdf/Pl_ASCIIHexDecoder.cc
@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()

    QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
 	    (this->pos == 2) ? 0 : 1);
-    getNext()->write(&ch, 1);
-
+    // Reset before calling getNext()->write in case that throws an
+    // exception.
    this->pos = 0;
    this->inbuf[0] = '0';
    this->inbuf[1] = '0';
    this->inbuf[2] = '\0';
+
+    getNext()->write(&ch, 1);
 }

 void
--- a/libqpdf/Pl_Count.cc
+++ b/libqpdf/Pl_Count.cc
@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
    if (len)
    {
 	this->m->count += QIntC::to_offset(len);
-	getNext()->write(buf, len);
 	this->m->last_char = buf[len - 1];
+	getNext()->write(buf, len);
    }
 }