From b18b853cf9809c1b68a9a1b375dd7d847d584fdc Mon Sep 17 00:00:00 2001
From: Leo
Date: Fri, 11 Dec 2020 01:09:07 -0300
Subject: main/jbig2dec: fix CVE-2020-12268

See: #11525
---
 main/jbig2dec/APKBUILD             | 13 ++++++++---
 main/jbig2dec/CVE-2020-12268.patch | 44 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 3 deletions(-)
 create mode 100644 main/jbig2dec/CVE-2020-12268.patch

diff --git a/main/jbig2dec/APKBUILD b/main/jbig2dec/APKBUILD
index 4b3ae405c3b..ccdcfb56de0 100644
--- a/main/jbig2dec/APKBUILD
+++ b/main/jbig2dec/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=jbig2dec
 pkgver=0.16
 _gsver="gs927"
-pkgrel=0
+pkgrel=1
 pkgdesc="JBIG2 image compression format decoder"
 url="https://www.ghostscript.com/jbig2dec.html"
 arch="all"
@@ -11,7 +11,13 @@ license="GPL-2.0-or-later"
 makedepends="autoconf automake libtool"
 checkdepends="python2"
 subpackages="$pkgname-dev $pkgname-doc"
-source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz"
+source="https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/$_gsver/jbig2dec-$pkgver.tar.gz
+	CVE-2020-12268.patch
+	"
+
+# secfixes:
+#   0.16-r1:
+#     - CVE-2020-12268
 
 builddir="$srcdir/$pkgname-$pkgver"
 
@@ -45,4 +51,5 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949  jbig2dec-0.16.tar.gz"
+sha512sums="1c1a9b9fc46d40ef3bd6133fd95b02163456e4d9fb271f57c75f4dcc4ace726ec54b8d22f984e4804bbad7f1d018566e522c1924bc8ad2e807d48d57a8851949  jbig2dec-0.16.tar.gz
+e33c6a942af79dfb98c8160bccb0d7e6965d90b77f4e8e370787a9c0af0273001f02d5591b92d4285b901182ea335eb09854ce2fa995266837156b568747aa24  CVE-2020-12268.patch"
diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 00000000000..773515ae2dc
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX 0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX 0xffffffffu
++#endif
+ 
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     if (src == NULL)
+         return 0;
+ 
++    if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
++        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++    {
++#ifdef JBIG2_DEBUG
++        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++        return 0;
++    }
++
+     /* The optimized code for the OR operator below doesn't
+        handle the source image partially placed outside the
+        destination (above and/or to the left). The affected
-- 
cgit v1.2.3
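Review bot: The new guard in `jbig2_image_compose` takes the magnitude of `x` and `y` as `(x > 0 ? x : -x)`, and `-x` is signed-integer overflow (undefined behaviour) when `x` is `INT_MIN`, which is precisely the kind of extreme placement value the commit message says the fuzzer produced. On a wrapping compiler the negation yields `INT_MIN` again, which becomes `0x80000000` in the unsigned comparison and only trips the check when `src->width` exceeds `0x7fffffff`, so for any realistic image the later placement arithmetic (outside this hunk; the function begins before line `if (src == NULL)` and continues past the comment) would still see the pathological offset. Compute the magnitude in unsigned arithmetic instead, e.g. `uint32_t ax = x < 0 ? 0u - (uint32_t)x : (uint32_t)x;` and test `UINT32_MAX - src->width < ax` (and the same for `y`). Because this is a verbatim backport of upstream 0726320a, it is worth checking whether a later upstream commit already reworked this guard before diverging locally, and note that the rejection is only logged under `JBIG2_DEBUG`, so production builds drop the malformed region silently.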