

ref: 24abb9d7fe77897f576e68e0473e0d6be22d2628
parent: b2fb8f740bd1a88af47aa6875848049094d9cd84
author: Sebastian Rasmussen <[email protected]>
date: Wed Jun 12 14:55:16 EDT 2019

jbig2dec: Avoid extending page image beyond INT_MAX pixels high.

Detected by Coverity in CID 95080.

--- a/jbig2_page.c
+++ b/jbig2_page.c
@@ -34,6 +34,10 @@
 #include "jbig2_page.h"
 #include "jbig2_segment.h"
 
+#if !defined (UINT32_MAX)
+#define UINT32_MAX 0xffffffff
+#endif
+
 /* dump the page struct info */
 static void
 dump_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, Jbig2Page *page)
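Review bot: The `UINT32_MAX` fallback added above `dump_page_info` has no comment saying why it is needed, although the new bounds check later in this file depends on its value. A one-line comment such as `/* fallback for toolchains whose headers do not define UINT32_MAX */` would record that. Writing the literal as `0xffffffffU` would also make its unsigned type explicit rather than relying on how an unsuffixed hex constant is typed.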
@@ -268,7 +272,12 @@
 
     /* grow the page to accommodate a new stripe if necessary */
     if (page->striped && page->height == 0xFFFFFFFF) {
-        uint32_t new_height = y + image->height;
+        uint32_t new_height;
+
+        if (y > UINT32_MAX - image->height)
+                return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "adding image at coordinate would grow page out of bounds");
+        new_height = y + image->height;
+
         if (page->image->height < new_height) {
             Jbig2Image *resized_image = NULL;
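Review bot: The guard `if (y > UINT32_MAX - image->height)` rejects only 32-bit unsigned wraparound, while the commit title speaks of INT_MAX, so a `new_height` between INT_MAX and UINT32_MAX still reaches the resize path. Whether that is safe depends on how the resize and later consumers treat the height, which this hunk does not show; the enclosing function starts and ends outside it. If the signed limit is the intended one, the check could be `if (image->height > INT_MAX || y > INT_MAX - image->height)`. Otherwise a comment such as `/* heights up to UINT32_MAX are valid here; only wraparound is rejected */` would settle the mismatch with the title. The added `return jbig2_error(...)` line is also indented eight spaces past its `if`, where the surrounding code uses four.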