From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001
From: Shailesh Mistry <shailesh.mistry@hotmail.co.uk>
Date: Wed, 10 May 2017 17:50:39 +0100
Subject: [PATCH] Bug 697683: Bounds check before reading from image source
data.
Add extra check to prevent reading off the end of the image source
data buffer.
Thank you to Dai Ge for finding this issue and suggesting a patch.
---
jbig2dec/jbig2_image.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Backported dilfridge@g.o
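--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -256,7 +256,8 @@
 /* general OR case */
 s = ss;
 d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
 return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
 }
 if (leftbyte == rightbyte) {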
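Review bot: The source-side test added on the second `+` line checks bounds by forming the pointer `s - leftbyte + (h - 1) * src->stride + rightbyte` and comparing it with the end of `src->data`, so the check itself relies on out-of-range pointer arithmetic, which C leaves undefined and a compiler may assume never happens; the destination tests on the line above have the same shape. The same condition also drops the old `h * dst->stride < 0` test without a replacement, and the hunk does not show the types of `h`, `y` and the strides, so a wrapped or negative product may no longer be rejected here, and `(h - 1)` presumably needs `h >= 1` to be meaningful. I would compare offsets rather than pointers, in a type wide enough for the product, for example `if ((size_t)(s - src->data) + (size_t)(h - 1) * src->stride + rightbyte - leftbyte > (size_t)src->height * src->stride)`, after rejecting `h <= 0` explicitly. No lower bound on `s` is tested in this condition; `ss` is computed outside the hunk, as is the rest of jbig2_image_compose, so that should be confirmed there.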