summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/image.scm3
-rw-r--r--gnu/packages/patches/jbig2dec-CVE-2016-9601.patch906
3 files changed, 909 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index b3829db2b9..9035753673 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -663,6 +663,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ilmbase-fix-tests.patch			\
   %D%/packages/patches/isl-0.11.1-aarch64-support.patch	\
   %D%/packages/patches/jbig2dec-ignore-testtest.patch		\
+  %D%/packages/patches/jbig2dec-CVE-2016-9601.patch		\
   %D%/packages/patches/jq-CVE-2015-8863.patch			\
   %D%/packages/patches/kdbusaddons-kinit-file-name.patch	\
   %D%/packages/patches/khmer-use-libraries.patch                \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index 51b09680a9..b5b3a7283d 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -458,7 +458,8 @@ arithmetic ops.")
                             name "-" version ".tar.gz"))
         (sha256
           (base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s"))
-        (patches (search-patches "jbig2dec-ignore-testtest.patch"))))
+        (patches (search-patches "jbig2dec-ignore-testtest.patch"
+                                 "jbig2dec-CVE-2016-9601.patch"))))
 
     (build-system gnu-build-system)
     (synopsis "Decoder of the JBIG2 image compression format")
diff --git a/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch b/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch
new file mode 100644
index 0000000000..f45209068f
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch
@@ -0,0 +1,906 @@
+Fix CVE-2016-9601:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601
+https://bugs.ghostscript.com/show_bug.cgi?id=697457
+
+Patch copied from upstream source repository:
+
+http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092
+
+From e698d5c11d27212aa1098bc5b1673a3378563092 Mon Sep 17 00:00:00 2001
+From: Robin Watts <robin.watts@artifex.com>
+Date: Mon, 12 Dec 2016 17:47:17 +0000
+Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build.
+
+Also rename "new" to "new_dict", because "new" is a bad
+variable name.
+---
+ jbig2.c             |  4 +--
+ jbig2.h             |  8 +++---
+ jbig2_generic.c     |  2 +-
+ jbig2_halftone.c    | 24 ++++++++----------
+ jbig2_huffman.c     | 10 ++++----
+ jbig2_huffman.h     |  2 +-
+ jbig2_image.c       | 32 +++++++++++------------
+ jbig2_mmr.c         | 66 +++++++++++++++++++++++++-----------------------
+ jbig2_page.c        |  6 ++---
+ jbig2_priv.h        |  4 +--
+ jbig2_segment.c     | 10 ++++----
+ jbig2_symbol_dict.c | 73 +++++++++++++++++++++++++++--------------------------
+ jbig2_symbol_dict.h |  6 ++---
+ jbig2_text.c        | 16 ++++++------
+ jbig2_text.h        |  2 +-
+ 15 files changed, 134 insertions(+), 131 deletions(-)
+
+diff --git a/jbig2.c b/jbig2.c
+index f729e29..e51380f 100644
+--- a/jbig2.c
++++ b/jbig2.c
+@@ -379,7 +379,7 @@ typedef struct {
+ } Jbig2WordStreamBuf;
+ 
+ static int
+-jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word)
++jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word)
+ {
+     Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self;
+     const byte *data = z->data;
+@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t
+     else if (offset > z->size)
+         return -1;
+     else {
+-        int i;
++        size_t i;
+ 
+         result = 0;
+         for (i = 0; i < z->size - offset; i++)
+diff --git a/jbig2.h b/jbig2.h
+index d5aa52f..624e0ed 100644
+--- a/jbig2.h
++++ b/jbig2.h
+@@ -56,17 +56,19 @@ typedef struct _Jbig2SymbolDictionary Jbig2SymbolDictionary;
+ */
+ 
+ struct _Jbig2Image {
+-    int width, height, stride;
++    uint32_t width;
++    uint32_t height;
++    uint32_t stride;
+     uint8_t *data;
+     int refcount;
+ };
+ 
+-Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height);
++Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height);
+ Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image);
+ void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image);
+ void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image);
+ void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value);
+-Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height);
++Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height);
+ 
+ /* errors are returned from the library via a callback. If no callback
+    is provided (a NULL argument is passed ot jbig2_ctx_new) a default
+diff --git a/jbig2_generic.c b/jbig2_generic.c
+index 02fdbfb..9656198 100644
+--- a/jbig2_generic.c
++++ b/jbig2_generic.c
+@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte
+     byte seg_flags;
+     int8_t gbat[8];
+     int offset;
+-    int gbat_bytes = 0;
++    uint32_t gbat_bytes = 0;
+     Jbig2GenericRegionParams params;
+     int code = 0;
+     Jbig2Image *image = NULL;
+diff --git a/jbig2_halftone.c b/jbig2_halftone.c
+index aeab576..acfbc56 100644
+--- a/jbig2_halftone.c
++++ b/jbig2_halftone.c
+@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
+ {
+     uint8_t **GSVALS = NULL;
+     size_t consumed_bytes = 0;
+-    int i, j, code, stride;
+-    int x, y;
++    uint32_t i, j, stride, x, y;
++    int code;
+     Jbig2Image **GSPLANES;
+     Jbig2GenericRegionParams rparams;
+     Jbig2WordStream *ws = NULL;
+@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
+         if (GSPLANES[i] == NULL) {
+             jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate %dx%d image for GSPLANES", GSW, GSH);
+             /* free already allocated */
+-            for (j = i - 1; j >= 0; --j) {
+-                jbig2_image_release(ctx, GSPLANES[j]);
+-            }
++            for (j = i; j > 0;)
++                jbig2_image_release(ctx, GSPLANES[--j]);
+             jbig2_free(ctx->allocator, GSPLANES);
+             return NULL;
+         }
+@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
+     }
+ 
+     /* C.5 step 2. Set j = GSBPP-2 */
+-    j = GSBPP - 2;
++    j = GSBPP - 1;
+     /* C.5 step 3. decode loop */
+-    while (j >= 0) {
++    while (j > 0) {
++        j--;
+         /*  C.5 step 3. (a) */
+         if (GSMMR) {
+             code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes);
+@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
+             GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i];
+ 
+         /*  C.5 step 3. (c) */
+-        --j;
+     }
+ 
+     /* allocate GSVALS */
+@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment,
+         if (GSVALS[i] == NULL) {
+             jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW);
+             /* free already allocated */
+-            for (j = i - 1; j >= 0; --j) {
+-                jbig2_free(ctx->allocator, GSVALS[j]);
+-            }
++            for (j = i; j > 0;)
++                jbig2_free(ctx->allocator, GSVALS[--j]);
+             jbig2_free(ctx->allocator, GSVALS);
+             GSVALS = NULL;
+             goto cleanup;
+@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
+     uint8_t **GI;
+     Jbig2Image *HSKIP = NULL;
+     Jbig2PatternDict *HPATS;
+-    int i;
++    uint32_t i;
+     uint32_t mg, ng;
+     int32_t x, y;
+     uint8_t gray_val;
+@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
+ 
+     /* calculate ceil(log2(HNUMPATS)) */
+     HBPP = 0;
+-    while (HNUMPATS > (1 << ++HBPP));
++    while (HNUMPATS > (1U << ++HBPP));
+ 
+     /* 6.6.5 point 4. decode gray-scale image as mentioned in annex C */
+     GI = jbig2_decode_gray_scale_image(ctx, segment, data, size,
+diff --git a/jbig2_huffman.c b/jbig2_huffman.c
+index 4521b48..f77981b 100644
+--- a/jbig2_huffman.c
++++ b/jbig2_huffman.c
+@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState {
+        is (offset + 4) * 8. */
+     uint32_t this_word;
+     uint32_t next_word;
+-    int offset_bits;
+-    int offset;
+-    int offset_limit;
++    uint32_t offset_bits;
++    uint32_t offset;
++    uint32_t offset_limit;
+ 
+     Jbig2WordStream *ws;
+     Jbig2Ctx *ctx;
+ };
+ 
+ static uint32_t
+-huff_get_next_word(Jbig2HuffmanState *hs, int offset)
++huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
+ {
+     uint32_t word = 0;
+     Jbig2WordStream *ws = hs->ws;
+@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
+ /* return the offset of the huffman decode pointer (in bytes)
+  * from the beginning of the WordStream
+  */
+-int
++uint32_t
+ jbig2_huffman_offset(Jbig2HuffmanState *hs)
+ {
+     return hs->offset + (hs->offset_bits >> 3);
+diff --git a/jbig2_huffman.h b/jbig2_huffman.h
+index 5d1e6e0..cfda9e0 100644
+--- a/jbig2_huffman.h
++++ b/jbig2_huffman.h
+@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs);
+ 
+ void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
+ 
+-int jbig2_huffman_offset(Jbig2HuffmanState *hs);
++uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
+ 
+ int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob);
+ 
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 1ae614e..94e5a4c 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -32,10 +32,10 @@
+ 
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+-jbig2_image_new(Jbig2Ctx *ctx, int width, int height)
++jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
+ {
+     Jbig2Image *image;
+-    int stride;
++    uint32_t stride;
+     int64_t check;
+ 
+     image = jbig2_new(ctx, Jbig2Image, 1);
+@@ -99,7 +99,7 @@ jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image)
+ 
+ /* resize a Jbig2Image */
+ Jbig2Image *
+-jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
++jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height)
+ {
+     if (width == image->width) {
+         /* check for integer multiplication overflow */
+@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height)
+ static int
+ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
+ {
+-    int i, j;
+-    int sw = src->width;
+-    int sh = src->height;
+-    int sx = 0;
+-    int sy = 0;
++    uint32_t i, j;
++    uint32_t sw = src->width;
++    uint32_t sh = src->height;
++    uint32_t sx = 0;
++    uint32_t sy = 0;
+ 
+     /* clip to the dst image boundaries */
+     if (x < 0) {
+@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x
+ int
+ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op)
+ {
+-    int i, j;
+-    int w, h;
+-    int leftbyte, rightbyte;
+-    int shift;
++    uint32_t i, j;
++    uint32_t w, h;
++    uint32_t leftbyte, rightbyte;
++    uint32_t shift;
+     uint8_t *s, *ss;
+     uint8_t *d, *dd;
+     uint8_t mask, rightmask;
+@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+         h += y;
+         y = 0;
+     }
+-    w = (x + w < dst->width) ? w : dst->width - x;
+-    h = (y + h < dst->height) ? h : dst->height - y;
++    w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0);
++    h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? dst->height - (uint32_t)y : 0);
+ #ifdef JBIG2_DEBUG
+     jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y);
+ #endif
+@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     }
+ #endif
+ 
+-    leftbyte = x >> 3;
+-    rightbyte = (x + w - 1) >> 3;
++    leftbyte = (uint32_t)x >> 3;
++    rightbyte = ((uint32_t)x + w - 1) >> 3;
+     shift = x & 7;
+ 
+     /* general OR case */
+diff --git a/jbig2_mmr.c b/jbig2_mmr.c
+index d4cd3a2..390e27c 100644
+--- a/jbig2_mmr.c
++++ b/jbig2_mmr.c
+@@ -38,19 +38,21 @@
+ #include "jbig2_mmr.h"
+ 
+ typedef struct {
+-    int width;
+-    int height;
++    uint32_t width;
++    uint32_t height;
+     const byte *data;
+     size_t size;
+-    int data_index;
+-    int bit_index;
++    uint32_t data_index;
++    uint32_t bit_index;
+     uint32_t word;
+ } Jbig2MmrCtx;
+ 
++#define MINUS1 ((uint32_t)-1)
++
+ static void
+ jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size)
+ {
+-    int i;
++    size_t i;
+     uint32_t word = 0;
+ 
+     mmr->width = width;
+@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
+ #define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
+ 
+ static int
+-jbig2_find_changing_element(const byte *line, int x, int w)
++jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ {
+     int a, b;
+ 
+     if (line == 0)
+-        return w;
++        return (int)w;
+ 
+-    if (x == -1) {
++    if (x == MINUS1) {
+         a = 0;
+         x = 0;
+     } else {
+@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w)
+ }
+ 
+ static int
+-jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color)
++jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
+ {
+     if (line == 0)
+         return w;
+@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 };
+ static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
+ 
+ static void
+-jbig2_set_bits(byte *line, int x0, int x1)
++jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1)
+ {
+-    int a0, a1, b0, b1, a;
++    uint32_t a0, a1, b0, b1, a;
+ 
+     a0 = x0 >> 3;
+     a1 = x1 >> 3;
+@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_
+ static int
+ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+ {
+-    int a0 = -1;
+-    int a1, a2, b1, b2;
++    uint32_t a0 = MINUS1;
++    uint32_t a1, a2, b1, b2;
+     int c = 0;                  /* 0 is white, black is 1 */
+ 
+     while (1) {
+@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+ 
+         /* printf ("%08x\n", word); */
+ 
+-        if (a0 >= mmr->width)
++        if (a0 != MINUS1 && a0 >= mmr->width)
+             break;
+ 
+         if ((word >> (32 - 3)) == 1) {
+@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+ 
+             jbig2_decode_mmr_consume(mmr, 3);
+ 
+-            if (a0 == -1)
++            if (a0 == MINUS1)
+                 a0 = 0;
+ 
+             if (c == 0) {
+@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+                     a1 = mmr->width;
+                 if (a2 > mmr->width)
+                     a2 = mmr->width;
+-                if (a2 < a1 || a1 < 0)
++                if (a1 == MINUS1 || a2 < a1)
+                     return -1;
+                 jbig2_set_bits(dst, a1, a2);
+                 a0 = a2;
+@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+                     a1 = mmr->width;
+                 if (a2 > mmr->width)
+                     a2 = mmr->width;
+-                if (a1 < a0 || a0 < 0)
++                if (a0 == MINUS1 || a1 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, a1);
+                 a0 = a2;
+@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+             b2 = jbig2_find_changing_element(ref, b1, mmr->width);
+             if (c) {
+-                if (b2 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b2 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b2);
+             }
+@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             jbig2_decode_mmr_consume(mmr, 1);
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+             if (c) {
+-                if (b1 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1);
+             }
+@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             if (b1 + 1 > mmr->width)
+                 break;
+             if (c) {
+-                if (b1 + 1 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 + 1 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 + 1);
+             }
+@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             if (b1 + 2 > mmr->width)
+                 break;
+             if (c) {
+-                if (b1 + 2 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 + 2 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 + 2);
+             }
+@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             /* printf ("VR(3)\n"); */
+             jbig2_decode_mmr_consume(mmr, 7);
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+-            if (b1 + 3 > mmr->width)
++            if (b1 + 3 > (int)mmr->width)
+                 break;
+             if (c) {
+-                if (b1 + 3 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 + 3 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 + 3);
+             }
+@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             /* printf ("VL(1)\n"); */
+             jbig2_decode_mmr_consume(mmr, 3);
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+-            if (b1 - 1 < 0)
++            if (b1 < 1)
+                 break;
+             if (c) {
+-                if (b1 - 1 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 - 1 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 - 1);
+             }
+@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             /* printf ("VL(2)\n"); */
+             jbig2_decode_mmr_consume(mmr, 6);
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+-            if (b1 - 2 < 0)
++            if (b1 < 2)
+                 break;
+             if (c) {
+                 if (b1 - 2 < a0 || a0 < 0)
+@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             /* printf ("VL(3)\n"); */
+             jbig2_decode_mmr_consume(mmr, 7);
+             b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
+-            if (b1 - 3 < 0)
++            if (b1 < 3)
+                 break;
+             if (c) {
+-                if (b1 - 3 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 - 3 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 - 3);
+             }
+@@ -1009,10 +1011,10 @@ int
+ jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image)
+ {
+     Jbig2MmrCtx mmr;
+-    const int rowstride = image->stride;
++    const uint32_t rowstride = image->stride;
+     byte *dst = image->data;
+     byte *ref = NULL;
+-    int y;
++    uint32_t y;
+     int code = 0;
+ 
+     jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size);
+@@ -1047,10 +1049,10 @@ int
+ jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes)
+ {
+     Jbig2MmrCtx mmr;
+-    const int rowstride = image->stride;
++    const uint32_t rowstride = image->stride;
+     byte *dst = image->data;
+     byte *ref = NULL;
+-    int y;
++    uint32_t y;
+     int code = 0;
+     const uint32_t EOFB = 0x001001;
+ 
+diff --git a/jbig2_page.c b/jbig2_page.c
+index 110ff7c..1ed1c8a 100644
+--- a/jbig2_page.c
++++ b/jbig2_page.c
+@@ -155,9 +155,9 @@ int
+ jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
+ {
+     Jbig2Page page = ctx->pages[ctx->current_page];
+-    int end_row;
++    uint32_t end_row;
+ 
+-    end_row = jbig2_get_int32(segment_data);
++    end_row = jbig2_get_uint32(segment_data);
+     if (end_row < page.end_row) {
+         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
+                     "end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row);
+@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x,
+ 
+     /* grow the page to accomodate a new stripe if necessary */
+     if (page->striped) {
+-        int new_height = y + image->height + page->end_row;
++        uint32_t new_height = y + image->height + page->end_row;
+ 
+         if (page->image->height < new_height) {
+             jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height);
+diff --git a/jbig2_priv.h b/jbig2_priv.h
+index 42ba496..3d44b42 100644
+--- a/jbig2_priv.h
++++ b/jbig2_priv.h
+@@ -132,7 +132,7 @@ struct _Jbig2Page {
+     uint32_t x_resolution, y_resolution;        /* in pixels per meter */
+     uint16_t stripe_size;
+     bool striped;
+-    int end_row;
++    uint32_t end_row;
+     uint8_t flags;
+     Jbig2Image *image;
+ };
+@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm
+ typedef struct _Jbig2WordStream Jbig2WordStream;
+ 
+ struct _Jbig2WordStream {
+-    int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word);
++    int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word);
+ };
+ 
+ Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size);
+diff --git a/jbig2_segment.c b/jbig2_segment.c
+index 2e0db67..5b63706 100644
+--- a/jbig2_segment.c
++++ b/jbig2_segment.c
+@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
+     uint8_t rtscarf;
+     uint32_t rtscarf_long;
+     uint32_t *referred_to_segments;
+-    int referred_to_segment_count;
+-    int referred_to_segment_size;
+-    int pa_size;
+-    int offset;
++    uint32_t referred_to_segment_count;
++    uint32_t referred_to_segment_size;
++    uint32_t pa_size;
++    uint32_t offset;
+ 
+     /* minimum possible size of a jbig2 segment header */
+     if (buf_size < 11)
+@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t
+ 
+     /* 7.2.5 */
+     if (referred_to_segment_count) {
+-        int i;
++        uint32_t i;
+ 
+         referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size);
+         if (referred_to_segments == NULL) {
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 2c71a4c..11a2252 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment)
+ 
+ /* return a new empty symbol dict */
+ Jbig2SymbolDict *
+-jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols)
++jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
+ {
+-    Jbig2SymbolDict *new = NULL;
++    Jbig2SymbolDict *new_dict = NULL;
+ 
+     if (n_symbols < 0) {
+         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
+         return NULL;
+     }
+ 
+-    new = jbig2_new(ctx, Jbig2SymbolDict, 1);
+-    if (new != NULL) {
+-        new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+-        new->n_symbols = n_symbols;
++    new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
++    if (new_dict != NULL) {
++        new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
++        new_dict->n_symbols = n_symbols;
+     } else {
+         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict");
+         return NULL;
+     }
+ 
+-    if (new->glyphs != NULL) {
+-        memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
++    if (new_dict->glyphs != NULL) {
++        memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *));
+     } else {
+         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict");
+-        jbig2_free(ctx->allocator, new);
++        jbig2_free(ctx->allocator, new_dict);
+         return NULL;
+     }
+ 
+-    return new;
++    return new_dict;
+ }
+ 
+ /* release the memory associated with a symbol dict */
+ void
+ jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict)
+ {
+-    int i;
++    uint32_t i;
+ 
+     if (dict == NULL)
+         return;
+@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id)
+ }
+ 
+ /* count the number of dictionary segments referred to by the given segment */
+-int
++uint32_t
+ jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
+ {
+     int index;
+     Jbig2Segment *rsegment;
+-    int n_dicts = 0;
++    uint32_t n_dicts = 0;
+ 
+     for (index = 0; index < segment->referred_to_segment_count; index++) {
+         rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]);
+@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
+     int index;
+     Jbig2Segment *rsegment;
+     Jbig2SymbolDict **dicts;
+-    int n_dicts = jbig2_sd_count_referred(ctx, segment);
+-    int dindex = 0;
++    uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
++    uint32_t dindex = 0;
+ 
+     dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts);
+     if (dicts == NULL) {
+@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment)
+ /* generate a new symbol dictionary by concatenating a list of
+    existing dictionaries */
+ Jbig2SymbolDict *
+-jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
++jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts)
+ {
+-    int i, j, k, symbols;
+-    Jbig2SymbolDict *new = NULL;
++    uint32_t i, j, k, symbols;
++    Jbig2SymbolDict *new_dict = NULL;
+ 
+     /* count the imported symbols and allocate a new array */
+     symbols = 0;
+@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts)
+         symbols += dicts[i]->n_symbols;
+ 
+     /* fill a new array with cloned glyph pointers */
+-    new = jbig2_sd_new(ctx, symbols);
+-    if (new != NULL) {
++    new_dict = jbig2_sd_new(ctx, symbols);
++    if (new_dict != NULL) {
+         k = 0;
+         for (i = 0; i < n_dicts; i++)
+             for (j = 0; j < dicts[i]->n_symbols; j++)
+-                new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
++                new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]);
+     } else {
+         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary");
+     }
+ 
+-    return new;
++    return new_dict;
+ }
+ 
+ /* Decoding routines */
+@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+ 
+                     if (REFAGGNINST > 1) {
+                         Jbig2Image *image;
+-                        int i;
++                        uint32_t i;
+ 
+                         if (tparams == NULL) {
+                             /* First time through, we need to initialise the */
+@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                         uint32_t ID;
+                         int32_t RDX, RDY;
+                         int BMSIZE = 0;
+-                        int ninsyms = params->SDNUMINSYMS;
++                        uint32_t ninsyms = params->SDNUMINSYMS;
+                         int code1 = 0;
+                         int code2 = 0;
+                         int code3 = 0;
+@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+         if (params->SDHUFF && !params->SDREFAGG) {
+             /* 6.5.9 */
+             Jbig2Image *image;
+-            int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
+-            int j, x;
++            uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code);
++            uint32_t j;
++            int x;
+ 
+             if (code || (BMSIZE < 0)) {
+                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
+@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary");
+         goto cleanup4;
+     } else {
+-        int i = 0;
+-        int j = 0;
+-        int k;
++        uint32_t i = 0;
++        uint32_t j = 0;
++        uint32_t k;
+         int exflag = 0;
+-        int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
+-        int32_t exrunlength;
++        uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
++        uint32_t exrunlength;
+         int zerolength = 0;
+ 
+         while (i < limit) {
+             if (params->SDHUFF)
+                 exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
+             else
+-                code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
++                code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
+             /* prevent infinite loop */
+             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+-            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
++            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+                 if (code)
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
+                 else if (exrunlength <= 0)
+@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
+ {
+     Jbig2SymbolDictParams params;
+     uint16_t flags;
+-    int sdat_bytes;
+-    int offset;
++    uint32_t sdat_bytes;
++    uint32_t offset;
+     Jbig2ArithCx *GB_stats = NULL;
+     Jbig2ArithCx *GR_stats = NULL;
+     int table_index = 0;
+@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen
+ 
+     /* 7.4.2.2 (2) */
+     {
+-        int n_dicts = jbig2_sd_count_referred(ctx, segment);
++        uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment);
+         Jbig2SymbolDict **dicts = NULL;
+ 
+         if (n_dicts > 0) {
+diff --git a/jbig2_symbol_dict.h b/jbig2_symbol_dict.h
+index d56d62d..30211d4 100644
+--- a/jbig2_symbol_dict.h
++++ b/jbig2_symbol_dict.h
+@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se
+ Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id);
+ 
+ /* return a new empty symbol dict */
+-Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols);
++Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols);
+ 
+ /* release the memory associated with a symbol dict */
+ void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict);
+ 
+ /* generate a new symbol dictionary by concatenating a list of
+    existing dictionaries */
+-Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts);
++Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts);
+ 
+ /* count the number of dictionary segments referred
+    to by the given segment */
+-int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
++uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment);
+ 
+ /* return an array of pointers to symbol dictionaries referred
+    to by a segment */
+diff --git a/jbig2_text.c b/jbig2_text.c
+index 5c99640..e77460f 100644
+--- a/jbig2_text.c
++++ b/jbig2_text.c
+@@ -55,7 +55,7 @@
+ int
+ jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
+                          const Jbig2TextRegionParams *params,
+-                         const Jbig2SymbolDict *const *dicts, const int n_dicts,
++                         const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
+                          Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws)
+ {
+     /* relevent bits of 6.4.4 */
+@@ -476,19 +476,19 @@ cleanup2:
+ int
+ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data)
+ {
+-    int offset = 0;
++    uint32_t offset = 0;
+     Jbig2RegionSegmentInfo region_info;
+     Jbig2TextRegionParams params;
+     Jbig2Image *image = NULL;
+     Jbig2SymbolDict **dicts = NULL;
+-    int n_dicts = 0;
++    uint32_t n_dicts = 0;
+     uint16_t flags = 0;
+     uint16_t huffman_flags = 0;
+     Jbig2ArithCx *GR_stats = NULL;
+     int code = 0;
+     Jbig2WordStream *ws = NULL;
+     Jbig2ArithState *as = NULL;
+-    int table_index = 0;
++    uint32_t table_index = 0;
+     const Jbig2HuffmanParams *huffman_params = NULL;
+ 
+     /* 7.4.1 */
+@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
+         code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! previous parsing error?");
+         goto cleanup1;
+     } else {
+-        int index;
++        uint32_t index;
+ 
+         if (dicts[0] == NULL) {
+             code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!");
+@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
+     }
+ 
+     if (!params.SBHUFF) {
+-        int SBSYMCODELEN, index;
+-        int SBNUMSYMS = 0;
++        uint32_t SBSYMCODELEN, index;
++        uint32_t SBNUMSYMS = 0;
+ 
+         for (index = 0; index < n_dicts; index++) {
+             SBNUMSYMS += dicts[index]->n_symbols;
+@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
+         }
+ 
+         /* Table 31 */
+-        for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
++        for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) {
+         }
+         params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
+         params.IARI = jbig2_arith_int_ctx_new(ctx);
+diff --git a/jbig2_text.h b/jbig2_text.h
+index aec2732..51d242e 100644
+--- a/jbig2_text.h
++++ b/jbig2_text.h
+@@ -70,5 +70,5 @@ typedef struct {
+ int
+ jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment,
+                          const Jbig2TextRegionParams *params,
+-                         const Jbig2SymbolDict *const *dicts, const int n_dicts,
++                         const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts,
+                          Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws);
+-- 
+2.9.1
+