Diffstat (limited to 'media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch')
-rw-r--r--media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch
new file mode 100644
index 000000000000..c6dbd182c616
--- /dev/null
+++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch
@@ -0,0 +1,29 @@
+From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 10 May 2017 17:50:39 +0100
+Subject: [PATCH] Bug 697683: Bounds check before reading from image source
+ data.
+
+Add extra check to prevent reading off the end of the image source
+data buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2dec/jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Backported dilfridge@g.o
+
+diff -ruN jbig2dec-0.13.orig/jbig2_image.c jbig2dec-0.13/jbig2_image.c
+--- jbig2dec-0.13.orig/jbig2_image.c 2017-06-10 01:41:16.207939489 +0200
++++ jbig2dec-0.13/jbig2_image.c 2017-06-10 01:46:28.009952461 +0200
+@@ -256,7 +256,8 @@
+ /* general OR case */
+ s = ss;
+ d = dd = dst->data + y * dst->stride + leftbyte;
+- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+ }
+ if (leftbyte == rightbyte) {
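Review bot: The added source-side term in the `if` before the `jbig2_error` call checks only the upper end of the source buffer, and it does so on an already-computed pointer, `s - leftbyte + (h - 1) * src->stride + rightbyte`. A negative or wrapped product can therefore move that pointer below `src->data` and still pass the `>` comparison. The backport also drops the old `h * dst->stride < 0` term, which was the only sign check on these products; the types of `h` and `stride` are not visible on this page, so confirm against the struct definition whether that removal is safe. I would add a lower-bound term such as `s - leftbyte < src->data ||`, and preferably compare byte offsets as integers (checked for overflow before multiplying) instead of comparing formed pointers. The enclosing function starts and ends outside the hunk, so how `ss`, `h`, `leftbyte` and `rightbyte` are clamped earlier cannot be judged from here.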