diff options
author | Sebastian Rasmussen <sebras@gmail.com> | 2019-09-15 17:31:48 +0200 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2020-03-20 17:54:14 +0800 |
commit | 716560bf5f2bc4b821ca6924ec648ca4949826bb (patch) | |
tree | eb49d0c6ed9cf6f2a5f72150e6fcd4789711ab43 /jbig2dec | |
parent | cf43daf9f8381a9accf36d12bad2324d021ec8c6 (diff) | |
download | ghostpdl-716560bf5f2bc4b821ca6924ec648ca4949826bb.tar.gz |
jbig2dec: Handle under-/overflow detection and messaging better.
Previously SYMWIDTH was capped too early in order to prevent underflow
Moreover TOTWIDTH was allowed to overflow.
Now the value DW is checked compared to SYMWIDTH, preventing over
underflow and overflow at the correct limits, and an overflow
check has been added for TOTWIDTH.
Diffstat (limited to 'jbig2dec')
-rw-r--r-- | jbig2dec/jbig2_symbol_dict.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c index e606529d8..bc6e98c3e 100644 --- a/jbig2dec/jbig2_symbol_dict.c +++ b/jbig2dec/jbig2_symbol_dict.c @@ -428,14 +428,24 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, break; } + if (DW < 0 && SYMWIDTH < (uint32_t) -DW) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) negative at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); + goto cleanup; + } + if (DW > 0 && DW > UINT32_MAX - SYMWIDTH) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "DW value (%d) would make SYMWIDTH (%u) too large at symbol %u", DW, SYMWIDTH, NSYMSDECODED + 1); + goto cleanup; + } + SYMWIDTH = SYMWIDTH + DW; - TOTWIDTH = TOTWIDTH + SYMWIDTH; - if ((int32_t) SYMWIDTH < 0) { - code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid SYMWIDTH value (%d) at symbol %d", SYMWIDTH, NSYMSDECODED + 1); + if (SYMWIDTH > UINT32_MAX - TOTWIDTH) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "SYMWIDTH value (%u) would make TOTWIDTH (%u) too large at symbol %u", SYMWIDTH, TOTWIDTH, NSYMSDECODED + 1); goto cleanup; } + + TOTWIDTH = TOTWIDTH + SYMWIDTH; #ifdef JBIG2_DEBUG - jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %d TOTWIDTH = %d", SYMWIDTH, TOTWIDTH); + jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number, "SYMWIDTH = %u TOTWIDTH = %u", SYMWIDTH, TOTWIDTH); #endif /* 6.5.5 (4c.ii) */ if (!params->SDHUFF || params->SDREFAGG) { |