[pdf-devel] [flyspray] Possible memory overflow in the bignums implement
From: GNU PDF Library
Subject: [pdf-devel] [flyspray] Possible memory overflow in the bignums implementation
Date: Sat, 13 Jun 2009 17:16:03 +0200
THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.
A new Flyspray task has been opened. Details are below.
User who did this - Jose E. Marchesi (jemarch)
Attached to Project - GNU PDF Library
Summary - Possible memory overflow in the bignums implementation
Task Type - Sporadic Task
Category - Basic Types Module
Status - NEXT
Assigned To -
Operating System - All
Severity - Medium
Priority - Normal
Reported Version - START
Due in Version - BASE-LAYER-0
Due Date - Undecided
Details - Brad Hards reported the following:
Start with types. It appears to have one issue:
base/types/pdf-i64-div.c:168:E:pdf_i64_div:pdf_i64_div_005:0: (after this
point) Received signal 11 (Segmentation fault)
I'm pretty confident that there is a buffer overflow, but I have no idea
what the fix is.
I added an assert that triggers on the problem, but don't have a real
fix.
--- src/base/pdf-types.c 2009-03-03 22:26:28 +0000
+++ src/base/pdf-types.c 2009-06-13 08:27:12 +0000
@@ -26,6 +26,7 @@
#include <pdf-types.h>
#include <pdf-alloc.h>
+#include <assert.h>
#ifndef PDF_USE_BUILTIN_64BIT_SUPPORT
@@ -766,6 +767,7 @@
pdf_i64_subtraction(&temp, temp, v_pdf, p_status);
/*We finally put q_bar in the results array*/
+ assert (j < (sizeof(q)/sizeof(q[0])));
q[j] = q_bar;
/*If the remainder is less than zero then we re-add the divisor and
subtract one from q
Step D6*/
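Review bot: the `assert (j < (sizeof(q)/sizeof(q[0])));` added before `q[j] = q_bar;` is compiled out when NDEBUG is defined, so a release build still performs the out-of-bounds write, and in a debug build it aborts the calling process from inside a library routine. Since p_status is already in scope here (it is passed to pdf_i64_subtraction in the call just above), a runtime bounds check that reports the failure through p_status and returns would cover both kinds of build. The sizeof(q)/sizeof(q[0]) expression is a valid element count only if q is declared as an array in this scope rather than received as a pointer, which is worth confirming. The check is a diagnostic rather than a fix: whatever computes j, or the size chosen for q, still has to be corrected so the index cannot leave the array.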
Anyone understand what is actually going wrong?
More information can be found at the following URL:
http://gnupdf.org/flyspray/index.php?do=details&task_id=103