d7b61390b6
- Applied patch to fix CVE-2009-0196 (bug #493379). - Applied patch to fix CVE-2008-6679 (bug #493445).
20 lines
991 B
Diff
20 lines
991 B
Diff
diff -up ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c
|
|
--- ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c.CVE-2009-0196 2007-12-11 08:29:58.000000000 +0000
|
|
+++ ghostscript-8.63/jbig2dec/jbig2_symbol_dict.c 2009-04-15 16:40:13.000000000 +0100
|
|
@@ -699,6 +699,15 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
|
|
exrunlength = params->SDNUMEXSYMS;
|
|
else
|
|
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
|
|
+ if (exrunlength > params->SDNUMEXSYMS - j) {
|
|
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
|
|
+ "runlength too large in export symbol table (%d > %d - %d)\n",
|
|
+ exrunlength, params->SDNUMEXSYMS, j);
|
|
+ jbig2_sd_release(ctx, SDEXSYMS);
|
|
+ /* skip to the cleanup code and return SDEXSYMS = NULL */
|
|
+ SDEXSYMS = NULL;
|
|
+ break;
|
|
+ }
|
|
for(k = 0; k < exrunlength; k++)
|
|
if (exflag) {
|
|
SDEXSYMS->glyphs[j++] = (i < m) ?
|