shithub: jbig2

Download patch

ref: 3e6c1b0670740be3b138228dcc134bf5e6c1eceb
parent: 35d45096bf79e58948d41c6c54095b71ea906a26
author: Alex Cherepanov <[email protected]>
date: Mon Jan 28 12:32:15 EST 2013

Bug 693284: Prevent read access violation. Check whether there's enough data.


--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -692,6 +692,13 @@
 		((image->width & 7) ? 1 : 0);
 	  byte *dst = image->data;
 
+	  /* SumatraPDF: prevent read access violation */
+	  if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+	    jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, size - jbig2_huffman_offset(hs));
+	    jbig2_image_release(ctx, image);
+	    goto cleanup4;
+	  }
+
 	  BMSIZE = image->height * stride;
 	  jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
 	    "reading %dx%d uncompressed bitmap"
@@ -705,6 +712,13 @@
 	  }
 	} else {
 	  Jbig2GenericRegionParams rparams;
+
+	  /* SumatraPDF: prevent read access violation */
+	  if (size - jbig2_huffman_offset(hs) < BMSIZE) {
+	    jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", BMSIZE, size - jbig2_huffman_offset(hs));
+	    jbig2_image_release(ctx, image);
+	    goto cleanup4;
+	  }
 
 	  jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
 	    "reading %dx%d collective bitmap for %d symbols (%d bytes)",