

ref: d663f59b034d429d850cca7e84d0017eb6e5cda3
parent: d379be4ca803bf0bdd43d00b89da320c29d393c4
author: zeniko <[email protected]>
date: Tue Jun 11 18:04:00 EDT 2013

Bug 694121: prevent heap overflow

jbig2_decode_symbol_dict checks whether more glyphs are requested than
are available (SDNUMINSYMS + SDNUMNEWSYMS) but has so far failed to check
whether more are exported than expected (SDNUMEXSYMS); fixes
3324.pdf.asan.3.2585

--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -777,7 +777,6 @@
     int exflag = 0;
     int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
     int32_t exrunlength;
-    /* SumatraPDF: prevent infinite loop */
     int zerolength = 0;
 
     while (i < limit) {
@@ -785,13 +784,13 @@
         exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
       else
         code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
-      /* SumatraPDF: prevent infinite loop */
+      /* prevent infinite loop */
       zerolength = exrunlength > 0 ? 0 : zerolength + 1;
-      if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4)) {
+      if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) ||
+          (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
         if (code)
           jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
             "failed to decode exrunlength for exported symbols");
-        /* SumatraPDF: prevent infinite loop */
         else if (exrunlength <= 0)
           jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
             "runlength too small in export symbol table (%d <= 0)\n", exrunlength);
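Review bot: The new guard `(exflag && (exrunlength > params->SDNUMEXSYMS - j))` on the added line has no matching diagnostic in the error branches visible here: `if (code)` and `else if (exrunlength <= 0)` both miss it, so an export run that exceeds SDNUMEXSYMS falls through to whatever branch follows the hunk, presumably the generic too-large message, which would not tell a reader that the exported-symbol count was the limit exceeded. A dedicated branch would make the failure visible in logs, e.g. `else if (exflag && exrunlength > params->SDNUMEXSYMS - j)` followed by `jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "runlength too large in export symbol table (%d > %d)\n", exrunlength, params->SDNUMEXSYMS - j);` — with the format specifier adjusted to the actual type of SDNUMEXSYMS. The declarations of `j` and `SDNUMEXSYMS` are outside the hunk; if SDNUMEXSYMS is unsigned while `j` and `exrunlength` are signed, the subtraction and the comparison are performed in unsigned arithmetic, so it is worth confirming that `j` can never exceed SDNUMEXSYMS at this point (the difference would otherwise wrap and disable the check). The enclosing `while (i < limit)` body continues past the end of the hunk.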