Blame SOURCES/CVE-2020-12268.patch

ba9f4e
From 24ddcfc7e37c0ce3b0f1852042ee431a53fd774c Mon Sep 17 00:00:00 2001
6a5210
From: Robin Watts <Robin.Watts@artifex.com>
6a5210
Date: Mon, 27 Jan 2020 10:12:24 -0800
6a5210
Subject: [PATCH] Fix OSS-Fuzz issue 20332: buffer overflow in
6a5210
 jbig2_image_compose.
6a5210
6a5210
With extreme values of x/y/w/h we can get overflow. Test for this
6a5210
and exit safely.
6a5210
6a5210
Thanks for OSS-Fuzz for reporting.
6a5210
---
6a5210
 jbig2_image.c | 13 +++++++++++++
6a5210
 1 file changed, 13 insertions(+)
6a5210
6a5210
diff --git a/jbig2_image.c b/jbig2_image.c
ba9f4e
index 22e21ef..f036cef 100644
6a5210
--- a/jbig2_image.c
6a5210
+++ b/jbig2_image.c
ba9f4e
@@ -34,6 +34,10 @@
ba9f4e
 #define INT32_MAX  0x7fffffff
ba9f4e
 #endif
6a5210
 
6a5210
+#if !defined (UINT32_MAX)
6a5210
+#define UINT32_MAX  0xffffffffu
6a5210
+#endif
6a5210
+
6a5210
 /* allocate a Jbig2Image structure and its associated bitmap */
6a5210
 Jbig2Image *
6a5210
 jbig2_image_new(Jbig2Ctx *ctx, uint32_t width, uint32_t height)
ba9f4e
@@ -255,6 +259,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
6a5210
     uint8_t *d, *dd;
6a5210
     uint8_t mask, rightmask;
6a5210
 
6a5210
+    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
6a5210
+        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
6a5210
+    {
6a5210
+#ifdef JBIG2_DEBUG
6a5210
+        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
6a5210
+#endif
6a5210
+        return 0;
6a5210
+    }
6a5210
+
ba9f4e
     if (src == NULL)
ba9f4e
         return 0;
ba9f4e
 
6a5210
-- 
6a5210
2.26.2
6a5210