File zbar-CVE-2023-40890.patch of Package zbar.31954
https://salsa.debian.org/debian/zbar/-/blob/master/debian/patches/0004-Add-bounds-check-for-CVE-2023-40890.patch
Index: zbar-0.23.1/zbar/decoder/databar.c
===================================================================
--- zbar-0.23.1.orig/zbar/decoder/databar.c
+++ zbar-0.23.1/zbar/decoder/databar.c
@@ -23,6 +23,8 @@
#include <config.h>
#include <zbar.h>
+#include <stdlib.h>
+#include <stdio.h>
#ifdef DEBUG_DATABAR
# define DEBUG_LEVEL (DEBUG_DATABAR)
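Review bot: Neither `<stdlib.h>` nor `<stdio.h>` is visibly used by the rest of this patch; the only new name the change depends on is `size_t` for the added `maxsize` parameter, which `<stddef.h>` provides directly. If `size_t` is the reason, `#include <stddef.h>` states the dependency more precisely and avoids pulling extra declarations into the decoder. If the two headers are needed for something not shown here, a one-line comment above them saying what would save the next reader the search.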
@@ -663,10 +665,11 @@ match_segment (zbar_decoder_t *dcode,
return(ZBAR_DATABAR);
}
-static inline unsigned
+static inline signed
lookup_sequence (databar_segment_t *seg,
int fixed,
- int seq[22])
+ int seq[22],
+ const size_t maxsize)
{
unsigned n = seg->data / 211, i;
const unsigned char *p;
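Review bot: The return type changes from `unsigned` to `signed` so that -1 can signal the new overflow case, but the resulting three-way contract is not documented anywhere, and the success path (its return statement is outside this hunk) presumably still returns the unsigned `n`. A header comment would make it explicit: `/* Returns the sequence length n on success, 0 if no matching sequence is found, or -1 if n would not fit in seq[maxsize]. */`. `signed` on its own is an unusual spelling; `int` is the conventional form of the same type. It would also help to say in the comment that `maxsize` is the element count of `seq`, not its size in bytes, since the caller derives it from `sizeof`. The body of lookup_sequence continues past this hunk.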
@@ -676,6 +679,13 @@ lookup_sequence (databar_segment_t *seg,
dbprintf(2, " {%d,%d:", i, n);
p = exp_sequences + i;
+ if (n >= maxsize-1) {
+ // The loop below checks i<n and increments i by one within the loop
+ // when accessing seq[22]. For this to be safe, n needs to be < 21.
+ // See CVE-2023-40890.
+ return -1;
+ }
+
fixed >>= 1;
seq[0] = 0;
seq[1] = 1;
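Review bot: `n >= maxsize-1` is computed in `size_t` and wraps to `SIZE_MAX` when `maxsize` is 0, which would switch the guard off entirely; the only visible caller passes 22, so this is a robustness point rather than a live bug, but `if (n + 1 >= maxsize)` expresses the same bound without the wrap and matches the comment's "n needs to be < 21". The guard sits after `p = exp_sequences + i`; `i` is assigned in lines outside this hunk, so whether it is bounded before that pointer arithmetic cannot be seen here and is worth confirming, especially if it is derived from `seg->data` the way `n` is. The early `return -1` also leaves the `{%d,%d:` debug brace printed two lines up unclosed, so a `dbprintf(2, " overflow}");` before the return would keep level-2 traces balanced. The loop the comment refers to, and the rest of lookup_sequence, are outside this hunk.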
@@ -755,10 +765,15 @@ match_segment_exp (zbar_decoder_t *dcode
}
if(!i) {
- if(!lookup_sequence(seg, fixed, seq)) {
+ signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
+ if(!lu) {
dbprintf(2, "[nf]");
continue;
}
+ if(lu < 0) {
+ dbprintf(1, " [aborted]\n");
+ goto abort;
+ }
width = seg->width;
dbprintf(2, " A00@%d", j);
}
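Review bot: `sizeof(seq)/sizeof(seq[0])` is the element count only if `seq` is a true array in match_segment_exp's scope; its declaration is outside this hunk, and if `seq` were a pointer or a parameter the expression would silently become `sizeof(int *)/sizeof(int)` (2 on LP64) and the new guard would reject almost every sequence. Worth confirming the declaration reads `int seq[22]`, or otherwise passing an explicit count with a comment tying it to the `int seq[22]` parameter of lookup_sequence. The two checks are ordered correctly, since -1 is non-zero and falls through to the `lu < 0` test. Minor: `signed int lu` is conventionally written `int lu`. The enclosing loop of match_segment_exp begins before this hunk.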
@@ -829,6 +844,8 @@ match_segment_exp (zbar_decoder_t *dcode
dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
dcode->modifiers = MOD(ZBAR_MOD_GS1);
return(ZBAR_DATABAR_EXP);
+abort:
+ return (ZBAR_NONE);
}
#undef IDX
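Review bot: The new label `abort` has the same spelling as the standard `abort()` function that this same patch brings into scope via `<stdlib.h>`; C keeps labels in their own namespace, so it compiles, but `goto abort;` at the call site reads like a process abort rather than a decoder bail-out. Renaming it, e.g. `fail:` followed by `return (ZBAR_NONE);`, removes the ambiguity, with the matching `goto` in the earlier match_segment_exp hunk updated to agree. A short comment on the label such as `/* seq[] would overflow (CVE-2023-40890): reject this segment */` would also record why the decoder returns ZBAR_NONE here. match_segment_exp starts well before this hunk.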