wallenstein/void-packages
1
0
Fork 0
mirror of https://github.com/void-linux/void-packages.git synced 2025-10-11 13:05:11 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
void-packages/srcpkgs/jbig2dec/patches/CVE-2017-7976.patch
Helmut Pozimski b2f6fbd9dd jbig2dec: add patches for multiple CVEs 
fixes CVE-2017-7885, CVE-2017-7975 and CVE-2017-7976.
Patches taken from the upstream ghostpdl git repository,
http://git.ghostscript.com/?p=ghostpdl.git
git revisions
b184e783702246e154294326d03d9abda669fcfa
ed6c5133a1004ce8d38f1b44de85a7186feda95e
5e57e483298dae8b8d4ec9aab37a526736ac2e97 and
73060a27e554f8e64ae2aba4a1b03822207346c7
2017-05-28 16:55:45 +02:00

29 lines
1.6 KiB
Diff
Raw Blame History

diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
index 94e5a4c..00f966b 100644 (file)
--- jbig2_image.c
+++ jbig2_image.c
@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
index 661d0a5..ae161b9 100644 (file)
--- jbig2_image.c
+++ jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
/* general OR case */
s = ss;
d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
}
if (leftbyte == rightbyte) {
Reference in a new issue View git blame Copy permalink