author | Sebastian Rasmussen <sebras@gmail.com> | 2018-04-08 20:34:43 +0800 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-04-11 11:45:12 +0800 |
commit | 890e637bf7a1d8a5e3438c2aab4e0eef33d795f1 (patch) | |
tree | 90aff7be8d90a8997f935f46601dfdfdf13a18bb /jbig2dec | |
parent | 44ff6900ac97d53101c8585880acb9a73631cefe (diff) | |
download | ghostpdl-890e637bf7a1d8a5e3438c2aab4e0eef33d795f1.tar.gz |
jbig2dec: Detect data shortage.
Diffstat (limited to 'jbig2dec')
-rw-r--r-- | jbig2dec/jbig2_page.c | 2 | ||||
-rw-r--r-- | jbig2dec/jbig2_segment.c | 14 | ||||
-rw-r--r-- | jbig2dec/jbig2_text.c | 10 |
3 files changed, 22 insertions, 4 deletions
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c index fa057a17b..c7cc99155 100644 --- a/jbig2dec/jbig2_page.c +++ b/jbig2dec/jbig2_page.c @@ -161,6 +161,8 @@ jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment Jbig2Page page = ctx->pages[ctx->current_page]; uint32_t end_row; + if (segment->data_length < 4) + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short"); end_row = jbig2_get_uint32(segment_data); if (end_row < page.end_row) { jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c index 74aeb375c..a92eb3aca 100644 --- a/jbig2dec/jbig2_segment.c +++ b/jbig2dec/jbig2_segment.c @@ -199,11 +199,17 @@ jbig2_get_region_segment_info(Jbig2RegionSegmentInfo *info, const uint8_t *segme static int jbig2_parse_extension_segment(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data) { - uint32_t type = jbig2_get_uint32(segment_data); - bool reserved = type & 0x20000000; + uint32_t type; + bool reserved; + bool necessary; - /* bool dependent = type & 0x40000000; (NYI) */ - bool necessary = type & 0x80000000; + if (segment->data_length < 4) + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short"); + + type = jbig2_get_uint32(segment_data); + reserved = type & 0x20000000; + /* dependent = type & 0x40000000; (NYI) */ + necessary = type & 0x80000000; if (necessary && !reserved) { jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "extension segment is marked 'necessary' but " "not 'reserved' contrary to spec"); diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c index 69e1ceab3..f66b2cc7a 100644 --- a/jbig2dec/jbig2_text.c +++ b/jbig2dec/jbig2_text.c 
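Review bot: The guard added in jbig2_end_of_stripe and the one added in jbig2_parse_extension_segment (jbig2_segment.c) report the same generic text, so a log produced by a truncated or malformed file does not say which parser rejected the segment. Naming the segment type in each message would make triage easier, for example `"end of stripe segment too short"` and `"extension segment too short"`. Both checks also rely on `segment_data` really holding `segment->data_length` bytes, which is established by the caller outside these hunks; a one-line comment such as `/* caller guarantees segment_data holds data_length bytes */` above each guard would record that assumption. Both function bodies continue past the end of their hunks.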
@@ -519,6 +519,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data offset += 17; /* 7.4.3.1.1 */ + if (segment->data_length - offset < 2) + goto too_short; flags = jbig2_get_uint16(segment_data + offset); offset += 2; @@ -547,6 +549,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data if (params.SBHUFF) { /* Huffman coding */ /* 7.4.3.1.2 */ + if (segment->data_length - offset < 2) + goto too_short; huffman_flags = jbig2_get_uint16(segment_data + offset); offset += 2; @@ -555,6 +559,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data } else { /* arithmetic coding */ /* 7.4.3.1.3 */ + if (segment->data_length - offset < 4) + goto too_short; if ((params.SBREFINE) && !(params.SBRTEMPLATE)) { params.sbrat[0] = segment_data[offset]; params.sbrat[1] = segment_data[offset + 1]; @@ -565,6 +571,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data } /* 7.4.3.1.4 */ + if (segment->data_length - offset < 4) + goto too_short; params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset); offset += 4; @@ -831,6 +839,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data goto cleanup2; } + if (offset >= segment->data_length) + goto too_short; ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset); if (ws == NULL) { code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "couldn't allocate ws in text region image"); |
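Review bot: The guards written as `segment->data_length - offset < N` (this hunk and the ones at -547, -555 and -565) are only sound while `offset <= segment->data_length`. The declarations are outside the hunks, but if the subtraction is carried out in an unsigned type, an offset that has moved past the end makes the difference wrap to a large value and the guard passes. The check in the last hunk already uses the wrap-free comparison `offset >= segment->data_length`. Either write these the same way, `if (offset > segment->data_length || segment->data_length - offset < 2) goto too_short;`, or add a comment above the first guard stating that an earlier length check before `offset += 17` establishes the invariant.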
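Review bot: In the hunk at -831 the new check leaves through `goto too_short`, while the error path directly above it in the same hunk leaves through `goto cleanup2`, which suggests that objects allocated earlier in jbig2_text_region are still live at this point. The `too_short` label is outside the hunk; if it only reports the error and returns, this path skips whatever `cleanup2` releases and leaks memory on each truncated segment that gets this far. Consider routing the failure through the existing cleanup label instead, with a braced body of `code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short");` followed by `goto cleanup2;`. The earlier guards in this file sit near the top of the function, so they may be fine with a plain return, but that is worth confirming against the allocations that precede them.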