ref: d663f59b034d429d850cca7e84d0017eb6e5cda3
parent: d379be4ca803bf0bdd43d00b89da320c29d393c4
author: zeniko <[email protected]>
date: Tue Jun 11 18:04:00 EDT 2013
Bug 694121: prevent heap overflow jbig2_decode_symbol_dict checks whether more glyphs are requested than are available (SDNUMINSYMS + SDNUMNEWSYMS) but has so far failed to check whether there are more than expected (SDNUMEXSYMS); fixes 3324.pdf.asan.3.2585
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -777,7 +777,6 @@
int exflag = 0;
int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
int32_t exrunlength;
- /* SumatraPDF: prevent infinite loop */
int zerolength = 0;
while (i < limit) {
@@ -785,13 +784,13 @@
exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
- /* SumatraPDF: prevent infinite loop */
+ /* prevent infinite loop */
zerolength = exrunlength > 0 ? 0 : zerolength + 1;
- if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4)) {
+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4) ||
+ (exflag && (exrunlength > params->SDNUMEXSYMS - j))) {
if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"failed to decode exrunlength for exported symbols");
- /* SumatraPDF: prevent infinite loop */
else if (exrunlength <= 0)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"runlength too small in export symbol table (%d <= 0)\n", exrunlength);