authorShailesh Mistry <shailesh.mistry@hotmail.co.uk>2017-05-03 22:06:01 +0100
committerShailesh Mistry <shailesh.mistry@hotmail.co.uk>2017-05-04 18:16:13 +0100
commitb184e783702246e154294326d03d9abda669fcfa (patch)
tree878c68d6c171d45c4fb8bab335ccfc5edf80da3d
parente24e6194ca59d7b556116451490f71d2d85f4642 (diff)
Bug 697703: Prevent integer overflow vulnerability.
Add an extra check for the offset being greater than the size of the image, which would otherwise result in reading off the end of the buffer. Thank you to Dai Ge for finding this issue and suggesting a patch.
-rw-r--r--jbig2dec/jbig2_symbol_dict.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/jbig2dec/jbig2_symbol_dict.c b/jbig2dec/jbig2_symbol_dict.c
index 4acaba9d0..36225cb1f 100644
--- a/jbig2dec/jbig2_symbol_dict.c
+++ b/jbig2dec/jbig2_symbol_dict.c
@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx,
byte *dst = image->data;
/* SumatraPDF: prevent read access violation */
- if (size - jbig2_huffman_offset(hs) < image->height * stride) {
+ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) {
jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride,
size - jbig2_huffman_offset(hs));
jbig2_image_release(ctx, image);
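Review bot: The added `size < jbig2_huffman_offset(hs)` test covers the subtraction going past zero, but the other side of the comparison, `image->height * stride`, is still an unchecked multiplication, so a large enough height/stride pair could overflow and slip under the bound; the operand types are not visible in this hunk, so their widths need confirming. Dividing instead of multiplying avoids this, e.g. `if (size < offset || (size - offset) / stride < image->height)`, with `offset` read once from `jbig2_huffman_offset(hs)` and `stride` known to be non-zero at this point. The `jbig2_error` call below still formats `size - jbig2_huffman_offset(hs)` with `%d`, so in the newly caught case the log shows a meaningless difference rather than the real shortfall; logging `size` and the offset separately would make the message usable for triage. The enclosing function starts and ends outside the hunk.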