gnu: jbig2dec: Update to 0.14.

* gnu/packages/image.scm (jbi2dec): Update to 0.14.
[source]: Remove obsolete patches.
* gnu/packages/patches/jbig2dec-CVE-2016-9601.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7885.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
* gnu/packages/patches/jbig2dec-ignore-testtest.patch: Update for new release.
This commit is contained in:
Leo Famulari 2017-11-25 10:22:25 -05:00
parent d6adba786c
commit ef56fdc18d
No known key found for this signature in database
GPG key ID: 2646FA30BACA7F08
7 changed files with 6 additions and 1121 deletions

View file

@ -749,10 +749,6 @@ dist_patch_DATA = \
%D%/packages/patches/jacal-fix-texinfo.patch \ %D%/packages/patches/jacal-fix-texinfo.patch \
%D%/packages/patches/java-powermock-fix-java-files.patch \ %D%/packages/patches/java-powermock-fix-java-files.patch \
%D%/packages/patches/jbig2dec-ignore-testtest.patch \ %D%/packages/patches/jbig2dec-ignore-testtest.patch \
%D%/packages/patches/jbig2dec-CVE-2016-9601.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7885.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7975.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7976.patch \
%D%/packages/patches/jq-CVE-2015-8863.patch \ %D%/packages/patches/jq-CVE-2015-8863.patch \
%D%/packages/patches/kdbusaddons-kinit-file-name.patch \ %D%/packages/patches/kdbusaddons-kinit-file-name.patch \
%D%/packages/patches/khmer-use-libraries.patch \ %D%/packages/patches/khmer-use-libraries.patch \

View file

@ -479,20 +479,15 @@ (define-public leptonica
(define-public jbig2dec (define-public jbig2dec
(package (package
(name "jbig2dec") (name "jbig2dec")
(version "0.13") (version "0.14")
(source (source
(origin (origin
(method url-fetch) (method url-fetch)
(uri (string-append "http://downloads.ghostscript.com/public/" name "/" (uri (string-append "http://downloads.ghostscript.com/public/" name "/"
name "-" version ".tar.gz")) name "-" version ".tar.gz"))
(sha256 (sha256
(base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s")) (base32 "0k01hp0q4275fj4rbr1gy64svfraw5w7wvwl08yjhvsnpb1rid11"))
(patches (search-patches "jbig2dec-ignore-testtest.patch" (patches (search-patches "jbig2dec-ignore-testtest.patch"))))
"jbig2dec-CVE-2016-9601.patch"
"jbig2dec-CVE-2017-7885.patch"
"jbig2dec-CVE-2017-7975.patch"
"jbig2dec-CVE-2017-7976.patch"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(synopsis "Decoder of the JBIG2 image compression format") (synopsis "Decoder of the JBIG2 image compression format")
(description (description

View file

@ -1,906 +0,0 @@
Fix CVE-2016-9601:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
https://bugs.ghostscript.com/show_bug.cgi?id=697457
Patch copied from upstream source repository:
http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092
From e698d5c11d27212aa1098bc5b1673a3378563092 Mon Sep 17 00:00:00 2001
From: Robin Watts <robin.watts@artifex.com>
Date: Mon, 12 Dec 2016 17:47:17 +0000
Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build.
Also rename "new" to "new_dict", because "new" is a bad
variable name.
---
jbig2.c | 4 +--
jbig2.h | 8 +++---
jbig2_generic.c | 2 +-
jbig2_halftone.c | 24 ++++++++----------
jbig2_huffman.c | 10 ++++----
jbig2_huffman.h | 2 +-
jbig2_image.c | 32 +++++++++++------------
jbig2_mmr.c | 66 +++++++++++++++++++++++++-----------------------
jbig2_page.c | 6 ++---
jbig2_priv.h | 4 +--
jbig2_segment.c | 10 ++++----
jbig2_symbol_dict.c | 73 +++++++++++++++++++++++++++--------------------------
jbig2_symbol_dict.h | 6 ++---
jbig2_text.c | 16 ++++++------
jbig2_text.h | 2 +-
15 files changed, 134 insertions(+), 131 deletions(-)
diff --git a/jbig2.c b/jbig2.c
index f729e29..e51380f 100644
--- a/jbig2.c
+++ b/jbig2.c
@@ -379,7 +379,7 @@ typedef struct {
} Jbig2WordStreamBuf;
static int
-jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word)
+jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word)
{
Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self;
const byte *data = z->data;
@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t
else if (offset > z->size)
return -1;
else {
- int i;
+ size_t i;
result = 0;
for (i = 0; i < z->size - offset; i++)
diff --git a/jbig2.h b/jbig2.h
index d5aa52f..624e0ed 100644
--- a/jbig2.h
+++ b/jbig2.h
@@ -56,17 +56,19 @@ typedef struct _Jbig2SymbolDictionary Jbig2SymbolDictionary;
*/
struct _Jbig2Image {
- int width, height, stride;
+ uint32_t width;
+ uint32_t height;
+ uint32_t stride;
uint8_t *data;
int refcount;
};
-Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
+Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height);
Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value);
-Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height);
+Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height);
/* errors are returned from the library via a callback. If no callback
is provided (a NULL argument is passed ot jbig2_ctx_new) a default
diff --git a/jbig2_generic.c b/jbig2_generic.c
index 02fdbfb..9656198 100644
--- a/jbig2_generic.c
+++ b/jbig2_generic.c
@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte
byte seg_flags;
int8_t gbat[8];
int offset;
- int gbat_bytes = 0;
+ uint32_t gbat_bytes = 0;
Jbig2GenericRegionParams params;
int code = 0;
Jbig2Image *image = NULL;
diff --git a/jbig2_halftone.c b/jbig2_halftone.c
index aeab576..acfbc56 100644
--- a/jbig2_halftone.c
+++ b/jbig2_halftone.c
@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
{
uint8_t **GSVALS = NULL;
size_t consumed_bytes = 0;
- int i, j, code, stride;
- int x, y;
+ uint32_t i, j, stride, x, y;
+ int code;
Jbig2Image **GSPLANES;
Jbig2GenericRegionParams rparams;
Jbig2WordStream *ws = NULL;
@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSPLANES[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate %dx%d image for GSPLANES", GSW, GSH);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_image_release(ctx, GSPLANES[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_image_release(ctx, GSPLANES[--j]);
jbig2_free(ctx->allocator, GSPLANES);
return NULL;
}
@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
}
/* C.5 step 2. Set j = GSBPP-2 */
- j = GSBPP - 2;
+ j = GSBPP - 1;
/* C.5 step 3. decode loop */
- while (j >= 0) {
+ while (j > 0) {
+ j--;
/* C.5 step 3. (a) */
if (GSMMR) {
code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes);
@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i];
/* C.5 step 3. (c) */
- --j;
}
/* allocate GSVALS */
@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
if (GSVALS[i] == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW);
/* free already allocated */
- for (j = i - 1; j >= 0; --j) {
- jbig2_free(ctx->allocator, GSVALS[j]);
- }
+ for (j = i; j > 0;)
+ jbig2_free(ctx->allocator, GSVALS[--j]);
jbig2_free(ctx->allocator, GSVALS);
GSVALS = NULL;
goto cleanup;
@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
uint8_t **GI;
Jbig2Image *HSKIP = NULL;
Jbig2PatternDict *HPATS;
- int i;
+ uint32_t i;
uint32_t mg, ng;
int32_t x, y;
uint8_t gray_val;
@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
/* calculate ceil(log2(HNUMPATS)) */
HBPP = 0;
- while (HNUMPATS > (1 << ++HBPP));
+ while (HNUMPATS > (1U << ++HBPP));
/* 6.6.5 point 4. decode gray-scale image as mentioned in annex C */
GI = jbig2_decode_gray_scale_image(ctx, segment, data, size,
diff --git a/jbig2_huffman.c b/jbig2_huffman.c
index 4521b48..f77981b 100644
--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState {
is (offset + 4) * 8. */
uint32_t this_word;
uint32_t next_word;
- int offset_bits;
- int offset;
- int offset_limit;
+ uint32_t offset_bits;
+ uint32_t offset;
+ uint32_t offset_limit;
Jbig2WordStream *ws;
Jbig2Ctx *ctx;
};
static uint32_t
-huff_get_next_word(Jbig2HuffmanState *hs, int offset)
+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
{
uint32_t word = 0;
Jbig2WordStream *ws = hs->ws;
@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
/* return the offset of the huffman decode pointer (in bytes)
* from the beginning of the WordStream
*/
-int
+uint32_t
jbig2_huffman_offset(Jbig2HuffmanState *hs)
{
return hs->offset + (hs->offset_bits >> 3);
diff --git a/jbig2_huffman.h b/jbig2_huffman.h
index 5d1e6e0..cfda9e0 100644
--- a/jbig2_huffman.h
+++ b/jbig2_huffman.h
@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs);
void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
-int jbig2_huffman_offset(Jbig2HuffmanState *hs);
+uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob);
diff --git a/jbig2_image.c b/jbig2_image.c
index 1ae614e..94e5a4c 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -32,10 +32,10 @@
/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
-jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
+jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
{
Jbig2Image *image;
- int stride;
+ uint32_t stride;
int64_t check;
image = jbig2_new(ctx, Jbig2Image, 1);
@@ -99,7 +99,7 @@ jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image)
/* resize a Jbig2Image */
Jbig2Image *
-jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
+jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height)
{
if (width == image->width) {
/* check for integer multiplication overflow */
@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
static int
jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int sw = src->width;
- int sh = src->height;
- int sx = 0;
- int sy = 0;
+ uint32_t i, j;
+ uint32_t sw = src->width;
+ uint32_t sh = src->height;
+ uint32_t sx = 0;
+ uint32_t sy = 0;
/* clip to the dst image boundaries */
if (x < 0) {
@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x
int
jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
{
- int i, j;
- int w, h;
- int leftbyte, rightbyte;
- int shift;
+ uint32_t i, j;
+ uint32_t w, h;
+ uint32_t leftbyte, rightbyte;
+ uint32_t shift;
uint8_t *s, *ss;
uint8_t *d, *dd;
uint8_t mask, rightmask;
@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
h += y;
y = 0;
}
- w = (x + w < dst->width) ? w : dst->width - x;
- h = (y + h < dst->height) ? h : dst->height - y;
+ w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0);
+ h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? dst->height - (uint32_t)y : 0);
#ifdef JBIG2_DEBUG
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y);
#endif
@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
}
#endif
- leftbyte = x >> 3;
- rightbyte = (x + w - 1) >> 3;
+ leftbyte = (uint32_t)x >> 3;
+ rightbyte = ((uint32_t)x + w - 1) >> 3;
shift = x & 7;
/* general OR case */
diff --git a/jbig2_mmr.c b/jbig2_mmr.c
index d4cd3a2..390e27c 100644
--- a/jbig2_mmr.c
+++ b/jbig2_mmr.c
@@ -38,19 +38,21 @@
#include "jbig2_mmr.h"
typedef struct {
- int width;
- int height;
+ uint32_t width;
+ uint32_t height;
const byte *data;
size_t size;
- int data_index;
- int bit_index;
+ uint32_t data_index;
+ uint32_t bit_index;
uint32_t word;
} Jbig2MmrCtx;
+#define MINUS1 ((uint32_t)-1)
+
static void
jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
{
- int i;
+ size_t i;
uint32_t word = 0;
mmr->width = width;
@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
#define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
static int
-jbig2_find_changing_element(const byte *line, int x, int w)
+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
{
int a, b;
if (line == 0)
- return w;
+ return (int)w;
- if (x == -1) {
+ if (x == MINUS1) {
a = 0;
x = 0;
} else {
@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w)
}
static int
-jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color)
+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
{
if (line == 0)
return w;
@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
static void
-jbig2_set_bits(byte *line, int x0, int x1)
+jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1)
{
- int a0, a1, b0, b1, a;
+ uint32_t a0, a1, b0, b1, a;
a0 = x0 >> 3;
a1 = x1 >> 3;
@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_
static int
jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
{
- int a0 = -1;
- int a1, a2, b1, b2;
+ uint32_t a0 = MINUS1;
+ uint32_t a1, a2, b1, b2;
int c = 0; /* 0 is white, black is 1 */
while (1) {
@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("%08x\n", word); */
- if (a0 >= mmr->width)
+ if (a0 != MINUS1 && a0 >= mmr->width)
break;
if ((word >> (32 - 3)) == 1) {
@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 3);
- if (a0 == -1)
+ if (a0 == MINUS1)
a0 = 0;
if (c == 0) {
@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a2 < a1 || a1 < 0)
+ if (a1 == MINUS1 || a2 < a1)
return -1;
jbig2_set_bits(dst, a1, a2);
a0 = a2;
@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
a1 = mmr->width;
if (a2 > mmr->width)
a2 = mmr->width;
- if (a1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || a1 < a0)
return -1;
jbig2_set_bits(dst, a0, a1);
a0 = a2;
@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
b2 = jbig2_find_changing_element(ref, b1, mmr->width);
if (c) {
- if (b2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b2 < a0)
return -1;
jbig2_set_bits(dst, a0, b2);
}
@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
jbig2_decode_mmr_consume(mmr, 1);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
if (c) {
- if (b1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1);
}
@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 1 > mmr->width)
break;
if (c) {
- if (b1 + 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 1);
}
@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 + 2 > mmr->width)
break;
if (c) {
- if (b1 + 2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 2 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 2);
}
@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VR(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 + 3 > mmr->width)
+ if (b1 + 3 > (int)mmr->width)
break;
if (c) {
- if (b1 + 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 + 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 + 3);
}
@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(1)\n"); */
jbig2_decode_mmr_consume(mmr, 3);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 1 < 0)
+ if (b1 < 1)
break;
if (c) {
- if (b1 - 1 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 1 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 1);
}
@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(2)\n"); */
jbig2_decode_mmr_consume(mmr, 6);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 2 < 0)
+ if (b1 < 2)
break;
if (c) {
if (b1 - 2 < a0 || a0 < 0)
@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
/* printf ("VL(3)\n"); */
jbig2_decode_mmr_consume(mmr, 7);
b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
- if (b1 - 3 < 0)
+ if (b1 < 3)
break;
if (c) {
- if (b1 - 3 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 3 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 3);
}
@@ -1009,10 +1011,10 @@ int
jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size);
@@ -1047,10 +1049,10 @@ int
jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes)
{
Jbig2MmrCtx mmr;
- const int rowstride = image->stride;
+ const uint32_t rowstride = image->stride;
byte *dst = image->data;
byte *ref = NULL;
- int y;
+ uint32_t y;
int code = 0;
const uint32_t EOFB = 0x001001;
diff --git a/jbig2_page.c b/jbig2_page.c
index 110ff7c..1ed1c8a 100644
--- a/jbig2_page.c
+++ b/jbig2_page.c
@@ -155,9 +155,9 @@ int
jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
{
Jbig2Page page = ctx->pages[ctx->current_page];
- int end_row;
+ uint32_t end_row;
- end_row = jbig2_get_int32(segment_data);
+ end_row = jbig2_get_uint32(segment_data);
if (end_row < page.end_row) {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
"end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row);
@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x,
/* grow the page to accomodate a new stripe if necessary */
if (page->striped) {
- int new_height = y + image->height + page->end_row;
+ uint32_t new_height = y + image->height + page->end_row;
if (page->image->height < new_height) {
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height);
diff --git a/jbig2_priv.h b/jbig2_priv.h
index 42ba496..3d44b42 100644
--- a/jbig2_priv.h
+++ b/jbig2_priv.h
@@ -132,7 +132,7 @@ struct _Jbig2Page {
uint32_t x_resolution, y_resolution; /* in pixels per meter */
uint16_t stripe_size;
bool striped;
- int end_row;
+ uint32_t end_row;
uint8_t flags;
Jbig2Image *image;
};
@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm
typedef struct _Jbig2WordStream Jbig2WordStream;
struct _Jbig2WordStream {
- int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word);
+ int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word);
};
Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size);
diff --git a/jbig2_segment.c b/jbig2_segment.c
index 2e0db67..5b63706 100644
--- a/jbig2_segment.c
+++ b/jbig2_segment.c
@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
uint8_t rtscarf;
uint32_t rtscarf_long;
uint32_t *referred_to_segments;
- int referred_to_segment_count;
- int referred_to_segment_size;
- int pa_size;
- int offset;
+ uint32_t referred_to_segment_count;
+ uint32_t referred_to_segment_size;
+ uint32_t pa_size;
+ uint32_t offset;
/* minimum possible size of a jbig2 segment header */
if (buf_size < 11)
@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
/* 7.2.5 */
if (referred_to_segment_count) {
- int i;
+ uint32_t i;
referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size);
if (referred_to_segments == NULL) {
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 2c71a4c..11a2252 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* return a new empty symbol dict */
Jbig2SymbolDict *
-jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols)
+jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
{
- Jbig2SymbolDict *new = NULL;
+ Jbig2SymbolDict *new_dict = NULL;
if (n_symbols < 0) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
return NULL;
}
- new = jbig2_new(ctx, Jbig2SymbolDict, 1);
- if (new != NULL) {
- new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
- new->n_symbols = n_symbols;
+ new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+ if (new_dict != NULL) {
+ new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+ new_dict->n_symbols = n_symbols;
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict");
return NULL;
}
- if (new->glyphs != NULL) {
- memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
+ if (new_dict->glyphs != NULL) {
+ memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
} else {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict");
- jbig2_free(ctx->allocator, new);
+ jbig2_free(ctx->allocator, new_dict);
return NULL;
}
- return new;
+ return new_dict;
}
/* release the memory associated with a symbol dict */
void
jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict)
{
- int i;
+ uint32_t i;
if (dict == NULL)
return;
@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id)
}
/* count the number of dictionary segments referred to by the given segment */
-int
+uint32_t
jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
{
int index;
Jbig2Segment *rsegment;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
for (index = 0; index < segment->referred_to_segment_count; index++) {
rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]);
@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
int index;
Jbig2Segment *rsegment;
Jbig2SymbolDict **dicts;
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
- int dindex = 0;
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t dindex = 0;
dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts);
if (dicts == NULL) {
@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
Jbig2SymbolDict *
-jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
+jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts)
{
- int i, j, k, symbols;
- Jbig2SymbolDict *new = NULL;
+ uint32_t i, j, k, symbols;
+ Jbig2SymbolDict *new_dict = NULL;
/* count the imported symbols and allocate a new array */
symbols = 0;
@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
symbols += dicts[i]->n_symbols;
/* fill a new array with cloned glyph pointers */
- new = jbig2_sd_new(ctx, symbols);
- if (new != NULL) {
+ new_dict = jbig2_sd_new(ctx, symbols);
+ if (new_dict != NULL) {
k = 0;
for (i = 0; i < n_dicts; i++)
for (j = 0; j < dicts[i]->n_symbols; j++)
- new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
+ new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
} else {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary");
}
- return new;
+ return new_dict;
}
/* Decoding routines */
@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (REFAGGNINST > 1) {
Jbig2Image *image;
- int i;
+ uint32_t i;
if (tparams == NULL) {
/* First time through, we need to initialise the */
@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
uint32_t ID;
int32_t RDX, RDY;
int BMSIZE = 0;
- int ninsyms = params->SDNUMINSYMS;
+ uint32_t ninsyms = params->SDNUMINSYMS;
int code1 = 0;
int code2 = 0;
int code3 = 0;
@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
if (params->SDHUFF && !params->SDREFAGG) {
/* 6.5.9 */
Jbig2Image *image;
- int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
- int j, x;
+ uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
+ uint32_t j;
+ int x;
if (code || (BMSIZE < 0)) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary");
goto cleanup4;
} else {
- int i = 0;
- int j = 0;
- int k;
+ uint32_t i = 0;
+ uint32_t j = 0;
+ uint32_t k;
int exflag = 0;
- int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
- int32_t exrunlength;
+ uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
+ uint32_t exrunlength;
int zerolength = 0;
while (i < limit) {
if (params->SDHUFF)
exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
- code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
/* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
else if (exrunlength <= 0)
@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
{
Jbig2SymbolDictParams params;
uint16_t flags;
- int sdat_bytes;
- int offset;
+ uint32_t sdat_bytes;
+ uint32_t offset;
Jbig2ArithCx *GB_stats = NULL;
Jbig2ArithCx *GR_stats = NULL;
int table_index = 0;
@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
/* 7.4.2.2 (2) */
{
- int n_dicts = jbig2_sd_count_referred(ctx, segment);
+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
Jbig2SymbolDict **dicts = NULL;
if (n_dicts > 0) {
diff --git a/jbig2_symbol_dict.h b/jbig2_symbol_dict.h
index d56d62d..30211d4 100644
--- a/jbig2_symbol_dict.h
+++ b/jbig2_symbol_dict.h
@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se
Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id);
/* return a new empty symbol dict */
-Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols);
+Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols);
/* release the memory associated with a symbol dict */
void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict);
/* generate a new symbol dictionary by concatenating a list of
existing dictionaries */
-Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts);
+Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts);
/* count the number of dictionary segments referred
to by the given segment */
-int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
+uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
/* return an array of pointers to symbol dictionaries referred
to by a segment */
diff --git a/jbig2_text.c b/jbig2_text.c
index 5c99640..e77460f 100644
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -55,7 +55,7 @@
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws)
{
/* relevent bits of 6.4.4 */
@@ -476,19 +476,19 @@ cleanup2:
int
jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data)
{
- int offset = 0;
+ uint32_t offset = 0;
Jbig2RegionSegmentInfo region_info;
Jbig2TextRegionParams params;
Jbig2Image *image = NULL;
Jbig2SymbolDict **dicts = NULL;
- int n_dicts = 0;
+ uint32_t n_dicts = 0;
uint16_t flags = 0;
uint16_t huffman_flags = 0;
Jbig2ArithCx *GR_stats = NULL;
int code = 0;
Jbig2WordStream *ws = NULL;
Jbig2ArithState *as = NULL;
- int table_index = 0;
+ uint32_t table_index = 0;
const Jbig2HuffmanParams *huffman_params = NULL;
/* 7.4.1 */
@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! previous parsing error?");
goto cleanup1;
} else {
- int index;
+ uint32_t index;
if (dicts[0] == NULL) {
code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!");
@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
if (!params.SBHUFF) {
- int SBSYMCODELEN, index;
- int SBNUMSYMS = 0;
+ uint32_t SBSYMCODELEN, index;
+ uint32_t SBNUMSYMS = 0;
for (index = 0; index < n_dicts; index++) {
SBNUMSYMS += dicts[index]->n_symbols;
@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
/* Table 31 */
- for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
+ for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
}
params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
params.IARI = jbig2_arith_int_ctx_new(ctx);
diff --git a/jbig2_text.h b/jbig2_text.h
index aec2732..51d242e 100644
--- a/jbig2_text.h
+++ b/jbig2_text.h
@@ -70,5 +70,5 @@ typedef struct {
int
jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
const Jbig2TextRegionParams *params,
- const Jbig2SymbolDict *const *dicts, const int n_dicts,
+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws);
--
2.9.1

View file

@ -1,38 +0,0 @@
Fix CVE-2017-7885:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
https://bugs.ghostscript.com/show_bug.cgi?id=697703
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 3 May 2017 22:06:01 +0100
Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
Add extra check for the offset being greater than the size
of the image and hence reading off the end of the buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
---
jbig2_symbol_dict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 4acaba9..36225cb 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
byte *dst = image->data;
/* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
size - jbig2_huffman_offset(hs));
jbig2_image_release(ctx, image);
--
2.13.0

View file

@ -1,40 +0,0 @@
Fix CVE-2017-7975:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
https://bugs.ghostscript.com/show_bug.cgi?id=697693
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 26 Apr 2017 22:12:14 +0100
Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
While building a Huffman table, the start and end points were susceptible
to integer overflow.
Thank you to Jiaqi for finding this issue and suggesting a patch.
---
jbig2_huffman.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jbig2_huffman.c b/jbig2_huffman.c
index 511e461..b4189a1 100644
--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
if (PREFLEN == CURLEN) {
int RANGELEN = lines[CURTEMP].RANGELEN;
- int start_j = CURCODE << shift;
- int end_j = (CURCODE + 1) << shift;
+ uint32_t start_j = CURCODE << shift;
+ uint32_t end_j = (CURCODE + 1) << shift;
byte eflags = 0;
if (end_j > max_j) {
--
2.13.0

View file

@ -1,122 +0,0 @@
Fix CVE-2017-7976:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
https://bugs.ghostscript.com/show_bug.cgi?id=697683
In order to make the bug-fix patch apply, we also include an earlier commit
that it depends on.
Patches copied from upstream source repository:
Earlier commit, creating context for the CVE fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
CVE-2017-7976 bug fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 14 Dec 2016 15:56:31 +0100
Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
false.
---
jbig2_image.c | 2 +-
jbig2_mmr.c | 2 +-
jbig2_symbol_dict.c | 9 ++-------
3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/jbig2_image.c b/jbig2_image.c
index 94e5a4c..00f966b 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
diff --git a/jbig2_mmr.c b/jbig2_mmr.c
index 390e27c..da54934 100644
--- a/jbig2_mmr.c
+++ b/jbig2_mmr.c
@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 < 2)
break;
if (c) {
- if (b1 - 2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 2 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 2);
}
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 11a2252..4acaba9 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
{
Jbig2SymbolDict *new_dict = NULL;
- if (n_symbols < 0) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
- return NULL;
- }
-
new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
if (new_dict != NULL) {
new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
uint32_t j;
int x;
- if (code || (BMSIZE < 0)) {
+ if (code) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
goto cleanup4;
}
@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
/* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
else if (exrunlength <= 0)
--
2.13.0
From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 10 May 2017 17:50:39 +0100
Subject: [PATCH] Bug 697683: Bounds check before reading from image source
data.
Add extra check to prevent reading off the end of the image source
data buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
---
jbig2_image.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jbig2_image.c b/jbig2_image.c
index 661d0a5..ae161b9 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
--
2.13.0

View file

@ -1,8 +1,8 @@
Do not run the "testtest script", it doesn't seem to do anything and reports Do not run the test 'test_jbig2dec.py'. It doesn't seem to do anything
failiute. TODO: Actually fix the test instead of ignoring it. and reports failure. TODO: Actually fix the test instead of ignoring it.
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 0573592..1a5de77 100644 index 63982d4..8af1d61 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -93,7 +93,7 @@ host_triplet = @host@ @@ -93,7 +93,7 @@ host_triplet = @host@