ref: 873694419b3498708b90c5c36ee0a73795a90c84
parent: 05f5d7ecfe446cb145d82ecd01360e0769ca642e
author: Sebastian Rasmussen <[email protected]>
date: Sun Sep 15 13:31:48 EDT 2019
jbig2dec: Handle under-/overflow detection and messaging better. Previously SYMWIDTH was capped too early in order to prevent underflow Moreover TOTWIDTH was allowed to overflow. Now the value DW is checked compared to SYMWIDTH, preventing over underflow and overflow at the correct limits, and an overflow check has been added for TOTWIDTH.
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -428,14 +428,24 @@
break;
}
+ if (DW < 0 && SYMWIDTH < (uint32_t) -DW) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
+ goto cleanup;
+ }
+ if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1);
+ goto cleanup;
+ }
+
SYMWIDTH = SYMWIDTH + DW;
- TOTWIDTH = TOTWIDTH + SYMWIDTH;
- if ((int32_t) SYMWIDTH < 0) {
- code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1);
+ if (SYMWIDTH > UINT32_MAX - TOTWIDTH) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1);
goto cleanup;
}
+
+ TOTWIDTH = TOTWIDTH + SYMWIDTH;
#ifdef JBIG2_DEBUG
- jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH);
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH);
#endif
/* 6.5.5 (4c.ii) */
if (!params->SDHUFF || params->SDREFAGG) {