

ref: 9cf138eae6a1ac6554ecc3414224fecb0ba2ec2b
parent: 1c933c8c1d2beb7b6c6747c29fec58c6d6b8a02c
author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
date: Fri Jun 15 15:22:52 EDT 2012

Bug 693050 : Fixes CERT reported issues labelled DestAv

--- a/jbig2.c
+++ b/jbig2.c
@@ -55,9 +55,14 @@
 };
 
 void *
-jbig2_alloc (Jbig2Allocator *allocator, size_t size)
+jbig2_alloc (Jbig2Allocator *allocator, size_t size, size_t num)
 {
-  return allocator->alloc (allocator, size);
+    /* check for integer multiplication overflow */
+    int64_t check = ((int64_t)num)*((int64_t)size);
+    if (check != (int)check)
+      return NULL;
+    else
+      return allocator->alloc (allocator, (int)check);
 }
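Review bot: The overflow guard on the new `check` line can itself overflow: `size` and `num` are `size_t`, so on an LP64 build the casts to `int64_t` are lossy for values above INT64_MAX and the signed product is undefined behaviour whenever it exceeds INT64_MAX, which is precisely the hostile input the check is meant to reject. The portable form is a division test before multiplying, `if (size != 0 && num > SIZE_MAX / size) return NULL;` followed by `return allocator->alloc (allocator, size * num);`. If the intent is additionally to cap a single allocation at INT_MAX (the `(int)check` cast suggests so, while the allocator callback took a `size_t` in the old code), make that an explicit comparison against INT_MAX rather than relying on truncation round-tripping. jbig2_realloc in the next hunk repeats the same pattern and needs the same fix.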
 
 void
@@ -67,9 +72,14 @@
 }
 
 void *
-jbig2_realloc (Jbig2Allocator *allocator, void *p, size_t size)
+jbig2_realloc (Jbig2Allocator *allocator, void *p, size_t size, size_t num)
 {
-  return allocator->realloc (allocator, p, size);
+    /* check for integer multiplication overflow */
+    int64_t check = ((int64_t)num)*((int64_t)size);
+    if (check != (int)check)
+      return NULL;
+    else
+      return allocator->realloc (allocator, p, (int)check);
 }
 
 static int
@@ -121,7 +131,7 @@
   if (error_callback == NULL)
       error_callback = &jbig2_default_error;
 
-  result = (Jbig2Ctx*)jbig2_alloc(allocator, sizeof(Jbig2Ctx));
+  result = (Jbig2Ctx*)jbig2_alloc(allocator, sizeof(Jbig2Ctx), 1);
   if (result == NULL) {
     error_callback(error_callback_data, "initial context allocation failed!",
                     JBIG2_SEVERITY_FATAL, -1);
--- a/jbig2_priv.h
+++ b/jbig2_priv.h
@@ -87,17 +87,17 @@
 
 /* dynamic memory management */
 void *
-jbig2_alloc (Jbig2Allocator *allocator, size_t size);
+jbig2_alloc (Jbig2Allocator *allocator, size_t size, size_t num);
 
 void
 jbig2_free (Jbig2Allocator *allocator, void *p);
 
 void *
-jbig2_realloc (Jbig2Allocator *allocator, void *p, size_t size);
+jbig2_realloc (Jbig2Allocator *allocator, void *p, size_t size, size_t num);
 
-#define jbig2_new(ctx, t, size) ((t *)jbig2_alloc(ctx->allocator, (size) * sizeof(t)))
+#define jbig2_new(ctx, t, size) ((t *)jbig2_alloc(ctx->allocator, size, sizeof(t)))
 
-#define jbig2_renew(ctx, p, t, size) ((t *)jbig2_realloc(ctx->allocator, (p), (size) * sizeof(t)))
+#define jbig2_renew(ctx, p, t, size) ((t *)jbig2_realloc(ctx->allocator, (p), size, sizeof(t)))
 
 int
 jbig2_error (Jbig2Ctx *ctx, Jbig2Severity severity, int32_t seg_idx,
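Review bot: The rewritten `jbig2_new` and `jbig2_renew` macros pass the element count as the `size` parameter and `sizeof(t)` as `num`, the opposite of what the prototypes two lines above name them; the product is commutative so it works, but a reader checking a call site against the prototype will be misled. The macros also drop the parentheses the old versions kept around `size`, while `(p)` stays parenthesised in the same line. Suggest `#define jbig2_new(ctx, t, size) ((t *)jbig2_alloc(ctx->allocator, sizeof(t), (size)))` and the matching `jbig2_renew` form, or alternatively rename the prototype parameters to `size, count` so the names match the order actually used.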
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -43,7 +43,7 @@
 typedef struct {
   bool SDHUFF;
   bool SDREFAGG;
-  int32_t SDNUMINSYMS;
+  uint32_t SDNUMINSYMS;
   Jbig2SymbolDict *SDINSYMS;
   uint32_t SDNUMNEWSYMS;
   uint32_t SDNUMEXSYMS;
@@ -228,7 +228,7 @@
 {
   Jbig2SymbolDict *SDNEWSYMS = NULL;
   Jbig2SymbolDict *SDEXSYMS = NULL;
-  int32_t HCHEIGHT;
+  uint32_t HCHEIGHT;
   uint32_t NSYMSDECODED;
   uint32_t SYMWIDTH, TOTWIDTH;
   uint32_t HCFIRSTSYM;
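Review bot: Changing `HCHEIGHT` from `int32_t` to `uint32_t` silently changes what an invalid height delta does: a negative result no longer reads as negative but wraps to a value near 4 billion, and any `HCHEIGHT < 0` sanity test in the body (which lies outside this hunk) becomes a compiler-reported always-false comparison. If such a check exists, it should be replaced by validating the signed delta before the addition, for example rejecting a delta whose magnitude exceeds the current height when negative, and by bounding the resulting height against the image limits the decoder already enforces. The enclosing function starts and ends outside the hunk.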
@@ -285,7 +285,7 @@
           goto cleanup1;
       }
       if (params->SDREFAGG) {
-          int tmp = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
+          int64_t tmp = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
           for (SBSYMCODELEN = 0; (1 << SBSYMCODELEN) < tmp; SBSYMCODELEN++);
           IAID = jbig2_arith_iaid_ctx_new(ctx, SBSYMCODELEN);
           IARDX = jbig2_arith_int_ctx_new(ctx);
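Review bot: Widening `tmp` to `int64_t` does not prevent the overflow it targets, because `params->SDNUMINSYMS + params->SDNUMNEWSYMS` is evaluated in `uint32_t` first and only the wrapped result is converted; the cast has to come before the addition, `int64_t tmp = (int64_t)params->SDNUMINSYMS + params->SDNUMNEWSYMS;`. Once the sum can legitimately exceed INT_MAX, the loop on the next line shifts a plain `int`, and `1 << 31` is undefined behaviour in C11, so the shift operand needs widening too, `for (SBSYMCODELEN = 0; ((int64_t)1 << SBSYMCODELEN) < tmp; SBSYMCODELEN++);`. The enclosing function starts and ends outside the hunk.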
@@ -313,7 +313,8 @@
 	  SDNEWSYMWIDTHS = jbig2_new(ctx, uint32_t, params->SDNUMNEWSYMS);
 	  if (SDNEWSYMWIDTHS == NULL) {
 	    jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
-            "could not allocate storage for symbol widths");
+              "could not allocate storage for (%u) symbol widths",
+              params->SDNUMNEWSYMS);
 	    goto cleanup2;
 	  }
       }
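Review bot: The new `%u` conversions are paired with `uint32_t` arguments, which is correct on every platform where `uint32_t` is `unsigned int` but is not the strictly portable spelling; the fixed-width form is `"%" PRIu32` from `<inttypes.h>`, which also lets `-Wformat` check the argument types if jbig2_error carries a printf format attribute. The same applies to the `%u` edits in the hunks ending at lines 128, 137 and 146. The enclosing function starts and ends outside this hunk.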
@@ -322,7 +323,8 @@
   SDNEWSYMS = jbig2_sd_new(ctx, params->SDNUMNEWSYMS);
   if (SDNEWSYMS == NULL) {
       jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
-          "could not allocate storage for symbols");
+          "could not allocate storage for (%u) new symbols",
+          params->SDNUMNEWSYMS);
       goto cleanup2;
   }
 
@@ -629,7 +631,7 @@
 	  }
 
 	  jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
-            "decoded symbol %d of %d (%dx%d)",
+            "decoded symbol %u of %u (%ux%u)",
 		NSYMSDECODED, params->SDNUMNEWSYMS,
 		SYMWIDTH, HCHEIGHT);
 
@@ -997,7 +999,7 @@
   offset += 8;
 
   jbig2_error(ctx, JBIG2_SEVERITY_INFO, segment->number,
-	      "symbol dictionary, flags=%04x, %d exported syms, %d new syms",
+              "symbol dictionary, flags=%04x, %u exported syms, %u new syms",
 	      flags, params.SDNUMEXSYMS, params.SDNUMNEWSYMS);
 
   /* 7.4.2.2 (2) */
--- a/jbig2_symbol_dict.h
+++ b/jbig2_symbol_dict.h
@@ -17,7 +17,7 @@
 
 /* the results of decoding a symbol dictionary */
 typedef struct {
-    int n_symbols;
+    uint32_t n_symbols;
     Jbig2Image **glyphs;
 } Jbig2SymbolDict;