Fix multiple int overflows
This commit is contained in:
Pavel Zhukov
parent
ff9ab41638
commit
3ede9c4f9e
@ -1,31 +0,0 @@
|
|||||||
From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
|
|
||||||
Date: Wed, 26 Apr 2017 22:12:14 +0100
|
|
||||||
Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
|
|
||||||
|
|
||||||
While building a Huffman table, the start and end points were susceptible
|
|
||||||
to integer overflow.
|
|
||||||
|
|
||||||
Thank you to Jiaqi for finding this issue and suggesting a patch.
|
|
||||||
---
|
|
||||||
jbig2_huffman.c | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/jbig2_huffman.c b/jbig2_huffman.c
|
|
||||||
index 511e461..b4189a1 100644
|
|
||||||
--- a/jbig2_huffman.c
|
|
||||||
+++ b/jbig2_huffman.c
|
|
||||||
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
|
|
||||||
|
|
||||||
if (PREFLEN == CURLEN) {
|
|
||||||
int RANGELEN = lines[CURTEMP].RANGELEN;
|
|
||||||
- int start_j = CURCODE << shift;
|
|
||||||
- int end_j = (CURCODE + 1) << shift;
|
|
||||||
+ uint32_t start_j = CURCODE << shift;
|
|
||||||
+ uint32_t end_j = (CURCODE + 1) << shift;
|
|
||||||
byte eflags = 0;
|
|
||||||
|
|
||||||
if (end_j > max_j) {
|
|
||||||
--
|
|
||||||
2.9.3
|
|
||||||
|
|
||||||
55
jbig2dec-int_overflows.patch
Normal file
55
jbig2dec-int_overflows.patch
Normal file
@ -0,0 +1,55 @@
|
|||||||
|
From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
|
||||||
|
Date: Wed, 26 Apr 2017 22:12:14 +0100
|
||||||
|
Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
|
||||||
|
|
||||||
|
While building a Huffman table, the start and end points were susceptible
|
||||||
|
to integer overflow.
|
||||||
|
|
||||||
|
Thank you to Jiaqi for finding this issue and suggesting a patch.
|
||||||
|
---
|
||||||
|
jbig2_huffman.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/jbig2_huffman.c b/jbig2_huffman.c
|
||||||
|
index 511e461..b4189a1 100644
|
||||||
|
--- a/jbig2_huffman.c
|
||||||
|
+++ b/jbig2_huffman.c
|
||||||
|
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
|
||||||
|
|
||||||
|
if (PREFLEN == CURLEN) {
|
||||||
|
int RANGELEN = lines[CURTEMP].RANGELEN;
|
||||||
|
- int start_j = CURCODE << shift;
|
||||||
|
- int end_j = (CURCODE + 1) << shift;
|
||||||
|
+ uint32_t start_j = CURCODE << shift;
|
||||||
|
+ uint32_t end_j = (CURCODE + 1) << shift;
|
||||||
|
byte eflags = 0;
|
||||||
|
|
||||||
|
if (end_j > max_j) {
|
||||||
|
--
|
||||||
|
2.9.3
|
||||||
|
|
||||||
|
commit 258290340bb657c9efb44457f717b0d8b49f4aa3
|
||||||
|
Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
|
||||||
|
Date: Wed May 3 22:06:01 2017 +0100
|
||||||
|
|
||||||
|
Bug 697703: Prevent integer overflow vulnerability.
|
||||||
|
|
||||||
|
Add extra check for the offset being greater than the size
|
||||||
|
of the image and hence reading off the end of the buffer.
|
||||||
|
|
||||||
|
Thank you to Dai Ge for finding this issue and suggesting a patch.
|
||||||
|
|
||||||
|
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
|
||||||
|
index 4acaba9..36225cb 100644
|
||||||
|
--- a/jbig2_symbol_dict.c
|
||||||
|
+++ b/jbig2_symbol_dict.c
|
||||||
|
@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
|
||||||
|
byte *dst = image->data;
|
||||||
|
|
||||||
|
/* SumatraPDF: prevent read access violation */
|
||||||
|
- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
|
||||||
|
+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
|
||||||
|
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
|
||||||
|
size - jbig2_huffman_offset(hs));
|
||||||
|
jbig2_image_release(ctx, image);
|
||||||
@ -1,13 +1,15 @@
|
|||||||
Name: jbig2dec
|
Name: jbig2dec
|
||||||
Version: 0.13
|
Version: 0.13
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: A decoder implementation of the JBIG2 image compression format
|
Summary: A decoder implementation of the JBIG2 image compression format
|
||||||
|
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
URL: http://jbig2dec.sourceforge.net/
|
URL: http://jbig2dec.sourceforge.net/
|
||||||
Source0: http://ghostscript.com/~giles/jbig2/jbig2dec/%{name}-%{version}.tar.gz
|
Source0: http://ghostscript.com/~giles/jbig2/jbig2dec/%{name}-%{version}.tar.gz
|
||||||
Patch1: 0001-Bug-697693-Prevent-SEGV-due-to-integer-overflow.patch
|
## ghbz#697703
|
||||||
|
## ghbz#697693
|
||||||
|
Patch1: jbig2dec-int_overflows.patch
|
||||||
BuildRequires: libtool
|
BuildRequires: libtool
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -85,8 +87,8 @@ rm -f %{buildroot}%{_libdir}/*.la
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed May 3 2017 Pavel Zhukov <pzhukov@redhat.com> - 0.13-2
|
* Wed May 3 2017 Pavel Zhukov <pzhukov@redhat.com> - 0.13-3
|
||||||
- Prevent segserv due to int overflow
|
- Prevent segserv due to int overflow (#1443898)
|
||||||
|
|
||||||
* Tue Mar 07 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 0.13-1
|
* Tue Mar 07 2017 Pavel Zhukov <landgraf@fedoraproject.org> - 0.13-1
|
||||||
- New release 0.13
|
- New release 0.13
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user