From 2dedc54653165c045db03d093fd45c26a6d50e66 Mon Sep 17 00:00:00 2001
From: dowzyx
Date: Sat, 27 Mar 2021 14:57:44 +0800
Subject: [PATCH] fix fuzz test from open source community
---
 ...-casts-to-silence-a-compiler-warning.patch | 26 ++++++
 ...t-searching-for-a-marker-in-a-stream.patch | 82 +++++++++++++++++++
 jbig2dec.spec | 11 ++-
 3 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100755 backprot-add-casts-to-silence-a-compiler-warning.patch
 create mode 100755 backprot-searching-for-a-marker-in-a-stream.patch
diff --git a/backprot-add-casts-to-silence-a-compiler-warning.patch b/backprot-add-casts-to-silence-a-compiler-warning.patch
new file mode 100755
index 0000000..f6fbbe4
--- /dev/null
+++ b/backprot-add-casts-to-silence-a-compiler-warning.patch
@@ -0,0 +1,26 @@
+From d8294b25104e9033408c18b68567281ae8e9d5e0 Mon Sep 17 00:00:00 2001
+From: Sebastian Rasmussen
+Date: Sat, 7 Nov 2020 00:33:46 +0800
+Subject: [PATCH] jbig2dec: Add casts to silence a compiler warning.
+
+---
+ jbig2_image.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 2cb1e14..19eef22 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -347,8 +347,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ if (src == NULL)
+ return 0;
+
+- if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
+- (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++ if ((UINT32_MAX - src->width < (uint32_t) (x > 0 ? x : -x)) ||
++ (UINT32_MAX - src->height < (uint32_t) (y > 0 ? y : -y)))
+ {
+ #ifdef JBIG2_DEBUG
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, JBIG2_UNKNOWN_SEGMENT_NUMBER, "overflow in compose_image");
+--
+2.27.0
diff --git a/backprot-searching-for-a-marker-in-a-stream.patch b/backprot-searching-for-a-marker-in-a-stream.patch
new file mode 100755
index 0000000..d36ae7d
--- /dev/null
+++ b/backprot-searching-for-a-marker-in-a-stream.patch
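Review bot: The added `(uint32_t)` cast sits outside the negation, so for `x == INT_MIN` (and likewise `y`) the `-x` on the two changed lines still overflows a signed int before the cast and is undefined behaviour; the cast only removes the signed/unsigned comparison warning, which is what a UBSan-driven fuzz run would still report. Computing the magnitude in unsigned arithmetic avoids the overflow, e.g. `(x < 0 ? 0u - (uint32_t) x : (uint32_t) x)` in place of `(uint32_t) (x > 0 ? x : -x)`, and the same for `y`. The body of jbig2_image_compose continues outside the hunk, so whether x and y are already range-limited by the caller cannot be seen here.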
@@ -0,0 +1,82 @@
+From f93f613aa9873026ccf7b0d625eb86c27b6b42b9 Mon Sep 17 00:00:00 2001
+From: Chris Liddell
+Date: Thu, 1 Oct 2020 15:58:25 +0100
+Subject: [PATCH] Searching for a marker in a stream, honor alignment
+
+When searching for markers in a stream buffer, we were "seeking" to the point
+in the buffer, and casting to either a byte, ushort or a uint to make the
+value comparison. But we cannot do that on SPARC because of the strict
+alignment on that hardware.
+
+So, we have to "unpack" the individual bytes from the stream to do the value
+comparison.
+
+Note: there are slightly confusing comments in the code that mention being
+"on a 16 bit boundary" and "on a 32 bit boundary" - that's referring to the
+offset into the buffer, *not* the actual memory address alignment.
+
+Found in testing on Solaris/SPARC
+---
+ jbig2_mmr.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/jbig2_mmr.c b/jbig2_mmr.c
+index 578754c..5c39903 100644
+--- a/jbig2_mmr.c
++++ b/jbig2_mmr.c
+@@ -744,6 +744,16 @@ const mmr_table_node jbig2_mmr_black_decode[] = {
+
+ #define getbit(buf, x) ( ( buf[x >> 3] >> ( 7 - (x & 7) ) ) & 1 )
+
++/* On platforms that enforce aligned memory accesses, we can't just
++ * cast the byte * to the type of object we are accessing, we have
++ unpack the requisite number of bytes, and deal with it that way.
++ * Note that the comments below about being 16/32 bit boundaries
++ * is referring to offsets into the byte stream, *not* memory
++ * addresses.
++ */
++#define getword16(b) ((uint16_t)(b[0] | (b[1] << 8)))
++#define getword32(b) ((uint32_t)(getword16(b) | (getword16((b + 2)) << 16)))
++
+ static uint32_t
+jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ {
+@@ -817,7 +827,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ if (w - x < 16) {
+ goto check8;
+ }
+- if ( ((uint16_t*) line)[ x / 16] != all16) {
++ if ( getword16((line + (x / 8))) != all16) {
+ goto check8_no_eof;
+ }
+ x += 16; /* This will make x a multiple of 32. */
+@@ -835,7 +845,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ look at the next uint16, then uint8, then last 8 bits. */
+ goto check16;
+ }
+- if (((uint32_t*) line)[x/32] != all32) {
++ if ( getword32((line + (x / 8))) != all32) {
+ goto check16_no_eof;
+ }
+ x += 32;
+@@ -849,7 +859,7 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ }
+ check16_no_eof:
+ assert(w - x >= 16);
+- if ( ((uint16_t*) line)[x/16] != all16) {
++ if ( getword16((line + (x / 8))) != all16) {
+ goto check8_no_eof;
+ }
+ x += 16;
+@@ -890,6 +900,9 @@ jbig2_find_changing_element(const byte *line, uint32_t x, uint32_t w)
+ return x;
+ }
+
++#undef getword16
++#undef getword32
++
+ static uint32_t
+jbig2_find_changing_element_of_color(const byte *line, uint32_t x, uint32_t w, int color)
+ {
+--
+2.27.0
diff --git a/jbig2dec.spec b/jbig2dec.spec
index 10e5647..f472105 100644
--- a/jbig2dec.spec
+++ b/jbig2dec.spec
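Review bot: In the new `getword32` macro the operand of `<< 16` is `getword16(...)`, whose `uint16_t` result promotes to a signed int, so whenever the upper half-word is 0x8000 or above (for instance the all-ones run the comparison against `all32` presumably looks for) the shifted value no longer fits in an int and the shift is undefined behaviour under C11 6.5.7p4 — the kind of finding a UBSan fuzz run reports even though the code "works" on two's-complement targets. Casting before the shift fixes it: `#define getword32(b) ((uint32_t)getword16(b) | ((uint32_t)getword16((b) + 2) << 16))`, and `getword16` would conventionally parenthesise its parameter too, `((uint16_t)((b)[0] | ((b)[1] << 8)))`, rather than relying on the double parentheses at the call sites. One more thing worth a comment on the macro: the removed `(uint16_t*) line` loads were native-endian while `getword16` assembles little-endian, which is only equivalent if `all16`/`all32` are byte-symmetric patterns (all zeros or all ones); their definitions are not in the hunk, so that assumption should be confirmed and stated. The body of jbig2_find_changing_element lies mostly outside these hunks.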
@@ -1,12 +1,15 @@ Name: jbig2dec Version: 0.19 -Release: 1 +Release: 2 Summary: A decoder implementation of the JBIG2 image compression format. License: AGPLv3+ URL: https://jbig2dec.com/ Source0: https://github.com/ArtifexSoftware/jbig2dec/archive/%{version}.tar.gz +Patch0: backprot-add-casts-to-silence-a-compiler-warning.patch +Patch1: backprot-searching-for-a-marker-in-a-stream.patch + BuildRequires: gcc libtool chrpath Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -62,6 +65,12 @@ echo "/usr/lib64" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{_mandir}/man1/%{name}.1* %changelog +* Sat Mar 27 2021 dowzyx - 0.19-2 +- Type:bufix +- ID:NA +- SUG:NA +- DESC:fix fuzz test from open source community + * Thu Jan 28 2021 zhanzhimin - 0.19-1 - update to 0.19
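Review bot: The first hunk declares `Patch0:` and `Patch1:` but no `%prep` change is visible in this diff, so unless `%prep` already uses `%autosetup` (or an equivalent that applies every declared patch) the two backports are never applied and the build output would be unchanged — worth confirming in the part of the spec not shown. Separately, the file headers add both patch files with mode 100755; a patch is data consumed by rpmbuild, not a script, so `100644` is the expected mode and keeps the executable bit off a file that is never meant to run.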