ref: 24abb9d7fe77897f576e68e0473e0d6be22d2628
parent: b2fb8f740bd1a88af47aa6875848049094d9cd84
author: Sebastian Rasmussen <[email protected]>
date: Wed Jun 12 14:55:16 EDT 2019
jbig2dec: Avoid extending page image beyond INT_MAX pixels high. Detected by Coverity in CID 95080.
--- a/jbig2_page.c
+++ b/jbig2_page.c
@@ -34,6 +34,10 @@
#include "jbig2_page.h"
#include "jbig2_segment.h"
+#if !defined (UINT32_MAX)
+#define UINT32_MAX 0xffffffff
+#endif
+
/* dump the page struct info */
static void
dump_page_info(Jbig2Ctx *ctx, Jbig2Segment *segment, Jbig2Page *page)
@@ -268,7 +272,12 @@
/* grow the page to accommodate a new stripe if necessary */
if (page->striped && page->height == 0xFFFFFFFF) {
- uint32_t new_height = y + image->height;
+ uint32_t new_height;
+
+ if (y > UINT32_MAX - image->height)
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "adding image at coordinate would grow page out of bounds");
+ new_height = y + image->height;
+
if (page->image->height < new_height) {
Jbig2Image *resized_image = NULL;