Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/local.mk | 4 | ||||
-rw-r--r-- | gnu/packages/image.scm | 11 | ||||
-rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2016-9601.patch | 906 | ||||
-rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2017-7885.patch | 38 | ||||
-rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2017-7975.patch | 40 | ||||
-rw-r--r-- | gnu/packages/patches/jbig2dec-CVE-2017-7976.patch | 122 | ||||
-rw-r--r-- | gnu/packages/patches/jbig2dec-ignore-testtest.patch | 6 |
7 files changed, 6 insertions, 1121 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index eb61fe8d07..d0516f2740 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -749,10 +749,6 @@ dist_patch_DATA = \ %D%/packages/patches/jacal-fix-texinfo.patch \ %D%/packages/patches/java-powermock-fix-java-files.patch \ %D%/packages/patches/jbig2dec-ignore-testtest.patch \ - %D%/packages/patches/jbig2dec-CVE-2016-9601.patch \ - %D%/packages/patches/jbig2dec-CVE-2017-7885.patch \ - %D%/packages/patches/jbig2dec-CVE-2017-7975.patch \ - %D%/packages/patches/jbig2dec-CVE-2017-7976.patch \ %D%/packages/patches/jq-CVE-2015-8863.patch \ %D%/packages/patches/kdbusaddons-kinit-file-name.patch \ %D%/packages/patches/khmer-use-libraries.patch \ diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm index d007aea6f1..bc1ad88c65 100644 --- a/gnu/packages/image.scm +++ b/gnu/packages/image.scm @@ -479,20 +479,15 @@ arithmetic ops.") (define-public jbig2dec (package (name "jbig2dec") - (version "0.13") + (version "0.14") (source (origin (method url-fetch) (uri (string-append "http://downloads.ghostscript.com/public/" name "/" name "-" version ".tar.gz")) (sha256 - (base32 "04akiwab8iy5iy34razcvh9mcja9wy737civ3sbjxk4j143s1b2s")) - (patches (search-patches "jbig2dec-ignore-testtest.patch" - "jbig2dec-CVE-2016-9601.patch" - "jbig2dec-CVE-2017-7885.patch" - "jbig2dec-CVE-2017-7975.patch" - "jbig2dec-CVE-2017-7976.patch")))) - + (base32 "0k01hp0q4275fj4rbr1gy64svfraw5w7wvwl08yjhvsnpb1rid11")) + (patches (search-patches "jbig2dec-ignore-testtest.patch")))) (build-system gnu-build-system) (synopsis "Decoder of the JBIG2 image compression format") (description diff --git a/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch b/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch deleted file mode 100644 index f45209068f..0000000000 --- a/gnu/packages/patches/jbig2dec-CVE-2016-9601.patch +++ /dev/null 
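Review bot: The `jbig2dec` hunk in gnu/packages/image.scm drops the patches for CVE-2016-9601, CVE-2017-7885, CVE-2017-7975 and CVE-2017-7976 in the same step as the bump to `(version "0.14")`, and nothing visible on this page records that the 0.14 tarball carries those fixes. Before relying on the removal, check that the upstream commits named in the deleted patch headers (e.g. e698d5c11d27…, 258290340bb6…, f8992b8fe65c…) are part of the 0.14 release, then state that in the commit log or next to the version field, for instance `;; 0.14 includes the fixes for CVE-2016-9601, CVE-2017-7885, CVE-2017-7975 and CVE-2017-7976.` The unchanged `uri` still fetches over `http://`. The new `base32` hash pins the content, so this is a lower-priority hardening point than the patch audit. The package definition continues past the end of the hunk.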
@@ -1,906 +0,0 @@ -Fix CVE-2016-9601: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9601 -https://bugs.ghostscript.com/show_bug.cgi?id=697457 - -Patch copied from upstream source repository: - -http://git.ghostscript.com/?p=jbig2dec.git;a=commitdiff;h=e698d5c11d27212aa1098bc5b1673a3378563092 - -From e698d5c11d27212aa1098bc5b1673a3378563092 Mon Sep 17 00:00:00 2001 -From: Robin Watts <robin.watts@artifex.com> -Date: Mon, 12 Dec 2016 17:47:17 +0000 -Subject: [PATCH] Squash signed/unsigned warnings in MSVC jbig2 build. - -Also rename "new" to "new_dict", because "new" is a bad -variable name. ---- - jbig2.c | 4 +-- - jbig2.h | 8 +++--- - jbig2_generic.c | 2 +- - jbig2_halftone.c | 24 ++++++++---------- - jbig2_huffman.c | 10 ++++---- - jbig2_huffman.h | 2 +- - jbig2_image.c | 32 +++++++++++------------ - jbig2_mmr.c | 66 +++++++++++++++++++++++++----------------------- - jbig2_page.c | 6 ++--- - jbig2_priv.h | 4 +-- - jbig2_segment.c | 10 ++++---- - jbig2_symbol_dict.c | 73 +++++++++++++++++++++++++++-------------------------- - jbig2_symbol_dict.h | 6 ++--- - jbig2_text.c | 16 ++++++------ - jbig2_text.h | 2 +- - 15 files changed, 134 insertions(+), 131 deletions(-) - -diff --git a/jbig2.c b/jbig2.c -index f729e29..e51380f 100644 ---- a/jbig2.c -+++ b/jbig2.c -@@ -379,7 +379,7 @@ typedef struct { - } Jbig2WordStreamBuf; - - static int --jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t *word) -+jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, size_t offset, uint32_t *word) - { - Jbig2WordStreamBuf *z = (Jbig2WordStreamBuf *) self; - const byte *data = z->data; -@@ -390,7 +390,7 @@ jbig2_word_stream_buf_get_next_word(Jbig2WordStream *self, int offset, uint32_t - else if (offset > z->size) - return -1; - else { -- int i; -+ size_t i; - - result = 0; - for (i = 0; i < z->size - offset; i++) -diff --git a/jbig2.h b/jbig2.h -index d5aa52f..624e0ed 100644 ---- a/jbig2.h -+++ b/jbig2.h -@@ -56,17 +56,19 @@ typedef struct 
_Jbig2SymbolDictionary Jbig2SymbolDictionary; - */ - - struct _Jbig2Image { -- int width, height, stride; -+ uint32_t width; -+ uint32_t height; -+ uint32_t stride; - uint8_t *data; - int refcount; - }; - --Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, int width, int height); -+Jbig2Image *jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height); - Jbig2Image *jbig2_image_clone(Jbig2Ctx *ctx, Jbig2Image *image); - void jbig2_image_release(Jbig2Ctx *ctx, Jbig2Image *image); - void jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image); - void jbig2_image_clear(Jbig2Ctx *ctx, Jbig2Image *image, int value); --Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height); -+Jbig2Image *jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height); - - /* errors are returned from the library via a callback. If no callback - is provided (a NULL argument is passed ot jbig2_ctx_new) a default -diff --git a/jbig2_generic.c b/jbig2_generic.c -index 02fdbfb..9656198 100644 ---- a/jbig2_generic.c -+++ b/jbig2_generic.c -@@ -718,7 +718,7 @@ jbig2_immediate_generic_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte - byte seg_flags; - int8_t gbat[8]; - int offset; -- int gbat_bytes = 0; -+ uint32_t gbat_bytes = 0; - Jbig2GenericRegionParams params; - int code = 0; - Jbig2Image *image = NULL; -diff --git a/jbig2_halftone.c b/jbig2_halftone.c -index aeab576..acfbc56 100644 ---- a/jbig2_halftone.c -+++ b/jbig2_halftone.c -@@ -257,8 +257,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment, - { - uint8_t **GSVALS = NULL; - size_t consumed_bytes = 0; -- int i, j, code, stride; -- int x, y; -+ uint32_t i, j, stride, x, y; -+ int code; - Jbig2Image **GSPLANES; - Jbig2GenericRegionParams rparams; - Jbig2WordStream *ws = NULL; -@@ -276,9 +276,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment, - if (GSPLANES[i] == NULL) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to 
allocate %dx%d image for GSPLANES", GSW, GSH); - /* free already allocated */ -- for (j = i - 1; j >= 0; --j) { -- jbig2_image_release(ctx, GSPLANES[j]); -- } -+ for (j = i; j > 0;) -+ jbig2_image_release(ctx, GSPLANES[--j]); - jbig2_free(ctx->allocator, GSPLANES); - return NULL; - } -@@ -323,9 +322,10 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment, - } - - /* C.5 step 2. Set j = GSBPP-2 */ -- j = GSBPP - 2; -+ j = GSBPP - 1; - /* C.5 step 3. decode loop */ -- while (j >= 0) { -+ while (j > 0) { -+ j--; - /* C.5 step 3. (a) */ - if (GSMMR) { - code = jbig2_decode_halftone_mmr(ctx, &rparams, data + consumed_bytes, size - consumed_bytes, GSPLANES[j], &consumed_bytes); -@@ -345,7 +345,6 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment, - GSPLANES[j]->data[i] ^= GSPLANES[j + 1]->data[i]; - - /* C.5 step 3. (c) */ -- --j; - } - - /* allocate GSVALS */ -@@ -359,9 +358,8 @@ jbig2_decode_gray_scale_image(Jbig2Ctx *ctx, Jbig2Segment *segment, - if (GSVALS[i] == NULL) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate GSVALS: %d bytes", GSH * GSW); - /* free already allocated */ -- for (j = i - 1; j >= 0; --j) { -- jbig2_free(ctx->allocator, GSVALS[j]); -- } -+ for (j = i; j > 0;) -+ jbig2_free(ctx->allocator, GSVALS[--j]); - jbig2_free(ctx->allocator, GSVALS); - GSVALS = NULL; - goto cleanup; -@@ -450,7 +448,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, - uint8_t **GI; - Jbig2Image *HSKIP = NULL; - Jbig2PatternDict *HPATS; -- int i; -+ uint32_t i; - uint32_t mg, ng; - int32_t x, y; - uint8_t gray_val; -@@ -476,7 +474,7 @@ jbig2_decode_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, - - /* calculate ceil(log2(HNUMPATS)) */ - HBPP = 0; -- while (HNUMPATS > (1 << ++HBPP)); -+ while (HNUMPATS > (1U << ++HBPP)); - - /* 6.6.5 point 4. 
decode gray-scale image as mentioned in annex C */ - GI = jbig2_decode_gray_scale_image(ctx, segment, data, size, -diff --git a/jbig2_huffman.c b/jbig2_huffman.c -index 4521b48..f77981b 100644 ---- a/jbig2_huffman.c -+++ b/jbig2_huffman.c -@@ -47,16 +47,16 @@ struct _Jbig2HuffmanState { - is (offset + 4) * 8. */ - uint32_t this_word; - uint32_t next_word; -- int offset_bits; -- int offset; -- int offset_limit; -+ uint32_t offset_bits; -+ uint32_t offset; -+ uint32_t offset_limit; - - Jbig2WordStream *ws; - Jbig2Ctx *ctx; - }; - - static uint32_t --huff_get_next_word(Jbig2HuffmanState *hs, int offset) -+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset) - { - uint32_t word = 0; - Jbig2WordStream *ws = hs->ws; -@@ -213,7 +213,7 @@ jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset) - /* return the offset of the huffman decode pointer (in bytes) - * from the beginning of the WordStream - */ --int -+uint32_t - jbig2_huffman_offset(Jbig2HuffmanState *hs) - { - return hs->offset + (hs->offset_bits >> 3); -diff --git a/jbig2_huffman.h b/jbig2_huffman.h -index 5d1e6e0..cfda9e0 100644 ---- a/jbig2_huffman.h -+++ b/jbig2_huffman.h -@@ -64,7 +64,7 @@ void jbig2_huffman_skip(Jbig2HuffmanState *hs); - - void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset); - --int jbig2_huffman_offset(Jbig2HuffmanState *hs); -+uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs); - - int32_t jbig2_huffman_get(Jbig2HuffmanState *hs, const Jbig2HuffmanTable *table, bool *oob); - -diff --git a/jbig2_image.c b/jbig2_image.c -index 1ae614e..94e5a4c 100644 ---- a/jbig2_image.c -+++ b/jbig2_image.c -@@ -32,10 +32,10 @@ - - /* allocate a Jbig2Image structure and its associated bitmap */ - Jbig2Image * --jbig2_image_new(Jbig2Ctx *ctx, int width, int height) -+jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height) - { - Jbig2Image *image; -- int stride; -+ uint32_t stride; - int64_t check; - - image = jbig2_new(ctx, Jbig2Image, 1); -@@ -99,7 +99,7 @@ 
jbig2_image_free(Jbig2Ctx *ctx, Jbig2Image *image) - - /* resize a Jbig2Image */ - Jbig2Image * --jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height) -+jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, uint32_t width, uint32_t height) - { - if (width == image->width) { - /* check for integer multiplication overflow */ -@@ -133,11 +133,11 @@ jbig2_image_resize(Jbig2Ctx *ctx, Jbig2Image *image, int width, int height) - static int - jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op) - { -- int i, j; -- int sw = src->width; -- int sh = src->height; -- int sx = 0; -- int sy = 0; -+ uint32_t i, j; -+ uint32_t sw = src->width; -+ uint32_t sh = src->height; -+ uint32_t sx = 0; -+ uint32_t sy = 0; - - /* clip to the dst image boundaries */ - if (x < 0) { -@@ -200,10 +200,10 @@ jbig2_image_compose_unopt(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x - int - jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int y, Jbig2ComposeOp op) - { -- int i, j; -- int w, h; -- int leftbyte, rightbyte; -- int shift; -+ uint32_t i, j; -+ uint32_t w, h; -+ uint32_t leftbyte, rightbyte; -+ uint32_t shift; - uint8_t *s, *ss; - uint8_t *d, *dd; - uint8_t mask, rightmask; -@@ -226,8 +226,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - h += y; - y = 0; - } -- w = (x + w < dst->width) ? w : dst->width - x; -- h = (y + h < dst->height) ? h : dst->height - y; -+ w = ((uint32_t)x + w < dst->width) ? w : ((dst->width >= (uint32_t)x) ? dst->width - (uint32_t)x : 0); -+ h = ((uint32_t)y + h < dst->height) ? h : ((dst->height >= (uint32_t)y) ? 
dst->height - (uint32_t)y : 0); - #ifdef JBIG2_DEBUG - jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "compositing %dx%d at (%d, %d) after clipping\n", w, h, x, y); - #endif -@@ -249,8 +249,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - } - #endif - -- leftbyte = x >> 3; -- rightbyte = (x + w - 1) >> 3; -+ leftbyte = (uint32_t)x >> 3; -+ rightbyte = ((uint32_t)x + w - 1) >> 3; - shift = x & 7; - - /* general OR case */ -diff --git a/jbig2_mmr.c b/jbig2_mmr.c -index d4cd3a2..390e27c 100644 ---- a/jbig2_mmr.c -+++ b/jbig2_mmr.c -@@ -38,19 +38,21 @@ - #include "jbig2_mmr.h" - - typedef struct { -- int width; -- int height; -+ uint32_t width; -+ uint32_t height; - const byte *data; - size_t size; -- int data_index; -- int bit_index; -+ uint32_t data_index; -+ uint32_t bit_index; - uint32_t word; - } Jbig2MmrCtx; - -+#define MINUS1 ((uint32_t)-1) -+ - static void - jbig2_decode_mmr_init(Jbig2MmrCtx *mmr, int width, int height, const byte *data, size_t size) - { -- int i; -+ size_t i; - uint32_t word = 0; - - mmr->width = width; -@@ -732,14 +734,14 @@ const mmr_table_node jbig2_mmr_black_decode[] = { - #define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 ) - - static int --jbig2_find_changing_element(const byte *line, int x, int w) -+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w) - { - int a, b; - - if (line == 0) -- return w; -+ return (int)w; - -- if (x == -1) { -+ if (x == MINUS1) { - a = 0; - x = 0; - } else { -@@ -758,7 +760,7 @@ jbig2_find_changing_element(const byte *line, int x, int w) - } - - static int --jbig2_find_changing_element_of_color(const byte *line, int x, int w, int color) -+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color) - { - if (line == 0) - return w; -@@ -772,9 +774,9 @@ static const byte lm[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0x0F, 0x07, 0x03, 0x01 }; - static const byte rm[8] = { 0x00, 0x80, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE }; - - static 
void --jbig2_set_bits(byte *line, int x0, int x1) -+jbig2_set_bits(byte *line, uint32_t x0, uint32_t x1) - { -- int a0, a1, b0, b1, a; -+ uint32_t a0, a1, b0, b1, a; - - a0 = x0 >> 3; - a1 = x1 >> 3; -@@ -831,8 +833,8 @@ jbig2_decode_get_run(Jbig2MmrCtx *mmr, const mmr_table_node *table, int initial_ - static int - jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - { -- int a0 = -1; -- int a1, a2, b1, b2; -+ uint32_t a0 = MINUS1; -+ uint32_t a1, a2, b1, b2; - int c = 0; /* 0 is white, black is 1 */ - - while (1) { -@@ -840,7 +842,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - - /* printf ("%08x\n", word); */ - -- if (a0 >= mmr->width) -+ if (a0 != MINUS1 && a0 >= mmr->width) - break; - - if ((word >> (32 - 3)) == 1) { -@@ -848,7 +850,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - - jbig2_decode_mmr_consume(mmr, 3); - -- if (a0 == -1) -+ if (a0 == MINUS1) - a0 = 0; - - if (c == 0) { -@@ -860,7 +862,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - a1 = mmr->width; - if (a2 > mmr->width) - a2 = mmr->width; -- if (a2 < a1 || a1 < 0) -+ if (a1 == MINUS1 || a2 < a1) - return -1; - jbig2_set_bits(dst, a1, a2); - a0 = a2; -@@ -874,7 +876,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - a1 = mmr->width; - if (a2 > mmr->width) - a2 = mmr->width; -- if (a1 < a0 || a0 < 0) -+ if (a0 == MINUS1 || a1 < a0) - return -1; - jbig2_set_bits(dst, a0, a1); - a0 = a2; -@@ -888,7 +890,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); - b2 = jbig2_find_changing_element(ref, b1, mmr->width); - if (c) { -- if (b2 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b2 < a0) - return -1; - jbig2_set_bits(dst, a0, b2); - } -@@ -900,7 +902,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - jbig2_decode_mmr_consume(mmr, 1); - b1 = 
jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); - if (c) { -- if (b1 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 < a0) - return -1; - jbig2_set_bits(dst, a0, b1); - } -@@ -915,7 +917,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - if (b1 + 1 > mmr->width) - break; - if (c) { -- if (b1 + 1 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 + 1 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 + 1); - } -@@ -930,7 +932,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - if (b1 + 2 > mmr->width) - break; - if (c) { -- if (b1 + 2 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 + 2 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 + 2); - } -@@ -942,10 +944,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - /* printf ("VR(3)\n"); */ - jbig2_decode_mmr_consume(mmr, 7); - b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); -- if (b1 + 3 > mmr->width) -+ if (b1 + 3 > (int)mmr->width) - break; - if (c) { -- if (b1 + 3 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 + 3 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 + 3); - } -@@ -957,10 +959,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - /* printf ("VL(1)\n"); */ - jbig2_decode_mmr_consume(mmr, 3); - b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); -- if (b1 - 1 < 0) -+ if (b1 < 1) - break; - if (c) { -- if (b1 - 1 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 - 1 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 - 1); - } -@@ -972,7 +974,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - /* printf ("VL(2)\n"); */ - jbig2_decode_mmr_consume(mmr, 6); - b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); -- if (b1 - 2 < 0) -+ if (b1 < 2) - break; - if (c) { - if (b1 - 2 < a0 || a0 < 0) -@@ -987,10 +989,10 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - /* printf ("VL(3)\n"); */ - jbig2_decode_mmr_consume(mmr, 7); - b1 = 
jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c); -- if (b1 - 3 < 0) -+ if (b1 < 3) - break; - if (c) { -- if (b1 - 3 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 - 3 < a0) - return -1; - jbig2_set_bits(dst, a0, b1 - 3); - } -@@ -1009,10 +1011,10 @@ int - jbig2_decode_generic_mmr(Jbig2Ctx *ctx, Jbig2Segment *segment, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image) - { - Jbig2MmrCtx mmr; -- const int rowstride = image->stride; -+ const uint32_t rowstride = image->stride; - byte *dst = image->data; - byte *ref = NULL; -- int y; -+ uint32_t y; - int code = 0; - - jbig2_decode_mmr_init(&mmr, image->width, image->height, data, size); -@@ -1047,10 +1049,10 @@ int - jbig2_decode_halftone_mmr(Jbig2Ctx *ctx, const Jbig2GenericRegionParams *params, const byte *data, size_t size, Jbig2Image *image, size_t *consumed_bytes) - { - Jbig2MmrCtx mmr; -- const int rowstride = image->stride; -+ const uint32_t rowstride = image->stride; - byte *dst = image->data; - byte *ref = NULL; -- int y; -+ uint32_t y; - int code = 0; - const uint32_t EOFB = 0x001001; - -diff --git a/jbig2_page.c b/jbig2_page.c -index 110ff7c..1ed1c8a 100644 ---- a/jbig2_page.c -+++ b/jbig2_page.c -@@ -155,9 +155,9 @@ int - jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data) - { - Jbig2Page page = ctx->pages[ctx->current_page]; -- int end_row; -+ uint32_t end_row; - -- end_row = jbig2_get_int32(segment_data); -+ end_row = jbig2_get_uint32(segment_data); - if (end_row < page.end_row) { - jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, - "end of stripe segment with non-positive end row advance" " (new end row %d vs current end row %d)", end_row, page.end_row); -@@ -248,7 +248,7 @@ jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image, int x, - - /* grow the page to accomodate a new stripe if necessary */ - if (page->striped) { -- int new_height = y + image->height + page->end_row; -+ uint32_t 
new_height = y + image->height + page->end_row; - - if (page->image->height < new_height) { - jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "growing page buffer to %d rows " "to accomodate new stripe", new_height); -diff --git a/jbig2_priv.h b/jbig2_priv.h -index 42ba496..3d44b42 100644 ---- a/jbig2_priv.h -+++ b/jbig2_priv.h -@@ -132,7 +132,7 @@ struct _Jbig2Page { - uint32_t x_resolution, y_resolution; /* in pixels per meter */ - uint16_t stripe_size; - bool striped; -- int end_row; -+ uint32_t end_row; - uint8_t flags; - Jbig2Image *image; - }; -@@ -182,7 +182,7 @@ int jbig2_halftone_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segm - typedef struct _Jbig2WordStream Jbig2WordStream; - - struct _Jbig2WordStream { -- int (*get_next_word)(Jbig2WordStream *self, int offset, uint32_t *word); -+ int (*get_next_word)(Jbig2WordStream *self, size_t offset, uint32_t *word); - }; - - Jbig2WordStream *jbig2_word_stream_buf_new(Jbig2Ctx *ctx, const byte *data, size_t size); -diff --git a/jbig2_segment.c b/jbig2_segment.c -index 2e0db67..5b63706 100644 ---- a/jbig2_segment.c -+++ b/jbig2_segment.c -@@ -39,10 +39,10 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t - uint8_t rtscarf; - uint32_t rtscarf_long; - uint32_t *referred_to_segments; -- int referred_to_segment_count; -- int referred_to_segment_size; -- int pa_size; -- int offset; -+ uint32_t referred_to_segment_count; -+ uint32_t referred_to_segment_size; -+ uint32_t pa_size; -+ uint32_t offset; - - /* minimum possible size of a jbig2 segment header */ - if (buf_size < 11) -@@ -83,7 +83,7 @@ jbig2_parse_segment_header(Jbig2Ctx *ctx, uint8_t *buf, size_t buf_size, size_t - - /* 7.2.5 */ - if (referred_to_segment_count) { -- int i; -+ uint32_t i; - - referred_to_segments = jbig2_new(ctx, uint32_t, referred_to_segment_count * referred_to_segment_size); - if (referred_to_segments == NULL) { -diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c -index 2c71a4c..11a2252 100644 ---- 
a/jbig2_symbol_dict.c -+++ b/jbig2_symbol_dict.c -@@ -88,40 +88,40 @@ jbig2_dump_symbol_dict(Jbig2Ctx *ctx, Jbig2Segment *segment) - - /* return a new empty symbol dict */ - Jbig2SymbolDict * --jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols) -+jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) - { -- Jbig2SymbolDict *new = NULL; -+ Jbig2SymbolDict *new_dict = NULL; - - if (n_symbols < 0) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); - return NULL; - } - -- new = jbig2_new(ctx, Jbig2SymbolDict, 1); -- if (new != NULL) { -- new->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); -- new->n_symbols = n_symbols; -+ new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); -+ if (new_dict != NULL) { -+ new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); -+ new_dict->n_symbols = n_symbols; - } else { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate new empty symbol dict"); - return NULL; - } - -- if (new->glyphs != NULL) { -- memset(new->glyphs, 0, n_symbols * sizeof(Jbig2Image *)); -+ if (new_dict->glyphs != NULL) { -+ memset(new_dict->glyphs, 0, n_symbols * sizeof(Jbig2Image *)); - } else { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "unable to allocate glyphs for new empty symbol dict"); -- jbig2_free(ctx->allocator, new); -+ jbig2_free(ctx->allocator, new_dict); - return NULL; - } - -- return new; -+ return new_dict; - } - - /* release the memory associated with a symbol dict */ - void - jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict) - { -- int i; -+ uint32_t i; - - if (dict == NULL) - return; -@@ -142,12 +142,12 @@ jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id) - } - - /* count the number of dictionary segments referred to by the given segment */ --int -+uint32_t - jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment) - { - int index; - Jbig2Segment *rsegment; -- int n_dicts = 0; -+ uint32_t n_dicts = 0; - - for (index = 0; index < segment->referred_to_segment_count; index++) { 
- rsegment = jbig2_find_segment(ctx, segment->referred_to_segments[index]); -@@ -166,8 +166,8 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment) - int index; - Jbig2Segment *rsegment; - Jbig2SymbolDict **dicts; -- int n_dicts = jbig2_sd_count_referred(ctx, segment); -- int dindex = 0; -+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment); -+ uint32_t dindex = 0; - - dicts = jbig2_new(ctx, Jbig2SymbolDict *, n_dicts); - if (dicts == NULL) { -@@ -195,10 +195,10 @@ jbig2_sd_list_referred(Jbig2Ctx *ctx, Jbig2Segment *segment) - /* generate a new symbol dictionary by concatenating a list of - existing dictionaries */ - Jbig2SymbolDict * --jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts) -+jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts) - { -- int i, j, k, symbols; -- Jbig2SymbolDict *new = NULL; -+ uint32_t i, j, k, symbols; -+ Jbig2SymbolDict *new_dict = NULL; - - /* count the imported symbols and allocate a new array */ - symbols = 0; -@@ -206,17 +206,17 @@ jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts) - symbols += dicts[i]->n_symbols; - - /* fill a new array with cloned glyph pointers */ -- new = jbig2_sd_new(ctx, symbols); -- if (new != NULL) { -+ new_dict = jbig2_sd_new(ctx, symbols); -+ if (new_dict != NULL) { - k = 0; - for (i = 0; i < n_dicts; i++) - for (j = 0; j < dicts[i]->n_symbols; j++) -- new->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]); -+ new_dict->glyphs[k++] = jbig2_image_clone(ctx, dicts[i]->glyphs[j]); - } else { - jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1, "failed to allocate new symbol dictionary"); - } - -- return new; -+ return new_dict; - } - - /* Decoding routines */ -@@ -431,7 +431,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - - if (REFAGGNINST > 1) { - Jbig2Image *image; -- int i; -+ uint32_t i; - - if (tparams == NULL) { - /* First time through, we need to initialise the */ -@@ -512,7 +512,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - uint32_t 
ID; - int32_t RDX, RDY; - int BMSIZE = 0; -- int ninsyms = params->SDNUMINSYMS; -+ uint32_t ninsyms = params->SDNUMINSYMS; - int code1 = 0; - int code2 = 0; - int code3 = 0; -@@ -609,8 +609,9 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - if (params->SDHUFF && !params->SDREFAGG) { - /* 6.5.9 */ - Jbig2Image *image; -- int BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code); -- int j, x; -+ uint32_t BMSIZE = jbig2_huffman_get(hs, params->SDHUFFBMSIZE, &code); -+ uint32_t j; -+ int x; - - if (code || (BMSIZE < 0)) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); -@@ -700,22 +701,22 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to allocate symbols exported from symbols dictionary"); - goto cleanup4; - } else { -- int i = 0; -- int j = 0; -- int k; -+ uint32_t i = 0; -+ uint32_t j = 0; -+ uint32_t k; - int exflag = 0; -- int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS; -- int32_t exrunlength; -+ uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS; -+ uint32_t exrunlength; - int zerolength = 0; - - while (i < limit) { - if (params->SDHUFF) - exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code); - else -- code = jbig2_arith_int_decode(IAEX, as, &exrunlength); -+ code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); - /* prevent infinite loop */ - zerolength = exrunlength > 0 ? 
0 : zerolength + 1; -- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength > params->SDNUMEXSYMS - j))) { -+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { - if (code) - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); - else if (exrunlength <= 0) -@@ -797,8 +798,8 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen - { - Jbig2SymbolDictParams params; - uint16_t flags; -- int sdat_bytes; -- int offset; -+ uint32_t sdat_bytes; -+ uint32_t offset; - Jbig2ArithCx *GB_stats = NULL; - Jbig2ArithCx *GR_stats = NULL; - int table_index = 0; -@@ -951,7 +952,7 @@ jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segmen - - /* 7.4.2.2 (2) */ - { -- int n_dicts = jbig2_sd_count_referred(ctx, segment); -+ uint32_t n_dicts = jbig2_sd_count_referred(ctx, segment); - Jbig2SymbolDict **dicts = NULL; - - if (n_dicts > 0) { -diff --git a/jbig2_symbol_dict.h b/jbig2_symbol_dict.h -index d56d62d..30211d4 100644 ---- a/jbig2_symbol_dict.h -+++ b/jbig2_symbol_dict.h -@@ -32,18 +32,18 @@ int jbig2_symbol_dictionary(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *se - Jbig2Image *jbig2_sd_glyph(Jbig2SymbolDict *dict, unsigned int id); - - /* return a new empty symbol dict */ --Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, int n_symbols); -+Jbig2SymbolDict *jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols); - - /* release the memory associated with a symbol dict */ - void jbig2_sd_release(Jbig2Ctx *ctx, Jbig2SymbolDict *dict); - - /* generate a new symbol dictionary by concatenating a list of - existing dictionaries */ --Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, int n_dicts, Jbig2SymbolDict **dicts); -+Jbig2SymbolDict *jbig2_sd_cat(Jbig2Ctx *ctx, uint32_t n_dicts, Jbig2SymbolDict **dicts); - - /* count the number of dictionary 
segments referred - to by the given segment */ --int jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment); -+uint32_t jbig2_sd_count_referred(Jbig2Ctx *ctx, Jbig2Segment *segment); - - /* return an array of pointers to symbol dictionaries referred - to by a segment */ -diff --git a/jbig2_text.c b/jbig2_text.c -index 5c99640..e77460f 100644 ---- a/jbig2_text.c -+++ b/jbig2_text.c -@@ -55,7 +55,7 @@ - int - jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, - const Jbig2TextRegionParams *params, -- const Jbig2SymbolDict *const *dicts, const int n_dicts, -+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts, - Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws) - { - /* relevent bits of 6.4.4 */ -@@ -476,19 +476,19 @@ cleanup2: - int - jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data) - { -- int offset = 0; -+ uint32_t offset = 0; - Jbig2RegionSegmentInfo region_info; - Jbig2TextRegionParams params; - Jbig2Image *image = NULL; - Jbig2SymbolDict **dicts = NULL; -- int n_dicts = 0; -+ uint32_t n_dicts = 0; - uint16_t flags = 0; - uint16_t huffman_flags = 0; - Jbig2ArithCx *GR_stats = NULL; - int code = 0; - Jbig2WordStream *ws = NULL; - Jbig2ArithState *as = NULL; -- int table_index = 0; -+ uint32_t table_index = 0; - const Jbig2HuffmanParams *huffman_params = NULL; - - /* 7.4.1 */ -@@ -779,7 +779,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unable to retrive symbol dictionaries! 
previous parsing error?"); - goto cleanup1; - } else { -- int index; -+ uint32_t index; - - if (dicts[0] == NULL) { - code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to find first referenced symbol dictionary!"); -@@ -823,8 +823,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - } - - if (!params.SBHUFF) { -- int SBSYMCODELEN, index; -- int SBNUMSYMS = 0; -+ uint32_t SBSYMCODELEN, index; -+ uint32_t SBNUMSYMS = 0; - - for (index = 0; index < n_dicts; index++) { - SBNUMSYMS += dicts[index]->n_symbols; -@@ -840,7 +840,7 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data - } - - /* Table 31 */ -- for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) { -+ for (SBSYMCODELEN = 0; (1U << SBSYMCODELEN) < SBNUMSYMS; SBSYMCODELEN++) { - } - params.IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN); - params.IARI = jbig2_arith_int_ctx_new(ctx); -diff --git a/jbig2_text.h b/jbig2_text.h -index aec2732..51d242e 100644 ---- a/jbig2_text.h -+++ b/jbig2_text.h -@@ -70,5 +70,5 @@ typedef struct { - int - jbig2_decode_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, - const Jbig2TextRegionParams *params, -- const Jbig2SymbolDict *const *dicts, const int n_dicts, -+ const Jbig2SymbolDict *const *dicts, const uint32_t n_dicts, - Jbig2Image *image, const byte *data, const size_t size, Jbig2ArithCx *GR_stats, Jbig2ArithState *as, Jbig2WordStream *ws); --- -2.9.1 - diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch deleted file mode 100644 index a598392765..0000000000 --- a/gnu/packages/patches/jbig2dec-CVE-2017-7885.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-Fix CVE-2017-7885:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7885
-https://bugs.ghostscript.com/show_bug.cgi?id=697703
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=258290340bb657c9efb44457f717b0d8b49f4aa3
-
-From 258290340bb657c9efb44457f717b0d8b49f4aa3 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 3 May 2017 22:06:01 +0100
-Subject: [PATCH] Bug 697703: Prevent integer overflow vulnerability.
-
-Add extra check for the offset being greater than the size
-of the image and hence reading off the end of the buffer.
-
-Thank you to Dai Ge for finding this issue and suggesting a patch.
----
- jbig2_symbol_dict.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
-index 4acaba9..36225cb 100644
---- a/jbig2_symbol_dict.c
-+++ b/jbig2_symbol_dict.c
-@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
- byte *dst = image->data;
-
- /* SumatraPDF: prevent read access violation */
-- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
-+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
- size - jbig2_huffman_offset(hs));
- jbig2_image_release(ctx, image);
---
-2.13.0
-
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
deleted file mode 100644
index c83fe9d9f2..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7975.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Fix CVE-2017-7975:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7975
-https://bugs.ghostscript.com/show_bug.cgi?id=697693
-
-Patch copied from upstream source repository:
-
-https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=f8992b8fe65c170c8624226f127c5c4bfed42c66
-
-From f8992b8fe65c170c8624226f127c5c4bfed42c66 Mon Sep 17 00:00:00 2001
-From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
-Date: Wed, 26 Apr 2017 22:12:14 +0100
-Subject: [PATCH] Bug 697693: Prevent SEGV due to integer overflow.
-
-While building a Huffman table, the start and end points were susceptible
-to integer overflow.
-
-Thank you to Jiaqi for finding this issue and suggesting a patch.
----
- jbig2_huffman.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/jbig2_huffman.c b/jbig2_huffman.c
-index 511e461..b4189a1 100644
---- a/jbig2_huffman.c
-+++ b/jbig2_huffman.c
-@@ -421,8 +421,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, const Jbig2HuffmanParams *params)
-
- if (PREFLEN == CURLEN) {
- int RANGELEN = lines[CURTEMP].RANGELEN;
-- int start_j = CURCODE << shift;
-- int end_j = (CURCODE + 1) << shift;
-+ uint32_t start_j = CURCODE << shift;
-+ uint32_t end_j = (CURCODE + 1) << shift;
- byte eflags = 0;
-
- if (end_j > max_j) {
---
-2.13.0
-
diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
deleted file mode 100644
index 2fe02358b8..0000000000
--- a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
+++ /dev/null
@@ -1,122 +0,0 @@ -Fix CVE-2017-7976: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976 -https://bugs.ghostscript.com/show_bug.cgi?id=697683 - -In order to make the bug-fix patch apply, we also include an earlier commit -that it depends on. - -Patches copied from upstream source repository: - -Earlier commit, creating context for the CVE fix: -https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544 - -CVE-2017-7976 bug fix: -https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6 - -From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001 -From: Tor Andersson <tor.andersson@artifex.com> -Date: Wed, 14 Dec 2016 15:56:31 +0100 -Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always - false. - ---- - jbig2_image.c | 2 +- - jbig2_mmr.c | 2 +- - jbig2_symbol_dict.c | 9 ++------- - 3 files changed, 4 insertions(+), 9 deletions(-) - -diff --git a/jbig2_image.c b/jbig2_image.c -index 94e5a4c..00f966b 100644 ---- a/jbig2_image.c -+++ b/jbig2_image.c -@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - /* general OR case */ - s = ss; - d = dd = dst->data + y * dst->stride + leftbyte; -- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { -+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); - } - if (leftbyte == rightbyte) { -diff --git a/jbig2_mmr.c b/jbig2_mmr.c -index 390e27c..da54934 100644 ---- a/jbig2_mmr.c -+++ b/jbig2_mmr.c -@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst) - if (b1 < 2) - break; - if (c) { -- if (b1 - 2 < a0 || a0 < 0) -+ if (a0 == MINUS1 || b1 - 2 < a0) - return -1; - 
jbig2_set_bits(dst, a0, b1 - 2); - } -diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c -index 11a2252..4acaba9 100644 ---- a/jbig2_symbol_dict.c -+++ b/jbig2_symbol_dict.c -@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols) - { - Jbig2SymbolDict *new_dict = NULL; - -- if (n_symbols < 0) { -- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols); -- return NULL; -- } -- - new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1); - if (new_dict != NULL) { - new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols); -@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - uint32_t j; - int x; - -- if (code || (BMSIZE < 0)) { -+ if (code) { - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!"); - goto cleanup4; - } -@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, - code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength); - /* prevent infinite loop */ - zerolength = exrunlength > 0 ? 0 : zerolength + 1; -- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { -+ if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) { - if (code) - jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols"); - else if (exrunlength <= 0) --- -2.13.0 - -From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001 -From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk> -Date: Wed, 10 May 2017 17:50:39 +0100 -Subject: [PATCH] Bug 697683: Bounds check before reading from image source - data. - -Add extra check to prevent reading off the end of the image source -data buffer. - -Thank you to Dai Ge for finding this issue and suggesting a patch. 
---- - jbig2_image.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/jbig2_image.c b/jbig2_image.c -index 661d0a5..ae161b9 100644 ---- a/jbig2_image.c -+++ b/jbig2_image.c -@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int - /* general OR case */ - s = ss; - d = dd = dst->data + y * dst->stride + leftbyte; -- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { -+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || -+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); - } - if (leftbyte == rightbyte) { --- -2.13.0 - diff --git a/gnu/packages/patches/jbig2dec-ignore-testtest.patch b/gnu/packages/patches/jbig2dec-ignore-testtest.patch index 1efde8628c..7c80c545e9 100644 --- a/gnu/packages/patches/jbig2dec-ignore-testtest.patch +++ b/gnu/packages/patches/jbig2dec-ignore-testtest.patch @@ -1,8 +1,8 @@ -Do not run the "testtest script", it doesn't seem to do anything and reports -failiute. TODO: Actually fix the test instead of ignoring it. +Do not run the test 'test_jbig2dec.py'. It doesn't seem to do anything +and reports failure. TODO: Actually fix the test instead of ignoring it. diff --git a/Makefile.in b/Makefile.in -index 0573592..1a5de77 100644 +index 63982d4..8af1d61 100644 --- a/Makefile.in +++ b/Makefile.in @@ -93,7 +93,7 @@ host_triplet = @host@ |