shithub: jbig2


ref: 55c69896eaa11f2ff55cbe507884869247272ade
parent: 93ce4f96674d6a9dbd7b03a28991fb37065ceee2
author: Sebastian Rasmussen <[email protected]>
date: Tue Jun 19 21:38:41 EDT 2018

jbig2dec: Cast BMSIZE in symbol dicts to size_t.

BMSIZE is used to skip over uncompressed symbols in a symbol dictionary.
Therefore this value is inherently unsigned. Also because the value is
a multiplication of the height and stride of an image, both of which are
unsigned 32 bit numbers, rely on the size_t type which is large enough
to handle images this big.

--- a/jbig2_huffman.c
+++ b/jbig2_huffman.c
@@ -205,11 +205,11 @@
 /* skip ahead a specified number of bytes in the word stream
  */
 int
-jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset)
+jbig2_huffman_advance(Jbig2HuffmanState *hs, size_t advance)
 {
     int code;
-    hs->offset += offset & ~3;
-    hs->offset_bits += (offset & 3) << 3;
+    hs->offset += advance & ~3;
+    hs->offset_bits += (advance & 3) << 3;
     if (hs->offset_bits >= 32) {
         hs->offset += 4;
         hs->offset_bits -= 32;
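Review bot: Widening the parameter to `size_t` does not by itself make the skip safe, because `hs->offset += advance & ~3;` still accumulates into `hs->offset`. That field's type is not visible here, but `jbig2_huffman_offset()` reports it as `uint32_t`, so on a 64-bit build a large `advance` would presumably wrap or be truncated. Since `advance` comes from image dimensions read out of the stream, I would reject values that do not fit before the addition, e.g. `if (advance > UINT32_MAX - hs->offset) return -1;` (this assumes a 32-bit field and that a negative return is the error convention, as the caller's `code < 0` check suggests). The header comment could also state that `advance` is a byte count and what is returned on failure. The function body continues past the end of the hunk.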
--- a/jbig2_huffman.h
+++ b/jbig2_huffman.h
@@ -62,7 +62,7 @@
 
 int jbig2_huffman_skip(Jbig2HuffmanState *hs);
 
-int jbig2_huffman_advance(Jbig2HuffmanState *hs, int offset);
+int jbig2_huffman_advance(Jbig2HuffmanState *hs, size_t advance);
 
 uint32_t jbig2_huffman_offset(Jbig2HuffmanState *hs);
 
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -584,7 +584,7 @@
                         /* 6.5.8.2.2 (7) */
                         if (params->SDHUFF) {
                             if (BMSIZE == 0)
-                                BMSIZE = SDNEWSYMS->glyphs[NSYMSDECODED]->height *
+                                BMSIZE = (size_t) SDNEWSYMS->glyphs[NSYMSDECODED]->height *
                                     SDNEWSYMS->glyphs[NSYMSDECODED]->stride;
                             code = jbig2_huffman_advance(hs, BMSIZE);
                             if (code < 0) {
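Review bot: The cast on `SDNEWSYMS->glyphs[NSYMSDECODED]->height` only helps if the `BMSIZE` assigned here is itself `size_t`. Its declaration lies outside this hunk, and the only `BMSIZE` declaration this commit changes in jbig2_symbol_dict.c is the block-local one in the -630 hunk, so it is worth confirming that the product is not narrowed again on assignment. Separately, where `size_t` is 32 bits wide the multiplication of two 32-bit values still wraps, here and at both `(size_t) image->height * stride` sites in the -663 hunk. An explicit guard before the multiply, such as `if (stride != 0 && height > SIZE_MAX / stride)` followed by the existing error path, is the portable fix. The enclosing block starts and ends outside the hunk.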
@@ -630,7 +630,7 @@
         /* 6.5.5 (4d) */
         if (params->SDHUFF && !params->SDREFAGG) {
             /* 6.5.9 */
-            uint32_t BMSIZE;
+            size_t BMSIZE;
             uint32_t j;
             int x;
 
@@ -663,13 +663,13 @@
                 byte *dst = image->data;
 
                 /* SumatraPDF: prevent read access violation */
-                if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
+                if ((size - jbig2_huffman_offset(hs) < (size_t) image->height * stride) || (size < jbig2_huffman_offset(hs))) {
                     jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding uncompressed (%d/%d)", image->height * stride,
                                 size - jbig2_huffman_offset(hs));
                     goto cleanup;
                 }
 
-                BMSIZE = image->height * stride;
+                BMSIZE = (size_t) image->height * stride;
                 jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
                             "reading %dx%d uncompressed bitmap for %d symbols (%d bytes)", image->width, image->height, NSYMSDECODED - HCFIRSTSYM, BMSIZE);
 
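Review bot: `BMSIZE` is now `size_t` but is still passed for the final `%d` in the `"reading %dx%d uncompressed bitmap for %d symbols (%d bytes)"` debug message. That is a type mismatch in a variadic call wherever `size_t` is wider than `int`, assuming `jbig2_error` formats printf-style. Either switch that specifier to `%zu`, or cast at the call site to match it, e.g. `(long) BMSIZE` with `%ld`. The "not enough data" message just above still prints `image->height * stride` computed without the cast, so the logged size can differ from the value the check compared. Computing the widened product once and using it for the check, the message and `BMSIZE` would keep them consistent.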
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -380,7 +380,7 @@
             if (RI) {
                 Jbig2RefinementRegionParams rparams;
                 int32_t RDW, RDH, RDX, RDY;
-                int BMSIZE = 0;
+                size_t BMSIZE = 0;
                 int code1 = 0;
                 int code2 = 0;
                 int code3 = 0;