diff options
author | Leo Famulari <leo@famulari.name> | 2017-05-20 15:48:11 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-05-20 16:26:29 -0400 |
commit | 10cb88f85cb4a967fac756ee76f6dc60d60d7bef (patch) | |
tree | c1fb3d09b04dc2b4975817de3f2d841975aee801 /gnu/packages/patches/jbig2dec-CVE-2017-7976.patch | |
parent | fefd4c197fa89480cafd98ae9b32b7f1b3f57686 (diff) | |
download | guix-10cb88f85cb4a967fac756ee76f6dc60d60d7bef.tar guix-10cb88f85cb4a967fac756ee76f6dc60d60d7bef.tar.gz |
gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.
* gnu/packages/patches/jbig2dec-CVE-2017-7885.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jbig2dec)[source]: Use them.
Diffstat (limited to 'gnu/packages/patches/jbig2dec-CVE-2017-7976.patch')
-rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2017-7976.patch | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch new file mode 100644 index 0000000000..2fe02358b8 --- /dev/null +++ b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch @@ -0,0 +1,122 @@ +Fix CVE-2017-7976: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976 +https://bugs.ghostscript.com/show_bug.cgi?id=697683 + +In order to make the bug-fix patch apply, we also include an earlier commit +that it depends on. + +Patches copied from upstream source repository: + +Earlier commit, creating context for the CVE fix: +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544 + +CVE-2017-7976 bug fix: +https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6 + +From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001 +From: Tor Andersson <tor.andersson@artifex.com> +Date: Wed, 14 Dec 2016 15:56:31 +0100 +Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always + false. + +--- + jbig2_image.c | 2 +- + jbig2_mmr.c | 2 +- + jbig2_symbol_dict.c | 9 ++------- + 3 files changed, 4 insertions(+), 9 deletions(-) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 94e5a4c..00f966b 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { +diff --git a/jbig2_mmr.c b/jbig2_mmr.c +index 390e27c..da54934 100644 +--- a/jbig2_mmr.c ++++ b/jbig2_mmr.c +@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) + if (b1 < 2) + break; + if (c) { +- if (b1 - 2 < a0 || a0 < 0) ++ if (a0 == MINUS1 || b1 - 2 < a0) + return -1; + jbig2_set_bits(dst, a0, b1 - 2); + } +diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c +index 11a2252..4acaba9 100644 +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) + { + Jbig2SymbolDict *new_dict = NULL; + +- if (n_symbols < 0) { +- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); +- return NULL; +- } +- + new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); + if (new_dict != NULL) { + new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); +@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + uint32_t j; + int x; + +- if (code || (BMSIZE < 0)) { ++ if (code) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); + goto cleanup4; + } +@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); + /* prevent infinite loop */ + zerolength = exrunlength > 0 ? 0 : zerolength + 1; +- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { ++ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { + if (code) + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); + else if (exrunlength <= 0) +-- +2.13.0 + +From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> +Date: Wed, 10 May 2017 17:50:39 +0100 +Subject: [PATCH] Bug 697683: Bounds check before reading from image source + data. + +Add extra check to prevent reading off the end of the image source +data buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/jbig2_image.c b/jbig2_image.c +index 661d0a5..ae161b9 100644 +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { +-- +2.13.0 + |