ref: 90f453a7ea397418ed33966e6b94650efd99284f
parent: 26565665591e250cfbda9bc6d8834f8a2922d206
author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
date: Wed May 30 13:42:29 EDT 2012
Bug 693050 : Fixes CERT reported issue labelled DestAvNearNull
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -43,7 +43,7 @@
stride = ((width - 1) >> 3) + 1; /* generate a byte-aligned stride */
/* check for integer multiplication overflow */
- check = (int64_t)stride*height;
+ check = ((int64_t)stride)*((int64_t)height);
if (check != (int)check)
{
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
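Review bot: The overflow test two lines above, `if (check != (int)check)`, still accepts a product that fits in an int but is negative, and narrowing an out-of-range int64_t to int is implementation-defined rather than guaranteed to yield a different value; a range test is both portable and stricter: `if (check < 0 || check > INT_MAX)`, which needs `<limits.h>` if the file does not already include it. Whether width and height are rejected as non-positive before this point is not visible in the hunk. The parenthesised double cast is equivalent to the original `(int64_t)stride*height`, since the cast binds tighter than `*`, so the change itself is cosmetic. The enclosing function begins and ends outside the hunk.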
--- a/jbig2_page.c
+++ b/jbig2_page.c
@@ -259,6 +259,14 @@
jbig2_page_add_result(Jbig2Ctx *ctx, Jbig2Page *page, Jbig2Image *image,
int x, int y, Jbig2ComposeOp op)
{
+ /* ensure image exists first */
+ if (page->image == NULL)
+ {
+ jbig2_error(ctx, JBIG2_SEVERITY_WARNING, -1,
+ "page info possibly missing, no image defined");
+ return 0;
+ }
+
/* grow the page to accomodate a new stripe if necessary */
if (page->striped) {
int new_height = y + image->height + page->end_row;
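Review bot: The new guard checks only `page->image`, but the `image` argument is dereferenced unguarded on the hunk's last line (`image->height`), so a NULL region image still faults here; widening the test to `if (page->image == NULL || image == NULL)` covers both sides of the compose in one place. Returning 0 after a WARNING also looks like success to the caller, so a region that arrives before its page-info segment is silently dropped rather than reported; if callers treat non-zero as failure (not visible here), `return -1` with the existing message would surface it. The `new_height` sum on the last line is computed in int from three decoder-controlled values with no overflow check, though it may be bounded elsewhere. jbig2_page_add_result continues beyond the hunk.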
--- a/jbig2_symbol_dict.c
+++ b/jbig2_symbol_dict.c
@@ -729,33 +729,34 @@
{
int i = 0;
int j = 0;
- int k, m, exflag = 0;
+ int k;
+ int exflag = 0;
+ int64_t limit = params->SDNUMINSYMS + params->SDNUMNEWSYMS;
int32_t exrunlength;
- if (params->SDINSYMS != NULL)
- m = params->SDINSYMS->n_symbols;
- else
- m = 0;
- while (j < params->SDNUMEXSYMS) {
+ while (i < limit) {
if (params->SDHUFF)
- /* FIXME: implement reading from huff table B.1 */
- exrunlength = exflag ? params->SDNUMEXSYMS : 0;
+ exrunlength = jbig2_huffman_get(hs, SBHUFFRSIZE, &code);
else
code = jbig2_arith_int_decode(IAEX, as, &exrunlength);
- if (exflag && exrunlength > params->SDNUMEXSYMS - j) {
- jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
- "runlength too large in export symbol table (%d > %d - %d)\n",
- exrunlength, params->SDNUMEXSYMS, j);
- jbig2_sd_release(ctx, SDEXSYMS);
+ if (code || (exrunlength > limit - i)) {
+ if (code)
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "failed to decode exrunlength for exported symbols");
+ else
+ jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
+ "runlength too large in export symbol table (%d > %d - %d)\n",
+ exrunlength, params->SDNUMEXSYMS, j);
/* skip to the cleanup code and return SDEXSYMS = NULL */
+ jbig2_sd_release(ctx, SDEXSYMS);
SDEXSYMS = NULL;
break;
}
for(k = 0; k < exrunlength; k++) {
if (exflag) {
- SDEXSYMS->glyphs[j++] = (i < m) ?
+ SDEXSYMS->glyphs[j++] = (i < params->SDNUMINSYMS) ?
jbig2_image_clone(ctx, params->SDINSYMS->glyphs[i]) :
- jbig2_image_clone(ctx, SDNEWSYMS->glyphs[i-m]);
+ jbig2_image_clone(ctx, SDNEWSYMS->glyphs[i-params->SDNUMINSYMS]);
}
i++;
}
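Review bot: The export loop no longer bounds `j`: the old loop stopped at `j < params->SDNUMEXSYMS` and rejected a run larger than `SDNUMEXSYMS - j`, but the new loop runs to `limit` (input plus new symbols) and only checks `exrunlength > limit - i`, so when `SDNUMINSYMS + SDNUMNEWSYMS` exceeds `SDNUMEXSYMS` a crafted stream can push `SDEXSYMS->glyphs[j++]` past the `SDNUMEXSYMS` glyphs the table was presumably allocated with (the allocation is outside the hunk) — a heap write overflow driven by file data. The pre-check should keep both bounds and reject negative lengths from the arithmetic decoder: `if (code || exrunlength < 0 || exrunlength > limit - i || (exflag && exrunlength > params->SDNUMEXSYMS - j))`. The FATAL message still prints `SDNUMEXSYMS` and `j` although the comparison that now fails is against `limit - i`, so the logged numbers no longer describe the failed test. The `hs`/`SBHUFFRSIZE` definitions, the `exflag` toggle and the post-loop count check lie outside the hunk, so whether an OOB from jbig2_huffman_get sets `code` non-zero could not be confirmed here.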
--- a/jbig2_text.c
+++ b/jbig2_text.c
@@ -212,8 +212,8 @@
STRIPT = jbig2_huffman_get(hs, params->SBHUFFDT, &code);
} else {
code = jbig2_arith_int_decode(params->IADT, as, &STRIPT);
- if (code < 0) goto cleanup2;
}
+ if (code < 0) goto cleanup2;
/* 6.4.5 (2) */
STRIPT *= -(params->SBSTRIPS);
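Review bot: Moving `if (code < 0) goto cleanup2;` out of the else makes the Huffman path checked, but only for negative codes: the IDS site later in this file tests `if (code)` because an OOB is reported as a non-zero code, so if jbig2_huffman_get or jbig2_arith_int_decode signals OOB with a positive value (not visible here), an OOB where the spec allows none (STRIPT here, and DT, DFS and the symbol ID in the following hunks) would slip through and be multiplied into STRIPT. Testing `if (code) goto cleanup2;` at these four sites, with a comment `/* OOB is only legal for IDS */`, would make the treatment uniform. The `STRIPT *= -(params->SBSTRIPS)` on the last line also has no overflow guard on a decoder-supplied value, though that predates this change. The enclosing decode loop starts and ends outside the hunk.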
@@ -227,8 +227,8 @@
DT = jbig2_huffman_get(hs, params->SBHUFFDT, &code);
} else {
code = jbig2_arith_int_decode(params->IADT, as, &DT);
- if (code < 0) goto cleanup2;
}
+ if (code < 0) goto cleanup2;
DT *= params->SBSTRIPS;
STRIPT += DT;
@@ -242,12 +242,11 @@
DFS = jbig2_huffman_get(hs, params->SBHUFFFS, &code);
} else {
code = jbig2_arith_int_decode(params->IAFS, as, &DFS);
- if (code < 0) goto cleanup2;
}
+ if (code < 0) goto cleanup2;
FIRSTS += DFS;
CURS = FIRSTS;
first_symbol = FALSE;
-
} else {
/* (3c.ii) / 6.4.8 */
if (params->SBHUFF) {
@@ -256,6 +255,7 @@
code = jbig2_arith_int_decode(params->IADS, as, &IDS);
}
if (code) {
+ /* decoded an OOB, reached end of stripe */
break;
}
CURS += IDS + params->SBDSOFFSET;
@@ -277,8 +277,8 @@
ID = jbig2_huffman_get(hs, SBSYMCODES, &code);
} else {
code = jbig2_arith_iaid_decode(params->IAID, as, (int *)&ID);
- if (code < 0) goto cleanup2;
}
+ if (code < 0) goto cleanup2;
if (ID >= SBNUMSYMS) {
code = jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
"symbol id out of range! (%d/%d)", ID, SBNUMSYMS);