gnu: jbig2dec: Fix CVE-2017-{7885,7975,7976}.

* gnu/packages/patches/jbig2dec-CVE-2017-7885.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7975.patch,
gnu/packages/patches/jbig2dec-CVE-2017-7976.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/image.scm (jbig2dec)[source]: Use them.

1 files changed, 122 insertions, 0 deletions

diff --git a/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
new file mode 100644
index 0000000000..2fe02358b8
--- /dev/null
+++ b/gnu/packages/patches/jbig2dec-CVE-2017-7976.patch
@@ -0,0 +1,122 @@
+Fix CVE-2017-7976:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7976
+https://bugs.ghostscript.com/show_bug.cgi?id=697683
+
+In order to make the bug-fix patch apply, we also include an earlier commit
+that it depends on.
+
+Patches copied from upstream source repository:
+
+Earlier commit, creating context for the CVE fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=9d2c4f3bdb0bd003deae788e7187c0f86e624544
+
+CVE-2017-7976 bug fix:
+https://git.ghostscript.com/?p=jbig2dec.git;a=commit;h=cfa054925de49675ac5445515ebf036fa9379ac6
+
+From 9d2c4f3bdb0bd003deae788e7187c0f86e624544 Mon Sep 17 00:00:00 2001
+From: Tor Andersson <tor.andersson@artifex.com>
+Date: Wed, 14 Dec 2016 15:56:31 +0100
+Subject: [PATCH] Fix warnings: remove unsigned < 0 tests that are always
+ false.
+
+---
+ jbig2_image.c       | 2 +-
+ jbig2_mmr.c         | 2 +-
+ jbig2_symbol_dict.c | 9 ++-------
+ 3 files changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 94e5a4c..00f966b 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
+diff --git a/jbig2_mmr.c b/jbig2_mmr.c
+index 390e27c..da54934 100644
+--- a/jbig2_mmr.c
++++ b/jbig2_mmr.c
+@@ -977,7 +977,7 @@ jbig2_decode_mmr_line(Jbig2MmrCtx *mmr, const byte *ref, byte *dst)
+             if (b1 < 2)
+                 break;
+             if (c) {
+-                if (b1 - 2 < a0 || a0 < 0)
++                if (a0 == MINUS1 || b1 - 2 < a0)
+                     return -1;
+                 jbig2_set_bits(dst, a0, b1 - 2);
+             }
+diff --git a/jbig2_symbol_dict.c b/jbig2_symbol_dict.c
+index 11a2252..4acaba9 100644
+--- a/jbig2_symbol_dict.c
++++ b/jbig2_symbol_dict.c
+@@ -92,11 +92,6 @@ jbig2_sd_new(Jbig2Ctx *ctx, uint32_t n_symbols)
+ {
+     Jbig2SymbolDict *new_dict = NULL;
+ 
+-    if (n_symbols < 0) {
+-        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "Negative number of symbols in symbol dict: %d", n_symbols);
+-        return NULL;
+-    }
+-
+     new_dict = jbig2_new(ctx, Jbig2SymbolDict, 1);
+     if (new_dict != NULL) {
+         new_dict->glyphs = jbig2_new(ctx, Jbig2Image *, n_symbols);
+@@ -613,7 +608,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+             uint32_t j;
+             int x;
+ 
+-            if (code || (BMSIZE < 0)) {
++            if (code) {
+                 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "error decoding size of collective bitmap!");
+                 goto cleanup4;
+             }
+@@ -716,7 +711,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
+                 code = jbig2_arith_int_decode(IAEX, as, (int32_t *)&exrunlength);
+             /* prevent infinite loop */
+             zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+-            if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
++            if (code || (exrunlength > limit - i) || (zerolength > 4) || (exflag && (exrunlength + j > params->SDNUMEXSYMS))) {
+                 if (code)
+                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to decode exrunlength for exported symbols");
+                 else if (exrunlength <= 0)
+-- 
+2.13.0
+
+From cfa054925de49675ac5445515ebf036fa9379ac6 Mon Sep 17 00:00:00 2001
+From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
+Date: Wed, 10 May 2017 17:50:39 +0100
+Subject: [PATCH] Bug 697683: Bounds check before reading from image source
+ data.
+
+Add extra check to prevent reading off the end of the image source
+data buffer.
+
+Thank you to Dai Ge for finding this issue and suggesting a patch.
+---
+ jbig2_image.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 661d0a5..ae161b9 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     /* general OR case */
+     s = ss;
+     d = dd = dst->data + y * dst->stride + leftbyte;
+-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
++    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
++        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
+         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
+     }
+     if (leftbyte == rightbyte) {
+-- 
+2.13.0
+