ref: 372463f06054462bff49dae0c9238e8e47c32ec9
parent: bfbbf75212124b91461ed01fcb237e97c15777d2
author: Sebastian Rasmussen <sebras@gmail.com>
date: Sat May 26 22:48:56 EDT 2018
jbig2dec: Validate ASCII characters in metadata comments.
--- a/jbig2_metadata.c
+++ b/jbig2_metadata.c
@@ -122,17 +122,21 @@
int
jbig2_comment_ascii(Jbig2Ctx *ctx, Jbig2Segment *segment, const uint8_t *segment_data)
{
- char *s = (char *)(segment_data + 4);
- char *end = (char *)(segment_data + segment->data_length);
+ char *s, *end;
Jbig2Metadata *comment;
char *key, *value;
int code;
+ char *p;
jbig2_error(ctx, JBIG2_SEVERITY_INFO, segment->number, "ASCII comment data");
+ s = (char *)(segment_data + 4);
+ end = (char *)(segment_data + segment->data_length);
+
comment = jbig2_metadata_new(ctx, JBIG2_ENCODING_ASCII);
if (comment == NULL)
return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to allocate comment structure");
+
/* loop over the segment data pulling out the key,value pairs */
while (s < end && *s) {
key = s;
@@ -144,6 +148,20 @@
if (!s)
goto too_short;
s++;
+
+ p = key;
+ while (*p) {
+ if (*p > 127)
+ goto invalid_character;
+ p++;
+ }
+ p = value;
+ while (*p) {
+ if (*p > 127)
+ goto invalid_character;
+ p++;
+ }
+
code = jbig2_metadata_add(ctx, comment, key, value - key, value, s - value);
if (code < 0)
return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unable to add ascii comment data");
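Review bot: The `if (*p > 127)` tests in both new validation loops can never be true on platforms where plain `char` is signed, because `p` is a `char *` and bytes 0x80–0xff read as negative values. Non-ASCII bytes from the file would therefore still reach jbig2_metadata_add. Compare as unsigned instead, e.g. `if ((unsigned char)*p > 127)`, or declare `p` as `const unsigned char *`. The same signedness affects the `invalid_character` label in the last hunk, where `*p` is passed to `%02x`: a negative value is sign-extended by promotion and prints as `0xffffff..`, so use `(unsigned char)*p` there as well. The enclosing loop starts and ends outside this hunk.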
@@ -157,7 +175,11 @@
too_short:
jbig2_metadata_free(ctx, comment);
- return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number, "unexpected end of comment segment");
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "unexpected end of comment segment");
+
+invalid_character:
+ jbig2_metadata_free(ctx, comment);
+ return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "invalid character 0x%02x found in ASCII comment", *p);
}
/* decode a UCS-16 comment segment 7.4.15.2 */
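Review bot: Only the `too_short` and `invalid_character` labels free `comment`; the `code < 0` return after jbig2_metadata_add in the previous hunk still returns without calling jbig2_metadata_free. That looks like a leak on that path, unless ownership of `comment` has already been handed over somewhere not visible here. Adding `jbig2_metadata_free(ctx, comment);` before that return, or routing it through a shared cleanup label, would keep the three error exits consistent. The code between the loop and these labels lies outside the hunk, so this should be confirmed against the full function.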