Fix CVE-2017-7976: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976 https://bugs.ghostscript.com/show_bug.cgi?id=697683 In order to make the bug-fix patch apply, we also include an earlier commit that it depends on. Patches copied from upstream source repository: Earlier commit, creating context for the CVE fix: https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544 CVE-2017-7976 bug fix: https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6 From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001 From: Tor Andersson <tor.andersson@artifex.com> Date: Wed, 14 Dec 2016 15:56:31 +0100 Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always false. --- jbig2_image.c | 2 +- jbig2_mmr.c | 2 +- jbig2_symbol_dict.c | 9 ++------- 3 files changed, 4 insertions(+), 9 deletions(-) diff --git a/jbig2_image.c b/jbig2_image.c index 94e5a4c..00f966b 100644 --- a/jbig2_image.c +++ b/jbig2_image.c @@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int /* general OR case */ s = ss; d = dd = dst->data + y * dst->stride + leftbyte; - if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { + if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); } if (leftbyte == rightbyte) { diff --git a/jbig2_mmr.c b/jbig2_mmr.c index 390e27c..da54934 100644 --- a/jbig2_mmr.c +++ b/jbig2_mmr.c @@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) if (b1 < 2) break; if (c) { - if (b1 - 2 < a0 || a0 < 0) + if (a0 == MINUS1 || b1 - 2 < a0) return -1; jbig2_set_bits(dst, a0, b1 - 2); } diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c index 11a2252..4acaba9 100644 --- a/jbig2_symbol_dict.c +++ b/jbig2_symbol_dict.c @@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) { Jbig2SymbolDict *new_dict = NULL; - if (n_symbols < 0) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); - return NULL; - } - new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); if (new_dict != NULL) { new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); @@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, uint32_t j; int x; - if (code || (BMSIZE < 0)) { + if (code) { jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); goto cleanup4; } @@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); /* prevent infinite loop */ zerolength = exrunlength > 0 ? 0 : zerolength + 1; - if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { + if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { if (code) jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); else if (exrunlength <= 0) -- 2.13.0 From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001 From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> Date: Wed, 10 May 2017 17:50:39 +0100 Subject: [PATCH] Bug 697683: Bounds check before reading from image source data. Add extra check to prevent reading off the end of the image source data buffer. Thank you to Dai Ge for finding this issue and suggesting a patch. --- jbig2_image.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/jbig2_image.c b/jbig2_image.c index 661d0a5..ae161b9 100644 --- a/jbig2_image.c +++ b/jbig2_image.c @@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int /* general OR case */ s = ss; d = dd = dst->data + y * dst->stride + leftbyte; - if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { + if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || + s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); } if (leftbyte == rightbyte) { -- 2.13.0