~ubuntu-branches/debian/squeeze/ghostscript/squeeze

Viewing changes to debian/patches/74_CVE-2009-0196.dpatch

  • Committer: Bazaar Package Importer
  • Author(s): Nico Golde
  • Date: 2009-04-22 00:19:51 UTC
  • Revision ID: james.westby@ubuntu.com-20090422001951-d4ret0g0hainvwor
Tags: 8.64~dfsg-1+squeeze1
* Non-maintainer upload by the Security Team.
* This update fixes various security issues:
  - CVE-2009-0792: multiple integer overflows in the icc library
    can cause a heap-based buffer overflow possibly leading to arbitrary
    code execution.
  - CVE-2009-0584/CVE-2009-0583: Multiple integer overflows causing an
    application crash or possibly arbitrary code execution.
  - CVE-2009-0196: heap-based buffer overflow in big2_decode_symbol_dict()
    leading to arbitrary code execution via a crafted JBIG2 symbol
    dictionary segment.
    .
    (Closes: #524915, #522416, #524803)

#! /bin/sh /usr/share/dpatch/dpatch-run
## 74_CVE-2009-0196.dpatch by Nico Golde <nion@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: CVE-2009-0196

@DPATCH@
diff -urNad ghostscript-8.64~dfsg~/jbig2dec/jbig2_symbol_dict.c ghostscript-8.64~dfsg/jbig2dec/jbig2_symbol_dict.c
--- ghostscript-8.64~dfsg~/jbig2dec/jbig2_symbol_dict.c 2007-12-11 09:29:58.000000000 +0100
+++ ghostscript-8.64~dfsg/jbig2dec/jbig2_symbol_dict.c  2009-04-21 23:57:26.000000000 +0200
@@ -699,6 +699,15 @@
         exrunlength = params->SDNUMEXSYMS;
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+      if (exrunlength > params->SDNUMEXSYMS - j) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+          "runlength too large in export symbol table (%d > %d - %d)\n",
+          exrunlength, params->SDNUMEXSYMS, j);
+        jbig2_sd_release(ctx, SDEXSYMS);
+        /* skip to the cleanup code and return SDEXSYMS = NULL */
+        SDEXSYMS = NULL;
+        break;
+      }
       for(k = 0; k < exrunlength; k++)
         if (exflag) {
           SDEXSYMS->glyphs[j++] = (i < m) ?
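Review bot: the new guard `if (exrunlength > params->SDNUMEXSYMS - j)` bounds only the export cursor `j`, but the loop that follows it also advances `i`, which the context line `SDEXSYMS->glyphs[j++] = (i < m) ?` uses as an index into the input and new symbol arrays; a run with `exflag` clear (no export, so `j` does not move) is not limited by this check at all, so a decoded run length that carries `i` past the last input or new symbol would not be rejected here. Consider extending the guard so that both cursors are checked, e.g. `if (exrunlength > params->SDNUMEXSYMS - j || exrunlength > total_symbols - i)` where `total_symbols` (a placeholder name) is the count of input plus new symbols already known in this function, and include `i` in the error message so the failing case is diagnosable. Also worth a comment on the `break`: it only reaches the cleanup path because the enclosing loop ends on it, and the `code` value from `jbig2_arith_int_decode` just above is not checked before `exrunlength` is used, so a decode failure would still be treated as a valid run length.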