authorSebastian Rasmussen <sebras@gmail.com>2018-08-03 19:11:02 +0800
committerSebastian Rasmussen <sebras@gmail.com>2018-08-03 20:29:55 +0800
commit06d82c1d8b0c625f5bb8db8acd7113ff0b8179d8 (patch)
tree17294997b5058c0b61f5f55e58b7c183ffd6be26 /jbig2dec/jbig2_symbol_dict.c
parentd20a98cb7d3e10a68c7d288318f216db70db610c (diff)
jbig2dec: Prevent underflow when checking if enough data for bitmap.
When decoding the symbol dictionary the bitmap size field determines the size of the bitmap. The bitmap size is however restricted to the size of the segment's data region. This was checked previously, but the check itself may underflow, so another check was introduced to prevent this from happening.
Diffstat (limited to 'jbig2dec/jbig2_symbol_dict.c')
-rw-r--r--jbig2dec/jbig2_symbol_dict.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index 26ccbe844..5b2e11903 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -532,7 +532,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
BMSIZE = jbig2_huffman_get(hs, tparams.SBHUFFRSIZE, &code4);
code5 = jbig2_huffman_skip(hs);
} else {
- code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) & ID);
+ code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) &ID);
code2 = jbig2_arith_int_decode(ctx, tparams.IARDX, as, &RDX);
code3 = jbig2_arith_int_decode(ctx, tparams.IARDY, as, &RDY);
}
@@ -663,7 +663,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
byte *dst = image->data;
/* SumatraPDF: prevent read access violation */
- if ((size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+ if (size < jbig2_huffman_offset(hs) || (size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding uncompressed (%d/%d)", image->height * stride,
size - jbig2_huffman_offset(hs));
goto cleanup;
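Review bot: The error path under this check still passes `size - jbig2_huffman_offset(hs)` to `jbig2_error`, and that subtraction wraps in exactly the case the new leading `size < jbig2_huffman_offset(hs)` clause catches, so the log reports a bogus remaining-byte count; the `jbig2_error` call in the following hunk (`-682,7`) has the same problem. Computing the remainder once, with `offset` holding the result of `jbig2_huffman_offset(hs)`, as `size_t remaining = size < offset ? 0 : size - offset;` and using it in both the test and the message would avoid that. The old trailing `|| (size < jbig2_huffman_offset(hs))` is now redundant and can be dropped. The `%d` specifiers also look mismatched with these arguments if `size` is a `size_t`, but its declaration is outside the hunk, as is the rest of `jbig2_decode_symbol_dict`.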
@@ -682,7 +682,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
Jbig2GenericRegionParams rparams;
/* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < BMSIZE) {
+ if (size < jbig2_huffman_offset(hs) || size < BMSIZE || size - jbig2_huffman_offset(hs) < BMSIZE) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", BMSIZE, size - jbig2_huffman_offset(hs));
goto cleanup;
}
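Review bot: The added `size < BMSIZE` clause is implied by the other two (if `size >= offset` and `size - offset >= BMSIZE`, then `size >= BMSIZE`), so it adds nothing unless it is meant to catch a negative `BMSIZE`. `BMSIZE` is declared outside the hunk; if it is a signed type, the comparison rejects negative values only through the implicit conversion to unsigned. An explicit `BMSIZE < 0 ||` test, or a comment such as `/* a negative BMSIZE converts to a huge unsigned value and is rejected here */`, would state that intent for the next reader.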