ref: 4e62b3968d0d897bb9a24ba7f75504f476e33ba6
parent: 86e0b052dc32de4e0f9a3cbc7dbf27211a2b3182
author: Ralph Giles <[email protected]>
date: Wed Apr 1 11:52:17 EDT 2009
Bounds check exported symbol run-lengths. CVE-2009-0196.

The final symbol dictionary is built from a combination of symbols from referenced dictionaries and new symbols coded in the current segment. Because the symbols can be composed and refined, not all coded symbols are necessarily exported. The list of symbols to export from those constructed by the decoding process is coded as a series of on/off run-lengths.

Previously we accepted the value read as the run-length, even though this could result in writing off the end of the exported symbol array. This commit checks the read value against the number of elements remaining in the export array and throws a fatal error if there is an overflow.

Thanks to Alin Rad Pop of Secunia Research for pointing out the issue.
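The on/off run-length expansion the message describes, with the bound it adds, as an added stand-alone example. This is not jbig2dec's code and is not part of the commit: the run-lengths that jbig2dec reads with jbig2_arith_int_decode (or on the Huffman path) are supplied as a plain array so the logic runs offline, and the names expand_export_flags, export_count, exported_index and the EXPORT_* result codes are invented for the example. It also bounds each run against the number of candidate symbols, which goes beyond what the diff shows.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example: a stand-alone model of the JBIG2 symbol-dictionary
 * export-flag expansion with the bounds check CVE-2009-0196 required.
 * Not jbig2dec code. Run-lengths are passed in as an array instead of
 * being decoded; expand_export_flags, export_count, exported_index and
 * the EXPORT_* codes are names invented for this example.
 */

enum {
    EXPORT_OK           =  0,
    EXPORT_ERR_NEGATIVE = -1,   /* run-length below zero */
    EXPORT_ERR_INPUT    = -2,   /* run covers more symbols than exist */
    EXPORT_ERR_OVERFLOW = -3    /* export run would overrun the export array */
};

/*
 * runs[]     alternating run-lengths; the first run covers symbols that are
 *            NOT exported, the next run symbols that are, and so on
 * nsyms      number of candidate symbols (referenced + newly coded)
 * nexsyms    SDNUMEXSYMS, the declared size of the export array
 * out[]      receives the indices of exported symbols (nexsyms slots)
 * *nexported receives the number of entries written on success
 */
int expand_export_flags(const int *runs, size_t nruns, int nsyms, int nexsyms,
                        int *out, int *nexported)
{
    int i = 0;       /* next candidate symbol */
    int j = 0;       /* next free slot in out[] */
    int exflag = 0;  /* does the current run export its symbols? */
    size_t r;

    for (r = 0; r < nruns && i < nsyms; r++) {
        int run = runs[r];
        int k;

        if (run < 0)
            return EXPORT_ERR_NEGATIVE;     /* integer decoders can yield negatives */
        if (run > nsyms - i)
            return EXPORT_ERR_INPUT;        /* extra bound, not in the diff */
        /* The CVE-2009-0196 condition: only export runs store into out[],
         * so only they are bounded by the space left in the export array. */
        if (exflag && run > nexsyms - j)
            return EXPORT_ERR_OVERFLOW;

        for (k = 0; k < run; k++, i++)
            if (exflag)
                out[j++] = i;
        exflag = !exflag;
    }
    *nexported = j;
    return EXPORT_OK;
}

#define MAX_EXPORT 64

/* Number of exported symbols, or a negative EXPORT_ERR_* code. */
int export_count(const int *runs, size_t nruns, int nsyms, int nexsyms)
{
    int out[MAX_EXPORT], n = 0, rc;
    if (nexsyms < 0 || nexsyms > MAX_EXPORT)
        return EXPORT_ERR_INPUT;
    rc = expand_export_flags(runs, nruns, nsyms, nexsyms, out, &n);
    return rc == EXPORT_OK ? n : rc;
}

/* Symbol index stored in export slot `slot`, or -1 if the stream is rejected
 * or the slot was never filled. */
int exported_index(const int *runs, size_t nruns, int nsyms, int nexsyms, int slot)
{
    int out[MAX_EXPORT], n = 0;
    if (nexsyms < 0 || nexsyms > MAX_EXPORT)
        return -1;
    if (expand_export_flags(runs, nruns, nsyms, nexsyms, out, &n) != EXPORT_OK)
        return -1;
    return (slot >= 0 && slot < n) ? out[slot] : -1;
}

int main(void)
{
    /* Constructed streams: 7 candidate symbols, 3 declared exports. */
    const int good[] = { 3, 2, 1, 1 };   /* skip 0-2, export 3-4, skip 5, export 6 */
    const int bad[]  = { 0, 7 };         /* claims to export all 7 into 3 slots */

    printf("good stream: %d exported\n", export_count(good, 4, 7, 3));
    printf("bad stream:  code %d\n", export_count(bad, 2, 7, 3));
    return 0;
}
```

The overflow check is applied only to export runs, since a skip run writes nothing; a long skip run followed by a short export run is a legitimate stream and must still decode.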
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -696,6 +696,15 @@
exrunlength = params->SDNUMEXSYMS;
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
+ if (exrunlength > params->SDNUMEXSYMS - j) {
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "runlength too large in export symbol table (%d > %d - %d)\n",
+ exrunlength, params->SDNUMEXSYMS, j);
+ jbig2_sd_release(ctx, SDEXSYMS);
+ /* skip to the cleanup code and return SDEXSYMS = NULL */
+ SDEXSYMS = NULL;
+ break;
+ }
for(k = 0; k < exrunlength; k++)
if (exflag) {
SDEXSYMS->glyphs[j++] = (i < m) ?
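Review bot: the new check on `if (exrunlength > params->SDNUMEXSYMS - j) {` is stricter than the write it protects: the loop below stores into `SDEXSYMS->glyphs[j++]` only when `exflag` is set, so a non-export run longer than the remaining export slots (a dictionary that skips many symbols before exporting a few) is now rejected as fatal although it writes nothing. Gating the condition with `exflag &&` would bound the write without rejecting such streams. Separately, the value returned by `jbig2_arith_int_decode` is stored in `code` but not examined within this hunk, and a negative `exrunlength` passes the `>` test; rejecting `exrunlength < 0` (or a non-zero `code`) alongside the new check would cover that case.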