From ea9b3a676a516a603fabb593085d14a67356db6f Mon Sep 17 00:00:00 2001
|
|
From: Sebastian Rasmussen <sebras@gmail.com>
|
|
Date: Thu, 17 Oct 2019 01:48:00 +0200
|
|
Subject: [PATCH] Bug 701721: jbig2dec: Fix under/overflow handling in
|
|
arithmetic integer decoder.
|
|
|
|
The previous detection logic caused GCC's -Wlogical-op to trip.
|
|
Not only that, but the detection logic never took into account
|
|
that underflow is not possible (the worst case is V == INT32_MIN,
|
|
but offset is always > 0, so underflow cannot happen), nor took
|
|
varying offset values into account (hardcoded limits meant that
|
|
the offset was ignored even if it could not cause an overflow),
|
|
but instead could cause non-clamped values to be emitted.
|
|
|
|
This corrected logic adheres to the Annex A. Table A.1 in the specification.
|
|
---
|
|
jbig2dec/jbig2_arith_int.c | 7 +++++--
|
|
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c
|
|
index 7ad47ad..20b62df 100644
|
|
--- a/jbig2dec/jbig2_arith_int.c
|
|
+++ b/jbig2dec/jbig2_arith_int.c
|
|
@@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a
|
|
V = (V << 1) | bit;
|
|
}
|
|
|
|
- /* make sure not to underflow/overflow 32 bit value */
|
|
- if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436)
|
|
+ /* offset is always >=0, so underflow can't happen. */
|
|
+ /* avoid overflow by clamping 32 bit value. */
|
|
+ if (V > INT32_MAX - offset)
|
|
+ V = INT32_MAX;
|
|
+ else
|
|
V += offset;
|
|
V = S ? -V : V;
|
|
*p_result = V;
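Review bot: The clamp on the `if (V > INT32_MAX - offset)` line is only sound while `offset` is non-negative; the new comment asserts this but nothing in the hunk enforces it, and a negative `offset` would make the subtraction itself overflow. Consider pinning the invariant where `offset` is assigned or adding a debug-time check, e.g. `assert(offset >= 0);` immediately before the comparison. The new comment also says `offset is always >=0` while the commit message says `> 0`; either suffices for the clamp, but the two should agree. Separately, the clamp guards only the addition: the `V = (V << 1) | bit` context line accumulates into `V`, and if `V` is a signed 32-bit type (its declaration is outside the hunk) a shift that sets the sign bit is undefined behaviour before the clamp is ever reached, so it is worth confirming the loop bounds the number of bits it accumulates. jbig2_arith_int_decode begins and ends outside this hunk.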
|
|
--
|
|
1.8.3.1