From f8856d143c7c7cf0d73d1ee20cb2fead0efb40fb Mon Sep 17 00:00:00 2001
From: Pavel Zhukov
Date: Thu, 11 May 2017 09:40:04 +0200
Subject: [PATCH] Fix for CVE-2017-7976 (#1443898)
---
 jbig2dec-int_overflows.patch | 15 +++++++++++++++
 jbig2dec.spec | 5 ++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/jbig2dec-int_overflows.patch b/jbig2dec-int_overflows.patch
index 61f9886..999ee67 100644
--- a/jbig2dec-int_overflows.patch
+++ b/jbig2dec-int_overflows.patch
@@ -53,3 +53,18 @@ index 4acaba9..36225cb 100644
 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, size - jbig2_huffman_offset(hs));
 jbig2_image_release(ctx, image);
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 1ae614e..bddb3cd 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -256,7 +256,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ /* general OR case */
+ s = ss;
+ d = dd = dst->data + y * dst->stride + leftbyte;
+- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++ if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+ }
+ if (leftbyte == rightbyte) {
diff --git a/jbig2dec.spec b/jbig2dec.spec
index 4a5f2e6..943f37a 100644
--- a/jbig2dec.spec
+++ b/jbig2dec.spec
@@ -1,6 +1,6 @@
 Name: jbig2dec
 Version: 0.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: A decoder implementation of the JBIG2 image compression format
 Group: System Environment/Libraries
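Review bot: The source-side bound added on the `s - leftbyte + (h - 1) * src->stride + rightbyte` line relies on the same unchecked arithmetic it is meant to guard. Nothing tests `(h - 1) * src->stride` or `src->height * src->stride` for overflow, and the destination half's `h * dst->stride < 0` only fires after an overflow has already occurred, which is undefined if these fields are signed int as that test suggests. The pointer sums on both sides can also leave the allocation before the comparison runs, so a compiler is free to fold the check away. Comparing byte offsets in a wide unsigned type avoids both problems, for example `(size_t)(s - src->data) + (size_t)(h - 1) * src->stride + rightbyte > (size_t)src->height * src->stride + leftbyte`, provided `h >= 1` and `s >= src->data` hold here; `h`, `ss`, `leftbyte` and `rightbyte` are all set outside the hunk, as are the start and end of jbig2_image_compose. The line would also benefit from a short comment stating why `leftbyte`, used as a destination offset on the line above, is subtracted from the source pointer `s`.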
@@ -87,6 +87,9 @@ rm -f %{buildroot}%{_libdir}/*.la
 %changelog
+* Thu May 11 2017 Pavel Zhukov - 0.13.4
+- Add fix for CVE-2017-7976 (#1443898)
+
 * Wed May 3 2017 Pavel Zhukov - 0.13-3
 - Prevent segserv due to int overflow (#1443898)