-rw-r--r--jbig2dec/jbig2_page.c2
-rw-r--r--jbig2dec/jbig2_segment.c14
-rw-r--r--jbig2dec/jbig2_text.c10
3 files changed, 22 insertions, 4 deletions
diff --git a/jbig2dec/jbig2_page.c b/jbig2dec/jbig2_page.c
index fa057a17b..c7cc99155 100644
--- a/jbig2dec/jbig2_page.c
+++ b/jbig2dec/jbig2_page.c
@@ -161,6 +161,8 @@ jbig2_end_of_stripe(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment
Jbig2Page page = ctx->pages[ctx->current_page];
uint32_t end_row;
+ if (segment->data_length < 4)
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short");
end_row = jbig2_get_uint32(segment_data);
if (end_row < page.end_row) {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
diff --git a/jbig2dec/jbig2_segment.c b/jbig2dec/jbig2_segment.c
index 74aeb375c..a92eb3aca 100644
--- a/jbig2dec/jbig2_segment.c
+++ b/jbig2dec/jbig2_segment.c
@@ -199,11 +199,17 @@ jbig2_get_region_segment_info(Jbig2RegionSegmentInfo *info, const uint8_t *segme
static int
jbig2_parse_extension_segment(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
{
- uint32_t type = jbig2_get_uint32(segment_data);
- bool reserved = type & 0x20000000;
+ uint32_t type;
+ bool reserved;
+ bool necessary;
- /* bool dependent = type & 0x40000000; (NYI) */
- bool necessary = type & 0x80000000;
+ if (segment->data_length < 4)
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short");
+
+ type = jbig2_get_uint32(segment_data);
+ reserved = type & 0x20000000;
+ /* dependent = type & 0x40000000; (NYI) */
+ necessary = type & 0x80000000;
if (necessary && !reserved) {
jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "extension segment is marked 'necessary' but " "not 'reserved' contrary to spec");
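Review bot: The assignments `reserved = type & 0x20000000;` and `necessary = type & 0x80000000;` store a high-bit mask result directly into a `bool`, and the definition of `bool` is not visible in this hunk. If it is C99 `_Bool` the result is normalised to 0 or 1, but if the project defines it as a narrower integer type the set bit would be truncated away and the 'necessary' test would never fire. Writing `reserved = (type & 0x20000000) != 0;` and `necessary = (type & 0x80000000) != 0;` makes the flags independent of that definition. The function body continues past the end of the hunk.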
diff --git a/jbig2dec/jbig2_text.c b/jbig2dec/jbig2_text.c
index 69e1ceab3..f66b2cc7a 100644
--- a/jbig2dec/jbig2_text.c
+++ b/jbig2dec/jbig2_text.c
@@ -519,6 +519,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
offset += 17;
/* 7.4.3.1.1 */
+ if (segment->data_length - offset < 2)
+ goto too_short;
flags = jbig2_get_uint16(segment_data + offset);
offset += 2;
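Review bot: The guard `segment->data_length - offset < 2` is only sound while `offset` never exceeds `data_length`. If `data_length` is an unsigned type (its declaration is outside the hunk), a larger `offset` makes the subtraction wrap to a huge value, so the check passes and the read that follows is out of bounds. The same form appears in the next three hunks (7.4.3.1.2, 7.4.3.1.3 and 7.4.3.1.4), while the last hunk in this file uses the comparison form `offset >= segment->data_length`. Writing each guard as `if (offset > segment->data_length || segment->data_length - offset < 2)` keeps it correct on its own, without relying on every unshown path that advances `offset` being checked first. jbig2_text_region starts and ends outside these hunks, so whether such a path exists cannot be confirmed from here.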
@@ -547,6 +549,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
if (params.SBHUFF) { /* Huffman coding */
/* 7.4.3.1.2 */
+ if (segment->data_length - offset < 2)
+ goto too_short;
huffman_flags = jbig2_get_uint16(segment_data + offset);
offset += 2;
@@ -555,6 +559,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
} else { /* arithmetic coding */
/* 7.4.3.1.3 */
+ if (segment->data_length - offset < 4)
+ goto too_short;
if ((params.SBREFINE) && !(params.SBRTEMPLATE)) {
params.sbrat[0] = segment_data[offset];
params.sbrat[1] = segment_data[offset + 1];
@@ -565,6 +571,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
}
/* 7.4.3.1.4 */
+ if (segment->data_length - offset < 4)
+ goto too_short;
params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset);
offset += 4;
@@ -831,6 +839,8 @@ jbig2_text_region(Jbig2Ctx *ctx, Jbig2Segment *segment, const byte *segment_data
goto cleanup2;
}
+ if (offset >= segment->data_length)
+ goto too_short;
ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
if (ws == NULL) {
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "couldn't allocate ws in text region image");
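Review bot: The new `goto too_short;` sits among failure paths that unwind through `cleanup2`, so it probably skips the release of whatever has been allocated by this point in jbig2_text_region. The branch just above ends in `goto cleanup2;` and the allocation failure just below sets `code = jbig2_error(...)`, whereas `too_short` is the label used by the early header checks before anything is allocated. Its body is outside the hunk, but if it simply returns an error then a crafted short segment leaks memory on every parse, which matters for a decoder fed untrusted files. Consider matching the neighbours: `if (offset >= segment->data_length) { code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short"); goto cleanup2; }`, after confirming that `cleanup2` is the right label for the state at this line.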