Diffstat (limited to 'main/jbig2dec/CVE-2020-12268.patch')
-rw-r--r-- | main/jbig2dec/CVE-2020-12268.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 00000000000..773515ae2dc
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX 0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX 0xffffffffu
++#endif
+
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+ if (src == NULL)
+ return 0;
+
++ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
++ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++ {
++#ifdef JBIG2_DEBUG
++ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++ return 0;
++ }
++
+ /* The optimized code for the OR operator below doesn't
+ handle the source image partially placed outside the
+ destination (above and/or to the left). The affected |
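Review bot: The new guard in jbig2_image_compose computes the magnitude of x and y with a signed negation (`-x`, `-y`), so for the most extreme input, INT_MIN, the overflow check itself performs a signed overflow, which is undefined behaviour. Taking the magnitude in unsigned arithmetic keeps the test well defined for every int value, e.g. `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)` and the same form for y. The rejected case also returns 0 and is reported only under JBIG2_DEBUG, so a release build appears to give the caller no way to tell a refused composition from a completed one; a short comment stating that this silent return is intended would help. The function's signature is truncated in the hunk header and its body continues past the hunk, so the types of y, src->width and src->height are inferred rather than visible.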