summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'media-libs/jbig2dec')
-rw-r--r--media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch29
-rw-r--r--media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch31
-rw-r--r--media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch29
-rw-r--r--media-libs/jbig2dec/jbig2dec-0.13-r3.ebuild52
4 files changed, 141 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch
new file mode 100644
index 000000000000..e8ffccd45344
--- /dev/null
+++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7885.patch
@@ -0,0 +1,29 @@
+From b184e783702246e154294326d03d9abda669fcfa Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 3 May 2017 22:06:01 +0100
+Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
+
+Add extra check for the offset being greater than the size
+of the image and hence reading off the end of the buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2dec/jbig2_symbol_dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
+index 4acaba9d0..36225cb1f 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ byte *dst = image->data;
+
+ /* SumatraPDF: prevent read access violation */
+- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
++ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
+ size - jbig2_huffman_offset(hs));
+ jbig2_image_release(ctx, image);
+--
+2.13.1
+
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch
new file mode 100644
index 000000000000..d5e62762b9a5
--- /dev/null
+++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7975.patch
@@ -0,0 +1,31 @@
+From 5e57e483298dae8b8d4ec9aab37a526736ac2e97 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 26 Apr 2017 22:12:14 +0100
+Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
+
+While building a Huffman table, the start and end points were susceptible
+to integer overflow.
+
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+---
+ jbig2dec/jbig2_huffman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2dec/jbig2_huffman.c b/jbig2dec/jbig2_huffman.c
+index 511e46170..b4189a12c 100644
+--- a/jbig2_huffman.c
++++ b/jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
+
+ if (PREFLEN == CURLEN) {
+ int RANGELEN = lines[CURTEMP].RANGELEN;
+- int start_j = CURCODE << shift;
+- int end_j = (CURCODE + 1) << shift;
++ uint32_t start_j = CURCODE << shift;
++ uint32_t end_j = (CURCODE + 1) << shift;
+ byte eflags = 0;
+
+ if (end_j > max_j) {
+--
+2.13.1
+
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch
new file mode 100644
index 000000000000..c6dbd182c616
--- /dev/null
+++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch
@@ -0,0 +1,29 @@
+From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 10 May 2017 17:50:39 +0100
+Subject: [PATCH] Bug 697683: Bounds check before reading from image source
+ data.
+
+Add extra check to prevent reading off the end of the image source
+data buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2dec/jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Backported dilfridge@g.o
+
+diff -ruN jbig2dec-0.13.orig/jbig2_image.c jbig2dec-0.13/jbig2_image.c
+--- jbig2dec-0.13.orig/jbig2_image.c 2017-06-10 01:41:16.207939489 +0200
++++ jbig2dec-0.13/jbig2_image.c 2017-06-10 01:46:28.009952461 +0200
+@@ -256,7 +256,8 @@
+ /* general OR case */
+ s = ss;
+ d = dd = dst->data + y * dst->stride + leftbyte;
+- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+ }
+ if (leftbyte == rightbyte) {
diff --git a/media-libs/jbig2dec/jbig2dec-0.13-r3.ebuild b/media-libs/jbig2dec/jbig2dec-0.13-r3.ebuild
new file mode 100644
index 000000000000..5d681123a460
--- /dev/null
+++ b/media-libs/jbig2dec/jbig2dec-0.13-r3.ebuild
@@ -0,0 +1,52 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+DESCRIPTION="A decoder implementation of the JBIG2 image compression format"
+HOMEPAGE="http://ghostscript.com/jbig2dec.html"
+SRC_URI="http://downloads.ghostscript.com/public/${PN}/${P}.tar.gz
+ test? ( http://jbig2dec.sourceforge.net/ubc/jb2streams.zip )"
+
+LICENSE="AGPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x64-cygwin ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~m68k-mint ~sparc-solaris ~x86-solaris"
+IUSE="png static-libs test"
+
+RDEPEND="png? ( media-libs/libpng:0= )"
+DEPEND="${RDEPEND}
+ test? ( app-arch/unzip )"
+
+RESTRICT="test"
+# bug 324275
+
+DOCS="CHANGES README"
+
+PATCHES=(
+ "${FILESDIR}/${P}-CVE-2016-9601.patch"
+ "${FILESDIR}/${P}-CVE-2017-9216.patch"
+ "${FILESDIR}/${P}-CVE-2017-7885.patch"
+ "${FILESDIR}/${P}-CVE-2017-7975.patch"
+# "${FILESDIR}/${P}-CVE-2017-7976.patch"
+)
+
+src_prepare() {
+ default
+
+ if use test; then
+ mkdir "${WORKDIR}/ubc" || die
+ mv -v "${WORKDIR}"/*.jb2 "${WORKDIR}/ubc/" || die
+ mv -v "${WORKDIR}"/*.bmp "${WORKDIR}/ubc/" || die
+ fi
+}
+
+src_configure() {
+ econf \
+ $(use_enable static-libs static) \
+ $(use_with png libpng)
+}
+
+src_install() {
+ default
+ find "${ED}" -name '*.la' -exec rm {} + || die
+}