ref: 46d6b40803cb7a68ceb06b2f71db8cf3f384c2ee
parent: fe6f6e359a5c13dd744712d4e633425feb9b2ee1
author: Alex Cherepanov <[email protected]>
date: Tue Apr 9 20:56:15 EDT 2013
Bug 693798: Fix buffer overrun. When jbig2dec detects that a run of pixels exceeds the image width, it clamps the beginning and end of the run to the image width+1. This is probably done so that runs lying entirely outside the image leave no marks. This patch adds 1 byte to the image buffer to ensure that writing 1 byte beyond the image line is valid.
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -57,7 +57,8 @@
jbig2_free(ctx->allocator, image);
return NULL;
}
- image->data = jbig2_new(ctx, uint8_t, (int)check);
+ /* Add 1 to accept runs that exceed image width and clamped to width+1 */
+ image->data = jbig2_new(ctx, uint8_t, (int)check + 1);
if (image->data == NULL) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
"could not allocate image data buffer! [stride(%d)*height(%d) bytes]",
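Review bot: The `+ 1` on the new allocation line is applied after the cast to `int`, and the guard that precedes this hunk (the one that frees `image` and returns `NULL`) presumably validates only `check` itself, so a `check` value at the top of the `int` range still passes and `(int)check + 1` wraps to a negative size; the padding should be folded into the validated quantity, e.g. reject the image earlier with `if (check >= INT_MAX) { ... }` and then allocate `(int)check + 1`, or validate `check + 1` directly. The added comment also reads awkwardly — `/* Allocate one extra byte: runs that exceed the image width are clamped to width+1 and may write one byte past the last line */` states the reason more precisely, and the error message on the following lines still reports the unpadded `stride*height` size. Whether the extra byte is ever initialised cannot be seen here; if `image->data` is not cleared by the caller, that byte is read-as-garbage territory for any code that scans the buffer to its allocated end. The enclosing function starts and ends outside this hunk.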