- Applied patch to fix NULL dereference in JBIG2 decoder (bug #503995).

2009-06-04 12:49:21 +00:00 · 2009-06-04 12:49:21 +00:00 · 12d81d66b1
parent b62d20303f
commit 12d81d66b1
2 changed files with 89 additions and 1 deletions
--- a/ghostscript-jbig2dec-nullderef.patch
+++ b/ghostscript-jbig2dec-nullderef.patch
@ -0,0 +1,81 @@
+diff -up ghostscript-8.64/jbig2dec/jbig2_generic.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_generic.c
+--- ghostscript-8.64/jbig2dec/jbig2_generic.c.jbig2dec-nullderef	2007-10-25 23:14:22.000000000 +0100
+++ ghostscript-8.64/jbig2dec/jbig2_generic.c	2009-06-02 10:45:01.814127074 +0100
+@@ -599,6 +599,10 @@ jbig2_immediate_generic_region(Jbig2Ctx 
+   memcpy (params.gbat, gbat, gbat_bytes);
+ 
+   image = jbig2_image_new(ctx, rsi.width, rsi.height);
+  if (image == NULL)
+    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+		       "failed to allocate buffer for image");
+
+   jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
+     "allocated %d x %d image buffer for region decode results",
+         rsi.width, rsi.height);
+diff -up ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c
+--- ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c.jbig2dec-nullderef	2009-06-02 10:45:01.809127374 +0100
+++ ghostscript-8.64/jbig2dec/jbig2_symbol_dict.c	2009-06-02 10:45:01.814127074 +0100
+@@ -370,6 +370,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 		  memcpy(region_params.gbat, params->sdat, sdat_bytes);
+ 
+ 		  image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
+		  if (image == NULL) {
+		      jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+				  "failed to allocate image storage");
+		      return NULL;
+		  }
+ 
+ 		  code = jbig2_decode_generic_region(ctx, segment, &region_params,
+ 						     as, image, GB_stats);
+@@ -520,6 +525,11 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 			ID, RDX, RDY);
+ 
+ 		      image = jbig2_image_new(ctx, SYMWIDTH, HCHEIGHT);
+		      if (image == NULL) {
+			  jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+				      "failed to allocate image storage");
+			  return NULL;
+		      }
+ 
+ 		      /* Table 18 */
+ 		      rparams.GRTEMPLATE = params->SDRTEMPLATE;
+@@ -638,6 +648,16 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 	for (j = HCFIRSTSYM; j < NSYMSDECODED; j++) {
+ 	  Jbig2Image *glyph;
+ 	  glyph = jbig2_image_new(ctx, SDNEWSYMWIDTHS[j], HCHEIGHT);
+	  if (glyph == NULL) {
+	      jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+			  "error allocating image storage for glyph");
+	      while (--j >= HCFIRSTSYM) {
+		  jbig2_image_release(ctx, SDNEWSYMS->glyphs[j]);
+		  SDNEWSYMS->glyphs[j] = NULL;
+	      }
+	      jbig2_image_release(ctx, image);
+	      return NULL;
+	  }
+ 	  jbig2_image_compose(ctx, glyph, image, 
+ 		-x, 0, JBIG2_COMPOSE_REPLACE);
+ 	  x += SDNEWSYMWIDTHS[j];
+diff -up ghostscript-8.64/jbig2dec/jbig2_text.c.jbig2dec-nullderef ghostscript-8.64/jbig2dec/jbig2_text.c
+--- ghostscript-8.64/jbig2dec/jbig2_text.c.jbig2dec-nullderef	2008-05-09 15:00:44.000000000 +0100
+++ ghostscript-8.64/jbig2dec/jbig2_text.c	2009-06-02 10:45:01.816126454 +0100
+@@ -315,6 +315,9 @@ jbig2_decode_text_region(Jbig2Ctx *ctx, 
+ 		IBO = IB;
+ 		image = jbig2_image_new(ctx, IBO->width + RDW,
+ 					     IBO->height + RDH);
+		if (image == NULL)
+		    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+				       "could not allocate image storage");
+ 
+ 		/* Table 12 */
+ 		rparams.GRTEMPLATE = params->SBRTEMPLATE;
+@@ -676,6 +679,9 @@ jbig2_parse_text_region(Jbig2Ctx *ctx, J
+     }
+ 
+     image = jbig2_image_new(ctx, region_info.width, region_info.height);
+    if (image == NULL)
+	return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
+			   "unable to allocate image storage");
+ 
+     ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
+     if (!params.SBHUFF) {
--- a/ghostscript.spec
+++ b/ghostscript.spec
@ -5,7 +5,7 @@ Summary: A PostScript interpreter and renderer.
 Name: ghostscript
 Version: %{gs_ver}

-Release: 6%{?dist}
+Release: 7%{?dist}

 License: GPLv2
 URL: http://www.ghostscript.com/
@ -25,6 +25,7 @@ Patch8: ghostscript-bitcmyk.patch
 Patch9: ghostscript-CVE-2009-0583,0584.patch
 Patch10: ghostscript-CVE-2009-0792.patch
 Patch11: ghostscript-CVE-2009-0196.patch
+Patch12: ghostscript-jbig2dec-nullderef.patch

 Requires: urw-fonts >= 1.1, ghostscript-fonts
 BuildRequires: libjpeg-devel, libXt-devel
@ -121,6 +122,9 @@ rm -rf libpng zlib jpeg jasper
 # Applied patch to fix CVE-2009-0196 (bug #493379).
 %patch11 -p1 -b .CVE-2009-0196

+# Applied patch to fix NULL dereference in JBIG2 decoder (bug #501710).
+%patch12 -p1 -b .jbig2dec-nullderef
+
 # Convert manual pages to UTF-8
 from8859_1() {
 	iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -302,6 +306,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/libgs.so

 %changelog
+* Thu Jun  4 2009 Tim Waugh <twaugh@redhat.com> 8.64-7
+- Applied patch to fix NULL dereference in JBIG2 decoder (bug #503995).
+
 * Wed Apr 15 2009 Tim Waugh <twaugh@redhat.com> 8.64-6
 - Applied patch to fix CVE-2009-0792 (bug #491853).
 - Applied patch to fix CVE-2009-0196 (bug #493379).