ref: b6c58d62f2a0b4af079622afad099a06f045ab1a
parent: 693e5e957326786cb30e5b0c0b8a7fdbbcc3ca42
author: Sebastian Rasmussen <sebras@gmail.com>
date: Sat May 13 23:34:57 EDT 2017
Bug 697866: Do bounds checking of read data. Credit to Ken for suggesting what bounds to check.
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -349,6 +349,11 @@
/* 6.4.11 (6) */
IBO = IB;
+ if (((int32_t) IBO->width) + RDW < 0 || ((int32_t) IBO->height) + RDH < 0) {
+ jbig2_image_release(ctx, IBO);
+ code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "reference image dimensions negative");
+ goto cleanup2;
+ }
refimage = jbig2_image_new(ctx, IBO->width + RDW, IBO->height + RDH);
if (refimage == NULL) {
jbig2_image_release(ctx, IBO);
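Review bot: The added guard computes `((int32_t) IBO->width) + RDW` and `((int32_t) IBO->height) + RDH` in 32-bit signed arithmetic, so a large positive RDW or RDH (values read from the stream, per the commit message) can overflow the sum, which is undefined behaviour, and the test rejects only negative results, never oversized ones. The cast suggests width and height are unsigned, in which case the `jbig2_image_new` call below evaluates the sum in a different type from the one just checked; the declarations are outside the hunk, so this is inferred. Computing the sum once in a wider type and bounding both ends would cover both cases: `int64_t w = (int64_t) IBO->width + RDW, h = (int64_t) IBO->height + RDH;` then `if (w < 0 || h < 0 || w > INT32_MAX || h > INT32_MAX) {`, passing `w` and `h` on to `jbig2_image_new` (use whatever upper limit that function actually accepts). The enclosing function and the `cleanup2` label are outside the hunk, so it cannot be confirmed from here that releasing IBO before the jump is not repeated in the cleanup path.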