Fix multiple int overflows

2017-05-09 13:05:26 +02:00 · 2017-05-09 13:05:26 +02:00 · 3ede9c4f9e
commit 3ede9c4f9e
parent ff9ab41638
3 changed files with 61 additions and 35 deletions
--- a/0001-Bug-697693-Prevent-SEGV-due-to-integer-overflow.patch
+++ b/0001-Bug-697693-Prevent-SEGV-due-to-integer-overflow.patch
@ -1,31 +0,0 @@
-From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 26 Apr 2017 22:12:14 +0100
-Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
-
-While building a Huffman table, the start and end points were susceptible
-to integer overflow.
-
-Thank you to Jiaqi for finding this issue and suggesting a patch.
---
- jbig2_huffman.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/jbig2_huffman.c b/jbig2_huffman.c
-index 511e461..b4189a1 100644
--- a/jbig2_huffman.c
-+++ b/jbig2_huffman.c
-@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
- 
-             if (PREFLEN == CURLEN) {
-                 int RANGELEN = lines[CURTEMP].RANGELEN;
-                int start_j = CURCODE << shift;
-                int end_j = (CURCODE + 1) << shift;
-+                uint32_t start_j = CURCODE << shift;
-+                uint32_t end_j = (CURCODE + 1) << shift;
-                 byte eflags = 0;
- 
-                 if (end_j > max_j) {
-- 
-2.9.3
-
--- a/jbig2dec-int_overflows.patch
+++ b/jbig2dec-int_overflows.patch
@ -0,0 +1,55 @@
+From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 26 Apr 2017 22:12:14 +0100
+Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
+
+While building a Huffman table, the start and end points were susceptible
+to integer overflow.
+
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+---
+ jbig2_huffman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2_huffman.c b/jbig2_huffman.c
+index 511e461..b4189a1 100644
+--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
+ 
+             if (PREFLEN == CURLEN) {
+                 int RANGELEN = lines[CURTEMP].RANGELEN;
+-                int start_j = CURCODE << shift;
+-                int end_j = (CURCODE + 1) << shift;
+                uint32_t start_j = CURCODE << shift;
+                uint32_t end_j = (CURCODE + 1) << shift;
+                 byte eflags = 0;
+ 
+                 if (end_j > max_j) {
+-- 
+2.9.3
+
+commit 258290340bb657c9efb44457f717b0d8b49f4aa3
+Author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date:   Wed May 3 22:06:01 2017 +0100
+
+    Bug 697703: Prevent integer overflow vulnerability.
+    
+    Add extra check for the offset being greater than the size
+    of the image and hence reading off the end of the buffer.
+    
+    Thank you to Dai Ge for finding this issue and suggesting a patch.
+
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 4acaba9..36225cb 100644
+--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 byte *dst = image->data;
+ 
+                 /* SumatraPDF: prevent read access violation */
+-                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
+                                 size - jbig2_huffman_offset(hs));
+                     jbig2_image_release(ctx, image);
--- a/jbig2dec.spec
+++ b/jbig2dec.spec
@ -1,13 +1,15 @@
 Name:           jbig2dec
 Version:        0.13
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A decoder implementation of the JBIG2 image compression format 

 Group:          System Environment/Libraries
 License:        GPLv2
 URL:            http://jbig2dec.sourceforge.net/
 Source0:        http://ghostscript.com/~giles/jbig2/jbig2dec/%{name}-%{version}.tar.gz
-Patch1:         0001-Bug-697693-Prevent-SEGV-due-to-integer-overflow.patch
+## ghbz#697703
+## ghbz#697693
+Patch1:         jbig2dec-int_overflows.patch
 BuildRequires:  libtool

 %description
@ -85,8 +87,8 @@ rm -f %{buildroot}%{_libdir}/*.la


 %changelog
-* Wed May  3 2017 Pavel Zhukov <pzhukov@redhat.com> - 0.13-2
- Prevent segserv due to int overflow
+* Wed May  3 2017 Pavel Zhukov <pzhukov@redhat.com> - 0.13-3
+- Prevent segserv due to int overflow (#1443898)

 * Tue Mar 07 2017  Pavel Zhukov <landgraf@fedoraproject.org> - 0.13-1
 - New release 0.13