
ref: 3f370a0ffaa5dd8b903b0ee36294529fbf0cbd1f
parent: d02b3649334e59e862b37c70d7d0fa9e086a524c
author: zeniko <zeniko@gmail.com>
date: Tue Jun 11 18:49:05 EDT 2013

Bug 694125: prevent heap underflow

jbig2_decode_mmr_line has checked the arguments to jbig2_set_bits since the
fixes for issue 693050; however, those checks still allow the starting
index to be negative, which results in a write underflow. Fixes
2860.pdf.asan.9.2069.

--- a/jbig2_mmr.c
+++ b/jbig2_mmr.c
@@ -862,7 +862,7 @@
 				a2 = a1 + black_run;
 				if (a1 > mmr->width) a1 = mmr->width;
 				if (a2 > mmr->width) a2 = mmr->width;
-				if (a2 < a1) return -1;
+				if (a2 < a1 || a1 < 0) return -1;
 				jbig2_set_bits(dst, a1, a2);
 				a0 = a2;
 				/* printf ("H %d %d\n", white_run, black_run); */
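Review bot: The new `a1 < 0` / `a0 < 0` guard is hand-copied into nine separate jbig2_set_bits call sites (this hunk and the ones at -875, -890, -903, -918, -933, -948, -963 and -993), each with a slightly different left-hand comparison, so a later call site can easily be added without it and reintroduce the underflow. Performing the range check once inside jbig2_set_bits, or in a small `static` helper that returns -1 when the start index is negative or the end precedes the start, would protect every caller rather than relying on each site to repeat it. If the per-site checks stay, a comment such as `/* start must be >= 0 and <= end: jbig2_set_bits writes dst unchecked */` above the first call would record the invariant being enforced. Note that the upper clamp to mmr->width is applied before the sign check here, so the check works, but the order is easy to get wrong when the pattern is copied again. The enclosing jbig2_decode_mmr_line body starts and ends outside this hunk.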
@@ -875,7 +875,7 @@
 				a2 = a1 + white_run;
 				if (a1 > mmr->width) a1 = mmr->width;
 				if (a2 > mmr->width) a2 = mmr->width;
-				if (a1 < a0) return -1;
+				if (a1 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, a1);
 				a0 = a2;
 				/* printf ("H %d %d\n", black_run, white_run); */
@@ -890,7 +890,7 @@
 			b2 = jbig2_find_changing_element(ref, b1, mmr->width);
 			if (c)
 			{
-				if (b2 < a0) return -1;
+				if (b2 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b2);
 			}
 			a0 = b2;
@@ -903,7 +903,7 @@
 			b1 = jbig2_find_changing_element_of_color(ref, a0, mmr->width, !c);
 			if (c)
 			{
-				if (b1 < a0) return -1;
+				if (b1 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1);
 			}
 			a0 = b1;
@@ -918,7 +918,7 @@
 			if (b1 + 1 > mmr->width) break;
 			if (c)
 			{
-				if (b1 + 1 < a0) return -1;
+				if (b1 + 1 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 + 1);
 			}
 			a0 = b1 + 1;
@@ -933,7 +933,7 @@
 			if (b1 + 2 > mmr->width) break;
 			if (c)
 			{
-				if (b1 + 2 < a0) return -1;
+				if (b1 + 2 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 + 2);
 			}
 			a0 = b1 + 2;
@@ -948,7 +948,7 @@
 			if (b1 + 3 > mmr->width) break;
 			if (c)
 			{
-				if (b1 + 3 < a0) return -1;
+				if (b1 + 3 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 + 3);
 			}
 			a0 = b1 + 3;
@@ -963,7 +963,7 @@
 			if (b1 - 1 < 0) break;
 			if (c)
 			{
-				if (b1 - 1 < a0) return -1;
+				if (b1 - 1 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 - 1);
 			}
 			a0 = b1 - 1;
@@ -978,7 +978,7 @@
 			if (b1 - 2 < 0) break;
 			if (c)
 			{
-				if (b1 - 2 < a0) return -1;
+				if (b1 - 2 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 - 2);
 			}
 			a0 = b1 - 2;
@@ -993,7 +993,7 @@
 			if (b1 - 3 < 0) break;
 			if (c)
 			{
-				if (b1 - 3 < a0) return -1;
+				if (b1 - 3 < a0 || a0 < 0) return -1;
 				jbig2_set_bits(dst, a0, b1 - 3);
 			}
 			a0 = b1 - 3;