

ref: e20979d9e27342a2e5d54f12702e038df015de01
parent: 834b90bd62de11f0b5483bc8d449eb110eb3c493
author: Robin Watts <Robin.Watts@artifex.com>
date: Mon Feb 3 06:06:48 EST 2020

jbig2dec: Fix OSS-Fuzz issue 20493

The maximum x gbat works out as 126, where GBW is 32.
This makes right = GBW - gmax huge. Clip the value to
avoid problems.

Thanks to OSS-Fuzz for reporting.

--- a/jbig2_arith.c
+++ b/jbig2_arith.c
@@ -42,22 +42,17 @@
     int offset;
 };
 
-#undef SOFTWARE_CONVENTION
-
 /*
-  A note on the "software conventions".
+  Previous versions of this code had a #define to allow
+  us to choose between using the revised arithmetic decoding
+  specified in the 'Software Convention' section of the spec.
+  Back to back tests showed that the 'Software Convention'
+  version was indeed slightly faster. We therefore enable it
+  by default. We also strip the option out, because a) it
+  makes the code harder to read, and b) such things are an
+  invitation to bitrot.
+*/
 
-  Previously, I had misinterpreted the spec, and had thought that the
-  spec's description of the "software convention" was wrong. Now I
-  believe that this code is both correct and matches the spec, with
-  SOFTWARE_CONVENTION defined or not. Thanks to William Rucklidge for
-  the clarification.
-
-  In any case, my benchmarking indicates no speed difference at all.
-  Therefore, for now we will just use the normative version.
-
- */
-
 static void
 jbig2_arith_bytein(Jbig2ArithState *as)
 {
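Review bot: The rewritten header comment is left incomplete: "choose between using the revised arithmetic decoding specified in the 'Software Convention' section" names only one side of the choice, so a reader who never saw the old #define cannot tell what it was chosen against. Suggest `choose between the normative arithmetic decoder and the revised one given in the 'Software Convention' section of the spec.` for that sentence. It would also help to state in the same comment that the software-convention form is now the only decoder in this file, since the remaining hunks remove the alternative without any marker in the code itself. jbig2_arith_bytein's body continues past the end of the hunk.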
@@ -83,9 +78,6 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (aa)\n", B);
 #endif
-#ifndef SOFTWARE_CONVENTION
-                as->C += 0xFF00;
-#endif
                 as->CT = 8;
                 as->next_word = 0xFF000000 | (as->next_word >> 8);
                 as->next_word_bytes = 4;
@@ -94,11 +86,7 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (a)\n", B);
 #endif
-#ifdef SOFTWARE_CONVENTION
                 as->C += 0xFE00 - (B1 << 9);
-#else
-                as->C += B1 << 9;
-#endif
                 as->CT = 7;
             }
         } else {
@@ -107,9 +95,6 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (ba)\n", B);
 #endif
-#ifndef SOFTWARE_CONVENTION
-                as->C += 0xFF00;
-#endif
                 as->CT = 8;
             } else {
                 as->next_word_bytes--;
@@ -118,11 +103,7 @@
                 fprintf(stderr, "read %02x (b)\n", B);
 #endif
 
-#ifdef SOFTWARE_CONVENTION
                 as->C += 0xFE00 - (B1 << 9);
-#else
-                as->C += (B1 << 9);
-#endif
                 as->CT = 7;
             }
         }
@@ -141,11 +122,7 @@
             as->next_word_bytes = new_bytes;
         }
         B = (byte)((as->next_word >> 24) & 0xFF);
-#ifdef SOFTWARE_CONVENTION
         as->C += 0xFF00 - (B << 8);
-#else
-        as->C += (B << 8);
-#endif
     }
 }
 
@@ -172,11 +149,7 @@
     result->offset = new_bytes;
 
     /* Figure E.20 */
-#ifdef SOFTWARE_CONVENTION
     result->C = (~(result->next_word >> 8)) & 0xFF0000;
-#else
-    result->C = (result->next_word >> 8) & 0xFF0000;
-#endif
 
     jbig2_arith_bytein(result);
     result->C <<= 7;
@@ -276,16 +249,9 @@
     /* Figure E.15 */
     as->A -= pqe->Qe;
     if (
-#ifdef SOFTWARE_CONVENTION
         /* Note: I do not think this is correct. See above. */
         (as->C >> 16) < as->A
-#else
-        !((as->C >> 16) < pqe->Qe)
-#endif
     ) {
-#ifndef SOFTWARE_CONVENTION
-        as->C -= pqe->Qe << 16;
-#endif
         if ((as->A & 0x8000) == 0) {
             /* MPS_EXCHANGE, Figure E.16 */
             if (as->A < pqe->Qe) {
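Review bot: The comment `/* Note: I do not think this is correct. See above. */` kept on the new side now refers to a header note that this same commit deletes, and it contradicts the new header text, which says the software-convention path was measured and deliberately kept. The comparison `(as->C >> 16) < as->A` below it is now the only decode test, so a doubt-marker that is no longer held will mislead the next maintainer into "fixing" it. Either drop that line or replace it with a comment that describes the test, e.g. `/* Software-convention form of the E.15 test: compare the high half of C against A */`. The enclosing decode function begins and ends outside this hunk.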
@@ -303,9 +269,7 @@
             return cx >> 7;
         }
     } else {
-#ifdef SOFTWARE_CONVENTION
         as->C -= (as->A) << 16;
-#endif
         /* LPS_EXCHANGE, Figure E.17 */
         if (as->A < pqe->Qe) {
             as->A = pqe->Qe;