Blame SOURCES/CVE-2020-12268.patch
From 24ddcfc7e37c0ce3b0f1852042ee431a53fd774c Mon Sep 17 00:00:00 2001
From: Robin Watts <Robin.Watts@artifex.com>
Date: Mon, 27 Jan 2020 10:12:24 -0800
Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
jbig2_image_compose.
With extreme values of x/y/w/h we can get overflow. Test for this
and exit safely.
Thanks to OSS-Fuzz for reporting.
---
jbig2_image.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/jbig2_image.c b/jbig2_image.c
index 22e21ef..f036cef 100644
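--- a/jbig2_image.c
+++ b/jbig2_image.c
@@ -34,6 +34,10 @@
 #define INT32_MAX 0x7fffffff
 #endif
 
+#if !defined (UINT32_MAX)
+#define UINT32_MAX 0xffffffffu
+#endif
+
 /* allocate a Jbig2Image structure and its associated bitmap */
 Jbig2Image *
 jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
@@ -255,6 +259,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
 uint8_t *d, *dd;
 uint8_t mask, rightmask;
 
+ if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
+ (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+ {
+#ifdef JBIG2_DEBUG
+ jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+ return 0;
+ }
+
 if (src == NULL)
 return 0;
 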
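Review bot: The added guard in jbig2_image_compose reads `src->width` and `src->height` before the existing `if (src == NULL) return 0;` that follows it, so a NULL `src` is dereferenced ahead of the check meant to catch it; the NULL test should move above the new block. The magnitude expressions `(x > 0 ? x : -x)` and `(y > 0 ? y : -y)` negate a signed value (`x` is `int` per the hunk header, `y` presumably too), which overflows for the most negative value — undefined behaviour inside the very check that is supposed to reject extreme inputs; doing the negation in unsigned arithmetic, e.g. `(x > 0 ? (uint32_t)x : 0u - (uint32_t)x)`, avoids that. The rejection is only logged under `JBIG2_DEBUG` and returns 0 like the NULL case, so a comment such as `/* offsets that would wrap uint32_t: skip the composition, nothing is drawn */` would make the silent no-op explicit. The function body starts and ends outside the hunk.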
--
2.26.2