diff options
| author | Sebastian Rasmussen <sebras@gmail.com> | 2019-10-17 01:48:00 +0200 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2020-03-20 17:56:08 +0800 |
| commit | ea9b3a676a516a603fabb593085d14a67356db6f (patch) | |
| tree | 54c4af5e66ac6e6470a2669140fae3219ba9e249 /jbig2dec | |
| parent | 92faea67b31570e84b978a77b43c8f38bdad7bd4 (diff) | |
| download | ghostpdl-ea9b3a676a516a603fabb593085d14a67356db6f.tar.gz | |
Bug 701721: jbig2dec: Fix under/overflow handling in arithmetic integer decoder.
The previous detection logic caused GCC's -Wlogical-op to trip.
Not only that, but the detection logic never took into account
that underflow is not possible (the worst case is V == INT32_MIN,
but offset is always > 0, so underflow cannot happen), nor take
varying offset values into account (hardcoded limits meant that
the offset was ignored even if it could not cause an overflow),
but instead could cause non-clamped values to be emitted.
This corrected logic adheres to the Annex A. Table A.1 in the specification.
Diffstat (limited to 'jbig2dec')
| -rw-r--r-- | jbig2dec/jbig2_arith_int.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c index 7ad47adbf..20b62dfcc 100644 --- a/jbig2dec/jbig2_arith_int.c +++ b/jbig2dec/jbig2_arith_int.c @@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a V = (V << 1) | bit; } - /* make sure not to underflow/overflow 32 bit value */ - if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436) + /* offset is always >=0, so underflow can't happen. */ + /* avoid overflow by clamping 32 bit value. */ + if (V > INT32_MAX - offset) + V = INT32_MAX; + else V += offset; V = S ? -V : V; *p_result = V; |