Diffstat (limited to 'media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch')
-rw-r--r--media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch b/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch
new file mode 100644
index 00000000000..52a7f448e6f
--- /dev/null
+++ b/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch
@@ -0,0 +1,51 @@
+https://github.com/ArtifexSoftware/jbig2dec/commit/873694419b3498708b90c5c36ee0a73795a90c84
+----
+From 873694419b3498708b90c5c36ee0a73795a90c84 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen <sebras@gmail.com>
+Date: Sun, 15 Sep 2019 17:31:48 +0200
+Subject: [PATCH] jbig2dec: Handle under-/overflow detection and messaging
+ better.
+
+Previously SYMWIDTH was capped too early in order to prevent underflow
+Moreover TOTWIDTH was allowed to overflow.
+
+Now the value DW is checked compared to SYMWIDTH, preventing over
+underflow and overflow at the correct limits, and an overflow
+check has been added for TOTWIDTH.
+---
+ jbig2_symbol_dict.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index e606529..bc6e98c 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ break;
+ }
+
++ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) {
++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
++ goto cleanup;
++ }
++ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) {
++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
++ goto cleanup;
++ }
++
+ SYMWIDTH = SYMWIDTH + DW;
+- TOTWIDTH = TOTWIDTH + SYMWIDTH;
+- if ((int32_t) SYMWIDTH < 0) {
+- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1);
++ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) {
++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1);
+ goto cleanup;
+ }
++
++ TOTWIDTH = TOTWIDTH + SYMWIDTH;
+ #ifdef JBIG2_DEBUG
+- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH);
++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH);
+ #endif
+ /* 6.5.5 (4c.ii) */
+ if (!params->SDHUFF || params->SDREFAGG) {
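Review bot: The new underflow guard `SYMWIDTH < (uint32_t) -DW` negates DW before the cast, so a decoded DW of INT32_MIN would make `-DW` a signed overflow, which is undefined behaviour inside the check meant to reject bad widths. This assumes DW is a signed 32-bit value, as the `DW < 0` test and the `%d` format suggest; its declaration is outside the hunk. Doing the negation in unsigned arithmetic gives the same magnitude without the overflow: `if (DW < 0 && SYMWIDTH < 0u - (uint32_t) DW) {`. Whether the integer decoder can actually return INT32_MIN is not visible here, so treat this as hardening. The body of jbig2_decode_symbol_dict starts and ends outside the hunk.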