author | Shailesh Mistry <shailesh.mistry@hotmail.co.uk> | 2017-05-03 22:06:01 +0100 |
---|---|---|
committer | Shailesh Mistry <shailesh.mistry@hotmail.co.uk> | 2017-05-04 18:16:13 +0100 |
commit | b184e783702246e154294326d03d9abda669fcfa | |
tree | 878c68d6c171d45c4fb8bab335ccfc5edf80da3d | |
parent | e24e6194ca59d7b556116451490f71d2d85f4642 | |
Bug 697703: Prevent integer overflow vulnerability.
Add extra check for the offset being greater than the size
of the image and hence reading off the end of the buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
-rw-r--r-- | jbig2dec/jbig2_symbol_dict.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c index 4acaba9d0..36225cb1f 100644 --- a/jbig2dec/jbig2_symbol_dict.c +++ b/jbig2dec/jbig2_symbol_dict.c @@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, byte *dst = image->data; /* SumatraPDF: prevent read access violation */ - if (size - jbig2_huffman_offset(hs) < image->height * stride) { + if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) { jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, size - jbig2_huffman_offset(hs)); jbig2_image_release(ctx, image); |
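Review bot: In the changed `if` in jbig2_decode_symbol_dict(), the new guard `size < jbig2_huffman_offset(hs)` is the right-hand operand of `||`, so the subtraction `size - jbig2_huffman_offset(hs)` is still evaluated first in exactly the case the guard exists for. The result is correct because either operand being true takes the error path, but it only works by relying on the wrapped difference failing the first comparison. Putting the guard first, as in `if (size < jbig2_huffman_offset(hs) || size - jbig2_huffman_offset(hs) < image->height * stride)`, means the subtraction is only reached when it cannot underflow and makes the intent obvious to the next reader. Two related points on the unchanged context lines: the jbig2_error() call still formats `size - jbig2_huffman_offset(hs)` with `%d`, so when the new branch fires the message will report a wrapped or negative "available" count; and the product `image->height * stride` on the other side of the comparison is not itself bounded by this change, so it deserves the same scrutiny if height and stride come from the stream. Calling jbig2_huffman_offset(hs) once into a local would also remove the three repeated calls and keep the check and the message consistent.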