shithub: jbig2

Download patch

ref: 1369359f21a1c8a055cc745f920b17fbc3f30efd
parent: e740c549e59a3a58dca615478dc5dcee3fb915d8
author: Mistry <[email protected]>
date: Wed May 18 17:36:43 EDT 2016

Bug 696786 : Prevent checking too early for buffer overrun

The code has reached near the end of the buffer so you can not just take the
last 4 bytes, in this case you have to read any remaining bytes and make a
return value based on that, in this edge case you have no bytes to read so the
return value is zero.

--- a/jbig2.c
+++ b/jbig2.c
@@ -387,7 +387,7 @@
 
     if (offset + 4 < z->size)
         result = (data[offset] << 24) | (data[offset + 1] << 16) | (data[offset + 2] << 8) | data[offset + 3];
-    else if (offset >= z->size)
+    else if (offset > z->size)
         return -1;
     else {
         int i;