ref: 3eff8ef1daf4de5232cb432fd685f6befdac1906
parent: 08bc90379a7bd5d8eead94ae872f6fc6cc93a6fb
author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
date: Wed Jun 6 13:16:53 EDT 2012
Bug 693050 : Fixes CERT reported issue labelled HeapError
--- a/jbig2.c
+++ b/jbig2.c
@@ -301,7 +301,7 @@
{
if (ctx->buf_wr_ix - ctx->buf_rd_ix < 13)
return 0;
- ctx->n_pages = jbig2_get_int32(ctx->buf + ctx->buf_rd_ix + 9);
+ ctx->n_pages = jbig2_get_uint32(ctx->buf + ctx->buf_rd_ix + 9);
ctx->buf_rd_ix += 13;
if (ctx->n_pages == 1)
jbig2_error(ctx, JBIG2_SEVERITY_INFO, -1, "file header indicates a single page document");
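Review bot: Changing n_pages to an unsigned read here (and to `uint32_t` in the jbig2_priv.h hunk) only updates the `== 1` comparison that is visible in this hunk; any other consumer that prints the field with `%d` or compares it against a signed value would now see a different range, and nothing in this commit audits those sites. The JBIG2 file header uses 0xffffffff to signal "number of pages unknown", which after this change is a large positive count rather than -1, so it should be documented at the field rather than left implicit. I would add at the assignment: `/* 0xffffffff means the page count is unknown; callers must not treat it as a size */`. The enclosing function starts before this hunk.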
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -98,8 +98,17 @@
int width, int height)
{
if (width == image->width) {
+ /* check for integer multiplication overflow */
+ int64_t check = ((int64_t)image->stride)*((int64_t)height);
+ if (check != (int)check)
+ {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+ "integer multiplication overflow during resize stride(%d)*height(%d)",
+ image->stride, height);
+ return NULL;
+ }
/* use the same stride, just change the length */
- image->data = jbig2_renew(ctx, image->data, uint8_t, image->stride*height);
+ image->data = jbig2_renew(ctx, image->data, uint8_t, (int)check);
if (image->data == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
"could not resize image buffer!");
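Review bot: The new overflow guard at the top of the hunk rejects only products that do not fit in an int; a negative product passes it. `height` is an `int` parameter (first line of the hunk), so a negative height (or a negative stride) yields a negative `check` that round-trips through `(int)check` unchanged and is then handed to jbig2_renew as the element count. Converting an out-of-range int64_t to int is also implementation-defined rather than a guaranteed truncation, so the comparison is clearer against an explicit bound: `if (check < 0 || check > INT_MAX)` (with `<limits.h>` in scope). Whether callers already guarantee a non-negative height is not visible here; the enclosing function begins before this hunk.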
--- a/jbig2_metadata.c
+++ b/jbig2_metadata.c
@@ -87,7 +87,7 @@
/* grow the array if necessary */
if (md->entries == md->max_entries) {
- md->max_entries >>= 2;
+ md->max_entries <<= 1;
keys = jbig2_renew(ctx, md->keys, char*, md->max_entries);
values = jbig2_renew(ctx, md->values, char*, md->max_entries);
if (keys == NULL || values == NULL) {
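Review bot: `md->max_entries <<= 1` only grows the array if max_entries is already non-zero; if the metadata object can start with max_entries == 0 (not visible in this hunk), the shift leaves it at 0, jbig2_renew is asked for zero elements, and the subsequent store into `keys`/`values` writes past the buffer — the same class of heap error the commit is fixing. Left-shifting a signed int whose top bit is set is also undefined, so a plain multiply with a floor is safer: `md->max_entries = md->max_entries ? md->max_entries * 2 : 1;`. The surrounding function continues outside this hunk.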
--- a/jbig2_priv.h
+++ b/jbig2_priv.h
@@ -59,7 +59,7 @@
Jbig2FileState state;
uint8_t file_header_flags;
- int32_t n_pages;
+ uint32_t n_pages;
int n_segments_max;
Jbig2Segment **segments;
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -361,19 +361,12 @@
"decoding height class %d with %d syms decoded", HCHEIGHT, NSYMSDECODED);
for (;;) {
- /* check for broken symbol table */
- if (NSYMSDECODED > params->SDNUMNEWSYMS)
- {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
- "No OOB signalling end of height class %d", HCHEIGHT);
- goto cleanup4;
- }
/* 6.5.7 */
if (params->SDHUFF) {
DW = jbig2_huffman_get(hs, params->SDHUFFDW, &code);
} else {
code = jbig2_arith_int_decode(IADW, as, &DW);
- if (code < 0) goto cleanup4;
+ if (code < 0) goto cleanup4;
}
/* 6.5.5 (4c.i) */
@@ -382,6 +375,15 @@
" OOB signals end of height class %d", HCHEIGHT);
break;
}
+
+ /* check for broken symbol table */
+ if (NSYMSDECODED >= params->SDNUMNEWSYMS)
+ {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "No OOB signalling end of height class %d", HCHEIGHT);
+ goto cleanup4;
+ }
+
SYMWIDTH = SYMWIDTH + DW;
TOTWIDTH = TOTWIDTH + SYMWIDTH;
if (SYMWIDTH < 0) {
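Review bot: The relocated guard on NSYMSDECODED now fires only after a non-OOB DW has been decoded, which is the right place, but the diagnostic it emits does not report the counts that triggered it, which makes the rejected file hard to triage. I would extend the message to `"No OOB signalling end of height class %d (%d of %d symbols decoded)"` with `NSYMSDECODED, params->SDNUMNEWSYMS` appended to the arguments, using `%u` if those fields are unsigned in the parameter struct (their types are not visible here). If NSYMSDECODED is signed and SDNUMNEWSYMS unsigned, the `>=` comparison is performed unsigned, which is worth a one-line comment. The enclosing loop and function extend beyond this hunk.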
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -248,6 +248,11 @@
CURS = FIRSTS;
first_symbol = FALSE;
} else {
+ if (NINSTANCES > params->SBNUMINSTANCES) {
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "too many NINSTANCES (%d) decoded", NINSTANCES);
+ break;
+ }
/* (3c.ii) / 6.4.8 */
if (params->SBHUFF) {
IDS = jbig2_huffman_get(hs, params->SBHUFFDS, &code);
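Review bot: The new NINSTANCES bound sits only in the `else` branch, so the first symbol of each strip is decoded without it, and it uses `>` although NINSTANCES appears to count instances already placed (the debug print later in this file section shows `NINSTANCES + 1` as the instance about to be decoded). If that reading is correct, decoding proceeds once more when NINSTANCES == SBNUMINSTANCES, and `if (NINSTANCES >= params->SBNUMINSTANCES) {` would be the tight bound; please confirm against the counter's update site, which is outside this hunk. The note also stores jbig2_error's return in `code` before `break`, so the value the loop exits with should be documented at the loop head: `/* code < 0 after the loop means a decoding error, not OOB */`. The enclosing function begins before this hunk.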
@@ -255,7 +260,7 @@
code = jbig2_arith_int_decode(params->IADS, as, &IDS);
}
if (code) {
- /* decoded an OOB, reached end of stripe */
+ /* decoded an OOB, reached end of strip */
break;
}
CURS += IDS + params->SBDSOFFSET;
@@ -268,7 +273,7 @@
CURT = jbig2_huffman_get_bits(hs, params->LOGSBSTRIPS);
} else {
code = jbig2_arith_int_decode(params->IAIT, as, &CURT);
- if (code < 0) goto cleanup2;
+ if (code < 0) goto cleanup2;
}
T = STRIPT + CURT;
@@ -406,7 +411,8 @@
ID, IB->width, IB->height, x, y, NINSTANCES + 1,
params->SBNUMINSTANCES);
#endif
- jbig2_image_compose(ctx, image, IB, x, y, params->SBCOMBOP);
+ code = jbig2_image_compose(ctx, image, IB, x, y, params->SBCOMBOP);
+ if (code < 0) goto cleanup2;
/* (3c.x) */
if ((!params->TRANSPOSED) && (params->REFCORNER < 2)) {
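Review bot: The new `if (code < 0) goto cleanup2;` after jbig2_image_compose bails out without logging, unlike the other fatal paths added in this commit, so unless jbig2_image_compose reports its own failure (not visible here) the caller only sees a silent negative return. If it does not, add `jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "failed to compose symbol instance");` before the goto, or note at the call that the callee already reports. The cleanup2 label and the rest of the function are outside this hunk.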