shithub: jbig2

Download patch

ref: 52d1e3818910d14fee92aab71859279067e99c18
parent: 56fc4c6af35f144369ff6986d69c0395df9db519
author: Sebastian Rasmussen <sebras@gmail.com>
date: Sun Apr 8 16:34:43 EDT 2018 

jbig2dec: Detect data shortage.


--- a/jbig2_page.c
+++ b/jbig2_page.c
@@ -161,6 +161,8 @@
     Jbig2Page page = ctx->pages[ctx->current_page];
     uint32_t end_row;
 
+    if (segment->data_length < 4)
+        return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short");
     end_row = jbig2_get_uint32(segment_data);
     if (end_row < page.end_row) {
         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
--- a/jbig2_segment.c
+++ b/jbig2_segment.c
@@ -199,11 +199,17 @@
 static int
 jbig2_parse_extension_segment(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
 {
-    uint32_t type = jbig2_get_uint32(segment_data);
-    bool reserved = type & 0x20000000;
+    uint32_t type;
+    bool reserved;
+    bool necessary;
 
-    /* bool dependent = type & 0x40000000; (NYI) */
-    bool necessary = type & 0x80000000;
+    if (segment->data_length < 4)
+        return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "Segment too short");
+
+    type = jbig2_get_uint32(segment_data);
+    reserved = type & 0x20000000;
+    /* dependent = type & 0x40000000; (NYI) */
+    necessary = type & 0x80000000;
 
     if (necessary && !reserved) {
         jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "extension segment is marked 'necessary' but " "not 'reserved' contrary to spec");
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -519,6 +519,8 @@
     offset += 17;
 
     /* 7.4.3.1.1 */
+    if (segment->data_length - offset < 2)
+        goto too_short;
     flags = jbig2_get_uint16(segment_data + offset);
     offset += 2;
 
@@ -547,6 +549,8 @@
 
     if (params.SBHUFF) {        /* Huffman coding */
         /* 7.4.3.1.2 */
+        if (segment->data_length - offset < 2)
+            goto too_short;
         huffman_flags = jbig2_get_uint16(segment_data + offset);
         offset += 2;
 
@@ -555,6 +559,8 @@
     } else {                    /* arithmetic coding */
 
         /* 7.4.3.1.3 */
+        if (segment->data_length - offset < 4)
+            goto too_short;
         if ((params.SBREFINE) && !(params.SBRTEMPLATE)) {
             params.sbrat[0] = segment_data[offset];
             params.sbrat[1] = segment_data[offset + 1];
@@ -565,6 +571,8 @@
     }
 
     /* 7.4.3.1.4 */
+    if (segment->data_length - offset < 4)
+        goto too_short;
     params.SBNUMINSTANCES = jbig2_get_uint32(segment_data + offset);
     offset += 4;
 
@@ -831,6 +839,8 @@
         goto cleanup2;
     }
 
+    if (offset >= segment->data_length)
+        goto too_short;
     ws = jbig2_word_stream_buf_new(ctx, segment_data + offset, segment->data_length - offset);
     if (ws == NULL) {
         code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "couldn't allocate ws in text region image");