Fix OSS-Fuzz issue 20332: buffer overflow in jbig2_image_compose.
With extreme values of x/y/w/h we can get overflow. Test for this
and exit safely.

Thanks to OSS-Fuzz for reporting.
robinwatts committed Jan 27, 2020
1 parent b2686b3 commit 0726320
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions jbig2_image.c
Expand Up @@ -33,6 +33,9 @@
#if !defined (INT32_MAX)
#define INT32_MAX 0x7fffffff
#endif
#if !defined (UINT32_MAX)
#define UINT32_MAX 0xffffffffu
#endif

/* allocate a Jbig2Image structure and its associated bitmap */
Jbig2Image *
Expand Down Expand Up @@ -351,6 +354,15 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
if (src == NULL)
return 0;

if ((UINT32_MAX - src->width < (x > 0 ? x : -x)) ||
(UINT32_MAX - src->height < (y > 0 ? y : -y)))
{
#ifdef JBIG2_DEBUG
jbig2_error(ctx, JBIG2_SEVERITY_DEBUG, -1, "overflow in compose_image");
#endif
return 0;
}

/* This code takes a src image and combines it onto dst at offset (x,y), with operation op. */

/* Data is packed msb first within a byte, so with bits numbered: 01234567.
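Review bot: in the new guard, `(x > 0 ? x : -x)` negates a signed `int`, which is undefined behaviour when `x` is `INT_MIN`, one of the extreme values this check is meant to catch; the `y` term has the same form. Computing the magnitude in unsigned arithmetic, for example `x > 0 ? (uint32_t)x : 0 - (uint32_t)x`, before comparing it with `UINT32_MAX - src->width` avoids that. Separately, the rejection path does `return 0;`, the same value as the `src == NULL` early return just above it, and the `jbig2_error` call is compiled only under `JBIG2_DEBUG`, so in a non-debug build the caller cannot tell a rejected compose from a completed one. Reporting the condition outside the `#ifdef`, or returning a distinct error value, would make the rejection visible. The message text also says "compose_image" while the function is `jbig2_image_compose`.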