diff options
author | Jay Berkenbilt <ejb@ql.org> | 2013-10-05 18:28:52 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2013-10-10 02:57:07 +0200 |
commit | 10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4 (patch) | |
tree | 35fab8055e7eb30f4a13aa6aabba1ec0aeac2d6f /ChangeLog | |
parent | 3eb4b066ab3f25f6454214d33b2fc17161812dfa (diff) | |
download | qpdf-10bceb552f1cfd2ddae3c8bfd7d9b38a66e710c4.tar.zst |
Security: sanitize /W in xref stream
The /W array was not sanitized, possibly causing an integer overflow
in a multiplication. An analysis of the code suggests that there were
no possible exploits based on this since the problems were in checking
expected values but bounds checks were performed on actual values.
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -1,5 +1,10 @@ 2013-10-05 Jay Berkenbilt <ejb@ql.org> + * Security fix: sanitize /W array in cross reference stream to + avoid a potential integer overflow in a multiplication. It is + unlikely that any exploits were possible from this bug as + additional checks were also performed. + * Security fix: avoid buffer overrun that could be caused by bogus data in linearization hint streams. The incorrect code could only be triggered when checking linearization data, which must be |