shithub: jbig2

ref: 4e62b3968d0d897bb9a24ba7f75504f476e33ba6
parent: 86e0b052dc32de4e0f9a3cbc7dbf27211a2b3182
author: Ralph Giles <giles@ghostscript.com>
date: Wed Apr 1 11:52:17 EDT 2009

Bounds check exported symbol run-lengths. CVE-2009-0196.

The final symbol dictionary is built from a combination of symbols
from referenced dictionaries and new symbols coded in the current
segment. Because the symbols can be composed and refined, not all
coded symbols are necessarily exported.

The list of symbols to export from those constructed by the decoding
process is coded as a series of on/off run-lengths. Previously we
accepted the value read as the run-length, even though this could
result in writing off the end of the exported symbol array. This
commit checks the read value against the number of elements remaining
in the export array and throws a fatal error if there is an overflow.

Thanks to Alin Rad Pop of Secunia Research for pointing out the issue.
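The export run-length loop the message describes, written out as an added example that is not the project's own code: a simplified, hypothetical `decode_export_flags` with the bounds check this commit adds on the export side, plus a matching bound on the input side; the error codes, the sample runs and the two demo functions are all constructed here.

```c
#include <stddef.h>

/* Hypothetical stand-in for the export-flag loop in jbig2_symbol_dict.c
 * (added example, not the project's code). Runs alternate off/on,
 * starting with off; an "on" run exports the symbols it covers. */
enum { EX_OK = 0, EX_ERR_BAD_RUN = -1, EX_ERR_INPUT_EXHAUSTED = -2, EX_ERR_COUNT_MISMATCH = -3 };

/* runs[]: decoded run-lengths; num_input = m + SDNUMNEWSYMS;
 * out[] has room for num_ex (SDNUMEXSYMS) exported indices. */
int decode_export_flags(const int *runs, size_t nruns, size_t num_input,
                        size_t num_ex, size_t *out, size_t *out_count)
{
    size_t i = 0, j = 0;          /* next input symbol, next export slot */
    int exflag = 0;
    for (size_t r = 0; r < nruns; r++, exflag = !exflag) {
        if (runs[r] < 0)          /* a failed decode can yield garbage */
            return EX_ERR_BAD_RUN;
        size_t len = (size_t)runs[r];
        /* The CVE-2009-0196 check: an "on" run may not exceed the export
         * slots remaining, or out[j++] below writes past the array. */
        if (exflag && len > num_ex - j)
            return EX_ERR_BAD_RUN;
        /* Every run also consumes input symbols; bound that side too. */
        if (len > num_input - i)
            return EX_ERR_INPUT_EXHAUSTED;
        for (size_t k = 0; k < len; k++, i++)
            if (exflag)
                out[j++] = i;
    }
    if (i != num_input || j != num_ex)
        return EX_ERR_COUNT_MISMATCH;
    *out_count = j;
    return EX_OK;
}

/* Constructed input: 8 symbols, runs off 2 / on 3 / off 1 / on 2. */
static const int demo_runs[] = { 2, 3, 1, 2 };
/* Well-formed stream: exports 2,3,4,6,7 into 5 slots. Returns 1 on success. */
int demo_benign(void)
{
    size_t out[5], n = 0;
    if (decode_export_flags(demo_runs, 4, 8, 5, out, &n) != EX_OK || n != 5)
        return 0;
    return out[0] == 2 && out[1] == 3 && out[2] == 4 && out[3] == 6 && out[4] == 7;
}
/* Same runs but SDNUMEXSYMS = 3: the fourth run would write out[3], out[4]. */
int demo_overflow(void)
{
    size_t out[3], n = 0;
    return decode_export_flags(demo_runs, 4, 8, 3, out, &n);
}
```

Without the export-side check, `demo_overflow` would write two indices past the end of its three-element array, which is the defect the commit closes.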

--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -696,6 +696,15 @@
         exrunlength = params->SDNUMEXSYMS;
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+      if (exrunlength > params->SDNUMEXSYMS - j) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+          "runlength too large in export symbol table (%d > %d - %d)\n",
+          exrunlength, params->SDNUMEXSYMS, j);
+        jbig2_sd_release(ctx, SDEXSYMS);
+        /* skip to the cleanup code and return SDEXSYMS = NULL */
+        SDEXSYMS = NULL;
+        break;
+      }
       for(k = 0; k < exrunlength; k++)
         if (exflag) {
           SDEXSYMS->glyphs[j++] = (i < m) ?
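Review bot: the new check consumes exrunlength straight after `code = jbig2_arith_int_decode(IAEX, as, &exrunlength);` without `code` being examined, so a failed decode leaves whatever exrunlength already held to drive the comparison; test `code` before the check, and reject a negative exrunlength explicitly, since `exrunlength > params->SDNUMEXSYMS - j` lets a negative value through (the `for` loop then does nothing, but that is a corrupt stream that should abort like the oversized case rather than continue). Note also that the check is applied for both flag states although only the `if (exflag)` branch writes to `SDEXSYMS->glyphs[j++]`; an "off" run consumes input symbols instead, and the visible lines carry no corresponding bound on that side.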