fix fuzz test from open source community

2021-03-27 14:57:44 +08:00 · 2021-03-27 14:57:44 +08:00 · 2dedc54653
commit 2dedc54653
parent 64ce456617
3 changed files with 118 additions and 1 deletions
--- a/backprot-add-casts-to-silence-a-compiler-warning.patch
+++ b/backprot-add-casts-to-silence-a-compiler-warning.patch
@ -0,0 +1,26 @@
 From d8294b25104e9033408c18b68567281ae8e9d5e0 Mon Sep 17 00:00:00 2001
 From: Sebastian Rasmussen <sebras@gmail.com>
 Date: Sat, 7 Nov 2020 00:33:46 +0800
 Subject: [PATCH] jbig2dec: Add casts to silence a compiler warning.
 ---
 jbig2_image.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/jbig2_image.c b/jbig2_image.c
 index 2cb1e14..19eef22 100644
 --- a/jbig2_image.c
 +++ b/jbig2_image.c
@@ -347,8 +347,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
     if (src == NULL)
         return 0;
 -    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
 -        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
 +    if ((UINT32_MAX - src->width  < (uint32_t) (x > 0 ? x : -x)) ||
 +        (UINT32_MAX - src->height < (uint32_t) (y > 0 ? y : -y)))
     {
 #ifdef JBIG2_DEBUG
         jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, JBIG2_UNKNOWN_SEGMENT_NUMBER, "overflow in compose_image");
 --
 2.27.0
--- a/backprot-searching-for-a-marker-in-a-stream.patch
+++ b/backprot-searching-for-a-marker-in-a-stream.patch
@ -0,0 +1,82 @@
 From f93f613aa9873026ccf7b0d625eb86c27b6b42b9 Mon Sep 17 00:00:00 2001
 From: Chris Liddell <chris.liddell@artifex.com>
 Date: Thu, 1 Oct 2020 15:58:25 +0100
 Subject: [PATCH] Searching for a marker in a stream, honor alignment
 When searching for markers in a stream buffer, we were "seeking" to the point
 in the buffer, and casting to either a byte, ushort or a uint to make the
 value comparison. But we cannot do that on SPARC because of the strict
 alignment on that hardware.
 So, we have to "unpack" the individual bytes from the stream to do the value
 comparison.
 Note: there are slightly confusing comments in the code that mention being
 "on a 16 bit boundary" and "on a 32 bit boundary" - that's referring to the
 offset into the buffer, *not* the actual memory address alignment.
 Found in testing on Solaris/SPARC
 ---
 jbig2_mmr.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
 diff --git a/jbig2_mmr.c b/jbig2_mmr.c
 index 578754c..5c39903 100644
 --- a/jbig2_mmr.c
 +++ b/jbig2_mmr.c
@@ -744,6 +744,16 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
 #define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
 +/* On platforms that enforce aligned memory accesses, we can't just
 + * cast the byte * to the type of object we are accessing, we have
 + * unpack the requisite number of bytes, and deal with it that way.
 + * Note that the comments below about being 16/32 bit boundaries
 + * is referring to offsets into the byte stream, *not* memory
 + * addresses.
 + */
 +#define getword16(b)  ((uint16_t)(b[0] | (b[1] << 8)))
 +#define getword32(b)  ((uint32_t)(getword16(b) | (getword16((b + 2)) << 16)))
 +
 static uint32_t
 jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
 {
@@ -817,7 +827,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
         if (w - x < 16) {
             goto check8;
         }
 -        if ( ((uint16_t*) line)[ x / 16] != all16) {
 +        if ( getword16((line + (x / 8))) != all16) {
             goto check8_no_eof;
         }
         x += 16; /* This will make x a multiple of 32. */
@@ -835,7 +845,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
             look at the next uint16, then uint8, then last 8 bits. */
             goto check16;
         }
 -        if (((uint32_t*) line)[x/32] != all32) {
 +        if ( getword32((line + (x / 8))) != all32) {
             goto check16_no_eof;
         }
         x += 32;
@@ -849,7 +859,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
     }
 check16_no_eof:
     assert(w - x >= 16);
 -    if ( ((uint16_t*) line)[x/16] != all16) {
 +    if ( getword16((line + (x / 8))) != all16) {
         goto check8_no_eof;
     }
     x += 16;
@@ -890,6 +900,9 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
     return x;
 }
 +#undef getword16
 +#undef getword32
 +
 static uint32_t
 jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
 {
 --
 2.27.0
--- a/jbig2dec.spec
+++ b/jbig2dec.spec
@ -1,12 +1,15 @@
 Name:           jbig2dec
 Version:        0.19
-Release:        1
+Release:        2
 Summary:        A decoder implementation of the JBIG2 image compression format.
 License:        AGPLv3+
 URL:            https://jbig2dec.com/
 Source0:        https://github.com/ArtifexSoftware/jbig2dec/archive/%{version}.tar.gz
 Patch0:         backprot-add-casts-to-silence-a-compiler-warning.patch
 Patch1:         backprot-searching-for-a-marker-in-a-stream.patch
 BuildRequires:  gcc libtool chrpath
 Provides:       %{name}-libs = %{version}-%{release}
 Obsoletes:      %{name}-libs < %{version}-%{release}
@ -62,6 +65,12 @@ echo "/usr/lib64" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{_mandir}/man1/%{name}.1*
 %changelog
 * Sat Mar 27 2021 dowzyx  <zhaoyuxing2@huawei.com> - 0.19-2
 - Type:bufix
 - ID:NA
 - SUG:NA
 - DESC:fix fuzz test from open source community
 * Thu Jan 28 2021 zhanzhimin <zhanzhimin@huawei.com> - 0.19-1
 - update to 0.19