From b1f656596c7035cfaa96affa344522031a8e6498 Mon Sep 17 00:00:00 2001
From: Kevin Mihelich
Date: Thu, 9 May 2024 02:31:10 +0000
Subject: [PATCH] extra/jbigkit to 2.1-8
---
 extra/jbigkit/.SRCINFO | 24 ++++
 extra/jbigkit/.nvchecker.toml | 4 +
 ...-s-maxmem-maximum-decoded-image-size.patch | 113 ++++++++++++++++++
 ...-for-end-of-file-within-MARKER_NEWLE.patch | 28 +++++
 extra/jbigkit/PKGBUILD | 68 +++++------
 5 files changed, 202 insertions(+), 35 deletions(-)
 create mode 100644 extra/jbigkit/.SRCINFO
 create mode 100644 extra/jbigkit/.nvchecker.toml
 create mode 100644 extra/jbigkit/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch
 create mode 100644 extra/jbigkit/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch
diff --git a/extra/jbigkit/.SRCINFO b/extra/jbigkit/.SRCINFO
new file mode 100644
index 000000000..2a0f2a3fe
--- /dev/null
+++ b/extra/jbigkit/.SRCINFO
@@ -0,0 +1,24 @@
+pkgbase = jbigkit
+ pkgdesc = Data compression library/utilities for bi-level high-resolution images
+ pkgver = 2.1
+ pkgrel = 8
+ url = https://www.cl.cam.ac.uk/~mgk25/jbigkit/
+ arch = x86_64
+ license = GPL-2.0-or-later
+ depends = glibc
+ source = https://www.cl.cam.ac.uk/~mgk25/download/jbigkit-2.1.tar.gz
+ source = jbigkit-2.1-shared_lib.patch
+ source = jbigkit-2.1-build_warnings.patch
+ source = jbigkit-2.1-ldflags.patch
+ source = jbigkit-2.1-coverity.patch
+ source = 0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch
+ source = 0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch
+ sha256sums = de7106b6bfaf495d6865c7dd7ac6ca1381bd12e0d81405ea81e7f2167263d932
+ sha256sums = cb404e8c1d67d0788368a58f2c3da83bcf5c7049139461b16c144d1018e83174
+ sha256sums = e9616f9eccfa567738b0c470708d60b086b4e0c5c6017449c7f09d0ba9335e28
+ sha256sums = dc44325606c1c22f075e87e81091fbf1543c6792dda311c071b0d50d7786ff17
+ sha256sums = 6abe6e18d830e811ff6d386e899f9a6bce1da7f5ed5613930e8e0c79d16c52ea
+ sha256sums = 6dcddabc07864435a3c65227309e43cb66c27e08cb33851d7a7ef123fda08e29
+ sha256sums = bc3924f03446dba996a192deab7c4dddd1293ef2bcc7aef61edcbc3223fc10a0
+
+pkgname = jbigkit
diff --git a/extra/jbigkit/.nvchecker.toml b/extra/jbigkit/.nvchecker.toml
new file mode 100644
index 000000000..620c2fd93
--- /dev/null
+++ b/extra/jbigkit/.nvchecker.toml
@@ -0,0 +1,4 @@
+[jbigkit]
+source = "regex"
+url = "https://www.cl.cam.ac.uk/~mgk25/jbigkit/download/"
+regex = "jbigkit-([^\"]*).tar.gz"
diff --git a/extra/jbigkit/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch b/extra/jbigkit/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch
new file mode 100644
index 000000000..dbc20d2a3
--- /dev/null
+++ b/extra/jbigkit/0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch
@@ -0,0 +1,113 @@
+From bc3293299bc4981e83b7f37f3615a6b9b27b6837 Mon Sep 17 00:00:00 2001
+From: Markus Kuhn
+Date: Mon, 3 Aug 2020 21:09:39 +0100
+Subject: [PATCH 13/15] new jbig.c limit s->maxmem: maximum decoded image size
+ (default: 2 GB)
+
+this helps users to reduce denial-of-service risks, as in CVE-2017-9937
+---
+ CHANGES | 9 +++++++++
+ libjbig/jbig.c | 5 +++++
+ libjbig/jbig.h | 2 ++
+ libjbig/jbig.txt | 39 ++++++++++++++++++++++++++++-----------
+ 4 files changed, 44 insertions(+), 11 deletions(-)
+
+diff --git a/libjbig/jbig.c b/libjbig/jbig.c
+index fe54946..e9938e5 100644
+--- a/libjbig/jbig.c
++++ b/libjbig/jbig.c
+@@ -2051,6 +2051,7 @@ void jbg_dec_init(struct jbg_dec_state *s)
+ s->xmax = 4294967295UL;
+ s->ymax = 4294967295UL;
+ s->dmax = 256;
++ s->maxmem = 2000000000; /* no final image larger than 2 GB by default */
+ s->s = NULL;
+
+ return;
+@@ -2640,6 +2641,10 @@ int jbg_dec_in(struct jbg_dec_state *s, unsigned char *data, size_t len,
+ return JBG_EIMPL | 5;
+ s->options = s->buffer[19];
+
++ /* will the final image require more bytes than permitted by s->maxmem? */
++ if (s->maxmem / s->planes / s->yd / jbg_ceil_half(s->xd, 3) == 0)
++ return JBG_ENOMEM; /* increase s->maxmem if needed */
++
+ /* calculate number of stripes that will be required */
+ s->stripes = jbg_stripes(s->l0, s->yd, s->d);
+
+diff --git a/libjbig/jbig.h b/libjbig/jbig.h
+index 81c1adc..2577399 100644
+--- a/libjbig/jbig.h
++++ b/libjbig/jbig.h
+@@ -181,6 +181,8 @@ struct jbg_dec_state {
+ unsigned long xmax, ymax; /* if possible abort before image gets *
+ * larger than this size */
+ int dmax; /* abort after this layer */
++ size_t maxmem; /* return JBG_ENOMEM if final image layer D
++ would require more than maxmem bytes */
+ };
+
+
+diff --git a/libjbig/jbig.txt b/libjbig/jbig.txt
+index 70ca464..4547b12 100644
+--- a/libjbig/jbig.txt
++++ b/libjbig/jbig.txt
+@@ -2,7 +2,7 @@
+ Using the JBIG-KIT library
+ --------------------------
+
+-Markus Kuhn -- 2013-09-10
++Markus Kuhn -- 2020-08-03
+
+
+ This text explains how to use the functions provided by the JBIG-KIT
+@@ -735,19 +735,36 @@ None of the above limitations can be exceeded by a JBIG data stream
+ that conforms to the ITU-T T.85 application profile for the use of
+ JBIG1 in fax machines.
+
+-The current implementation of the jbig.c decoder does not impose any
+-limits on the image size that it will process, as long as malloc() is
+-able to allocate enough heap space for the resulting bitmaps. The only
+-exception is that jbg_dec_in() will return "Input data stream uses
++The maximum image size that a BIE header (BIH) can indicate is X_D =
++2^32-1 pixels wide, Y_D = 2^32-1 lines high, with P = 255 bits per
++pixel. Such an image would, in uncompressed form, require about 588
++exabytes. Once jbg_dec_in() has received the 20-byte long BIH at the
++start of the BIE, it will call malloc() to allocate enough memory to
++hold the uncompressed image planes. Users may, therefore, want to
++defend their application against excessive image-size parameters in a
++received BIH, by checking X_D, Y_D, and P against appropriate safety
++limits before handing over the BIE header to jbg_dec_in(). BIE headers
++indicating too large images might be abused for denial of service
++attacks, to exhaust the memory of a system (e.g., CVE-2017-9937). To
++manage this risk, the jbig.c decoder will now, by default, return "Not
++enough memory available" (JBG_ENOMEM) if the resulting final image
++layer would occupy more than 2 gigabytes. Users can adjust this limit
++by changing sd->maxmem right after having called jbg_dec_init(&sd).
++The actual amount of memory allocated with malloc() calls during the
++decoding process is somewhat higher (at least 25%) than the limit set
++in sd->maxmem, as the decoder requires additional heap memory that
++depends on the image dimensions.
++
++The jbg_dec_in() function will return "Input data stream uses
+ unimplemented JBIG features" (JBG_EIMPL | 1) if Y_D equals 0xffffffff,
+ which is an extreme value commonly used to encode images according to
+ ITU-T T.85 where the height was unknown when the BIH was emitted.
+-After jbg_dec_in() received the 20-byte long BIH at the start of the
+-BIE, it will malloc() to allocate enough memory to hold the requested
+-image planes and layers. If you want to defend your application
+-against excessive image-size parameters in a received BIH, then do
+-make sure that you check X_D, Y_D, and P against appropriate safety
+-limits before handing over the BIH to jbg_dec_in().
++
++All malloc(), realloc() and free() functions called by jbig.c are
++wrapped by the functions checked_malloc(), checked_realloc() and
++checked_free(). These simply call abort() when memory allocation
++fails. Developpers of embedded systems may want to replace them with
++alternative forms of exception handling.
+
+ There are two more limitations of the current implementation of the
+ jbig.c decoder that might cause problems with processing JBIG data
+--
+2.45.0
+
diff --git a/extra/jbigkit/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch b/extra/jbigkit/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch
new file mode 100644
index 000000000..1afffaa74
--- /dev/null
+++ b/extra/jbigkit/0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch
@@ -0,0 +1,28 @@
+From 7d3c1bea895d910907e2501fe9165e353eceabae Mon Sep 17 00:00:00 2001
+From: Markus Kuhn
+Date: Mon, 15 Feb 2021 18:27:47 +0000
+Subject: [PATCH 15/15] jbg_newlen(): check for end-of-file within
+ MARKER_NEWLEN
+
+fixes https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969593
+reported by Casper Sun
+---
+ libjbig/jbig.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libjbig/jbig.c b/libjbig/jbig.c
+index e9938e5..289b6d8 100644
+--- a/libjbig/jbig.c
++++ b/libjbig/jbig.c
+@@ -3272,6 +3272,8 @@ int jbg_newlen(unsigned char *bie, size_t len)
+ else if (p[0] == MARKER_ESC)
+ switch (p[1]) {
+ case MARKER_NEWLEN:
++ if (p + 5 >= bie + len)
++ return JBG_EAGAIN;
+ y = (((long) bie[ 8] << 24) | ((long) bie[ 9] << 16) |
+ ((long) bie[10] << 8) | (long) bie[11]);
+ yn = (((long) p[2] << 24) | ((long) p[3] << 16) |
+--
+2.45.0
+
diff --git a/extra/jbigkit/PKGBUILD b/extra/jbigkit/PKGBUILD
index 078ca28db..ffaf97d42 100644
--- a/extra/jbigkit/PKGBUILD
+++ b/extra/jbigkit/PKGBUILD
@@ -1,4 +1,4 @@
-# Maintainer:
+# Maintainer: Balló György
 # Contributor: Sergej Pupykin
 # Contributor: Angel 'angvp' Velasquez
 # Contributor: Frank Ickstadt (frank dot ickstadt at gmail dot com)
@@ -8,54 +8,52 @@
 pkgname=jbigkit
 pkgver=2.1
-pkgrel=7
-pkgdesc="Data compression library/utilities for bi-level high-resolution images"
-arch=(x86_64)
-url="https://www.cl.cam.ac.uk/~mgk25/jbigkit/"
-license=(GPL-2.0-or-later)
-depends=(glibc)
-provides=(
- libjbig85.so
- libjbig.so
-)
-source=(
- https://www.cl.cam.ac.uk/~mgk25/download/$pkgname-$pkgver.tar.gz
- $pkgname-2.1-shared_lib.patch
- $pkgname-2.1-build_warnings.patch
- $pkgname-2.1-ldflags.patch
- $pkgname-2.1-coverity.patch
-)
-sha512sums=('c4127480470ef90db1ef3bd2caa444df10b50ed8df0bc9997db7612cb48b49278baf44965028f1807a21028eb965d677e015466306b44683c4ec75a23e1922cf'
- '9f46ee24f8b5eb57935c9b2cd9bd3d61b422c2352143c59a68adee8880511dd0bba0a057f0ed070dd0111c9eb0504df060343261c824c5a5734c06a1aedb14c8'
- '9be32ccec414de5c5de7d508ff14e1f1f3a40f81a2de252ca66e0f2844a8546d353d6a7abe36895ac798816165b2c5d8a9d043ea3f0c832fecdd9170dd6f92bf'
- 'fb0c1f35ba5469dd4f7f6bd2a933d3484191d2ecd8367ea865fd2396bc99825b3afa7fcd09fbf8e841acbf92ed01cf743a83df7991e7e03f9e6cf8fbe0925ae6'
- '10f4f154c4f824c9361266f27bea231b35ed4cac680587c8659b6e12c0c06141f04a22cf72dd847abcb833578d25dfe5142d10d757f8c14c70d943c8eb3d5612')
-b2sums=('7bd82f0e10a2d3794739ee85b77c5407d58753a00e014e937735f9af3043347de88a6e567609bc26de488887a6d61b0a162387fb72732b9be7e550e3f9b9539e'
- '52c5f7384f499e15a636b8e0089153750ac02da4ac850260a3243ee06d1194133f1264abc3457e52c5a15ee1a4bfad0b31042975d80273bf741b75e634845745'
- '6114609e5186e5fae1678de00f8c7336970c18923d3d3c01fbc431e95387bfe5696fe7914947ea3903c972eb54dfd24efe0d9ac3c7f4512de26f6ab138ce590c'
- 'a8e36381543c0f701a589c115577da2509f02f3002926ab86b62e29e9f8a12db65b5d56387a61aa7a053e49d59e79e968c477ce096c73aa24ad3f94e28dff6b5'
- '2650020ba8ef433a3b935917297c034f01f0296a2a7c9c23c47521b823cc79ac32df8a3695f57e885b91604b138fedc1fcfea1cda8d2a79e9fd3c9680f0c06a8')
+pkgrel=8
+pkgdesc='Data compression library/utilities for bi-level high-resolution images'
+arch=('x86_64')
+url='https://www.cl.cam.ac.uk/~mgk25/jbigkit/'
+license=('GPL-2.0-or-later')
+depends=('glibc')
+source=("https://www.cl.cam.ac.uk/~mgk25/download/$pkgname-$pkgver.tar.gz"
+ 'jbigkit-2.1-shared_lib.patch'
+ 'jbigkit-2.1-build_warnings.patch'
+ 'jbigkit-2.1-ldflags.patch'
+ 'jbigkit-2.1-coverity.patch'
+ '0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch'
+ '0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch')
+sha256sums=('de7106b6bfaf495d6865c7dd7ac6ca1381bd12e0d81405ea81e7f2167263d932'
+ 'cb404e8c1d67d0788368a58f2c3da83bcf5c7049139461b16c144d1018e83174'
+ 'e9616f9eccfa567738b0c470708d60b086b4e0c5c6017449c7f09d0ba9335e28'
+ 'dc44325606c1c22f075e87e81091fbf1543c6792dda311c071b0d50d7786ff17'
+ '6abe6e18d830e811ff6d386e899f9a6bce1da7f5ed5613930e8e0c79d16c52ea'
+ '6dcddabc07864435a3c65227309e43cb66c27e08cb33851d7a7ef123fda08e29'
+ 'bc3924f03446dba996a192deab7c4dddd1293ef2bcc7aef61edcbc3223fc10a0')
 prepare() {
+ cd $pkgname-$pkgver
 # instead of a static library, create a shared library
- patch -Np1 -d $pkgname-$pkgver -i ../$pkgname-2.1-shared_lib.patch
+ patch -Np1 -i ../jbigkit-2.1-shared_lib.patch
 # fix build warnings
- patch -Np1 -d $pkgname-$pkgver -i ../$pkgname-2.1-build_warnings.patch
+ patch -Np1 -i ../jbigkit-2.1-build_warnings.patch
 # apply distribution LDFLAGS
- patch -Np1 -d $pkgname-$pkgver -i ../$pkgname-2.1-ldflags.patch
+ patch -Np1 -i ../jbigkit-2.1-ldflags.patch
 # fix coverity issues
- patch -Np1 -d $pkgname-$pkgver -i ../$pkgname-2.1-coverity.patch
+ patch -Np1 -i ../jbigkit-2.1-coverity.patch
+ # security fixes from upstream
+ patch -Np1 -i ../0013-new-jbig.c-limit-s-maxmem-maximum-decoded-image-size.patch
+ patch -Np1 -i ../0015-jbg_newlen-check-for-end-of-file-within-MARKER_NEWLE.patch
 }
 build() {
+ cd $pkgname-$pkgver
 CFLAGS+=" -fPIC"
- export EXTRA_CFLAGS="$CFLAGS"
- make -C $pkgname-$pkgver
+ make EXTRA_CFLAGS="$CFLAGS"
 }
 check() {
+ cd $pkgname-$pkgver
 # NOTE: tests can not be parallelized
- make test -C $pkgname-$pkgver -j1
+ make test -j1
 }
 package() {
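Review bot: The `# security fixes from upstream` comment in prepare() does not identify which issues the two new patches close, so a later version bump has no in-file record of what must not be dropped; the patch headers in this commit name CVE-2017-9937 and Debian bug 969593, and the comment could carry them, e.g. `# upstream security fixes: CVE-2017-9937 (decoder maxmem cap), Debian #969593 (jbg_newlen end-of-input check)`. Only patches 13/15 and 15/15 of the upstream series are carried, and a short note on why the others are not needed would help the next maintainer. The new side also drops `provides=(libjbig85.so libjbig.so)` and replaces the sha512sums/b2sums arrays with sha256sums alone; if any dependent package resolves against those sonames this looks like a regression, so it is worth confirming before release. The 0013 patch only sets a 2 GB default for `maxmem`, and its own documentation says real allocation runs at least 25% above the cap, so consumers that parse untrusted JBIG data still need to lower the limit themselves.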