1 files changed, 44 insertions, 0 deletions

diff --git a/main/jbig2dec/CVE-2020-12268.patch b/main/jbig2dec/CVE-2020-12268.patch
new file mode 100644
index 00000000000..773515ae2dc
--- /dev/null
+++ b/main/jbig2dec/CVE-2020-12268.patch
@@ -0,0 +1,44 @@
+From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
+From: Robin Watts <Robin.Watts@artifex.com>
+Date: Mon, 27 Jan 2020 10:12:24 -0800
+Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
+ jbig2_image_compose.
+
+With extreme values of x/y/w/h we can get overflow. Test for this
+and exit safely.
+
+Thanks for OSS-Fuzz for reporting.
+---
+ jbig2_image.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/jbig2_image.c b/jbig2_image.c
+index 22e21ef..100263d 100644
+--- a/jbig2_image.c
++++ b/jbig2_image.c
+@@ -33,6 +33,9 @@
+ #if !defined (INT32_MAX)
+ #define INT32_MAX  0x7fffffff
+ #endif
++#if !defined (UINT32_MAX)
++#define UINT32_MAX  0xffffffffu
++#endif
+ 
+ /* allocate a Jbig2Image structure and its associated bitmap */
+ Jbig2Image *
+@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
+     if (src == NULL)
+         return 0;
+ 
++    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
++        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
++    {
++#ifdef JBIG2_DEBUG
++        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
++#endif
++        return 0;
++    }
++
+     /* The optimized code for the OR operator below doesn't
+        handle the source image partially placed outside the
+        destination (above and/or to the left). The affected