ref: 3effe5c33cb3f2013216e960b4f4d8d2822b15fc
parent: 17246f7e4d281334b4f185e157e23491cd70f73e
author: Sebastian Rasmussen <sebras@gmail.com>
date: Wed Oct 16 21:48:00 EDT 2019
Bug 701721: jbig2dec: Fix under/overflow handling in arithmetic integer decoder. The previous detection logic caused GCC's -Wlogical-op to trip. Not only that, but the detection logic never took into account that underflow is not possible (the worst case is V == INT32_MIN, but offset is always > 0, so underflow cannot happen), nor take varying offset values into account (hardcoded limits meant that the offset was ignored even if it could not cause an overflow), but instead could cause non-clamped values to be emitted. This corrected logic adheres to the Annex A. Table A.1 in the specification.
--- a/jbig2_arith_int.c
+++ b/jbig2_arith_int.c
@@ -130,8 +130,11 @@
V = (V << 1) | bit;
}
- /* make sure not to underflow/overflow 32 bit value */
- if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436)
+ /* offset is always >=0, so underflow can't happen. */
+ /* avoid overflow by clamping 32 bit value. */
+ if (V > INT32_MAX - offset)
+ V = INT32_MAX;
+ else
V += offset;
V = S ? -V : V;
*p_result = V;