diff options
Diffstat (limited to 'gnu/packages/patches/jbig2dec-CVE-2017-7976.patch')
| -rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2017-7976.patch | 122 |
1 files changed, 0 insertions, 122 deletions
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch deleted file mode 100644 index 2fe02358b8..0000000000 --- a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch +++ /dev/null @@ -1,122 +0,0 @@ -Fix CVE-2017-7976: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976 -https://bugs.ghostscript.com/show_bug.cgi?id=697683 - -In order to make the bug-fix patch apply, we also include an earlier commit -that it depends on. - -Patches copied from upstream source repository: - -Earlier commit, creating context for the CVE fix: -https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544 - -CVE-2017-7976 bug fix: -https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6 - -From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Wed, 14 Dec 2016 15:56:31 +0100 -Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always - false. - ---- - jbig2_image.c | 2 +- - jbig2_mmr.c | 2 +- - jbig2_symbol_dict.c | 9 ++------- - 3 files changed, 4 insertions(+), 9 deletions(-) - -diff --git a/jbig2_image.c b/jbig2_image.c -index 94e5a4c..00f966b 100644 ---- a/jbig2_image.c -+++ b/jbig2_image.c -@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - /* general OR case */ - s = ss; - d = dd = dst->data + y * dst->stride + leftbyte; -- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { -+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); - } - if (leftbyte == rightbyte) { -diff --git a/jbig2_mmr.c b/jbig2_mmr.c -index 390e27c..da54934 100644 ---- a/jbig2_mmr.c -+++ b/jbig2_mmr.c -@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - if (b1 < 2) - break; - if (c) { -- if (b1 - 2 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 - 2 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 - 2); - } -diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c -index 11a2252..4acaba9 100644 ---- a/jbig2_symbol_dict.c -+++ b/jbig2_symbol_dict.c -@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) - { - Jbig2SymbolDict *new_dict = NULL; - -- if (n_symbols < 0) { -- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); -- return NULL; -- } -- - new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); - if (new_dict != NULL) { - new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); -@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - uint32_t j; - int x; - -- if (code || (BMSIZE < 0)) { -+ if (code) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); - goto cleanup4; - } -@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); - /* prevent infinite loop */ - zerolength = exrunlength > 0 ? 0 : zerolength + 1; -- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { -+ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { - if (code) - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); - else if (exrunlength <= 0) --- -2.13.0 - -From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001 -From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> -Date: Wed, 10 May 2017 17:50:39 +0100 -Subject: [PATCH] Bug 697683: Bounds check before reading from image source - data. - -Add extra check to prevent reading off the end of the image source -data buffer. - -Thank you to Dai Ge for finding this issue and suggesting a patch. ---- - jbig2_image.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jbig2_image.c b/jbig2_image.c -index 661d0a5..ae161b9 100644 ---- a/jbig2_image.c -+++ b/jbig2_image.c -@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - /* general OR case */ - s = ss; - d = dd = dst->data + y * dst->stride + leftbyte; -- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { -+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || -+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); - } - if (leftbyte == rightbyte) { --- -2.13.0 - |