gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.

* gnu/packages/patches/jbig2dec-CVE-2017-7885.patch, gnu/packages/patches/jbig2dec-CVE-2017-7975.patch, gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/image.scm (jbig2dec)[source]: Use them.
author: Leo Famulari <leo@famulari.name> 2017-05-20 15:48:11 -0400
committer: Leo Famulari <leo@famulari.name> 2017-05-20 16:26:29 -0400
commit: 10cb88f85cb4a967fac756ee76f6dc60d60d7bef (patch)
tree: c1fb3d09b04dc2b4975817de3f2d841975aee801 /gnu/packages/patches
parent: fefd4c197fa89480cafd98ae9b32b7f1b3f57686 (diff)
3 files changed, 200 insertions, 0 deletions
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
new file mode 100644
index 0000000000..a598392765
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch
@@ -0,0 +1,38 @@
+Fix CVE-2017-7885:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
+https://bugs.ghostscript.com/show_bug.cgi?id=697703
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
+
+From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 3 May 2017 22:06:01 +0100
+Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
+
+Add extra check for the offset being greater than the size
+of the image and hence reading off the end of the buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2_symbol_dict.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 4acaba9..36225cb 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 byte *dst = image->data;
+ 
+                 /* SumatraPDF: prevent read access violation */
+-                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
++                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
+                                 size - jbig2_huffman_offset(hs));
+                     jbig2_image_release(ctx, image);
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
new file mode 100644
index 0000000000..c83fe9d9f2
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
@@ -0,0 +1,40 @@
+Fix CVE-2017-7975:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
+https://bugs.ghostscript.com/show_bug.cgi?id=697693
+
+Patch copied from upstream source repository:
+
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
+
+From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 26 Apr 2017 22:12:14 +0100
+Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
+
+While building a Huffman table, the start and end points were susceptible
+to integer overflow.
+
+Thank you to Jiaqi for finding this issue and suggesting a patch.
+---
+ jbig2_huffman.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2_huffman.c b/jbig2_huffman.c
+index 511e461..b4189a1 100644
+--- a/jbig2_huffman.c
++++ b/jbig2_huffman.c
+@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
+ 
+             if (PREFLEN == CURLEN) {
+                 int RANGELEN = lines[CURTEMP].RANGELEN;
+-                int start_j = CURCODE << shift;
+-                int end_j = (CURCODE + 1) << shift;
++                uint32_t start_j = CURCODE << shift;
++                uint32_t end_j = (CURCODE + 1) << shift;
+                 byte eflags = 0;
+ 
+                 if (end_j > max_j) {
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
new file mode 100644
index 0000000000..2fe02358b8
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
@@ -0,0 +1,122 @@
+Fix CVE-2017-7976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
+https://bugs.ghostscript.com/show_bug.cgi?id=697683
+
+In order to make the bug-fix patch apply, we also include an earlier commit
+that it depends on.
+
+Patches copied from upstream source repository:
+
+Earlier commit, creating context for the CVE fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
+
+CVE-2017-7976 bug fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
+
+From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 14 Dec 2016 15:56:31 +0100
+Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
+ false.
+
+---
+ jbig2_image.c       | 2 +-
+ jbig2_mmr.c         | 2 +-
+ jbig2_symbol_dict.c | 9 ++-------
+ 3 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 94e5a4c..00f966b 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
+diff --git a/jbig2_mmr.c b/jbig2_mmr.c
+index 390e27c..da54934 100644
+--- a/jbig2_mmr.c
++++ b/jbig2_mmr.c
+@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             if (b1 < 2)
+                 break;
+             if (c) {
+-                if (b1 - 2 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 - 2 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 - 2);
+             }
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 11a2252..4acaba9 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
+ {
+     Jbig2SymbolDict *new_dict = NULL;
+ 
+-    if (n_symbols < 0) {
+-        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
+-        return NULL;
+-    }
+-
+     new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+     if (new_dict != NULL) {
+         new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+             uint32_t j;
+             int x;
+ 
+-            if (code || (BMSIZE < 0)) {
++            if (code) {
+                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
+                 goto cleanup4;
+             }
+@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
+             /* prevent infinite loop */
+             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+-            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
++            if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+                 if (code)
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
+                 else if (exrunlength <= 0)
+-- 
+2.13.0
+
+From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 10 May 2017 17:50:39 +0100
+Subject: [PATCH] Bug 697683: Bounds check before reading from image source
+ data.
+
+Add extra check to prevent reading off the end of the image source
+data buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 661d0a5..ae161b9 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
+-- 
+2.13.0
+
author	Leo Famulari <leo@famulari.name>	2017-05-20 15:48:11 -0400
committer	Leo Famulari <leo@famulari.name>	2017-05-20 16:26:29 -0400
commit	10cb88f85cb4a967fac756ee76f6dc60d60d7bef (patch)
tree	c1fb3d09b04dc2b4975817de3f2d841975aee801 /gnu/packages/patches
parent	fefd4c197fa89480cafd98ae9b32b7f1b3f57686 (diff)