Added security patch for CVE-2016-9601 (bug #1410021)

This commit is contained in:
David Kaspar [Dee'Kej] 2017-01-25 10:49:59 +01:00
parent 254a99729c
commit d24d06ee44
2 changed files with 902 additions and 0 deletions

View File

@ -0,0 +1,897 @@
From cecf6b592945d247bf932f6a4f50065db4acfba8 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Mon, 12 Dec 2016 17:47:17 +0000
Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build.
Also rename "new" to "new_dict", because "new" is a bad
variable name.
---
jbig2dec/jbig2.c | 4 +--
jbig2dec/jbig2.h | 8 +++--
jbig2dec/jbig2_generic.c | 2 +-
jbig2dec/jbig2_halftone.c | 24 +++++++--------
jbig2dec/jbig2_huffman.c | 10 +++---
jbig2dec/jbig2_huffman.h | 2 +-
jbig2dec/jbig2_image.c | 32 +++++++++----------
jbig2dec/jbig2_mmr.c | 66 ++++++++++++++++++++-------------------
jbig2dec/jbig2_page.c | 6 ++--
jbig2dec/jbig2_priv.h | 4 +--
jbig2dec/jbig2_segment.c | 10 +++---
jbig2dec/jbig2_symbol_dict.c | 73 ++++++++++++++++++++++----------------------
jbig2dec/jbig2_symbol_dict.h | 6 ++--
jbig2dec/jbig2_text.c | 16 +++++-----
jbig2dec/jbig2_text.h | 2 +-
15 files changed, 134 insertions(+), 131 deletions(-)
diff --git a/jbig2dec/jbig2.c b/jbig2dec/jbig2.c
index f729e29..e51380f 100644
--- a/jbig2dec/jbig2.c
+++ b/jbig2dec/jbig2.c
@@ -379,7 +379,7 @@ typedef struct {
} Jbig2WordStreamBuf;
static int
-jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word)
+jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word)
{
Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self;
const byte *data = z->data;
@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t
else if (offset > z->size)
return -1;
else {
- int i;
+ size_t i;
result = 0;
for (i = 0; i < z->size - offset; i++)
diff --git a/jbig2dec/jbig2.h b/jbig2dec/jbig2.h
index d5aa52f..624e0ed 100644
--- a/jbig2dec/jbig2.h
+++ b/jbig2dec/jbig2.h
@@ -56,17 +56,19 @@ typedef struct _Jbig2SymbolDictionary Jbig2SymbolDictionary;
*/
struct _Jbig2Image {
- int width, height, stride;
+ uint32_t width;
+ uint32_t height;
+ uint32_t stride;
uint8_t *data;
int refcount;
};
-Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
+Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height);
Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value);
-Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height);
+Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height);
/* errors are returned from the library via a callback. If no callback
is provided (a NULL argument is passed ot jbig2_ctx_new) a default
diff --git a/jbig2dec/jbig2_generic.c b/jbig2dec/jbig2_generic.c
index 02fdbfb..9656198 100644
--- a/jbig2dec/jbig2_generic.c
+++ b/jbig2dec/jbig2_generic.c
@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte
byte seg_flags;
int8_t gbat[8];
int offset;
- int gbat_bytes = 0;
+ uint32_t gbat_bytes = 0;
Jbig2GenericRegionParams params;
int code = 0;
Jbig2Image *image = NULL;
diff --git a/jbig2dec/jbig2_halftone.c b/jbig2dec/jbig2_halftone.c
index aeab576..acfbc56 100644
--- a/jbig2dec/jbig2_halftone.c
+++ b/jbig2dec/jbig2_halftone.c
@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
{
uint8_t **GSVALS = NULL;
size_t consumed_bytes = 0;
- int i, j, code, stride;
- int x, y;
+ uint32_t i, j, stride, x, y;
+ int code;
Jbig2Image **GSPLANES;
Jbig2GenericRegionParams rparams;
Jbig2WordStream *ws = NULL;
@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSPLANES[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate %dx%d image for GSPLANES", GSW, GSH);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_image_release(ctx, GSPLANES[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_image_release(ctx, GSPLANES[--j]);
jbig2_free(ctx->allocator, GSPLANES);
return NULL;
}
@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
}
/* C.5 step 2. Set j = GSBPP-2 */
- j = GSBPP - 2;
+ j = GSBPP - 1;
/* C.5 step 3. decode loop */
- while (j >= 0) {
+ while (j > 0) {
+ j--;
/* C.5 step 3. (a) */
if (GSMMR) {
code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes);
@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i];
/* C.5 step 3. (c) */
- --j;
}
/* allocate GSVALS */
@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSVALS[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_free(ctx->allocator, GSVALS[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_free(ctx->allocator, GSVALS[--j]);
jbig2_free(ctx->allocator, GSVALS);
GSVALS = NULL;
goto cleanup;
@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
uint8_t **GI;
Jbig2Image *HSKIP = NULL;
Jbig2PatternDict *HPATS;
- int i;
+ uint32_t i;
uint32_t mg, ng;
int32_t x, y;
uint8_t gray_val;
@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
/* calculate ceil(log2(HNUMPATS)) */
HBPP = 0;
- while (HNUMPATS > (1 << ++HBPP));
+ while (HNUMPATS > (1U << ++HBPP));
/* 6.6.5 point 4. decode gray-scale image as mentioned in annex C */
GI = jbig2_decode_gray_scale_image(ctx, segment, data, size,
diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
index 4521b48..f77981b 100644
--- a/jbig2dec/jbig2_huffman.c
+++ b/jbig2dec/jbig2_huffman.c
@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState {
is (offset + 4) * 8. */
uint32_t this_word;
uint32_t next_word;
- int offset_bits;
- int offset;
- int offset_limit;
+ uint32_t offset_bits;
+ uint32_t offset;
+ uint32_t offset_limit;
Jbig2WordStream *ws;
Jbig2Ctx *ctx;
};
static uint32_t
-huff_get_next_word(Jbig2HuffmanState *hs, int offset)
+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
{
uint32_t word = 0;
Jbig2WordStream *ws = hs->ws;
@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
/* return the offset of the huffman decode pointer (in bytes)
* from the beginning of the WordStream
*/
-int
+uint32_t
jbig2_huffman_offset(Jbig2HuffmanState *hs)
{
return hs->offset + (hs->offset_bits >> 3);
diff --git a/jbig2dec/jbig2_huffman.h b/jbig2dec/jbig2_huffman.h
index 5d1e6e0..cfda9e0 100644
--- a/jbig2dec/jbig2_huffman.h
+++ b/jbig2dec/jbig2_huffman.h
@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs);
void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
-int jbig2_huffman_offset(Jbig2HuffmanState *hs);
+uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob);
diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
index 1ae614e..94e5a4c 100644
--- a/jbig2dec/jbig2_image.c
+++ b/jbig2dec/jbig2_image.c
@@ -32,10 +32,10 @@
/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
-jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
+jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
{
Jbig2Image *image;
- int stride;
+ uint32_t stride;
int64_t check;
image = jbig2_new(ctx, Jbig2Image, 1);
@@ -99,7 +99,7 @@ jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image)
/* resize a Jbig2Image */
Jbig2Image *
-jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
+jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height)
{
if (width == image->width) {
/* check for integer multiplication overflow */
@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
static int
jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int sw = src->width;
- int sh = src->height;
- int sx = 0;
- int sy = 0;
+ uint32_t i, j;
+ uint32_t sw = src->width;
+ uint32_t sh = src->height;
+ uint32_t sx = 0;
+ uint32_t sy = 0;
/* clip to the dst image boundaries */
if (x < 0) {
@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x
int
jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int w, h;
- int leftbyte, rightbyte;
- int shift;
+ uint32_t i, j;
+ uint32_t w, h;
+ uint32_t leftbyte, rightbyte;
+ uint32_t shift;
uint8_t *s, *ss;
uint8_t *d, *dd;
uint8_t mask, rightmask;
@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
h += y;
y = 0;
}
- w = (x + w < dst->width) ? w : dst->width - x;
- h = (y + h < dst->height) ? h : dst->height - y;
+ w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0);
+ h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? dst->height - (uint32_t)y : 0);
#ifdef JBIG2_DEBUG
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y);
#endif
@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
}
#endif
- leftbyte = x >> 3;
- rightbyte = (x + w - 1) >> 3;
+ leftbyte = (uint32_t)x >> 3;
+ rightbyte = ((uint32_t)x + w - 1) >> 3;
shift = x & 7;
/* general OR case */
diff --git a/jbig2dec/jbig2_mmr.c b/jbig2dec/jbig2_mmr.c
index d4cd3a2..390e27c 100644
--- a/jbig2dec/jbig2_mmr.c
+++ b/jbig2dec/jbig2_mmr.c
@@ -38,19 +38,21 @@
#include "jbig2_mmr.h"
typedef struct {
- int width;
- int height;
+ uint32_t width;
+ uint32_t height;
const byte *data;
size_t size;
- int data_index;
- int bit_index;
+ uint32_t data_index;
+ uint32_t bit_index;
uint32_t word;
} Jbig2MmrCtx;
+#define MINUS1 ((uint32_t)-1)
+
static void
jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
{
- int i;
+ size_t i;
uint32_t word = 0;
mmr->width = width;
@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
#define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
static int
-jbig2_find_changing_element(const byte *line, int x, int w)
+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
{
int a, b;
if (line == 0)
- return w;
+ return (int)w;
- if (x == -1) {
+ if (x == MINUS1) {
a = 0;
x = 0;
} else {
@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w)
}
static int
-jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color)
+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
{
if (line == 0)
return w;
@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
static void
-jbig2_set_bits(byte *line, int x0, int x1)
+jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1)
{
- int a0, a1, b0, b1, a;
+ uint32_t a0, a1, b0, b1, a;
a0 = x0 >> 3;
a1 = x1 >> 3;
@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_
static int
jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
{
- int a0 = -1;
- int a1, a2, b1, b2;
+ uint32_t a0 = MINUS1;
+ uint32_t a1, a2, b1, b2;
int c = 0; /* 0 is white, black is 1 */
while (1) {
@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("%08x\n", word); */
- if (a0 >= mmr->width)
+ if (a0 != MINUS1 && a0 >= mmr->width)
break;
if ((word >> (32 - 3)) == 1) {
@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 3);
- if (a0 == -1)
+ if (a0 == MINUS1)
a0 = 0;
if (c == 0) {
@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a2 < a1 || a1 < 0)
+ if (a1 == MINUS1 || a2 < a1)
return -1;
jbig2_set_bits(dst, a1, a2);
a0 = a2;
@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || a1 < a0)
return -1;
jbig2_set_bits(dst, a0, a1);
a0 = a2;
@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
b2 = jbig2_find_changing_element(ref, b1, mmr->width);
if (c) {
- if (b2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b2 < a0)
return -1;
jbig2_set_bits(dst, a0, b2);
}
@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 1);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
if (c) {
- if (b1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1);
}
@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 1 > mmr->width)
break;
if (c) {
- if (b1 + 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 1);
}
@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 2 > mmr->width)
break;
if (c) {
- if (b1 + 2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 2 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 2);
}
@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VR(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 + 3 > mmr->width)
+ if (b1 + 3 > (int)mmr->width)
break;
if (c) {
- if (b1 + 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 3);
}
@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(1)\n"); */
jbig2_decode_mmr_consume(mmr, 3);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 1 < 0)
+ if (b1 < 1)
break;
if (c) {
- if (b1 - 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 1);
}
@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(2)\n"); */
jbig2_decode_mmr_consume(mmr, 6);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 2 < 0)
+ if (b1 < 2)
break;
if (c) {
if (b1 - 2 < a0 || a0 < 0)
@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 3 < 0)
+ if (b1 < 3)
break;
if (c) {
- if (b1 - 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 3);
}
@@ -1009,10 +1011,10 @@ int
jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size);
@@ -1047,10 +1049,10 @@ int
jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
const uint32_t EOFB = 0x001001;
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index 110ff7c..1ed1c8a 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -155,9 +155,9 @@ int
jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
{
Jbig2Page page = ctx->pages[ctx->current_page];
- int end_row;
+ uint32_t end_row;
- end_row = jbig2_get_int32(segment_data);
+ end_row = jbig2_get_uint32(segment_data);
if (end_row < page.end_row) {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
"end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row);
@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x,
/* grow the page to accomodate a new stripe if necessary */
if (page->striped) {
- int new_height = y + image->height + page->end_row;
+ uint32_t new_height = y + image->height + page->end_row;
if (page->image->height < new_height) {
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height);
diff --git a/jbig2dec/jbig2_priv.h b/jbig2dec/jbig2_priv.h
index 42ba496..3d44b42 100644
--- a/jbig2dec/jbig2_priv.h
+++ b/jbig2dec/jbig2_priv.h
@@ -132,7 +132,7 @@ struct _Jbig2Page {
uint32_t x_resolution, y_resolution; /* in pixels per meter */
uint16_t stripe_size;
bool striped;
- int end_row;
+ uint32_t end_row;
uint8_t flags;
Jbig2Image *image;
};
@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm
typedef struct _Jbig2WordStream Jbig2WordStream;
struct _Jbig2WordStream {
- int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word);
+ int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word);
};
Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size);
diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c
index 2e0db67..5b63706 100644
--- a/jbig2dec/jbig2_segment.c
+++ b/jbig2dec/jbig2_segment.c
@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
uint8_t rtscarf;
uint32_t rtscarf_long;
uint32_t *referred_to_segments;
- int referred_to_segment_count;
- int referred_to_segment_size;
- int pa_size;
- int offset;
+ uint32_t referred_to_segment_count;
+ uint32_t referred_to_segment_size;
+ uint32_t pa_size;
+ uint32_t offset;
/* minimum possible size of a jbig2 segment header */
if (buf_size < 11)
@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
/* 7.2.5 */
if (referred_to_segment_count) {
- int i;
+ uint32_t i;
referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size);
if (referred_to_segments == NULL) {
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index 2c71a4c..11a2252 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* return a new empty symbol dict */
Jbig2SymbolDict *
-jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols)
+jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
{
- Jbig2SymbolDict *new = NULL;
+ Jbig2SymbolDict *new_dict = NULL;
if (n_symbols < 0) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
return NULL;
}
- new = jbig2_new(ctx, Jbig2SymbolDict, 1);
- if (new != NULL) {
- new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
- new->n_symbols = n_symbols;
+ new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+ if (new_dict != NULL) {
+ new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+ new_dict->n_symbols = n_symbols;
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict");
return NULL;
}
- if (new->glyphs != NULL) {
- memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
+ if (new_dict->glyphs != NULL) {
+ memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict");
- jbig2_free(ctx->allocator, new);
+ jbig2_free(ctx->allocator, new_dict);
return NULL;
}
- return new;
+ return new_dict;
}
/* release the memory associated with a symbol dict */
void
jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict)
{
- int i;
+ uint32_t i;
if (dict == NULL)
return;
@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id)
}
/* count the number of dictionary segments referred to by the given segment */
-int
+uint32_t
jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
{
int index;
Jbig2Segment *rsegment;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
for (index = 0; index < segment->referred_to_segment_count; index++) {
rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]);
@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
int index;
Jbig2Segment *rsegment;
Jbig2SymbolDict **dicts;
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
- int dindex = 0;
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t dindex = 0;
dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts);
if (dicts == NULL) {
@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
Jbig2SymbolDict *
-jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
+jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts)
{
- int i, j, k, symbols;
- Jbig2SymbolDict *new = NULL;
+ uint32_t i, j, k, symbols;
+ Jbig2SymbolDict *new_dict = NULL;
/* count the imported symbols and allocate a new array */
symbols = 0;
@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
symbols += dicts[i]->n_symbols;
/* fill a new array with cloned glyph pointers */
- new = jbig2_sd_new(ctx, symbols);
- if (new != NULL) {
+ new_dict = jbig2_sd_new(ctx, symbols);
+ if (new_dict != NULL) {
k = 0;
for (i = 0; i < n_dicts; i++)
for (j = 0; j < dicts[i]->n_symbols; j++)
- new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
+ new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
} else {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary");
}
- return new;
+ return new_dict;
}
/* Decoding routines */
@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (REFAGGNINST > 1) {
Jbig2Image *image;
- int i;
+ uint32_t i;
if (tparams == NULL) {
/* First time through, we need to initialise the */
@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
uint32_t ID;
int32_t RDX, RDY;
int BMSIZE = 0;
- int ninsyms = params->SDNUMINSYMS;
+ uint32_t ninsyms = params->SDNUMINSYMS;
int code1 = 0;
int code2 = 0;
int code3 = 0;
@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (params->SDHUFF && !params->SDREFAGG) {
/* 6.5.9 */
Jbig2Image *image;
- int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
- int j, x;
+ uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
+ uint32_t j;
+ int x;
if (code || (BMSIZE < 0)) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary");
goto cleanup4;
} else {
- int i = 0;
- int j = 0;
- int k;
+ uint32_t i = 0;
+ uint32_t j = 0;
+ uint32_t k;
int exflag = 0;
- int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
- int32_t exrunlength;
+ uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
+ uint32_t exrunlength;
int zerolength = 0;
while (i < limit) {
if (params->SDHUFF)
exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
- code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
/* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
else if (exrunlength <= 0)
@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
{
Jbig2SymbolDictParams params;
uint16_t flags;
- int sdat_bytes;
- int offset;
+ uint32_t sdat_bytes;
+ uint32_t offset;
Jbig2ArithCx *GB_stats = NULL;
Jbig2ArithCx *GR_stats = NULL;
int table_index = 0;
@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
/* 7.4.2.2 (2) */
{
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
Jbig2SymbolDict **dicts = NULL;
if (n_dicts > 0) {
diff --git a/jbig2dec/jbig2_symbol_dict.h b/jbig2dec/jbig2_symbol_dict.h
index d56d62d..30211d4 100644
--- a/jbig2dec/jbig2_symbol_dict.h
+++ b/jbig2dec/jbig2_symbol_dict.h
@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se
Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id);
/* return a new empty symbol dict */
-Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols);
+Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols);
/* release the memory associated with a symbol dict */
void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict);
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
-Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts);
+Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts);
/* count the number of dictionary segments referred
to by the given segment */
-int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
+uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
/* return an array of pointers to symbol dictionaries referred
to by a segment */
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c
index 5c99640..e77460f 100644
--- a/jbig2dec/jbig2_text.c
+++ b/jbig2dec/jbig2_text.c
@@ -55,7 +55,7 @@
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws)
{
/* relevent bits of 6.4.4 */
@@ -476,19 +476,19 @@ cleanup2:
int
jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data)
{
- int offset = 0;
+ uint32_t offset = 0;
Jbig2RegionSegmentInfo region_info;
Jbig2TextRegionParams params;
Jbig2Image *image = NULL;
Jbig2SymbolDict **dicts = NULL;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
uint16_t flags = 0;
uint16_t huffman_flags = 0;
Jbig2ArithCx *GR_stats = NULL;
int code = 0;
Jbig2WordStream *ws = NULL;
Jbig2ArithState *as = NULL;
- int table_index = 0;
+ uint32_t table_index = 0;
const Jbig2HuffmanParams *huffman_params = NULL;
/* 7.4.1 */
@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! previous parsing error?");
goto cleanup1;
} else {
- int index;
+ uint32_t index;
if (dicts[0] == NULL) {
code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!");
@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
if (!params.SBHUFF) {
- int SBSYMCODELEN, index;
- int SBNUMSYMS = 0;
+ uint32_t SBSYMCODELEN, index;
+ uint32_t SBNUMSYMS = 0;
for (index = 0; index < n_dicts; index++) {
SBNUMSYMS += dicts[index]->n_symbols;
@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
/* Table 31 */
- for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
+ for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
}
params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
params.IARI = jbig2_arith_int_ctx_new(ctx);
diff --git a/jbig2dec/jbig2_text.h b/jbig2dec/jbig2_text.h
index aec2732..51d242e 100644
--- a/jbig2dec/jbig2_text.h
+++ b/jbig2dec/jbig2_text.h
@@ -70,5 +70,5 @@ typedef struct {
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws);
--
2.9.3

View File

@ -29,6 +29,7 @@ Patch6: ghostscript-9.20-cve-2016-7976.patch
Patch7: ghostscript-9.20-cve-2016-7978.patch
Patch8: ghostscript-9.20-cve-2016-8602.patch
Patch9: ghostscript-9.20-cve-2016-7977.patch
Patch12: ghostscript-9.20-cve-2016-9601.patch
Requires: %{name}-core%{?_isa} = %{version}-%{release}
Requires: %{name}-x11%{?_isa} = %{version}-%{release}
@ -151,6 +152,9 @@ rm -rf expat freetype icclib jasper jpeg jpegxr lcms lcms2 libpng openjpeg zlib
# Remove (and re-implement) ConvertUTF.c because of licensing issues (bug #1404933):
%patch11 -p1
# Squash signed/unsigned warnings in MSVC jbig2 build (bug #1410021):
%patch12 -p1
# Convert manual pages to UTF-8
from8859_1() {
iconv -f iso-8859-1 -t utf-8 < "$1" > "${1}_"
@ -349,6 +353,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Tue Jan 24 2017 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-6
- Remove and (re-implement) ConvertUTF.c (bug #1404933)
- Added security fix for CVE-2016-9601 (bug #1410021)
* Thu Nov 3 2016 David Kaspar [Dee'Kej] <dkaspar@redhat.com> - 9.20-5
- Added fix to avoid SIGSEGV for some *.ps files. More info here: