aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/jbig2dec-CVE-2017-7976.patch')
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2017-7976.patch122
1 files changed, 0 insertions, 122 deletions
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
deleted file mode 100644
index 2fe02358b8..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-Fix CVE-2017-7976:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
-https://bugs.ghostscript.com/show_bug.cgi?id=697683
-
-In order to make the bug-fix patch apply, we also include an earlier commit
-that it depends on.
-
-Patches copied from upstream source repository:
-
-Earlier commit, creating context for the CVE fix:
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
-
-CVE-2017-7976 bug fix:
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
-
-From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
-From: Tor Andersson <tor.andersson@artifex.com>
-Date: Wed, 14 Dec 2016 15:56:31 +0100
-Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
- false.
-
----
- jbig2_image.c | 2 +-
- jbig2_mmr.c | 2 +-
- jbig2_symbol_dict.c | 9 ++-------
- 3 files changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/jbig2_image.c b/jbig2_image.c
-index 94e5a4c..00f966b 100644
---- a/jbig2_image.c
-+++ b/jbig2_image.c
-@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
- /* general OR case */
- s = ss;
- d = dd = dst->data + y * dst->stride + leftbyte;
-- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
-+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
- }
- if (leftbyte == rightbyte) {
-diff --git a/jbig2_mmr.c b/jbig2_mmr.c
-index 390e27c..da54934 100644
---- a/jbig2_mmr.c
-+++ b/jbig2_mmr.c
-@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
- if (b1 < 2)
- break;
- if (c) {
-- if (b1 - 2 < a0 || a0 < 0)
-+ if (a0 == MINUS1 || b1 - 2 < a0)
- return -1;
- jbig2_set_bits(dst, a0, b1 - 2);
- }
-diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
-index 11a2252..4acaba9 100644
---- a/jbig2_symbol_dict.c
-+++ b/jbig2_symbol_dict.c
-@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
- {
- Jbig2SymbolDict *new_dict = NULL;
-
-- if (n_symbols < 0) {
-- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
-- return NULL;
-- }
--
- new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
- if (new_dict != NULL) {
- new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
-@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
- uint32_t j;
- int x;
-
-- if (code || (BMSIZE < 0)) {
-+ if (code) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
- goto cleanup4;
- }
-@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
- code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
- /* prevent infinite loop */
- zerolength = exrunlength > 0 ? 0 : zerolength + 1;
-- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
-+ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
- if (code)
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
- else if (exrunlength <= 0)
---
-2.13.0
-
-From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 10 May 2017 17:50:39 +0100
-Subject: [PATCH] Bug 697683: Bounds check before reading from image source
- data.
-
-Add extra check to prevent reading off the end of the image source
-data buffer.
-
-Thank you to Dai Ge for finding this issue and suggesting a patch.
----
- jbig2_image.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/jbig2_image.c b/jbig2_image.c
-index 661d0a5..ae161b9 100644
---- a/jbig2_image.c
-+++ b/jbig2_image.c
-@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
- /* general OR case */
- s = ss;
- d = dd = dst->data + y * dst->stride + leftbyte;
-- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
-+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
-+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
- }
- if (leftbyte == rightbyte) {
---
-2.13.0
-