shithub: jbig2

Download patch

ref: e20979d9e27342a2e5d54f12702e038df015de01
parent: 834b90bd62de11f0b5483bc8d449eb110eb3c493
author: Robin Watts <[email protected]>
date: Mon Feb 3 06:06:48 EST 2020

jbig2dec: Fix OSS-Fuzz issue 20493

The maximum x gbat works out as 126, where GBW is 32.
This makes right = GBW - gmax huge. Clip the value to
avoid problems.

Thanks for OSS-Fuzz for reporting.

--- a/jbig2_arith.c
+++ b/jbig2_arith.c
@@ -42,22 +42,17 @@
     int offset;
 };
 
-#undef SOFTWARE_CONVENTION
-
 /*
-  A note on the "software conventions".
+  Previous versions of this code had a #define to allow
+  us to choose between using the revised arithmetic decoding
+  specified in the 'Software Convention' section of the spec.
+  Back to back tests showed that the 'Software Convention'
+  version was indeed slightly faster. We therefore enable it
+  by default. We also strip the option out, because a) it
+  makes the code harder to read, and b) such things are an
+  invitation to bitrot.
+*/
 
-  Previously, I had misinterpreted the spec, and had thought that the
-  spec's description of the "software convention" was wrong. Now I
-  believe that this code is both correct and matches the spec, with
-  SOFTWARE_CONVENTION defined or not. Thanks to William Rucklidge for
-  the clarification.
-
-  In any case, my benchmarking indicates no speed difference at all.
-  Therefore, for now we will just use the normative version.
-
- */
-
 static void
 jbig2_arith_bytein(Jbig2ArithState *as)
 {
@@ -83,9 +78,6 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (aa)\n", B);
 #endif
-#ifndef SOFTWARE_CONVENTION
-                as->C += 0xFF00;
-#endif
                 as->CT = 8;
                 as->next_word = 0xFF000000 | (as->next_word >> 8);
                 as->next_word_bytes = 4;
@@ -94,11 +86,7 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (a)\n", B);
 #endif
-#ifdef SOFTWARE_CONVENTION
                 as->C += 0xFE00 - (B1 << 9);
-#else
-                as->C += B1 << 9;
-#endif
                 as->CT = 7;
             }
         } else {
@@ -107,9 +95,6 @@
 #ifdef JBIG2_DEBUG_ARITH
                 fprintf(stderr, "read %02x (ba)\n", B);
 #endif
-#ifndef SOFTWARE_CONVENTION
-                as->C += 0xFF00;
-#endif
                 as->CT = 8;
             } else {
                 as->next_word_bytes--;
@@ -118,11 +103,7 @@
                 fprintf(stderr, "read %02x (b)\n", B);
 #endif
 
-#ifdef SOFTWARE_CONVENTION
                 as->C += 0xFE00 - (B1 << 9);
-#else
-                as->C += (B1 << 9);
-#endif
                 as->CT = 7;
             }
         }
@@ -141,11 +122,7 @@
             as->next_word_bytes = new_bytes;
         }
         B = (byte)((as->next_word >> 24) & 0xFF);
-#ifdef SOFTWARE_CONVENTION
         as->C += 0xFF00 - (B << 8);
-#else
-        as->C += (B << 8);
-#endif
     }
 }
 
@@ -172,11 +149,7 @@
     result->offset = new_bytes;
 
     /* Figure E.20 */
-#ifdef SOFTWARE_CONVENTION
     result->C = (~(result->next_word >> 8)) & 0xFF0000;
-#else
-    result->C = (result->next_word >> 8) & 0xFF0000;
-#endif
 
     jbig2_arith_bytein(result);
     result->C <<= 7;
@@ -276,16 +249,9 @@
     /* Figure E.15 */
     as->A -= pqe->Qe;
     if (
-#ifdef SOFTWARE_CONVENTION
         /* Note: I do not think this is correct. See above. */
         (as->C >> 16) < as->A
-#else
-        !((as->C >> 16) < pqe->Qe)
-#endif
     ) {
-#ifndef SOFTWARE_CONVENTION
-        as->C -= pqe->Qe << 16;
-#endif
         if ((as->A & 0x8000) == 0) {
             /* MPS_EXCHANGE, Figure E.16 */
             if (as->A < pqe->Qe) {
@@ -303,9 +269,7 @@
             return cx >> 7;
         }
     } else {
-#ifdef SOFTWARE_CONVENTION
         as->C -= (as->A) << 16;
-#endif
         /* LPS_EXCHANGE, Figure E.17 */
         if (as->A < pqe->Qe) {
             as->A = pqe->Qe;