diff options
Diffstat (limited to 'media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch')
-rw-r--r-- | media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch b/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch new file mode 100644 index 000000000000..52a7f448e6f3 --- /dev/null +++ b/media-libs/jbig2dec/files/jbig2dec-0.18-extra-overflow-checks.patch @@ -0,0 +1,51 @@ +https://github.com/ArtifexSoftware/jbig2dec/commit/873694419b3498708b90c5c36ee0a73795a90c84 +---- +From 873694419b3498708b90c5c36ee0a73795a90c84 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen <sebras@gmail.com> +Date: Sun, 15 Sep 2019 17:31:48 +0200 +Subject: [PATCH] jbig2dec: Handle under-/overflow detection and messaging + better. + +Previously SYMWIDTH was capped too early in order to prevent underflow +Moreover TOTWIDTH was allowed to overflow. + +Now the value DW is checked compared to SYMWIDTH, preventing over +underflow and overflow at the correct limits, and an overflow +check has been added for TOTWIDTH. +--- + jbig2_symbol_dict.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c +index e606529..bc6e98c 100644 +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + break; + } + ++ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); ++ goto cleanup; ++ } ++ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); ++ goto cleanup; ++ } ++ + SYMWIDTH = SYMWIDTH + DW; +- TOTWIDTH = TOTWIDTH + SYMWIDTH; +- if ((int32_t) SYMWIDTH < 0) { +- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1); ++ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) { ++ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1); + goto cleanup; + } ++ ++ TOTWIDTH = TOTWIDTH + SYMWIDTH; + #ifdef JBIG2_DEBUG +- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH); ++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH); + #endif + /* 6.5.5 (4c.ii) */ + if (!params->SDHUFF || params->SDREFAGG) { |