shithub: jbig2

Download patch

ref: 31e0aec4ef57166e8cbdc549e92435bc487ba9bb
parent: 861e081b86b9e4d6c8bf4ff6231025c7a950f6bf
author: Sebastian Rasmussen <[email protected]>
date: Mon Apr 23 10:02:46 EDT 2018

jbig2dec: Handle get_next_word() returning error/less than a word.

This includes propagating the error handling to all callers.

--- a/jbig2_arith.c
+++ b/jbig2_arith.c
@@ -61,6 +61,7 @@
 static void
 jbig2_arith_bytein(Jbig2ArithState *as)
 {
+    int new_bytes;
     byte B;
 
     /* invariant: as->next_word_bytes > 0 */
@@ -73,8 +74,10 @@
         if (as->next_word_bytes == 1) {
             Jbig2WordStream *ws = as->ws;
 
-            ws->get_next_word(ws, as->offset, &as->next_word);
-            as->offset += 4;
+            new_bytes = ws->get_next_word(ws, as->offset, &as->next_word);
+            as->next_word_bytes = new_bytes;
+            as->offset += new_bytes;
+
             B1 = (byte)((as->next_word >> 24) & 0xFF);
             if (B1 > 0x8F) {
 #ifdef JBIG2_DEBUG_ARITH
@@ -84,8 +87,9 @@
                 as->C += 0xFF00;
 #endif
                 as->CT = 8;
-                as->next_word = (0xFF00 | B1) << 16;
-                as->next_word_bytes = 2;
+                as->next_word = 0xFF000000 | (as->next_word >> 8);
+                as->next_word_bytes = 4;
+                as->offset--;
             } else {
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (a)\n", B);
@@ -96,7 +100,6 @@
                 as->C += B1 << 9;
 #endif
                 as->CT = 7;
-                as->next_word_bytes = 4;
             }
         } else {
             B1 = (byte)((as->next_word >> 16) & 0xFF);
@@ -133,9 +136,9 @@
         if (as->next_word_bytes == 0) {
             Jbig2WordStream *ws = as->ws;
 
-            ws->get_next_word(ws, as->offset, &as->next_word);
-            as->offset += 4;
-            as->next_word_bytes = 4;
+            new_bytes = ws->get_next_word(ws, as->offset, &as->next_word);
+            as->offset += new_bytes;
+            as->next_word_bytes = new_bytes;
         }
         B = (byte)((as->next_word >> 24) & 0xFF);
 #ifdef SOFTWARE_CONVENTION
@@ -162,6 +165,7 @@
 jbig2_arith_new(Jbig2Ctx *ctx, Jbig2WordStream *ws)
 {
     Jbig2ArithState *result;
+    int new_bytes;
 
     result = jbig2_new(ctx, Jbig2ArithState, 1);
     if (result == NULL) {
@@ -171,9 +175,9 @@
 
     result->ws = ws;
 
-    ws->get_next_word(ws, 0, &result->next_word);
-    result->next_word_bytes = 4;
-    result->offset = 4;
+    new_bytes = ws->get_next_word(ws, 0, &result->next_word);
+    result->next_word_bytes = new_bytes;
+    result->offset = new_bytes;
 
     /* Figure E.20 */
 #ifdef SOFTWARE_CONVENTION
@@ -348,7 +352,7 @@
     if (self == NULL || word == NULL)
         return -1;
     if (offset >= sizeof (test_stream))
-        return -1;
+        return 0;
 
     if (offset < sizeof(test_stream)) {
         val |= test_stream[offset] << 24;
--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -57,14 +57,14 @@
     Jbig2Ctx *ctx;
 };
 
-static uint32_t
-huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset)
+static int
+huff_get_next_word(Jbig2HuffmanState *hs, uint32_t offset, uint32_t *word)
 {
-    uint32_t word = 0;
     Jbig2WordStream *ws = hs->ws;
 
-    ws->get_next_word(ws, offset, &word);
-    return word;
+    if (word == NULL)
+        return -1;
+    return ws->get_next_word(ws, offset, word);
 }
 
 /** Allocate and initialize a new huffman coding state
@@ -75,6 +75,7 @@
 jbig2_huffman_new(Jbig2Ctx *ctx, Jbig2WordStream *ws)
 {
     Jbig2HuffmanState *result = NULL;
+    int code;
 
     result = jbig2_new(ctx, Jbig2HuffmanState, 1);
 
@@ -84,8 +85,18 @@
         result->offset_limit = 0;
         result->ws = ws;
         result->ctx = ctx;
-        result->this_word = huff_get_next_word(result, 0);
-        result->next_word = huff_get_next_word(result, 4);
+        code = huff_get_next_word(result, 0, &result->this_word);
+        if (code < 0) {
+            jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed read first huffman word");
+            jbig2_huffman_free(ctx, result);
+            return NULL;
+        }
+        code = huff_get_next_word(result, 4, &result->next_word);
+        if (code < 0) {
+            jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed read second huffman word");
+            jbig2_huffman_free(ctx, result);
+            return NULL;
+        }
     } else {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate new huffman coding state");
     }
@@ -170,10 +181,11 @@
 
 /** Skip bits up to the next byte boundary
  */
-void
+int
 jbig2_huffman_skip(Jbig2HuffmanState *hs)
 {
     int bits = hs->offset_bits & 7;
+    int code;
 
     if (bits) {
         bits = 8 - bits;
@@ -184,19 +196,24 @@
     if (hs->offset_bits >= 32) {
         hs->this_word = hs->next_word;
         hs->offset += 4;
-        hs->next_word = huff_get_next_word(hs, hs->offset + 4);
+        code = huff_get_next_word(hs, hs->offset + 4, &hs->next_word);
+        if (code < 0) {
+            return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to read next huffman word when skipping");
+        }
         hs->offset_bits -= 32;
         if (hs->offset_bits) {
             hs->this_word = (hs->this_word << hs->offset_bits) | (hs->next_word >> (32 - hs->offset_bits));
         }
     }
+    return 0;
 }
 
 /* skip ahead a specified number of bytes in the word stream
  */
-void
+int
 jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
 {
+    int code;
     hs->offset += offset & ~3;
     hs->offset_bits += (offset & 3) << 3;
     if (hs->offset_bits >= 32) {
@@ -203,10 +220,17 @@
         hs->offset += 4;
         hs->offset_bits -= 32;
     }
-    hs->this_word = huff_get_next_word(hs, hs->offset);
-    hs->next_word = huff_get_next_word(hs, hs->offset + 4);
+    code = huff_get_next_word(hs, hs->offset, &hs->this_word);
+    if (code < 0) {
+        return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to get first huffman word after advancing");
+    }
+    code = huff_get_next_word(hs, hs->offset + 4, &hs->next_word);
+    if (code < 0) {
+        return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to get second huffman word after advancing");
+    }
     if (hs->offset_bits > 0)
         hs->this_word = (hs->this_word << hs->offset_bits) | (hs->next_word >> (32 - hs->offset_bits));
+    return 0;
 }
 
 /* return the offset of the huffman decode pointer (in bytes)
@@ -226,6 +250,7 @@
 {
     uint32_t this_word = hs->this_word;
     int32_t result;
+    int code;
 
     if (hs->offset_limit && hs->offset >= hs->offset_limit) {
         *err = -1;
@@ -238,7 +263,10 @@
         hs->offset += 4;
         hs->offset_bits -= 32;
         hs->this_word = hs->next_word;
-        hs->next_word = huff_get_next_word(hs, hs->offset + 4);
+        code = huff_get_next_word(hs, hs->offset + 4, &hs->next_word);
+        if (code < 0) {
+            return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to get next huffman word");
+        }
         if (hs->offset_bits) {
             hs->this_word = (hs->this_word << hs->offset_bits) | (hs->next_word >> (32 - hs->offset_bits));
         } else {
@@ -271,6 +299,7 @@
     for (;;) {
         int log_table_size = table->log_table_size;
         int PREFLEN;
+        int code;
 
         /* SumatraPDF: shifting by the size of the operand is undefined */
         entry = &table->entries[log_table_size > 0 ? this_word >> (32 - log_table_size) : 0];
@@ -287,7 +316,10 @@
         if (offset_bits >= 32) {
             this_word = next_word;
             hs->offset += 4;
-            next_word = huff_get_next_word(hs, hs->offset + 4);
+            code = huff_get_next_word(hs, hs->offset + 4, &next_word);
+            if (code < 0) {
+                return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to get next huffman word");
+            }
             offset_bits -= 32;
             hs->next_word = next_word;
             PREFLEN = offset_bits;
@@ -303,6 +335,7 @@
     RANGELEN = entry->RANGELEN;
     if (RANGELEN > 0) {
         int32_t HTOFFSET;
+        int code;
 
         HTOFFSET = this_word >> (32 - RANGELEN);
         if (flags & JBIG2_HUFFMAN_FLAGS_ISLOW)
@@ -314,7 +347,10 @@
         if (offset_bits >= 32) {
             this_word = next_word;
             hs->offset += 4;
-            next_word = huff_get_next_word(hs, hs->offset + 4);
+            code = huff_get_next_word(hs, hs->offset + 4, &next_word);
+            if (code < 0) {
+                return jbig2_error(hs->ctx, JBIG2_SEVERITY_WARNING, -1, "failed to get next huffman word");
+            }
             offset_bits -= 32;
             hs->next_word = next_word;
             RANGELEN = offset_bits;
--- a/jbig2_huffman.h
+++ b/jbig2_huffman.h
@@ -60,9 +60,9 @@
 
 void jbig2_huffman_free(Jbig2Ctx *ctx, Jbig2HuffmanState *hs);
 
-void jbig2_huffman_skip(Jbig2HuffmanState *hs);
+int jbig2_huffman_skip(Jbig2HuffmanState *hs);
 
-void jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
+int jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
 
 uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
 
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -553,14 +553,15 @@
                         int code2 = 0;
                         int code3 = 0;
                         int code4 = 0;
+                        int code5 = 0;
 
                         /* 6.5.8.2.2 (2, 3, 4, 5) */
                         if (params->SDHUFF) {
-                            ID = jbig2_huffman_get_bits(hs, SBSYMCODELEN, &code4);
-                            RDX = jbig2_huffman_get(hs, SDHUFFRDX, &code1);
-                            RDY = jbig2_huffman_get(hs, SDHUFFRDX, &code2);
-                            BMSIZE = jbig2_huffman_get(hs, SBHUFFRSIZE, &code3);
-                            jbig2_huffman_skip(hs);
+                            ID = jbig2_huffman_get_bits(hs, SBSYMCODELEN, &code1);
+                            RDX = jbig2_huffman_get(hs, SDHUFFRDX, &code2);
+                            RDY = jbig2_huffman_get(hs, SDHUFFRDX, &code3);
+                            BMSIZE = jbig2_huffman_get(hs, SBHUFFRSIZE, &code4);
+                            code5 = jbig2_huffman_skip(hs);
                         } else {
                             code1 = jbig2_arith_iaid_decode(ctx, IAID, as, (int32_t *) & ID);
                             code2 = jbig2_arith_int_decode(ctx, IARDX, as, &RDX);
@@ -567,11 +568,11 @@
                             code3 = jbig2_arith_int_decode(ctx, IARDY, as, &RDY);
                         }
 
-                        if (code1 < 0 || code2 < 0 || code3 < 0 || code4 < 0) {
+                        if (code1 < 0 || code2 < 0 || code3 < 0 || code4 < 0 || code5 < 0) {
                             code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to decode data");
                             goto cleanup4;
                         }
-                        if (code1 > 0 || code2 > 0 || code3 > 0 || code4 > 0) {
+                        if (code1 > 0 || code2 > 0 || code3 > 0 || code4 > 0 || code5 > 0) {
                             code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "OOB in single refinement/aggregate coded symbol data");
                             goto cleanup4;
                         }
@@ -615,7 +616,11 @@
                         if (params->SDHUFF) {
                             if (BMSIZE == 0)
                                 BMSIZE = image->height * image->stride;
-                            jbig2_huffman_advance(hs, BMSIZE);
+                            code = jbig2_huffman_advance(hs, BMSIZE);
+                            if (code < 0) {
+                                jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to advance after huffman decoding in refinement region");
+                                goto cleanup4;
+                            }
                         }
                     }
                 }
@@ -671,7 +676,10 @@
             }
 
             /* skip any bits before the next byte boundary */
-            jbig2_huffman_skip(hs);
+            code = jbig2_huffman_skip(hs);
+            if (code < 0) {
+                jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to skip to next byte when decoding collective bitmap");
+            }
 
             image = jbig2_image_new(ctx, TOTWIDTH, HCHEIGHT);
             if (image == NULL) {
@@ -725,7 +733,12 @@
             }
 
             /* advance past the data we've just read */
-            jbig2_huffman_advance(hs, BMSIZE);
+            code = jbig2_huffman_advance(hs, BMSIZE);
+            if (code < 0) {
+                jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to advance after huffman decoding MMR bitmap image");
+                jbig2_image_release(ctx, image);
+                goto cleanup4;
+            }
 
             /* copy the collective bitmap into the symbol dictionary */
             x = 0;
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -202,7 +202,12 @@
         symcodeparams.n_lines = SBNUMSYMS;
 
         /* skip to byte boundary */
-        jbig2_huffman_skip(hs);
+        err = jbig2_huffman_skip(hs);
+        if (err < 0)
+        {
+            jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to skip to next byte when building huffman table");
+            goto cleanup1;
+        }
 
         /* finally, construct the symbol id huffman table itself */
         SBSYMCODES = jbig2_build_huffman_table(ctx, &symcodeparams);
@@ -383,6 +388,7 @@
                 int code3 = 0;
                 int code4 = 0;
                 int code5 = 0;
+                int code6 = 0;
 
                 /* 6.4.11 (1, 2, 3, 4) */
                 if (!params->SBHUFF) {
@@ -396,15 +402,15 @@
                     RDX = jbig2_huffman_get(hs, params->SBHUFFRDX, &code3);
                     RDY = jbig2_huffman_get(hs, params->SBHUFFRDY, &code4);
                     BMSIZE = jbig2_huffman_get(hs, params->SBHUFFRSIZE, &code5);
-                    jbig2_huffman_skip(hs);
+                    code6 = jbig2_huffman_skip(hs);
                 }
 
-                if (code1 < 0 || code2 < 0 || code3 < 0 || code4 < 0 || code5 < 0) {
+                if (code1 < 0 || code2 < 0 || code3 < 0 || code4 < 0 || code5 < 0 || code6 < 0) {
                     jbig2_image_release(ctx, IB);
                     code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to decode data");
                     goto cleanup2;
                 }
-                if (code1 > 0 || code2 > 0 || code3 > 0 || code4 > 0 || code5 > 0) {
+                if (code1 > 0 || code2 > 0 || code3 > 0 || code4 > 0 || code5 > 0 || code6 > 0) {
                     jbig2_image_release(ctx, IB);
                     code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "OOB obtained when decoding symbol instance refinement data");
                     goto cleanup2;
@@ -447,7 +453,13 @@
 
                 /* 6.4.11 (7) */
                 if (params->SBHUFF) {
-                    jbig2_huffman_advance(hs, BMSIZE);
+                    code = jbig2_huffman_advance(hs, BMSIZE);
+                    if (code < 0) {
+                        jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to advance after huffman decoding refinement region");
+                        jbig2_image_release(ctx, refimage);
+                        jbig2_image_release(ctx, IBO);
+                        goto cleanup2;
+                    }
                 }
             }