forked from pool/mupdf
1369417c55
CVE-2017-7976.patch to fix CVE-2016-10221, CVE-2016-8728, CVE-2016-8729 and CVE-2017-7976 bsc#1032140 bsc#1039850 bsc#1052029 OBS-URL: https://build.opensuse.org/package/show/Publishing/mupdf?expand=0&rev=56
15 lines
930 B
Diff
15 lines
930 B
Diff
Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
|
|
===================================================================
|
|
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
|
|
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
|
|
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
|
|
/* general OR case */
|
|
s = ss;
|
|
d = dd = dst->data + y * dst->stride + leftbyte;
|
|
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
|
|
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
|
|
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
|
|
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
|
|
}
|
|
if (leftbyte == rightbyte) {
|