From 5d82ba678166e528131e96f756546aebf3a3fc20 Mon Sep 17 00:00:00 2001
From: censl <9940002368@qq.com>
Date: Tue, 17 Jan 2023 19:42:08 +0800
Subject: [PATCH 1/2] =?UTF-8?q?CVE-2022-38784=20=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=9B=B4=E6=96=B0=EF=BC=9Ainteger=20overflow=20in=20the=20JBIG?= =?UTF-8?q?2=20decoder?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 poppler/JBIG2Stream.cc | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index a861da2..ac3311a 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -2099,7 +2099,12 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
 for (i = 0; i < nRefSegs; ++i) {
 if ((seg = findSegment(refSegs[i]))) {
 if (seg->getType() == jbig2SegSymbolDict) {
- numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+ const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
+ if(unlikely(checkedAdd(numSyms, segSize, &numSyms))){
+ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+ return;
+ }
+
 } else if (seg->getType() == jbig2SegCodeTable) {
 codeTables->push_back(seg);
 }
@@ -2196,6 +2201,11 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
 }
 huffRDHTable = ((JBIG2CodeTable *)(*codeTables)[i++])->getHuffTable();
 }
+ if (huffRDX == 0) {
+ huffRDXTable = huffTableN;
+ } else if (huffRDX == 1) {
+ huffRDXTable = huffTableO;
+ } else {
 if (huffRDX == 0) {
 huffRDXTable = huffTableN;
 } else if (huffRDX == 1) {
@@ -4344,8 +4354,3 @@ bool JBIG2Stream::readLong(int *x) {
 return false;
 }
 *x = ((c0 << 24) | (c1 << 16) | (c2 << 8) | c3);
- if (c0 & 0x80) {
- *x |= -1 - (int)0xffffffff;
- }
- return true;
-}
-- 
Gitee
From 5406105f5edebefed3456fd122a9386471e0a259 Mon Sep 17 00:00:00 2001
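Review bot: The `return;` added after the "Too many symbols" error in the first readTextRegionSeg hunk (`@@ -2099,7 +2099,12 @@`) exits while `codeTables` is still in use, and the context lines reach it through `->`, so if it was allocated with `new` earlier in the function the rejected-file path leaks it. The allocation is outside the hunk, so this needs confirming against the full function; if it is heap-owned, free it on this path as well, e.g. `delete codeTables;` directly before `return;`. A short comment such as `// reject wraparound of the symbol count (CVE-2022-38784)` above the `checkedAdd` call would also record why the plain `+=` was replaced. The function body starts and ends outside the hunk.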
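Review bot: The second hunk of PATCH 1/2 (`@@ -2196,6 +2201,11 @@`) adds an `if (huffRDX == 0) { … } else {` chain that repeats the context lines directly after it and opens an `else {` that nothing in the hunk closes, and the third hunk (`@@ -4344,8 +4354,3 @@`) deletes the sign-extension step, `return true;` and the closing brace of `readLong`. Neither change relates to the symbol-count overflow check, and as far as the visible lines show both leave JBIG2Stream.cc with unbalanced braces, so this commit on its own probably does not build. PATCH 2/2 in the same series reverses both edits; squashing the two would give a single security fix that compiles and can be cherry-picked or bisected without carrying a broken intermediate state.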
From: censl <9940002368@qq.com>
Date: Mon, 13 Feb 2023 23:06:10 +0800
Subject: [PATCH 2/2] =?UTF-8?q?CVE-2022-38784=20=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=9B=B4=E6=96=B0=EF=BC=9Ainteger=20overflow=20in=20the=20JBIG?= =?UTF-8?q?2=20decoder=20[updated]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 debian/changelog | 6 ++++++
 poppler/JBIG2Stream.cc | 17 ++++++++---------
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 8932671..94165da 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+poppler (0.86.1-ok3) yangtze; urgency=medium
+
+ * CVE-2022-38784 安全更新:interger overflow in the JBIG2 decoder
+
+ -- censl <994002368@qq.com> Mon, 13 Feb 2023 22:59:18 +0800
+
 poppler (0.86.1-ok2) yangtze; urgency=medium

 * update version info
diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index ac3311a..3f6c26f 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -2100,11 +2100,10 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
 if ((seg = findSegment(refSegs[i]))) {
 if (seg->getType() == jbig2SegSymbolDict) {
 const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
- if(unlikely(checkedAdd(numSyms, segSize, &numSyms))){
- error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+ if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
+ error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
 return;
- }
-
+ }
 } else if (seg->getType() == jbig2SegCodeTable) {
 codeTables->push_back(seg);
 }
@@ -2201,11 +2200,6 @@ void JBIG2Stream::readTextRegionSeg(unsigned int segNum, bool imm,
 }
 huffRDHTable = ((JBIG2CodeTable *)(*codeTables)[i++])->getHuffTable();
 }
- if (huffRDX == 0) {
- huffRDXTable = huffTableN;
- } else if (huffRDX == 1) {
- huffRDXTable = huffTableO;
- } else {
 if (huffRDX == 0) {
 huffRDXTable = huffTableN;
 } else if (huffRDX == 1) {
@@ -4354,3 +4348,8 @@ bool JBIG2Stream::readLong(int *x) {
 return false;
 }
 *x = ((c0 << 24) | (c1 << 16) | (c2 << 8) | c3);
+ if (c0 & 0x80) {
+ *x |= -1 - (int)0xffffffff;
+ }
+ return true;
+}
-- 
Gitee
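Review bot: The restored line `*x |= -1 - (int)0xffffffff;` needs a comment, because what it does depends on the width of `int`: on the usual targets where `int` is 32 bits the right-hand side evaluates to 0 and the statement changes nothing, and it only sets the upper bits where `int` is wider. Suggested comment above the `if (c0 & 0x80)`: `// sign-extend bit 31 into the upper bits when int is wider than 32 bits; no effect for 32-bit int`. The declarations of `c0`–`c3` are outside the hunk, so whether `c0 << 24` can shift into the sign bit of a signed type cannot be judged from these lines and is worth checking in the full function. The body of readLong starts before the hunk.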