ref: 3ad0af209812d2c2f0a7c5735b0cdd0e176efc38
parent: 7ce709fca233bb6a189ee36408cf4920309bb082
author: Simon Bünzli <[email protected]>
date: Mon Oct 27 17:19:44 EDT 2014
replace jbig2_arith_get_offset with jbig2_arith_has_reached_marker The DOS check introduced with 6e1f2259115efac14cd6c7ad9d119b43013a32a1 tries to determine whether arithmetic coding has run out of data and has entered an infinite loop. It does so by checking how many bytes have been read and compares that with the number of bytes available. The fix, however, fails to take into account bytes which have been cached in _Jbig2ArithState::next_word, which causes valid images to be rejected. This patch corrects that bug by replacing that check with a generic check as to whether the end of the data stream has been reached (which is the case if the only two remaining cached bytes are 0xFF and a value larger than 0x8F). Signed-off-by: Henry Stiles <[email protected]>
--- a/jbig2_arith.c
+++ b/jbig2_arith.c
@@ -379,10 +379,10 @@
}
}
-int
-jbig2_arith_get_offset(Jbig2ArithState *as)
+bool
+jbig2_arith_has_reached_marker(Jbig2ArithState *as)
{
- return as->offset;
+ return as->next_word_bytes == 2 && (as->next_word >> 16) > 0xFF8F;
}
#ifdef TEST
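Review bot: jbig2_arith_has_reached_marker returns false whenever next_word_bytes is anything other than 2, so it only recognises the 0xFF / >0x8F marker when exactly two cached bytes remain; a stream that is exhausted without a terminating marker (next_word_bytes reaching 0) would not be reported, and the height-class DOS guard that now calls it in the jbig2_symbol_dict.c hunk would no longer fire for such input. Whether jbig2_arith_bytein can leave the state in that position is not visible here and should be confirmed; if it can, the condition needs a separate clause for the exhausted case rather than relying on the marker alone. The expression also assumes next_word is a 32-bit word holding the remaining bytes in its high-order bytes (so that `>> 16` isolates exactly the two cached bytes), which the hunk does not show; a comment would make both assumptions explicit, e.g. `/* true iff the two remaining cached bytes are 0xFF followed by a byte > 0x8F; relies on next_word being a 32-bit, MSB-first cache */`. The header comment in the jbig2_arith.h hunk ("the end of the data stream has been reached") should be narrowed to say that the function detects the marker code, not exhaustion of the underlying data.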
--- a/jbig2_arith.h
+++ b/jbig2_arith.h
@@ -33,6 +33,6 @@
bool
jbig2_arith_decode (Jbig2ArithState *as, Jbig2ArithCx *pcx);
-/* return the state's offset (for sanity checks) */
-int
-jbig2_arith_get_offset(Jbig2ArithState *as);
+/* returns true if the end of the data stream has been reached (for sanity checks) */
+bool
+jbig2_arith_has_reached_marker(Jbig2ArithState *as);
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -361,7 +361,7 @@
"error or OOB decoding height class delta (%d)\n", code);
}
- if (!params->SDHUFF && jbig2_arith_get_offset(as) >= size) {
+ if (!params->SDHUFF && jbig2_arith_has_reached_marker(as)) {
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"prevent DOS while decoding height classes");
goto cleanup2;