shithub: jbig2

Download patch

ref: 258290340bb657c9efb44457f717b0d8b49f4aa3
parent: f8992b8fe65c170c8624226f127c5c4bfed42c66
author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
date: Wed May 3 18:06:01 EDT 2017 

Bug 697703: Prevent integer overflow vulnerability.

Add extra check for the offset being greater than the size
of the image and hence reading off the end of the buffer.

Thank you to Dai Ge for finding this issue and suggesting a patch.


--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -629,7 +629,7 @@
                 byte *dst = image->data;
 
                 /* SumatraPDF: prevent read access violation */
-                if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
                                 size - jbig2_huffman_offset(hs));
                     jbig2_image_release(ctx, image);