author | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-03 19:11:02 +0800 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-08-03 20:29:55 +0800 |
commit | 06d82c1d8b0c625f5bb8db8acd7113ff0b8179d8 (patch) | |
tree | 17294997b5058c0b61f5f55e58b7c183ffd6be26 /jbig2dec/jbig2_symbol_dict.c | |
parent | d20a98cb7d3e10a68c7d288318f216db70db610c (diff) | |
download | ghostpdl-06d82c1d8b0c625f5bb8db8acd7113ff0b8179d8.tar.gz |
jbig2dec: Prevent underflow when checking if enough data for bitmap.
When decoding the symbol dictionary the bitmap size field
determines the size of the bitmap. The bitmap size is however
restricted to the size of the segment's data region. This was
checked previously, but the check itself may underflow, so
another check was introduced to prevent this from happening.
Diffstat (limited to 'jbig2dec/jbig2_symbol_dict.c')
-rw-r--r-- | jbig2dec/jbig2_symbol_dict.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index 26ccbe844..5b2e11903 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -532,7 +532,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
 BMSIZE = jbig2_huffman_get(hs, tparams.SBHUFFRSIZE, &code4);
 code5 = jbig2_huffman_skip(hs);
 } else {
- code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) & ID);
+ code1 = jbig2_arith_iaid_decode(ctx, tparams.IAID, as, (int32_t *) &ID);
 code2 = jbig2_arith_int_decode(ctx, tparams.IARDX, as, &RDX);
 code3 = jbig2_arith_int_decode(ctx, tparams.IARDY, as, &RDY);
 }
@@ -663,7 +663,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
 byte *dst = image->data;
 /* SumatraPDF: prevent read access violation */
- if ((size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+ if (size < jbig2_huffman_offset(hs) || (size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding uncompressed (%d/%d)", image->height * stride, size - jbig2_huffman_offset(hs));
 goto cleanup;
@@ -682,7 +682,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
 Jbig2GenericRegionParams rparams;
 /* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < BMSIZE) {
+ if (size < jbig2_huffman_offset(hs) || size < BMSIZE || size - jbig2_huffman_offset(hs) < BMSIZE) {
 jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", BMSIZE, size - jbig2_huffman_offset(hs));
 goto cleanup;
 } |
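Review bot: The `jbig2_error` call in the `@@ -663` hunk still evaluates `size - jbig2_huffman_offset(hs)` for its message, so when the new `size < jbig2_huffman_offset(hs)` clause is the one that fires, the log reports a wrapped value as the available byte count; the `@@ -682` hunk has the same pattern. Both messages print that value with `%d`, which does not match if `size` is a `size_t`, as the `(size_t)` cast in the condition suggests. Computing the remainder once before the test, for example `size_t avail = size < jbig2_huffman_offset(hs) ? 0 : size - jbig2_huffman_offset(hs);`, and using `avail` in the comparison and in the message would fix the diagnostic and reduce the guard to one comparison. The trailing `(size < jbig2_huffman_offset(hs))` clause carried over from the old line now duplicates the first clause and can be dropped. `jbig2_decode_symbol_dict` begins and ends outside the hunks, so where `avail` would be declared is not visible here.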
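Review bot: The `size < BMSIZE` clause in the `@@ -682` hunk is implied by the other two: once `size >= jbig2_huffman_offset(hs)` holds, `size - jbig2_huffman_offset(hs) >= BMSIZE` already means `size >= BMSIZE`, so the extra clause adds no protection and hides the fact that only the ordering of the first two matters. `if (size < jbig2_huffman_offset(hs) || size - jbig2_huffman_offset(hs) < BMSIZE) {` expresses the same check, and a comment such as `/* test the offset first: the subtraction is unsigned and wraps when size is smaller */` would record why the order must not be changed. BMSIZE is decoded from the stream (the `jbig2_huffman_get` assignment in the first hunk) and its declaration is outside the diff, so its signedness should be confirmed before relying on these comparisons.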