author | Sebastian Rasmussen <sebras@gmail.com> | 2020-03-26 14:20:11 +0800 |
---|---|---|
committer | Sebastian Rasmussen <sebras@gmail.com> | 2020-04-02 22:52:56 +0800 |
commit | f14f35c6e3218554cd351b848447cfa83b3c4256 (patch) | |
tree | 15a382da5f9440169ae34b287b55ff6c82ac8701 /jbig2dec | |
parent | d293095a593f7106e16027fb9782324ee7bb36f8 (diff) | |
jbig2dec: Plug leak of image upon error.
Fixes OSS-Fuzz issue 17513.
Thanks to OSS-Fuzz for reporting.
Diffstat (limited to 'jbig2dec')
-rw-r--r-- | jbig2dec/jbig2_text.c | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c index 6d983b6dd..61dc815d3 100644 --- a/jbig2dec/jbig2_text.c +++ b/jbig2dec/jbig2_text.c @@ -594,8 +594,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data const Jbig2HuffmanParams *huffman_params = NULL; /* 7.4.1 */ - if (segment->data_length < 17) - goto too_short; + if (segment->data_length < 17) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } jbig2_get_region_segment_info(®ion_info, segment_data); offset += 17; /* Check for T.88 amendment 3 */ @@ -603,8 +605,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "region segment flags indicate use of colored bitmap (NYI)"); /* 7.4.3.1.1 */ - if (segment->data_length - offset < 2) - goto too_short; + if (segment->data_length - offset < 2) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } flags = jbig2_get_uint16(segment_data + offset); offset += 2; @@ -633,8 +637,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data if (params.SBHUFF) { /* Huffman coding */ /* 7.4.3.1.2 */ - if (segment->data_length - offset < 2) - goto too_short; + if (segment->data_length - offset < 2) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } huffman_flags = jbig2_get_uint16(segment_data + offset); offset += 2; 
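Review bot: The new `goto cleanup2` at the 7.4.1 length check runs the function's cleanup labels before anything has been parsed or allocated, so every local those labels touch must be initialized at its declaration. The visible tail of `cleanup1` frees `dicts`, but the rest of `cleanup2`/`cleanup1` lies outside the hunks, so this cannot be confirmed from the diff. If those labels also branch on a `params` field such as `params.SBHUFF`, that field is still unset on this path and on the 7.4.3.1.1 path, whereas the removed `too_short` label returned directly and never reached that code. I would zero the struct before the first check, `memset(&params, 0, sizeof(params));`, and confirm that the image pointer, `dicts` and any other pointer released during cleanup start as NULL. These paths are reached purely from the length of the input segment, so they deserve a fuzz or unit case with a truncated text region segment.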
@@ -643,8 +649,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data } else { /* arithmetic coding */ /* 7.4.3.1.3 */ - if (segment->data_length - offset < 4) - goto too_short; + if (segment->data_length - offset < 4) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } if ((params.SBREFINE) && !(params.SBRTEMPLATE)) { params.sbrat[0] = segment_data[offset]; params.sbrat[1] = segment_data[offset + 1]; @@ -655,8 +663,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data } /* 7.4.3.1.4 */ - if (segment->data_length - offset < 4) - goto too_short; + if (segment->data_length - offset < 4) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset); offset += 4; @@ -922,8 +932,10 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data goto cleanup2; } - if (offset >= segment->data_length) - goto too_short; + if (offset >= segment->data_length) { + code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); + goto cleanup2; + } ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset); if (ws == NULL) { code = jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "failed to allocate word stream when handling text region image"); @@ -1028,7 +1040,4 @@ cleanup1: jbig2_free(ctx->allocator, dicts); return code; - -too_short: - return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); } |
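Review bot: The same two-line error block is now repeated at six checks (7.4.1, 7.4.3.1.1 through 7.4.3.1.4, and the `offset >= segment->data_length` check before the word stream is created), where the removed `too_short` label kept the message and severity in one place. Keeping the label and routing it through the cleanup would plug the leak with a smaller change and fewer places to drift apart: `too_short: code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "segment too short"); goto cleanup2;`, placed after the final `return code;`. Failing that, a one-line comment at the first site, `/* leave via cleanup2 so anything allocated so far is released */`, would explain why these checks no longer return directly.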