shithub: jbig2

ref: 2b69772201628cfc44af64e35f900e2efd4b66e7
parent: 002101876a97ca621b6d98839fa09f3c0a8ddee9
author: Ken Sharp <ken.sharp@artifex.com>
date: Fri Mar 24 07:47:33 EDT 2017

jbig2dec - refine test for "Denial of Service" images

Bug 697682 "Incorrectly displayed a PDF file on GSView, MuPDF and GhostScript"

In commit 7366747076f3b75def52079bd4d5021539a16394 Simon introduced a
test to try and detect a JBIG2 compressed image which would take an
unreasonable amount of time to process. Unfortunately, the test also trips
up this real world (if rather extreme) example.

The test looks for an image to be > 16MB and for the segment being
processed to contain less than 1/256 of the image data. However, since
we use this same section for symbol decoding, the segment size can be
considerably smaller than that, and still be legal.

This commit alters the image size to 64MB (as this is, frankly, ridiculously
large for a JBIG2 image) and for the segment size to be less than
1/65536 of the total image data. This means that images less than 64MB,
with segments larger than ~1KB might still cause a DOS, but this seems
to be simply a problem we have to accept.

Since the DOS time is dependent on the size of the data, and the size
of the segment, this is a compromise.

--- a/jbig2_generic.c
+++ b/jbig2_generic.c
@@ -637,7 +637,7 @@
 {
     const int8_t *gbat = params->gbat;
 
-    if (image->stride * image->height > (1 << 24) && segment->data_length < image->stride * image->height / 256) {
+    if (image->stride * image->height > (1 << 26) && segment->data_length < image->stride * image->height / (1 << 16)) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
                            "region is far larger than data provided (%d << %d), aborting to prevent DOS", segment->data_length, image->stride * image->height);
     }
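Review bot: the guard in this hunk still evaluates `image->stride * image->height` three times in what appears to be plain `int` arithmetic (the `%d` conversions in the error message suggest as much), and at the 64MB threshold it now targets a 32-bit product is close to overflowing for plausible stride/height pairs, which would silently defeat the check; compute it once in a wider type, e.g. `size_t image_size = (size_t)image->stride * image->height;`, and compare `segment->data_length` against `image_size / (1 << 16)` from that. Since the two magic numbers `(1 << 26)` and `(1 << 16)` encode the compromise described in the commit message, a one-line comment citing Bug 697682 next to them would save the next person from retuning them blind, and the `"(%d << %d)"` wording in the error string reads as a shift rather than "much smaller than", so consider `"(%d < %d)"` or spelling it out.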