ref: 9926ce15e8bd9ff8e807f36029ae99954588a9cc
parent: 63436cac56cd1fcbb242b9bffaf64e12343deb69
author: Sebastian Rasmussen <[email protected]>
date: Mon Jun 18 21:30:34 EDT 2018
jbig2dec: Remove unnecessary limitation of EXRUNLENGTH. Due to missing boundary checks in other code bug 693285 was resolved by limiting the number of times EXRUNLENGTH may be zero. This limit is actually not according to the specification. Now that the missing boundary checks have been introduced the limitation may be removed.
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -745,7 +745,6 @@
int exflag = 0;
uint32_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
uint32_t EXRUNLENGTH;
- int zerolength = 0;
while (i < limit) {
if (params->SDHUFF)
@@ -768,8 +767,7 @@
}
/* prevent infinite loop */
- zerolength = EXRUNLENGTH > 0 ? 0 : zerolength + 1;
- if (EXRUNLENGTH > limit - i || zerolength > 4 || (exflag && (EXRUNLENGTH + j > params->SDNUMEXSYMS))) {
+ if (EXRUNLENGTH > limit - i || (exflag && (EXRUNLENGTH + j > params->SDNUMEXSYMS))) {
if (EXRUNLENGTH <= 0)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "runlength too small in export symbol table (%d <= 0)", EXRUNLENGTH);
else