Fix an out of bounds read in _jbig2_get_next_segment()

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38451 Signed-off-by: Uli Schlachter <psychon@znc.in>
author: Uli Schlachter <psychon@znc.in> 2023-01-01 09:43:33 +0100
committer: Uli Schlachter <psychon@znc.in> 2023-01-01 09:43:33 +0100
commit: d623090b32a15df12d09f82c5da2ad65bfd5ec12 (patch)
tree: 8d788cab7ab4f64fe8472f8e81c28431843007f3 /src/cairo-image-info.c
parent: 52e964da69abe87327b77fe4e47b0da239d0e1cf (diff)
download: cairo-d623090b32a15df12d09f82c5da2ad65bfd5ec12.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c
index f207ae887..9b5e2d2e2 100644
--- a/src/cairo-image-info.c
+++ b/src/cairo-image-info.c
@@ -348,6 +348,8 @@ _jbig2_get_next_segment (const unsigned char  *p,
 
     num_segs = p[0] >> 5;
     if (num_segs == 7) {
+	if (p + 4 >= end)
+	    return NULL;
 	num_segs = get_unaligned_be32 (p) & 0x1fffffff;
 	ref_seg_bytes = 4 + ((num_segs + 1)/8);
     } else {
author	Uli Schlachter <psychon@znc.in>	2023-01-01 09:43:33 +0100
committer	Uli Schlachter <psychon@znc.in>	2023-01-01 09:43:33 +0100
commit	d623090b32a15df12d09f82c5da2ad65bfd5ec12 (patch)
tree	8d788cab7ab4f64fe8472f8e81c28431843007f3 /src/cairo-image-info.c
parent	52e964da69abe87327b77fe4e47b0da239d0e1cf (diff)
download	cairo-d623090b32a15df12d09f82c5da2ad65bfd5ec12.tar.gz