Fix OSS-Fuzz issue 20332: buffer overflow in jbig2_image_compose.

With extreme values of x/y/w/h we can get overflow. Test for this and exit safely. Thanks for OSS-Fuzz for reporting.
ArtifexSoftware · Jan 27, 2020 · 0726320 · 0726320
1 parent b2686b3
commit 0726320
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/jbig2_image.c b/jbig2_image.c
@@ -33,6 +33,9 @@
 #if !defined (INT32_MAX)
 #define INT32_MAX  0x7fffffff
 #endif
+#if !defined (UINT32_MAX)
+#define UINT32_MAX  0xffffffffu
+#endif
 
 /* allocate a Jbig2Image structure and its associated bitmap */
 Jbig2Image *
@@ -351,6 +354,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
     if (src == NULL)
         return 0;
 
+    if ((UINT32_MAX - src->width  < (x > 0 ? x : -x)) ||
+        (UINT32_MAX - src->height < (y > 0 ? y : -y)))
+    {
+#ifdef JBIG2_DEBUG
+        jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
+#endif
+        return 0;
+    }
+
     /* This code takes a src image and combines it onto dst at offset (x,y), with operation op. */
 
     /* Data is packed msb first within a byte, so with bits numbered: 01234567.