$NetBSD: patch-aa,v 1.4.2.2 2009/04/17 21:43:51 spz Exp $

Patch for CVE-2009-0196 taken from Redhat's Bugzilla:

https://bugzilla.redhat.com/attachment.cgi?id=337747

--- jbig2dec/jbig2_symbol_dict.c.orig	2007-12-11 08:29:58.000000000 +0000
+++ jbig2dec/jbig2_symbol_dict.c	2009-04-14 20:19:01.000000000 +0100
@@ -699,6 +699,15 @@
         exrunlength = params->SDNUMEXSYMS;
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+      if (exrunlength > params->SDNUMEXSYMS - j) {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+          "runlength too large in export symbol table (%d > %d - %d)\n",
+          exrunlength, params->SDNUMEXSYMS, j);
+        jbig2_sd_release(ctx, SDEXSYMS);
+        /* skip to the cleanup code and return SDEXSYMS = NULL */
+        SDEXSYMS = NULL;
+        break;
+      }
       for(k = 0; k < exrunlength; k++)
         if (exflag) {
           SDEXSYMS->glyphs[j++] = (i < m) ? 
