add patches for CVE-2023-40890 and CVE-2023-40889

Craig Raw 2024-07-16 11:52:14 +02:00
parent d2272a4bf3
commit 0d66020f73
2 changed files with 21 additions and 5 deletions


@ -23,6 +23,8 @@
#include "config.h"
#include <zbar.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef DEBUG_DATABAR
#define DEBUG_LEVEL (DEBUG_DATABAR)
@ -626,8 +628,8 @@ static inline zbar_symbol_type_t match_segment(zbar_decoder_t *dcode,
return (ZBAR_DATABAR);
}
static inline unsigned lookup_sequence(databar_segment_t *seg, int fixed,
int seq[22])
static inline signed lookup_sequence(databar_segment_t *seg, int fixed,
int seq[22], const size_t maxsize)
{
unsigned n = seg->data / 211, i;
const unsigned char *p;
@ -637,6 +639,13 @@ static inline unsigned lookup_sequence(databar_segment_t *seg, int fixed,
dbprintf(2, " {%d,%d:", i, n);
p = exp_sequences + i;
if (n >= maxsize-1) {
// The loop below checks i<n and increments i by one within the loop
// when accessing seq[22]. For this to be safe, n needs to be < 21.
// See CVE-2023-40890.
return -1;
}
fixed >>= 1;
seq[0] = 0;
seq[1] = 1;
@ -714,10 +723,15 @@ match_segment_exp(zbar_decoder_t *dcode, databar_segment_t *seg, int dir)
}
if (!i) {
if (!lookup_sequence(seg, fixed, seq)) {
signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
if(!lu) {
dbprintf(2, "[nf]");
continue;
}
if(lu < 0) {
dbprintf(1, " [aborted]\n");
goto abort;
}
width = seg->width;
dbprintf(2, " A00@%d", j);
} else {
@ -787,6 +801,8 @@ match_segment_exp(zbar_decoder_t *dcode, databar_segment_t *seg, int dir)
dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
dcode->modifiers = MOD(ZBAR_MOD_GS1);
return (ZBAR_DATABAR_EXP);
abort:
return (ZBAR_NONE);
}
#undef IDX
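Review bot: The new guard in lookup_sequence, `if (n >= maxsize-1)`, is placed after `p = exp_sequences + i;`, so the table pointer is still formed before the function rejects the input, and nothing in the visible lines range-checks `i` first. `maxsize-1` is also a `size_t` expression that wraps to a huge value if a caller ever passes 0, which would silently disable the check. Hoisting the test above the pointer computation and writing it as `if (maxsize < 2 || n >= maxsize - 1) return -1;` avoids both. The function now has three outcomes that the caller distinguishes (`lu < 0`, `!lu`, otherwise), but no comment on the signature says so; a header line such as `/* returns <0 if the sequence would not fit in seq, 0 if not found, >0 on match */` would help, assuming the non-negative returns keep their earlier meaning, since the return statement is outside the hunks shown. The `sizeof(seq)/sizeof(seq[0])` at the call site is only correct if `seq` is a true array in match_segment_exp; its declaration is not in the hunk.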


@ -4238,8 +4238,8 @@ void qr_reader_match_centers(qr_reader *_reader, qr_code_data_list *_qrlist,
/*TODO: We might be able to accelerate this step significantly by
considering the remaining finder centers in a more intelligent order,
based on the first finder center we just chose.*/
for (j = i + 1; !mark[i] && j < _ncenters; j++) {
for (k = j + 1; !mark[j] && k < _ncenters; k++)
for (j = i + 1; i < _ncenters && !mark[i] && j < _ncenters; j++) {
for (k = j + 1; j < _ncenters && !mark[j] && k < _ncenters; k++)
if (!mark[k]) {
qr_finder_center *c[3];
qr_code_data qrdata;
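Review bot: The two added tests, `i < _ncenters` and `j < _ncenters`, carry no comment, and from the hunk alone the second looks redundant on first entry, because the outer condition has just established `j < _ncenters`. They only matter if the loop body changes `i`, `j` or `_ncenters` between iterations, and that code is outside the lines shown. The other file in this commit explains its guard and names the CVE; the same is worth doing here, for example `/* i and j may be >= _ncenters once the body has run; test before indexing mark[] (presumably CVE-2023-40889). */`, with the wording matched to what the body actually does. The fix also relies on `&&` short-circuiting to keep the index test ahead of the `mark[]` read, which a comment should state so a later reordering does not undo it.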