From ab4d21b69bf0717ac93072d24b076681bdb9b3a4 Mon Sep 17 00:00:00 2001
From: Chris Liddell
Date: Wed, 19 Jun 2013 16:25:17 +0100
Subject: [PATCH] Bug 693934: CCITT Fax decode - cope with negative run length

In various places in the fax decode code we coped with the run length being negative - in just a few we didn't. We'll now cope gracefully with negative run lengths in places. No cluster differences.
---
 base/scfd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/base/scfd.c b/base/scfd.c
index 970c925..5f7f798 100644
--- a/base/scfd.c
+++ b/base/scfd.c
@@ -611,6 +611,7 @@ v0: skip_bits(1);
 rlen, "[w2]", d2l, out0);
 /* rlen may be run2_pass, run_uncompressed, or */
 /* 0..countof(cf2_run_vertical)-1. */
+rlen_lt_zero:
 if (rlen < 0)
 switch (rlen) {
 case run2_pass:
@@ -726,6 +727,9 @@ v0: skip_bits(1);
 status = ERRC;
 goto out;
 }
+ + if (rlen < 0) goto rlen_lt_zero; + +
 skip_data(rlen, hww);
 /* Handle the second half of a white-black horizontal code. */
 hwb:get_run(cf_black_decode, cfd_black_initial_bits, cfd_black_min_bits,
@@ -734,6 +738,9 @@ v0: skip_bits(1);
 status = ERRC;
 goto out;
 }
+ + if (rlen < 0) goto rlen_lt_zero; + +
 invert_data(rlen, black_byte, goto hwb, ihwb);
 goto top;
 outww:ss->run_color = -2;
@@ -747,6 +754,9 @@ v0: skip_bits(1);
 status = ERRC;
 goto out;
 }
+ + if (rlen < 0) goto rlen_lt_zero; + +
 invert_data(rlen, black_byte, goto hbb, ihbb);
 /* Handle the second half of a black-white horizontal code. */
 hbw:get_run(cf_white_decode, cfd_white_initial_bits, cfd_white_min_bits,
@@ -755,6 +765,9 @@ v0: skip_bits(1);
 status = ERRC;
 goto out;
 }
+ + if (rlen < 0) goto rlen_lt_zero; + +
 skip_data(rlen, hbw);
 goto top;
 outbb:ss->run_color = 2;
--
2.9.4
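Review bot: The new `rlen_lt_zero:` label in the first hunk leaves the comment just above it incomplete, because the later hunks jump here with an rlen produced by the white/black horizontal decoders rather than by the 2-D decode that the comment describes. I would add a line next to the label such as `/* Also reached by goto from the horizontal-run paths when get_run yields a negative rlen. */`. The switch body continues outside the hunk, so it is not visible whether every negative code those decoders can return has a case or a default that sets `status = ERRC`; that is worth confirming, since an unhandled negative value would presumably leave the switch without an error being recorded.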
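Review bot: In the second hunk the added `if (rlen < 0) goto rlen_lt_zero;` sits after the guard that ends in `status = ERRC; goto out; }`, whose condition starts outside the hunk; the same placement repeats in the three hunks that follow (before `invert_data(rlen, black_byte, goto hwb, ihwb)`, `invert_data(rlen, black_byte, goto hbb, ihbb)` and `skip_data(rlen, hbw)`). If that guard consumes rlen, for example by subtracting it from a remaining-pixel count, a negative rlen has already altered that state by the time the jump is taken, so the sign test would be safer placed directly after the `get_run(...)` call and before the guard. Because the same statement is pasted four times, a short comment on the first occurrence saying why a negative run length can arrive here would help the next reader.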