

ref: cfa054925de49675ac5445515ebf036fa9379ac6
parent: 258290340bb657c9efb44457f717b0d8b49f4aa3
author: Shailesh Mistry <[email protected]>
date: Wed May 10 13:50:39 EDT 2017

Bug 697683: Bounds check before reading from image source data.

Add extra check to prevent reading off the end of the image source
data buffer.

Thank you to Dai Ge for finding this issue and suggesting a patch.

--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -263,7 +263,8 @@
     /* general OR case */
     s = ss;
     d = dd = dst->data + y * dst->stride + leftbyte;
-    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
     }
     if (leftbyte == rightbyte) {
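Review bot: The new guard on the second added line forms `s - leftbyte + (h - 1) * src->stride + rightbyte` as a pointer before comparing it, and on exactly the inputs it is meant to reject that pointer lies outside the src->data object, which is undefined behaviour in C and permits the optimizer to treat the comparison as always false (the dst check on the first added line has the same shape). Safer is to compare integer offsets, e.g. `ptrdiff_t last = (s - src->data) - leftbyte + (ptrdiff_t)(h - 1) * src->stride + rightbyte;` and then `if (h <= 0 || last < 0 || last >= (ptrdiff_t)src->height * src->stride) return jbig2_error(...)`, assuming ss is derived from src->data above this hunk. Note also that the dst test bounds an exclusive end (`h * dst->stride`) while this one appears to address the last byte of the last row, so if rightbyte is the inclusive index of that byte, `>` still admits an address one past the buffer and `>=` is the correct comparison; this depends on how rightbyte is computed earlier in the function. jbig2_image_compose starts and ends outside the hunk.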