ref: 3e6c1b0670740be3b138228dcc134bf5e6c1eceb
parent: 35d45096bf79e58948d41c6c54095b71ea906a26
author: Alex Cherepanov <alex.cherepanov@artifex.com>
date: Mon Jan 28 12:32:15 EST 2013
Bug 693284: Prevent read access violation. Check whether there's enough data.
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -692,6 +692,13 @@
((image->width & 7) ? 1 : 0);
byte *dst = image->data;
+ /* SumatraPDF: prevent read access violation */
+ if (size - jbig2_huffman_offset(hs) < image->height * stride) {+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, size - jbig2_huffman_offset(hs));
+ jbig2_image_release(ctx, image);
+ goto cleanup4;
+ }
+
BMSIZE = image->height * stride;
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
"reading %dx%d uncompressed bitmap"
@@ -705,6 +712,13 @@
}
} else {Jbig2GenericRegionParams rparams;
+
+ /* SumatraPDF: prevent read access violation */
+ if (size - jbig2_huffman_offset(hs) < BMSIZE) {+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", BMSIZE, size - jbig2_huffman_offset(hs));
+ jbig2_image_release(ctx, image);
+ goto cleanup4;
+ }
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
"reading %dx%d collective bitmap for %d symbols (%d bytes)",