summaryrefslogtreecommitdiff
blob: 7205c980fc284dc1289535591ba2d49cbcd697e3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
https://github.com/ArtifexSoftware/jbig2dec/commit/f6d326878893dc92b45cbd18e25ab4d2b3a8db73
----
From f6d326878893dc92b45cbd18e25ab4d2b3a8db73 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Sun, 15 Sep 2019 18:12:31 +0200
Subject: [PATCH] jbig2dec: Add overflow detection for IAID context size.

---
 jbig2_arith_iaid.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/jbig2_arith_iaid.c b/jbig2_arith_iaid.c
index 78dc830..bbc38a0 100644
--- a/jbig2_arith_iaid.c
+++ b/jbig2_arith_iaid.c
@@ -44,9 +44,18 @@ struct _Jbig2ArithIaidCtx {
 Jbig2ArithIaidCtx *
 jbig2_arith_iaid_ctx_new(Jbig2Ctx *ctx, int SBSYMCODELEN)
 {
-    Jbig2ArithIaidCtx *result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1);
-    int ctx_size = 1 << SBSYMCODELEN;
+    Jbig2ArithIaidCtx *result;
+    size_t ctx_size;
 
+    if (sizeof(ctx_size) * 8 <= SBSYMCODELEN)
+    {
+        jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "requested IAID arithmetic coding state size too large");
+        return NULL;
+    }
+
+    ctx_size = 1 << SBSYMCODELEN;
+
+    result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1);
     if (result == NULL) {
         jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate IAID arithmetic coding state");
         return NULL;