File zbar-CVE-2023-40890.patch of Package zbar.31954

Overview Repositories Revisions Requests Users Attributes Meta

File zbar-CVE-2023-40890.patch of Package zbar.31954

https://salsa.debian.org/debian/zbar/-/blob/master/debian/patches/0004-Add-bounds-check-for-CVE-2023-40890.patch
Index: zbar-0.23.1/zbar/decoder/databar.c
===================================================================
--- zbar-0.23.1.orig/zbar/decoder/databar.c
+++ zbar-0.23.1/zbar/decoder/databar.c
@@ -23,6 +23,8 @@
 
 #include <config.h>
 #include <zbar.h>
+#include <stdlib.h>
+#include <stdio.h>
 
 #ifdef DEBUG_DATABAR
 # define DEBUG_LEVEL (DEBUG_DATABAR)
@@ -663,10 +665,11 @@ match_segment (zbar_decoder_t *dcode,
     return(ZBAR_DATABAR);
 }
 
-static inline unsigned
+static inline signed
 lookup_sequence (databar_segment_t *seg,
                  int fixed,
-                 int seq[22])
+                 int seq[22],
+                 const size_t maxsize)
 {
     unsigned n = seg->data / 211, i;
     const unsigned char *p;
@@ -676,6 +679,13 @@ lookup_sequence (databar_segment_t *seg,
     dbprintf(2, " {%d,%d:", i, n);
     p = exp_sequences + i;
 
+    if (n >= maxsize-1) {
+	// The loop below checks i<n and increments i by one within the loop
+	// when accessing seq[22]. For this to be safe, n needs to be < 21.
+	// See CVE-2023-40890.
+	return -1;
+    }
+
     fixed >>= 1;
     seq[0] = 0;
     seq[1] = 1;
@@ -755,10 +765,15 @@ match_segment_exp (zbar_decoder_t *dcode
             }
 
             if(!i) {
-                if(!lookup_sequence(seg, fixed, seq)) {
+                signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
+                if(!lu) {
                     dbprintf(2, "[nf]");
                     continue;
                 }
+                if(lu < 0) {
+                    dbprintf(1, " [aborted]\n");
+                    goto abort;
+                }
                 width = seg->width;
                 dbprintf(2, " A00@%d", j);
             }
@@ -829,6 +844,8 @@ match_segment_exp (zbar_decoder_t *dcode
     dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
     dcode->modifiers = MOD(ZBAR_MOD_GS1);
     return(ZBAR_DATABAR_EXP);
+abort:
+    return (ZBAR_NONE);
 }
 #undef IDX

Places

File zbar-CVE-2023-40890.patch of Package zbar.31954

Places