blob: 1a7e748972209bda4a1bf200989fb51890eb0ab8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
$NetBSD: patch-aa,v 1.4 2009/04/14 19:32:54 tron Exp $
Patch for CVE-2009-0196 taken from Redhat's Bugzilla:
https://bugzilla.redhat.com/attachment.cgi?id=337747
--- jbig2dec/jbig2_symbol_dict.c.orig 2007-12-11 08:29:58.000000000 +0000
+++ jbig2dec/jbig2_symbol_dict.c 2009-04-14 20:19:01.000000000 +0100
@@ -699,6 +699,15 @@
exrunlength = params->SDNUMEXSYMS;
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ if (exrunlength > params->SDNUMEXSYMS - j) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "runlength too large in export symbol table (%d > %d - %d)\n",
+ exrunlength, params->SDNUMEXSYMS, j);
+ jbig2_sd_release(ctx, SDEXSYMS);
+ /* skip to the cleanup code and return SDEXSYMS = NULL */
+ SDEXSYMS = NULL;
+ break;
+ }
for(k = 0; k < exrunlength; k++)
if (exflag) {
SDEXSYMS->glyphs[j++] = (i < m) ?
|