

ref: e8f1a6cc38bac9b1b132a0641fa858965b39af28
parent: dc8f364a1289bb8235afec4dae78a08e5d6d6155
author: Sebastian Rasmussen <[email protected]>
date: Fri Aug 3 15:11:02 EDT 2018

jbig2dec: Prevent underflow when checking if enough data for bitmap.

When decoding the symbol dictionary the bitmap size field
determines the size of the bitmap. The bitmap size is however
restricted to the size of the segment's data region. This was
checked previously, but the check itself may underflow, so
another check was introduced to prevent this from happening.

--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -532,7 +532,7 @@
                             BMSIZE = jbig2_huffman_get(hs, tparams.SBHUFFRSIZE, &code4);
                             code5 = jbig2_huffman_skip(hs);
                         } else {
-                            code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) & ID);
+                            code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) &ID);
                             code2 = jbig2_arith_int_decode(ctx, tparams.IARDX, as, &RDX);
                             code3 = jbig2_arith_int_decode(ctx, tparams.IARDY, as, &RDY);
                         }
@@ -663,7 +663,7 @@
                 byte *dst = image->data;
 
                 /* SumatraPDF: prevent read access violation */
-                if ((size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                if (size < jbig2_huffman_offset(hs) || (size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding uncompressed (%d/%d)", image->height * stride,
                                 size - jbig2_huffman_offset(hs));
                     goto cleanup;
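Review bot: The third clause of the new condition, `(size < jbig2_huffman_offset(hs))`, is a verbatim duplicate of the first clause this commit adds, so the guard can be simplified to `if (size < jbig2_huffman_offset(hs) || size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) {`. The error message on the following two lines still evaluates `size - jbig2_huffman_offset(hs)`, so when the new underflow guard is the clause that fires, the printed "remaining bytes" value wraps; printing `size` and the offset separately would keep the diagnostic meaningful. The `%d` conversions there are also given what appear to be `size_t` operands, which is a format mismatch if `size` is indeed `size_t` — the declaration is outside this hunk, so confirm. `(size_t) image->height * stride` can itself wrap for very large products; whether a caller bounds height and stride is not visible here. The enclosing function starts and ends outside the hunk.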
@@ -682,7 +682,7 @@
                 Jbig2GenericRegionParams rparams;
 
                 /* SumatraPDF: prevent read access violation */
-                if (size - jbig2_huffman_offset(hs) < BMSIZE) {
+                if (size < jbig2_huffman_offset(hs) || size < BMSIZE || size - jbig2_huffman_offset(hs) < BMSIZE) {
                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", BMSIZE, size - jbig2_huffman_offset(hs));
                     goto cleanup;
                 }
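Review bot: The added `size < BMSIZE` clause is redundant once `size < jbig2_huffman_offset(hs)` has ruled out underflow, because `size - jbig2_huffman_offset(hs) < BMSIZE` then already implies it; the guard reads more clearly as `if (size < jbig2_huffman_offset(hs) || size - jbig2_huffman_offset(hs) < BMSIZE) {`. What the hunk leaves implicit is the type of `BMSIZE`: the `%d` in the message suggests a signed int, in which case a negative value decoded from the stream is converted to a huge unsigned value by the comparison and rejected, which is fail-safe but deserves a comment such as `/* a negative BMSIZE converts to a huge size_t here and is rejected */` — confirm against its declaration. As in the previous hunk, the message on the next line still computes `size - jbig2_huffman_offset(hs)` and wraps when the underflow guard is what fired. The function starts and ends outside this hunk.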