Security: sanitize /W in xref stream

The /W array was not sanitized, possibly causing an integer overflow in a multiplication. An analysis of the code suggests that there were no possible exploits based on this since the problems were in checking expected values but bounds checks were performed on actual values.
author: Jay Berkenbilt <ejb@ql.org> 2013-10-05 18:28:52 +0200
committer: Jay Berkenbilt <ejb@ql.org> 2013-10-10 02:57:07 +0200
commit: 10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4 (patch)
tree: 35fab8055e7eb30f4a13aa6aabba1ec0aeac2d6f /ChangeLog
parent: 3eb4b066ab3f25f6454214d33b2fc17161812dfa (diff)
download: qpdf-10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4.tar.zst
1 files changed, 5 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 8a10865f..124a086d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 2013-10-05  Jay Berkenbilt  <ejb@ql.org>
 
+	* Security fix: sanitize /W array in cross reference stream to
+	avoid a potential integer overflow in a multiplication.  It is
+	unlikely that any exploits were possible from this bug as
+	additional checks were also performed.
+
 	* Security fix: avoid buffer overrun that could be caused by bogus
 	data in linearization hint streams.  The incorrect code could only
 	be triggered when checking linearization data, which must be
author	Jay Berkenbilt <ejb@ql.org>	2013-10-05 18:28:52 +0200
committer	Jay Berkenbilt <ejb@ql.org>	2013-10-10 02:57:07 +0200
commit	10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4 (patch)
tree	35fab8055e7eb30f4a13aa6aabba1ec0aeac2d6f /ChangeLog
parent	3eb4b066ab3f25f6454214d33b2fc17161812dfa (diff)
download	qpdf-10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4.tar.zst