shithub: jbig2

Download patch

ref: 29f7b09614a4a98b09c4b6255f0f0fea5a65378f
parent: 1c60d10318a37e1e2e1d343cf9bf89b530f6518c
author: Alex Cherepanov <[email protected]>
date: Mon Jan 28 08:34:01 EST 2013

Bug 693284: Break an infinite loop.


--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -754,6 +754,8 @@
     int exflag = 0;
     int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
     int32_t exrunlength;
+    /* SumatraPDF: prevent infinite loop */
+    int zerolength = 0;
 
     while (i < limit) {
       if (params->SDHUFF)
@@ -760,10 +762,16 @@
         exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
-      if (code || (exrunlength > limit - i)) {
+      /* SumatraPDF: prevent infinite loop */
+      zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+      if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4)) {
         if (code)
           jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
             "failed to decode exrunlength for exported symbols");
+        /* SumatraPDF: prevent infinite loop */
+        else if (exrunlength <= 0)
+          jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+            "runlength too small in export symbol table (%d <= 0)\n", exrunlength);
         else
           jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
             "runlength too large in export symbol table (%d > %d - %d)\n",