jbig2dec/SOURCES/CVE-2020-12268.patch
2021-09-09 19:27:32 +00:00

49 lines
1.4 KiB
Diff

From df29c989c7578476921d4f5ec277ee3cc9e87350 Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Mon, 27 Jan 2020 10:12:24 -0800
Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
jbig2_image_compose.
With extreme values of x/y/w/h we can get overflow. Test for this
and exit safely.
Thanks for OSS-Fuzz for reporting.
---
jbig2_image.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/jbig2_image.c b/jbig2_image.c
index 23e12ae..74050b9 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -30,6 +30,10 @@
#include "jbig2_priv.h"
#include "jbig2_image.h"
+#if !defined (UINT32_MAX)
+#define UINT32_MAX 0xffffffffu
+#endif
+
/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
@@ -229,6 +233,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
uint8_t *d, *dd;
uint8_t mask, rightmask;
+ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
+ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+ {
+#ifdef JBIG2_DEBUG
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+ return 0;
+ }
+
if (op != JBIG2_COMPOSE_OR) {
/* hand off the the general routine */
return jbig2_image_compose_unopt(ctx, dst, src, x, y, op);
--
2.26.2