blob: f16dbd51a3791d66d56f8d0984a67948d3d97373 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From 428803d7f0c6d868a70d335457c30af6f6caaae8 Mon Sep 17 00:00:00 2001
From: Leonardo Arena <rnalrd@alpinelinux.org>
Date: Fri, 22 May 2020 13:58:45 +0000
Subject: [PATCH] CVE-2020-12268
Refactored from https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e.patch
---
jbig2_image.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/jbig2_image.c b/jbig2_image.c
index 05a81bd..85ed13d 100644
--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -261,6 +261,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
if (src == NULL)
return 0;
+ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
+ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+ {
+#ifdef JBIG2_DEBUG
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+ return 0;
+ }
+
/* The optimized code for the OR operator below doesn't
handle the source image partially placed outside the
destination (above and/or to the left). The affected
--
2.24.2
|
