diff options
| author |   Andreas K. Hüttel <dilfridge@gentoo.org> | 2017-06-10 01:49:30 +0200 |
|---|---|---|
| committer | Andreas K. Hüttel <dilfridge@gentoo.org> | 2017-06-10 01:49:30 +0200 |
| commit | f8d0fa98dc2921fd3c0ddb62b193a787644020c2 (patch) | |
| tree | 9cdf67987adc352fe1c87d214ed06c521b6b9713 /media-libs/jbig2dec/files | |
| parent | net-libs/openslp: Remove old (diff) | |
| download | gentoo-f8d0fa98dc2921fd3c0ddb62b193a787644020c2.tar.gz gentoo-f8d0fa98dc2921fd3c0ddb62b193a787644020c2.tar.bz2 gentoo-f8d0fa98dc2921fd3c0ddb62b193a787644020c2.zip | |
media-libs/jbig2dec: Revision bump for bug 616464
Package-Manager: Portage-2.3.6, Repoman-2.3.2
Diffstat (limited to 'media-libs/jbig2dec/files')
3 files changed, 89 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch new file mode 100644 index 000000000000..e8ffccd45344 --- /dev/null +++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch @@ -0,0 +1,29 @@ +From b184e783702246e154294326d03d9abda669fcfa Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> +Date: Wed, 3 May 2017 22:06:01 +0100 +Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability. + +Add extra check for the offset being greater than the size +of the image and hence reading off the end of the buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2dec/jbig2_symbol_dict.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c +index 4acaba9d0..36225cb1f 100644 +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + byte *dst = image->data; + + /* SumatraPDF: prevent read access violation */ +- if (size - jbig2_huffman_offset(hs) < image->height * stride) { ++ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, + size - jbig2_huffman_offset(hs)); + jbig2_image_release(ctx, image); +-- +2.13.1 + diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch new file mode 100644 index 000000000000..d5e62762b9a5 --- /dev/null +++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch @@ -0,0 +1,31 @@ +From 5e57e483298dae8b8d4ec9aab37a526736ac2e97 Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> +Date: Wed, 26 Apr 2017 22:12:14 +0100 +Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow. + +While building a Huffman table, the start and end points were susceptible +to integer overflow. + +Thank you to Jiaqi for finding this issue and suggesting a patch. +--- + jbig2dec/jbig2_huffman.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c +index 511e46170..b4189a12c 100644 +--- a/jbig2_huffman.c ++++ b/jbig2_huffman.c +@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params) + + if (PREFLEN == CURLEN) { + int RANGELEN = lines[CURTEMP].RANGELEN; +- int start_j = CURCODE << shift; +- int end_j = (CURCODE + 1) << shift; ++ uint32_t start_j = CURCODE << shift; ++ uint32_t end_j = (CURCODE + 1) << shift; + byte eflags = 0; + + if (end_j > max_j) { +-- +2.13.1 + diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch new file mode 100644 index 000000000000..c6dbd182c616 --- /dev/null +++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch @@ -0,0 +1,29 @@ +From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> +Date: Wed, 10 May 2017 17:50:39 +0100 +Subject: [PATCH] Bug 697683: Bounds check before reading from image source + data. + +Add extra check to prevent reading off the end of the image source +data buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2dec/jbig2_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Backported dilfridge@g.o + +diff -ruN jbig2dec-0.13.orig/jbig2_image.c jbig2dec-0.13/jbig2_image.c +--- jbig2dec-0.13.orig/jbig2_image.c 2017-06-10 01:41:16.207939489 +0200 ++++ jbig2dec-0.13/jbig2_image.c 2017-06-10 01:46:28.009952461 +0200 +@@ -256,7 +256,8 @@ + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { |