[Okular-devel] new xpdf vulnerability
Albert Astals Cid
aacid at kde.org
Wed Jan 10 20:49:58 CET 2007
On Wednesday 10 January 2007 18:03, Dirk Mueller wrote:
> On Tuesday, 9. January 2007 20:01, Albert Astals Cid wrote:
> > So for me it seems it's speedy enough. (I know debug figures mean
> > nothing, but it's a nothing very similar to other nothing)
> 4% slowdown is serious imho. A simple fix for this vulnerability would be
> to limit the recursion depth more or less arbitrarily (e.g. no more than 32
> recursions). Wouldn't that work as well?
Well, that would be a bit lame and prone to break easily.
I've improved my patch so it only looks for/adds things to the set when
calling the recursion, and compiled in release mode. That gave me similar times
in milliseconds (even the code without the patch got a higher average) so it
seems it gets I/O "limited" and adding the patch is "free".
I'm going to commit it to kpdf, will have a look at the xpdf code that's
in koffice (it's xpdf 2.x based and maybe is not affected) and then will
battle the poppler guys as they were hesitant to add a dependency on STL in
poppler (those crazy gnomies :_D).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3410 bytes
Desc: not available
Url : http://mail.kde.org/pipermail/okular-devel/attachments/20070110/a604a730/attachment.bin
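The two approaches weighed in this message, a fixed recursion cap and a set consulted only at the point of recursion, compared side by side in an added example that is not the scrubbed attachment and not kpdf, xpdf or poppler code. The `Graph` type, the function names, the constructed chains and the choice to erase an id from the set when its recursion returns are all assumptions made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Added example on constructed data: object id -> ids it references.
using Graph = std::map<int, std::vector<int>>;

// Fixed depth cap: returns false when the cap is hit, loop or no loop.
bool walkDepthCap(const Graph &g, int id, int depth, int maxDepth) {
    if (depth > maxDepth) return false;
    auto it = g.find(id);
    if (it == g.end()) return true;  // leaf
    for (int child : it->second)
        if (!walkDepthCap(g, child, depth + 1, maxDepth)) return false;
    return true;
}

// Ancestor set, touched only when recursing: false only on a real back-reference.
bool walkWithSet(const Graph &g, int id, std::set<int> &onPath) {
    auto it = g.find(id);
    if (it == g.end()) return true;  // leaf: no set operation at all
    for (int child : it->second) {
        if (!onPath.insert(child).second) return false;  // child is an ancestor
        bool ok = walkWithSet(g, child, onPath);
        onPath.erase(child);  // two siblings may share a child legitimately
        if (!ok) return false;
    }
    return true;
}

bool checkWithSet(const Graph &g, int root) {
    std::set<int> onPath{root};
    return walkWithSet(g, root, onPath);
}

// Constructed input: chain 0 -> 1 -> ... -> n-1, optionally looping to 0.
Graph makeChain(int n, bool loop) {
    Graph g;
    for (int i = 0; i + 1 < n; ++i) g[i].push_back(i + 1);
    if (loop) g[n - 1].push_back(0);
    return g;
}

int main() {
    Graph deep = makeChain(40, false), cyclic = makeChain(5, true);
    std::printf("cap32 deep=%d loop=%d; set deep=%d loop=%d\n", walkDepthCap(deep, 0, 0, 32),
                walkDepthCap(cyclic, 0, 0, 32), checkWithSet(deep, 0), checkWithSet(cyclic, 0));
}
```

The cap rejects the loop-free 40-node chain exactly as it rejects the 5-node loop, while the set accepts the former and stops the latter at the first back-reference.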