ref: 0726320a4b55078e9d8deb590e477d598b3da66e
parent: b2686b34d8bcd890424b2670d5884b44001e07a2
author: Robin Watts <[email protected]>
date: Mon Jan 27 05:12:24 EST 2020
Fix OSS-Fuzz issue 20332: buffer overflow in jbig2_image_compose. With extreme values of x/y/w/h we can get overflow. Test for this and exit safely. Thanks to OSS-Fuzz for reporting.
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -33,6 +33,9 @@
#if !defined (INT32_MAX)
#define INT32_MAX 0x7fffffff
#endif
+#if !defined (UINT32_MAX)
+#define UINT32_MAX 0xffffffffu
+#endif
/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
@@ -350,6 +353,15 @@
if (src == NULL)
return 0;
+
+ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
+ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+ {
+#ifdef JBIG2_DEBUG
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+ return 0;
+ }
/* This code takes a src image and combines it onto dst at offset (x,y), with operation op. */
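Review bot: The magnitude expression `(x > 0 ? x : -x)` on the two new guard lines is itself a signed overflow when x (or y) is INT_MIN, which is exactly the kind of extreme input this commit is guarding against; if x and y are `int` (the signature of jbig2_image_compose lies outside the hunk), the negation is undefined behaviour before the comparison ever runs. Computing the magnitude in unsigned arithmetic avoids that and also makes the signed/unsigned comparison explicit, e.g. `uint32_t ax = x < 0 ? 0u - (uint32_t)x : (uint32_t)x;` and `uint32_t ay = y < 0 ? 0u - (uint32_t)y : (uint32_t)y;`, then `if (UINT32_MAX - src->width < ax || UINT32_MAX - src->height < ay)`. A one-line comment stating what is being prevented, such as `/* reject offsets whose magnitude plus the image size would not fit in uint32_t */`, would help the next reader, since the debug message only fires under JBIG2_DEBUG. The body of jbig2_image_compose continues outside the hunk, so whether the later width/height arithmetic relies on this exact bound cannot be confirmed here.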