Blame SOURCES/CVE-2020-12268.patch

6805a5
From 24ddcfc7e37c0ce3b0f1852042ee431a53fd774c Mon Sep 17 00:00:00 2001
e9a6b2
From: Robin Watts <Robin.Watts@artifex.com>
e9a6b2
Date: Mon, 27 Jan 2020 10:12:24 -0800
e9a6b2
Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
e9a6b2
 jbig2_image_compose.
e9a6b2
e9a6b2
With extreme values of x/y/w/h we can get overflow. Test for this
e9a6b2
and exit safely.
e9a6b2
e9a6b2
Thanks to OSS-Fuzz for reporting.
e9a6b2
---
e9a6b2
 jbig2_image.c | 13 +++++++++++++
e9a6b2
 1 file changed, 13 insertions(+)
e9a6b2
e9a6b2
diff --git a/jbig2_image.c b/jbig2_image.c
6805a5
index 22e21ef..f036cef 100644
e9a6b2
--- a/jbig2_image.c
e9a6b2
+++ b/jbig2_image.c
6805a5
@@ -34,6 +34,10 @@
6805a5
 #define INT32_MAX  0x7fffffff
6805a5
 #endif
e9a6b2
 
e9a6b2
+#if !defined (UINT32_MAX)
e9a6b2
+#define UINT32_MAX  0xffffffffu
e9a6b2
+#endif
e9a6b2
+
e9a6b2
 /* allocate a Jbig2Image structure and its associated bitmap */
e9a6b2
 Jbig2Image *
e9a6b2
 jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
6805a5
@@ -255,6 +259,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
e9a6b2
     uint8_t *d, *dd;
e9a6b2
     uint8_t mask, rightmask;
e9a6b2
 
e9a6b2
+    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
e9a6b2
+        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
e9a6b2
+    {
e9a6b2
+#ifdef JBIG2_DEBUG
e9a6b2
+        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
e9a6b2
+#endif
e9a6b2
+        return 0;
e9a6b2
+    }
e9a6b2
+
6805a5
     if (src == NULL)
6805a5
         return 0;
6805a5
 
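Review bot: The added overflow guard reads `src->width` and `src->height` before the existing `if (src == NULL) return 0;` that follows it in this hunk, so a NULL `src` is dereferenced ahead of the check meant to catch it; the guard should move below the NULL test. The magnitude `(x > 0 ? x : -x)` is evaluated in signed `int`, so `x == INT_MIN` negates with undefined behaviour, and that is one of the extreme values the guard exists for; computing it unsigned, e.g. `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)` (and the same for `y`, assuming it is also `int`), avoids that and makes the comparison with `UINT32_MAX - src->width` explicit. The early `return 0` is reported only under `JBIG2_DEBUG`, so in a normal build the caller presumably cannot tell a rejected composition from a completed one; a comment such as `/* offsets would overflow uint32_t: skip composition, not treated as an error */` would record whether that is intended. The body of jbig2_image_compose starts and ends outside the hunk.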
e9a6b2
-- 
e9a6b2
2.26.2
e9a6b2