shithub: jbig2


ref: d1a03359b9f267714f60662dc021eef4054ae202
parent: 83c67854e5e0fd06045bd5e8fc53f98e1ddb9b76
author: Ralph Giles <[email protected]>
date: Wed Apr 15 15:26:39 EDT 2009

Check the return value of sscanf when parsing pbm dimensions.

This is a follow-on to the previous commit. It shouldn't be
possible to reach the sscanf with less than one digit in the
parse buffer, but we abort anyway in case sscanf can't find
anything. If the code could proceed from that point with an
uninitialized value in the dim array, the call to jbig2_image_new()
could request excessive resources.

--- a/jbig2_image_pbm.c
+++ b/jbig2_image_pbm.c
@@ -123,7 +123,10 @@
                 buf[i++] = c;
             }
             buf[i] = '\0';
-            sscanf(buf, "%d", &dim[done]);
+            if (sscanf(buf, "%d", &dim[done]) != 1) {
+                fprintf(stderr, "couldn't read pbm image dimensions\n");
+                return NULL;
+            }
             i = 0;
             done++;
         }
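Review bot: A return of 1 from `sscanf(buf, "%d", &dim[done])` only shows that some digits were converted, not that the result fits in an int or is a usable dimension. An out-of-range digit string makes the `%d` conversion undefined, and a zero or very large value would still be stored in dim. Since the commit message names excessive resource requests in jbig2_image_new() as the concern, parsing with strtol and range-checking the result would close that gap, e.g. `errno = 0; v = strtol(buf, &end, 10);` followed by `if (end == buf || *end != '\0' || errno == ERANGE || v <= 0 || v > INT_MAX) { ... return NULL; }`. The loop that fills buf and the later use of dim are outside this hunk, so confirm there how many digits can reach this point and whether an upper bound on the dimensions is enforced downstream.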