Possible INTEGER_OVERFLOW in filter/pdftopdf/qpdf_cm.cc #42
Comments
zdohnal
added a commit
to zdohnal/libcupsfilters
that referenced
this issue
Dec 1, 2023
Use unsigned int (we use the variable as string index anyway) and check if we overflow everytime we increment the variable. Fixes OpenPrinting#42
tillkamppeter
pushed a commit
that referenced
this issue
Dec 1, 2023
Use unsigned int (we use the variable as string index anyway) and check if we overflow everytime we increment the variable. Fixes #42
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Values of the constant
bsize = 2048and the variableposare set at qpdf_cm.cc:19 and qpdf_cm.cc:20 :https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/filter/pdftopdf/qpdf_cm.cc#L19-L20
Next, these variables go into the
while()loop and remain there until the EOF is reached, according to the condition of theif(!feof(f))loop at qpdf_cm.cc:23https://github.com/OpenPrinting/cups-filters/blob/d72184e725591f10e2b404b36fe3bf5bc304a299/filter/pdftopdf/qpdf_cm.cc#L23-L30
posvariable is overwritten each time it passes the loop. So it is possible that the function input will receive a file of very large length, which will result in INTEGER_OVERFLOW.Found by Linux Verification Center (portal.linuxtesting.ru) with SVACE.
Author A. Slepykh.
The text was updated successfully, but these errors were encountered: