ref: dbf31907db5654184b9e7bca5d700f72deccc9fa
parent: 4886f1c69e712a730399da308bfb1b731a652cbb
author: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
date: Sun May 27 17:43:27 EDT 2012

Bug 693050 : Fixes CERT reported issue labelled SegFaultOnPc

--- a/jbig2_generic.c
+++ b/jbig2_generic.c
@@ -816,7 +816,7 @@
 
   image = jbig2_image_new(ctx, rsi.width, rsi.height);
   if (image == NULL)
-    return jbig2_error(ctx, JBIG2_SEVERITY_WARNING, segment->number,
+    return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number,
              "unable to allocate generic image");
   jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, segment->number,
     "allocated %d x %d image buffer for region decode results",
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -32,6 +32,7 @@
 {
 	Jbig2Image	*image;
 	int		stride;
+        int64_t         check;
 
 	image = jbig2_new(ctx, Jbig2Image, 1);
 	if (image == NULL) {
@@ -41,7 +42,17 @@
 	}
 
 	stride = ((width - 1) >> 3) + 1; /* generate a byte-aligned stride */
-	image->data = jbig2_new(ctx, uint8_t, stride*height);
+        /* check for integer multiplication overflow */
+        check = (int64_t)stride*height;
+        if (check != (int)check)
+        {
+            jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
+                "integer multiplication overflow from stride(%d)*height(%d)",
+                stride, height);
+            jbig2_free(ctx->allocator, image);
+            return NULL;
+        }
+        image->data = jbig2_new(ctx, uint8_t, (int)check);
 	if (image->data == NULL) {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1,
             "could not allocate image data buffer! [%d bytes]\n", stride*height);
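Review bot: The new guard `if (check != (int)check)` only rejects products that do not fit in an int, so a negative product still passes and is handed to `jbig2_new` as `(int)check`. Both `stride` and `height` are signed here (they are printed with `%d`), and the call site in jbig2_generic.c passes `rsi.width` and `rsi.height`, which presumably come from the segment header; if either can arrive negative after conversion to int, the requested size goes negative. I would make the test an explicit range check, `if (check < 0 || check > INT_MAX)` with `<limits.h>` included, which also stops relying on the implementation-defined narrowing cast. jbig2_image_new starts and ends outside this hunk, so the parameter types and what the `jbig2_new` macro does with its count argument should be confirmed against the full file.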