author | Sebastian Rasmussen <sebras@gmail.com> | 2019-09-15 17:07:27 +0200 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2020-03-20 17:56:07 +0800 |
commit | 4239ceeb4dd39e2ac183a01877b62761ae13bae4 (patch) | |
tree | 5c3c7dfee8e1b3b6a5b4c7d4f12a724e30ce3200 /jbig2dec | |
parent | cd1ef5475a3bda7a97851abc679c75e2ee64dec3 (diff) | |
download | ghostpdl-4239ceeb4dd39e2ac183a01877b62761ae13bae4.tar.gz |
jbig2dec: Avoid artificially limiting jbig2dec.
Commit 7366747076f3b75def52079bd4d5021539a16394 fixes bug 694949 by
adding an artificial limit (that does not come from the JBIG2
specification) to the sizes of generic regions compared with the image
they will be composed onto. A problem with such artificial limits is
that they are arbitrary. This is exemplified by the changes in
0d21a58ab12b9584faa54baa48ce0dab350af53e to make jbig2dec not error
out on commonly occurring images. It is impossible to know whether
this updated limit is enough, or whether an even larger generic region
in a JBIG2 image will be found in the future.
Instead of imposing these kinds of limits, jbig2dec should attempt to
decode any JBIG2 image given to it. If the user wants to limit the
amount of memory jbig2dec may use for decoding any JBIG2 image, this
is a better way of implicitly limiting image sizes.
Diffstat (limited to 'jbig2dec')
-rw-r--r-- | jbig2dec/configure.ac.in | 1 | ||||
-rw-r--r-- | jbig2dec/jbig2_generic.c | 5 | ||||
-rw-r--r-- | jbig2dec/snprintf.c | 163 |
3 files changed, 0 insertions, 169 deletions
diff --git a/jbig2dec/configure.ac.in b/jbig2dec/configure.ac.in
index 972d08185..72622765e 100644
--- a/jbig2dec/configure.ac.in
+++ b/jbig2dec/configure.ac.in
@@ -132,7 +132,6 @@ AC_C_BIGENDIAN
 AC_FUNC_MEMCMP
 dnl we use realloc() but don't depend on the zero-length behavior
 dnl tested by AC_FUNC_REALLOC
-AC_REPLACE_FUNCS([snprintf])
 AC_CHECK_FUNCS([memset strdup])
diff --git a/jbig2dec/jbig2_generic.c b/jbig2dec/jbig2_generic.c
index 844bd092b..6820d7db2 100644
--- a/jbig2dec/jbig2_generic.c
+++ b/jbig2dec/jbig2_generic.c
@@ -1346,11 +1346,6 @@ jbig2_decode_generic_region(Jbig2Ctx *ctx,
 {
 const int8_t *gbat = params->gbat;
- if (image->stride * image->height > (1 << 26) && segment->data_length < image->stride * image->height / (1 << 16)) {
- return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
- "region is far larger than data provided (%li << %d), aborting to prevent DOS", (long) segment->data_length, image->stride * image->height);
- }
-
 if (!params->MMR && params->TPGDON)
 return jbig2_decode_generic_region_TPGDON(ctx, segment, params, as, image, GB_stats);
diff --git a/jbig2dec/snprintf.c b/jbig2dec/snprintf.c
deleted file mode 100644
index 025396dd9..000000000
--- a/jbig2dec/snprintf.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Revision 12: http://theos.com/~deraadt/snprintf.c
- *
- * Copyright (c) 1997 Theo de Raadt
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifdef __VMS
-#include <param.h>
-#else
-#include <sys/param.h>
-#endif
-#include <sys/types.h>
-#include <sys/mman.h>
-#include <signal.h>
-#include <stdio.h>
-#if __STDC__
-#include <stdarg.h>
-#include <stdlib.h>
-#else
-#include <varargs.h>
-#endif
-#include <setjmp.h>
-#include <unistd.h>
-#include <string.h>
-
-#ifndef roundup
-#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))
-#endif
-
-#ifdef __sgi
-#define size_t ssize_t
-#endif
-
-static int pgsize;
-static char *curobj;
-static int caught;
-static sigjmp_buf bail;
-
-#define EXTRABYTES 2 /* XXX: why 2? you don't want to know */
-
-static char *
-msetup(str, n)
-char *str;
-size_t n;
-{
- char *e;
-
- if (n == 0)
- return NULL;
- if (pgsize == 0)
- pgsize = getpagesize();
- curobj = (char *)malloc(n + EXTRABYTES + pgsize * 2);
- if (curobj == NULL)
- return NULL;
- e = curobj + n + EXTRABYTES;
- e = (char *)roundup((unsigned long)e, pgsize);
- if (mprotect(e, pgsize, PROT_NONE) == -1) {
- free(curobj);
- curobj = NULL;
- return NULL;
- }
- e = e - n - EXTRABYTES;
- *e = '\0';
- return (e);
-}
-
-static void
-mcatch(int a)
-{
- siglongjmp(bail, 1);
-}
-
-static void
-mcleanup(str, n, p)
-char *str;
-size_t n;
-char *p;
-{
- strncpy(str, p, n - 1);
- str[n - 1] = '\0';
- if (mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, PROT_READ | PROT_WRITE | PROT_EXEC) == -1)
- mprotect((caddr_t)(p + n + EXTRABYTES), pgsize, PROT_READ | PROT_WRITE);
- free(curobj);
-}
-
-int
-#if __STDC__
-vsnprintf(char *str, size_t n, char const *fmt, va_list ap)
-#else
-vsnprintf(str, n, fmt, ap)
-char *str;
-size_t n;
-char *fmt;
-char *ap;
-#endif
-{
- struct sigaction osa, nsa;
- char *p;
- int ret = n + 1; /* if we bail, indicated we overflowed */
-
- memset(&nsa, 0, sizeof nsa);
- nsa.sa_handler = mcatch;
- sigemptyset(&nsa.sa_mask);
-
- p = msetup(str, n);
- if (p == NULL) {
- *str = '\0';
- return 0;
- }
- if (sigsetjmp(bail, 1) == 0) {
- if (sigaction(SIGSEGV, &nsa, &osa) == -1) {
- mcleanup(str, n, p);
- return (0);
- }
- ret = vsprintf(p, fmt, ap);
- }
- mcleanup(str, n, p);
- (void)sigaction(SIGSEGV, &osa, NULL);
- return (ret);
-}
-
-int
-#if __STDC__
-snprintf(char *str, size_t n, char const *fmt, ...)
-#else
-snprintf(str, n, fmt, va_alist)
-char *str;
-size_t n;
-char *fmt;
-va_dcl
-#endif
-{
- va_list ap;
-
-#if __STDC__
- va_start(ap, fmt);
-#else
- va_start(ap);
-#endif
-
- return (vsnprintf(str, n, fmt, ap));
- va_end(ap);
-} |