diff options
Diffstat (limited to 'media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch')
-rw-r--r-- | media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch new file mode 100644 index 000000000000..c6dbd182c616 --- /dev/null +++ b/media-libs/jbig2dec/files/jbig2dec-0.13-CVE-2017-7976.patch @@ -0,0 +1,29 @@ +From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001 +From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> +Date: Wed, 10 May 2017 17:50:39 +0100 +Subject: [PATCH] Bug 697683: Bounds check before reading from image source + data. + +Add extra check to prevent reading off the end of the image source +data buffer. + +Thank you to Dai Ge for finding this issue and suggesting a patch. +--- + jbig2dec/jbig2_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Backported dilfridge@g.o + +diff -ruN jbig2dec-0.13.orig/jbig2_image.c jbig2dec-0.13/jbig2_image.c +--- jbig2dec-0.13.orig/jbig2_image.c 2017-06-10 01:41:16.207939489 +0200 ++++ jbig2dec-0.13/jbig2_image.c 2017-06-10 01:46:28.009952461 +0200 +@@ -256,7 +256,8 @@ + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { |