shithub: jbig2

Download patch

ref: 46d6b40803cb7a68ceb06b2f71db8cf3f384c2ee
parent: fe6f6e359a5c13dd744712d4e633425feb9b2ee1
author: Alex Cherepanov <alex.cherepanov@artifex.com>
date: Tue Apr 9 20:56:15 EDT 2013

Bug 693798: Fix buffer overrun.

When jbig2dec detects that a run of pixels exceeds the image width,
it clamps the beginning and end of the run to the image width+1.
Probably, this is done to make runs that are entirely outside of the
image to leave no marks. This patch adds 1 byte to the image
buffer to ensure that writing 1 byte beyond the image line is valid.

--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -57,7 +57,8 @@
             jbig2_free(ctx->allocator, image);
             return NULL;
         }
-        image->data = jbig2_new(ctx, uint8_t, (int)check);
+        /* Add 1 to accept runs that exceed image width and clamped to width+1 */
+        image->data = jbig2_new(ctx, uint8_t, (int)check + 1);
 	if (image->data == NULL) {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
             "could not allocate image data buffer! [stride(%d)*height(%d) bytes]",