aboutsummaryrefslogtreecommitdiffstats
path: root/main/jbig2dec/CVE-2020-12268.patch
blob: 773515ae2dcf030665d71873bb5405fd563b566a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
From 0726320a4b55078e9d8deb590e477d598b3da66e Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Mon, 27 Jan 2020 10:12:24 -0800
Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
 jbig2_image_compose.

With extreme values of x/y/w/h we can get overflow. Test for this
and exit safely.

Thanks for OSS-Fuzz for reporting.
---
 jbig2_image.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/jbig2_image.c b/jbig2_image.c
index 22e21ef..100263d 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -33,6 +33,9 @@
 #if !defined (INT32_MAX)
 #define INT32_MAX  0x7fffffff
 #endif
+#if !defined (UINT32_MAX)
+#define UINT32_MAX  0xffffffffu
+#endif
 
 /* allocate a Jbig2Image structure and its associated bitmap */
 Jbig2Image *
@@ -258,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
     if (src == NULL)
         return 0;
 
+    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
+        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+    {
+#ifdef JBIG2_DEBUG
+        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+        return 0;
+    }
+
     /* The optimized code for the OR operator below doesn't
        handle the source image partially placed outside the
        destination (above and/or to the left). The affected