|
 |
506676 |
From 377085a7fd41e01c0c1ad5d1c1f90b59e8257593
|
|
|
506676 |
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
|
|
|
506676 |
Subject: [PATCH] Fix two DPPRIV buffer overflows and a bug
|
|
|
506676 |
|
|
|
506676 |
* jbig.c:jbg_dec_in(): when a BIE with option DPPRIV=1 was received,
|
|
|
506676 |
the included private DP table (1728 bytes) was loaded into
|
|
|
506676 |
20-byte array s->buffer, creating a buffer overflow vulnerability.
|
|
|
506676 |
It is now loaded instead into a malloc'ed temporary buffer.
|
|
|
506676 |
|
|
|
506676 |
* jbig.c:jbg_dec_in(): buffer allocated for internal representation
|
|
|
506676 |
of private DP table was 1728 bytes long, but must be 6912 bytes long,
|
|
|
506676 |
creating another buffer overflow vulnerability.
|
|
|
506676 |
|
|
|
506676 |
* jbig.c: a loop in the routines for converting between the internal and
|
|
|
506676 |
external representations of a DP table terminated earlier than intended.
|
|
|
506676 |
As a result, a private DP table provided to the decoder was not
|
|
|
506676 |
interpreted correctly. Likewise, if a user asked the encoder to output
|
|
|
506676 |
its standard DP table (which is only useful for testing), the result
|
|
|
506676 |
would have been incorrect.
|
|
|
506676 |
|
|
|
506676 |
* tstcodec.c: test case for DPPRIV=1 added.
|
|
|
506676 |
|
|
|
506676 |
The buffer overflow vulnerability was reported by Florian Weimer (Red Hat)
|
|
|
506676 |
and has been assigned CVE-2013-6369.
|
|
|
506676 |
|
|
|
506676 |
None of these fixes should affect ABI compatibility; jbig.h remains unchanged.
|
|
|
506676 |
|
|
|
506676 |
All past releases of jbig.c are believed to be affected.
|
|
|
506676 |
The jbig85.c lightwight implementation was not affected.
|
|
|
506676 |
---
|
|
|
506676 |
libjbig/jbig.c | 16 ++++++++++------
|
|
|
506676 |
libjbig/tstcodec.c | 11 ++++++++---
|
|
|
506676 |
2 files changed, 18 insertions(+), 9 deletions(-)
|
|
|
506676 |
|
|
|
506676 |
diff --git a/libjbig/jbig.c b/libjbig/jbig.c
|
|
|
506676 |
index f3c35cc..48fc128 100644
|
|
|
506676 |
--- a/libjbig/jbig.c
|
|
|
506676 |
+++ b/libjbig/jbig.c
|
|
|
506676 |
@@ -1738,7 +1738,7 @@ void jbg_int2dppriv(unsigned char *dptable, const char *internal)
|
|
|
506676 |
#define FILL_TABLE1(offset, len, trans) \
|
|
|
506676 |
for (i = 0; i < len; i++) { \
|
|
|
506676 |
k = 0; \
|
|
|
506676 |
- for (j = 0; j < 8; j++) \
|
|
|
506676 |
+ for (j = 0; i >> j; j++) \
|
|
|
506676 |
k |= ((i >> j) & 1) << trans[j]; \
|
|
|
506676 |
dptable[(i + offset) >> 2] |= \
|
|
|
506676 |
(internal[k + offset] & 3) << ((3 - (i&3)) << 1); \
|
|
|
506676 |
@@ -1769,7 +1769,7 @@ void jbg_dppriv2int(char *internal, const unsigned char *dptable)
|
|
|
506676 |
#define FILL_TABLE2(offset, len, trans) \
|
|
|
506676 |
for (i = 0; i < len; i++) { \
|
|
|
506676 |
k = 0; \
|
|
|
506676 |
- for (j = 0; j < 8; j++) \
|
|
|
506676 |
+ for (j = 0; i >> j; j++) \
|
|
|
506676 |
k |= ((i >> j) & 1) << trans[j]; \
|
|
|
506676 |
internal[k + offset] = \
|
|
|
506676 |
(dptable[(i + offset) >> 2] >> ((3 - (i & 3)) << 1)) & 3; \
|
|
|
506676 |
@@ -2574,6 +2574,7 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
|
|
|
506676 |
unsigned long x, y;
|
|
|
506676 |
unsigned long is[3], ie[3];
|
|
|
506676 |
size_t dummy_cnt;
|
|
|
506676 |
+ unsigned char *dppriv;
|
|
|
506676 |
|
|
|
506676 |
if (!cnt) cnt = &dummy_cnt;
|
|
|
506676 |
*cnt = 0;
|
|
|
506676 |
@@ -2711,13 +2712,16 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
|
|
|
506676 |
(s->options & (JBG_DPON | JBG_DPPRIV | JBG_DPLAST)) ==
|
|
|
506676 |
(JBG_DPON | JBG_DPPRIV)) {
|
|
|
506676 |
assert(s->bie_len >= 20);
|
|
|
506676 |
+ if (!s->dppriv || s->dppriv == jbg_dptable)
|
|
|
506676 |
+ s->dppriv = (char *) checked_malloc(1728, sizeof(char));
|
|
|
506676 |
while (s->bie_len < 20 + 1728 && *cnt < len)
|
|
|
506676 |
- s->buffer[s->bie_len++ - 20] = data[(*cnt)++];
|
|
|
506676 |
+ s->dppriv[s->bie_len++ - 20] = data[(*cnt)++];
|
|
|
506676 |
if (s->bie_len < 20 + 1728)
|
|
|
506676 |
return JBG_EAGAIN;
|
|
|
506676 |
- if (!s->dppriv || s->dppriv == jbg_dptable)
|
|
|
506676 |
- s->dppriv = (char *) checked_malloc(1728, sizeof(char));
|
|
|
506676 |
- jbg_dppriv2int(s->dppriv, s->buffer);
|
|
|
506676 |
+ dppriv = s->dppriv;
|
|
|
506676 |
+ s->dppriv = (char *) checked_malloc(6912, sizeof(char));
|
|
|
506676 |
+ jbg_dppriv2int(s->dppriv, dppriv);
|
|
|
506676 |
+ checked_free(dppriv);
|
|
|
506676 |
}
|
|
|
506676 |
|
|
|
506676 |
/*
|
|
|
506676 |
diff --git a/libjbig/tstcodec.c b/libjbig/tstcodec.c
|
|
|
506676 |
index 44bae57..6289748 100644
|
|
|
506676 |
--- a/libjbig/tstcodec.c
|
|
|
506676 |
+++ b/libjbig/tstcodec.c
|
|
|
506676 |
@@ -483,11 +483,16 @@ int main(int argc, char **argv)
|
|
|
506676 |
problems += test_cycle(&pp, 1960, 1951,
|
|
|
506676 |
JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON,
|
|
|
506676 |
0, 6, 1, 2, 8, 279314L, "3.4");
|
|
|
506676 |
-#if 0
|
|
|
506676 |
- puts("Test 3.5: as Test 3.4 but with order bit SEQ set");
|
|
|
506676 |
+ puts("Test 3.5: as Test 3.4 but with DPPRIV=1");
|
|
|
506676 |
+ problems += test_cycle(&pp, 1960, 1951,
|
|
|
506676 |
+ JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON |
|
|
|
506676 |
+ JBG_DPPRIV,
|
|
|
506676 |
+ 0, 6, 1, 2, 8, 279314L + 1728, "3.5");
|
|
|
506676 |
+#if 0 /* Note: option SEQ is currently not supported by the decoder */
|
|
|
506676 |
+ puts("Test 3.6: as Test 3.4 but with order bit SEQ set");
|
|
|
506676 |
problems += test_cycle(&pp, 1960, 1951,
|
|
|
506676 |
JBG_DELAY_AT | JBG_TPBON | JBG_TPDON | JBG_DPON,
|
|
|
506676 |
- JBG_SEQ, 6, 1, 2, 8, 279314L, "3.5");
|
|
|
506676 |
+ JBG_SEQ, 6, 1, 2, 8, 279314L, "3.6");
|
|
|
506676 |
#endif
|
|
|
506676 |
#endif
|
|
|
506676 |
|
|
|
506676 |
--
|
|
|
506676 |
1.7.9.5
|
|
|
506676 |
|
|
|
506676 |
|