ref: 29f7b09614a4a98b09c4b6255f0f0fea5a65378f
parent: 1c60d10318a37e1e2e1d343cf9bf89b530f6518c
author: Alex Cherepanov <alex.cherepanov@artifex.com>
date: Mon Jan 28 08:34:01 EST 2013
Bug 693284: Break an infinite loop.
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -754,6 +754,8 @@
int exflag = 0;
int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
int32_t exrunlength;
+ /* SumatraPDF: prevent infinite loop */
+ int zerolength = 0;
while (i < limit) {if (params->SDHUFF)
@@ -760,10 +762,16 @@
exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
- if (code || (exrunlength > limit - i)) {+ /* SumatraPDF: prevent infinite loop */
+ zerolength = exrunlength > 0 ? 0 : zerolength + 1;
+ if (code || (exrunlength > limit - i) || (exrunlength < 0) || (zerolength > 4)) {if (code)
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"failed to decode exrunlength for exported symbols");
+ /* SumatraPDF: prevent infinite loop */
+ else if (exrunlength <= 0)
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "runlength too small in export symbol table (%d <= 0)\n", exrunlength);
else
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"runlength too large in export symbol table (%d > %d - %d)\n",