shithub: jbig2

Download patch

ref: c9d7eeee85e5bad495a86f75eb926f5946693726
parent: fc94c421719bad08c24f31dc92c82a7885a21ec9
author: Sebastian Rasmussen <[email protected]>
date: Wed Mar 11 20:27:13 EDT 2020

jbig2dec: Use uint32_t when counting segments.

--- a/jbig2.c
+++ b/jbig2.c
@@ -322,9 +322,17 @@
                 return 0; /* need more data */
             ctx->buf_rd_ix += header_size;
 
-            if (ctx->n_segments == ctx->n_segments_max) {
+            if (ctx->n_segments >= ctx->n_segments_max) {
                 Jbig2Segment **segments;
 
+                if (ctx->n_segments_max == UINT32_MAX) {
+                    ctx->state = JBIG2_FILE_EOF;
+                    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "too many segments in jbig2 image");
+                }
+                else if (ctx->n_segments_max > (UINT32_MAX >> 2)) {
+                    ctx->n_segments_max = UINT32_MAX;
+                }
+
                 segments = jbig2_renew(ctx, ctx->segments, Jbig2Segment *, (ctx->n_segments_max <<= 2));
                 if (segments == NULL) {
                     ctx->state = JBIG2_FILE_EOF;
@@ -332,7 +340,6 @@
                 }
                 ctx->segments = segments;
             }
-
 
             ctx->segments[ctx->n_segments++] = segment;
             if (ctx->state == JBIG2_FILE_RANDOM_HEADERS) {
--- a/jbig2_priv.h
+++ b/jbig2_priv.h
@@ -94,10 +94,10 @@
     uint8_t file_header_flags;
     uint32_t n_pages;
 
-    int n_segments_max;
+    uint32_t n_segments_max;
     Jbig2Segment **segments;
-    int n_segments;             /* index of last segment header parsed */
-    int segment_index;          /* index of last segment body parsed */
+    uint32_t n_segments;             /* index of last segment header parsed */
+    uint32_t segment_index;          /* index of last segment body parsed */
 
     /* list of decoded pages, including the one in progress,
        currently stored as a contiguous, 0-indexed array. */