1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
|
From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 1 Apr 2021 09:37:58 -0400
Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252
Fix JPEG error handling (Issue #415)
Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
Bug: https://github.com/michaelrsweet/htmldoc/issues/412
Bug: https://github.com/michaelrsweet/htmldoc/issues/414
Bug: https://github.com/michaelrsweet/htmldoc/issues/415
Bug-Debian: https://bugs.debian.org/989437
---
htmldoc/file.c | 9 ++++++++-
htmldoc/image.cxx | 38 +++++++++++++++++++++++++++++++-------
htmldoc/ps-pdf.cxx | 5 +++++
3 files changed, 44 insertions(+), 8 deletions(-)
diff --git a/htmldoc/file.c b/htmldoc/file.c
index 20229c1..9f017de 100644
--- a/htmldoc/file.c
+++ b/htmldoc/file.c
@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename) /* I - Filename */
for (i = web_files, wc = web_cache; i > 0; i --, wc ++)
+ {
if (!strcmp(wc->name, filename))
- return (wc->url);
+ {
+ if (!strncmp(wc->url, "data:", 5))
+ return ("data URL");
+ else
+ return (wc->url);
+ }
+ }
return (filename);
}
diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
index 8f53050..74abfac 100644
--- a/htmldoc/image.cxx
+++ b/htmldoc/image.cxx
@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img, /* I - Image pointer */
}
+typedef struct hd_jpeg_err_s // JPEG error manager extension
+{
+ struct jpeg_error_mgr jerr; // JPEG error manager information
+ jmp_buf retbuf; // setjmp() return buffer
+ char message[JMSG_LENGTH_MAX];
+ // Last error message
+} hd_jpeg_err_t;
+
+
/*
* 'image_load_jpeg()' - Load a JPEG image file.
*/
@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img, /* I - Image pointer */
int load_data)/* I - 1 = load image data, 0 = just info */
{
struct jpeg_decompress_struct cinfo; /* Decompressor info */
- struct jpeg_error_mgr jerr; /* Error handler info */
- JSAMPROW row; /* Sample row pointer */
+ hd_jpeg_err_t jerr; // JPEG error handler
+JSAMPROW row; /* Sample row pointer */
- jpeg_std_error(&jerr);
- jerr.error_exit = jpeg_error_handler;
+ jpeg_std_error(&jerr.jerr);
+ jerr.jerr.error_exit = jpeg_error_handler;
- cinfo.err = &jerr;
+ if (setjmp(jerr.retbuf))
+ {
+ progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message, file_rlookup(img->filename));
+ jpeg_destroy_decompress(&cinfo);
+ return (-1);
+ }
+
+ cinfo.err = (struct jpeg_error_mgr *)&jerr;
jpeg_create_decompress(&cinfo);
jpeg_stdio_src(&cinfo, fp);
jpeg_read_header(&cinfo, (boolean)1);
@@ -1797,9 +1813,17 @@ image_unload(image_t *img) // I - Image
*/
static void
-jpeg_error_handler(j_common_ptr)
+jpeg_error_handler(j_common_ptr p) // Common JPEG data
{
- return;
+ hd_jpeg_err_t *jerr = (hd_jpeg_err_t *)p->err;
+ // JPEG error handler
+
+
+ // Save the error message in the string buffer...
+ (jerr->jerr.format_message)(p, jerr->message);
+
+ // Return to the point we called setjmp()...
+ longjmp(jerr->retbuf, 1);
}
diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
index af1a55e..499f487 100644
--- a/htmldoc/ps-pdf.cxx
+++ b/htmldoc/ps-pdf.cxx
@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page) /* I - Page number */
DEBUG_printf(("pspdf_prepare_page(%d)\n", page));
+ if (page < 0 || page >= num_pages)
+ return;
/*
* Make a page number; use roman numerals for the table of contents
@@ -12258,6 +12260,9 @@ write_trailer(FILE *out, /* I - Output file */
for (j = 1; j <= TocDocCount; j ++)
{
+ if (chapter_starts[j] < 0)
+ continue;
+
page = pages + chapter_starts[j];
start = chapter_starts[j] - chapter_starts[1] + 1;
type = 'D';
|