CVE-2021-36978 安全更新:当某个下游写操作失败时,QPDF中存在基于堆的缓冲区溢出漏洞

This commit is contained in:
lch 2023-03-14 11:09:22 +08:00
parent e1f56a2fe5
commit e7c511d7eb
5 changed files with 28 additions and 17 deletions

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
qpdf (9.1.1-ok3) yangtze; urgency=medium
* omelette-guo CVE-2021-36978 安全更新当某个下游写操作失败时QPDF中存在基于堆的缓冲区溢出漏洞
-- lichaoheng <o_o@bupt.edu.cn> Tue, 14 Mar 2023 11:06:54 +0800
qpdf (9.1.1-ok2) yangtze; urgency=medium
* Update version.

View File

@ -238,6 +238,6 @@ Pl_AES_PDF::flush(bool strip_padding)
}
}
}
getNext()->write(this->outbuf, bytes);
this->offset = 0;
getNext()->write(this->outbuf, bytes);
}

View File

@ -119,10 +119,13 @@ Pl_ASCII85Decoder::flush()
QTC::TC("libtests", "Pl_ASCII85Decoder partial flush",
(this->pos == 5) ? 0 : 1);
getNext()->write(outbuf, this->pos - 1);
// Reset before calling getNext()->write in case that throws an
// exception.
auto t = this->pos - 1;
this->pos = 0;
memset(this->inbuf, 117, 5);
getNext()->write(outbuf, t);
}
void

View File

@ -97,12 +97,14 @@ Pl_ASCIIHexDecoder::flush()
QTC::TC("libtests", "Pl_ASCIIHexDecoder partial flush",
(this->pos == 2) ? 0 : 1);
getNext()->write(&ch, 1);
// Reset before calling getNext()->write in case that throws an
// exception.
this->pos = 0;
this->inbuf[0] = '0';
this->inbuf[1] = '0';
this->inbuf[2] = '\0';
getNext()->write(&ch, 1);
}
void

View File

@ -27,8 +27,8 @@ Pl_Count::write(unsigned char* buf, size_t len)
if (len)
{
this->m->count += QIntC::to_offset(len);
getNext()->write(buf, len);
this->m->last_char = buf[len - 1];
getNext()->write(buf, len);
}
}