gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.

* gnu/packages/patches/jbig2dec-CVE-2017-7885.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jbig2dec)[source]: Use them.
This commit is contained in:
Leo Famulari 2017-05-20 15:48:11 -04:00
parent fefd4c197f
commit 10cb88f85c
No known key found for this signature in database
GPG Key ID: 2646FA30BACA7F08
5 changed files with 207 additions and 1 deletions

View File

@ -689,6 +689,9 @@ dist_patch_DATA = \
%D%/packages/patches/jasper-CVE-2017-6850.patch \
%D%/packages/patches/jbig2dec-ignore-testtest.patch \
%D%/packages/patches/jbig2dec-CVE-2016-9601.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7885.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7975.patch \
%D%/packages/patches/jbig2dec-CVE-2017-7976.patch \
%D%/packages/patches/jq-CVE-2015-8863.patch \
%D%/packages/patches/kdbusaddons-kinit-file-name.patch \
%D%/packages/patches/khmer-use-libraries.patch \

View File

@ -509,7 +509,10 @@ arithmetic ops.")
(sha256
(base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s"))
(patches (search-patches "jbig2dec-ignore-testtest.patch"
"jbig2dec-CVE-2016-9601.patch"))))
"jbig2dec-CVE-2016-9601.patch"
"jbig2dec-CVE-2017-7885.patch"
"jbig2dec-CVE-2017-7975.patch"
"jbig2dec-CVE-2017-7976.patch"))))
(build-system gnu-build-system)
(synopsis "Decoder of the JBIG2 image compression format")

View File

@ -0,0 +1,38 @@
Fix CVE-2017-7885:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
https://bugs.ghostscript.com/show_bug.cgi?id=697703
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 3 May 2017 22:06:01 +0100
Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
Add extra check for the offset being greater than the size
of the image and hence reading off the end of the buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
---
jbig2_symbol_dict.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 4acaba9..36225cb 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
byte *dst = image->data;
/* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
size - jbig2_huffman_offset(hs));
jbig2_image_release(ctx, image);
--
2.13.0

View File

@ -0,0 +1,40 @@
Fix CVE-2017-7975:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
https://bugs.ghostscript.com/show_bug.cgi?id=697693
Patch copied from upstream source repository:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 26 Apr 2017 22:12:14 +0100
Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
While building a Huffman table, the start and end points were susceptible
to integer overflow.
Thank you to Jiaqi for finding this issue and suggesting a patch.
---
jbig2_huffman.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/jbig2_huffman.c b/jbig2_huffman.c
index 511e461..b4189a1 100644
--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
if (PREFLEN == CURLEN) {
int RANGELEN = lines[CURTEMP].RANGELEN;
- int start_j = CURCODE << shift;
- int end_j = (CURCODE + 1) << shift;
+ uint32_t start_j = CURCODE << shift;
+ uint32_t end_j = (CURCODE + 1) << shift;
byte eflags = 0;
if (end_j > max_j) {
--
2.13.0

View File

@ -0,0 +1,122 @@
Fix CVE-2017-7976:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
https://bugs.ghostscript.com/show_bug.cgi?id=697683
In order to make the bug-fix patch apply, we also include an earlier commit
that it depends on.
Patches copied from upstream source repository:
Earlier commit, creating context for the CVE fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
CVE-2017-7976 bug fix:
https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
From: Tor Andersson <tor.andersson@artifex.com>
Date: Wed, 14 Dec 2016 15:56:31 +0100
Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
false.
---
jbig2_image.c | 2 +-
jbig2_mmr.c | 2 +-
jbig2_symbol_dict.c | 9 ++-------
3 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/jbig2_image.c b/jbig2_image.c
index 94e5a4c..00f966b 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
diff --git a/jbig2_mmr.c b/jbig2_mmr.c
index 390e27c..da54934 100644
--- a/jbig2_mmr.c
+++ b/jbig2_mmr.c
@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
if (b1 < 2)
break;
if (c) {
- if (b1 - 2 < a0 || a0 < 0)
+ if (a0 == MINUS1 || b1 - 2 < a0)
return -1;
jbig2_set_bits(dst, a0, b1 - 2);
}
diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
index 11a2252..4acaba9 100644
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
{
Jbig2SymbolDict *new_dict = NULL;
- if (n_symbols < 0) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
- return NULL;
- }
-
new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
if (new_dict != NULL) {
new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
uint32_t j;
int x;
- if (code || (BMSIZE < 0)) {
+ if (code) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
goto cleanup4;
}
@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
/* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
else if (exrunlength <= 0)
--
2.13.0
From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 10 May 2017 17:50:39 +0100
Subject: [PATCH] Bug 697683: Bounds check before reading from image source
data.
Add extra check to prevent reading off the end of the image source
data buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
---
jbig2_image.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/jbig2_image.c b/jbig2_image.c
index 661d0a5..ae161b9 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
--
2.13.0