

ref: 372463f06054462bff49dae0c9238e8e47c32ec9
parent: bfbbf75212124b91461ed01fcb237e97c15777d2
author: Sebastian Rasmussen <[email protected]>
date: Sat May 26 22:48:56 EDT 2018

jbig2dec: Validate ASCII characters in metadata comments.

--- a/jbig2_metadata.c
+++ b/jbig2_metadata.c
@@ -122,17 +122,21 @@
 int
 jbig2_comment_ascii(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
 {
-    char *s = (char *)(segment_data + 4);
-    char *end = (char *)(segment_data + segment->data_length);
+    char *s, *end;
     Jbig2Metadata *comment;
     char *key, *value;
     int code;
+    char *p;
 
     jbig2_error(ctx, JBIG2_SEVERITY_INFO, segment->number, "ASCII comment data");
 
+    s = (char *)(segment_data + 4);
+    end = (char *)(segment_data + segment->data_length);
+
     comment = jbig2_metadata_new(ctx, JBIG2_ENCODING_ASCII);
     if (comment == NULL)
         return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to allocate comment structure");
+
     /* loop over the segment data pulling out the key,value pairs */
     while (s < end && *s) {
         key = s;
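Review bot: Nothing in the visible part of the function checks that `segment->data_length` is at least 4 before `s = (char *)(segment_data + 4)` is formed, so a shorter segment leaves `s` beyond `end`. The `s < end` loop condition keeps the loop from reading in that case, but the pointer itself is already out of range, and whatever runs after the loop (outside this hunk) sees an empty comment rather than an error. Unless the caller guarantees the length, a guard placed before the pointer setup and the allocation would make the precondition explicit: `if (segment->data_length < 4) return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short");`. The function body continues past the end of this hunk.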
@@ -144,6 +148,20 @@
         if (!s)
             goto too_short;
         s++;
+
+        p = key;
+        while (*p) {
+            if (*p > 127)
+                goto invalid_character;
+            p++;
+        }
+        p = value;
+        while (*p) {
+            if (*p > 127)
+                goto invalid_character;
+            p++;
+        }
+
         code = jbig2_metadata_add(ctx, comment, key, value - key, value, s - value);
         if (code < 0)
             return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to add ascii comment data");
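Review bot: Both `if (*p > 127)` checks can never be true on platforms where plain `char` is signed, because `p` is a `char *` and bytes 0x80–0xFF read as negative values, so the validation this commit adds is skipped exactly for the input it is meant to reject. Compare through an unsigned type in both loops, `if ((unsigned char)*p > 127)`, or declare the cursor as `const unsigned char *p`. The same signedness affects the `*p` passed to `0x%02x` under `invalid_character` in the last hunk, which would print sign-extended; pass `(unsigned char)*p` there. The `while (*p)` scans rely on key and value each being NUL-terminated inside the segment, which appears to be established by the lines just above this hunk that are not shown.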
@@ -157,7 +175,11 @@
 
 too_short:
     jbig2_metadata_free(ctx, comment);
-    return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unexpected end of comment segment");
+    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unexpected end of comment segment");
+
+invalid_character:
+    jbig2_metadata_free(ctx, comment);
+    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid character 0x%02x found in ASCII comment", *p);
 }
 
 /* decode a UCS-16 comment segment 7.4.15.2 */