
Contents of /updates/5/jbig2dec/current/SOURCES/jbig2dec-int_overflows.patch



Revision 1109583 - (show annotations) (download)
Sat Jul 8 23:50:30 2017 UTC (6 years, 8 months ago) by luigiwalser
File size: 2260 byte(s)
- 0.13
- remove old patch 1 (fixed upstream)
- add patches from debian to fix CVE-2016-9601
- add patch from fedora to fix CVE-2017-797[56] and CVE-2017-7885

1 From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
2 From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
3 Date: Wed, 26 Apr 2017 22:12:14 +0100
4 Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
5
6 While building a Huffman table, the start and end points were susceptible
7 to integer overflow.
8
9 Thank you to Jiaqi for finding this issue and suggesting a patch.
10 ---
11 jbig2_huffman.c | 4 ++--
12 1 file changed, 2 insertions(+), 2 deletions(-)
13
14 diff --git a/jbig2_huffman.c b/jbig2_huffman.c
15 index 511e461..b4189a1 100644
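--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
 
 if (PREFLEN == CURLEN) {
 int RANGELEN = lines[CURTEMP].RANGELEN;
- int start_j = CURCODE << shift;
- int end_j = (CURCODE + 1) << shift;
+ uint32_t start_j = CURCODE << shift;
+ uint32_t end_j = (CURCODE + 1) << shift;
 byte eflags = 0;
 
 if (end_j > max_j) {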
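Review bot: The shifts on the two changed lines are still evaluated in the type of `CURCODE` before the result is converted to `uint32_t`, so if `CURCODE` is a signed `int` (its declaration is outside the hunk) the overflow this patch targets can still occur inside the expression. Casting the operand first keeps the arithmetic unsigned: `uint32_t start_j = (uint32_t)CURCODE << shift;` and `uint32_t end_j = ((uint32_t)CURCODE + 1) << shift;`. It is also worth confirming that `shift` is always below 32 and that `max_j` in the `end_j > max_j` comparison is unsigned, since a signed `max_j` would be converted implicitly. The body of jbig2_build_huffman_table starts and ends outside the hunk.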
29 --
30 2.9.3
31
32 commit 258290340bb657c9efb44457f717b0d8b49f4aa3
33 Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
34 Date: Wed May 3 22:06:01 2017 +0100
35
36 Bug 697703: Prevent integer overflow vulnerability.
37
38 Add extra check for the offset being greater than the size
39 of the image and hence reading off the end of the buffer.
40
41 Thank you to Dai Ge for finding this issue and suggesting a patch.
42
43 diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
44 index 4acaba9..36225cb 100644
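--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
 byte *dst = image->data;
 
 /* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
 size - jbig2_huffman_offset(hs));
 jbig2_image_release(ctx, image);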
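Review bot: The product `image->height * stride` in the new condition can itself wrap, in which case a too-small value is compared against the remaining data and the bounds check passes; the operand types are declared outside the hunk, so this needs confirming. Testing the offset first and dividing instead of multiplying avoids both wraps: `if (size < jbig2_huffman_offset(hs) || (stride != 0 && image->height > (size - jbig2_huffman_offset(hs)) / stride)) {`. On the new `size < offset` path the `jbig2_error` call on the following lines still formats `size - jbig2_huffman_offset(hs)` with `%d`, so the logged value is a wrapped difference rather than a meaningful byte count. The body of jbig2_decode_symbol_dict continues outside the hunk.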
