diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc
index 7ddcc81..027985f 100644
--- a/poppler/JBIG2Stream.cc
+++ b/poppler/JBIG2Stream.cc
@@ -584,6 +584,9 @@ int JBIG2MMRDecoder::getBlackCode() {
 } else {
 code = buf >> (bufLen - 12);
 }
+ if ((code & 0xff) < 64) {
+ break;
+ }
 p = &blackTab2[(code & 0xff) - 64];
 } else {
 if (bufLen <= 6) {
@@ -1849,6 +1852,10 @@ GBool JBIG2Stream::readSymbolDictSeg(Guint segNum, Guint length,
 collBitmap = new JBIG2Bitmap(0, totalWidth, symHeight);
 bmSize = symHeight * ((totalWidth + 7) >> 3);
 p = collBitmap->getDataPtr();
+ if (p == NULL) {
+ delete collBitmap;
+ goto syntaxError;
+ }
 for (k = 0; k < (Guint)bmSize; ++k) {
 if ((c = curStr->getChar()) == EOF) {
 break;
@@ -2365,6 +2372,11 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
 if (symID >= (Guint)numSyms) {
 error(errSyntaxError, curStr->getPos(), "Invalid symbol number in JBIG2 text region");
+ if (numInstances - inst > 0x8000000) {
+ // don't loop too often with damaged JBIg2 streams
+ delete bitmap;
+ return NULL;
+ }
 } else { // get the symbol bitmap
@@ -2416,8 +2428,24 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
 //~ something is wrong here - refCorner shouldn't degenerate into
 //~ two cases
 bw = symbolBitmap->getWidth() - 1;
+ if (symbolBitmap->getHeight() == 0) {
+ error(errSyntaxError, curStr->getPos(), "Invalid symbol bitmap height");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 bh = symbolBitmap->getHeight() - 1;
 if (transposed) {
+ if (s > 2 * bitmap->getHeight()) {
+ error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 switch (refCorner) {
 case 0: // bottom left
 bitmap->combine(symbolBitmap, tt, s, combOp);
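Review bot: The new `break` in JBIG2MMRDecoder::getBlackCode() carries no comment saying why codes below 64 are rejected or where control goes afterwards. The line after it computes `&blackTab2[(code & 0xff) - 64]`, which would point before the table for such codes, so a comment like `// (code & 0xff) < 64 would index before blackTab2; leave the decode loop` would make the guard's intent reviewable. The loop that the `break` leaves and the code that follows it are outside the hunk, so it is worth confirming that this exit reports a bad code rather than returning a stale value.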
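Review bot: In readSymbolDictSeg the added NULL check only covers a failed allocation; the copy loop that follows is still bounded by `bmSize`, computed separately as `symHeight * ((totalWidth + 7) >> 3)` rather than taken from the bitmap. If that product overflows or disagrees with the size JBIG2Bitmap actually allocated (the declarations and the loop body are outside the hunk, so this is inferred), the loop can presumably step `p` past the buffer even when it is non-NULL. Consider bounding the loop by the bitmap's own data size, or rejecting the segment when the two values differ. The early exit is also silent: unlike the other checks in this commit, no `error(errSyntaxError, ...)` call precedes `goto syntaxError`, unless the label itself logs.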
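Review bot: The guard added to the invalid-symbol branch of readTextRegion aborts only when more than `0x8000000` instances remain, so a damaged stream with slightly fewer still runs the loop to the end and calls `error()` once per bad instance. The threshold is a bare literal with no rationale; a named constant with a comment on how it was chosen, or a cap on the number of invalid symbols seen so far, would make the bound auditable. If `numInstances` and `inst` are unsigned (their declarations are outside the hunk), `numInstances - inst` wraps when `inst` exceeds `numInstances`, which is worth ruling out at the loop header.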
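Review bot: The zero-height check added before `bh = symbolBitmap->getHeight() - 1` has no counterpart for the width: `bw = symbolBitmap->getWidth() - 1` on the line above it is still computed unchecked, and `bw` feeds the `tt - bw` offsets passed to `combine()` in the transposed cases. The `(int) bh` casts added later in this commit suggest these variables are unsigned, in which case a zero-width symbol wraps `bw` to a very large value. Moving the check above the `bw` assignment and widening it to `if (symbolBitmap->getWidth() == 0 || symbolBitmap->getHeight() == 0) {`, with the message generalised to cover both dimensions, would handle both. The new `s > 2 * bitmap->getHeight()` test in the transposed branch also has no comment explaining the factor of two; the function starts and ends outside the hunk.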
@@ -2432,19 +2460,51 @@ JBIG2Bitmap *JBIG2Stream::readTextRegion(GBool huff, GBool refine,
 bitmap->combine(symbolBitmap, tt - bw, s, combOp);
 break;
 }
- s += bh;
+ s += bh;
 } else {
 switch (refCorner) {
 case 0: // bottom left
+ if (tt - (int) bh > 2 * bitmap->getHeight()) {
+ error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 bitmap->combine(symbolBitmap, s, tt - bh, combOp);
 break;
 case 1: // top left
+ if (tt > 2 * bitmap->getHeight()) {
+ error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 bitmap->combine(symbolBitmap, s, tt, combOp);
 break;
 case 2: // bottom right
+ if (tt - (int) bh > 2 * bitmap->getHeight()) {
+ error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 bitmap->combine(symbolBitmap, s, tt - bh, combOp);
 break;
 case 3: // top right
+ if (tt > 2 * bitmap->getHeight()) {
+ error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
+ if (ri) {
+ delete symbolBitmap;
+ }
+ delete bitmap;
+ return NULL;
+ }
 bitmap->combine(symbolBitmap, s, tt, combOp);
 break;
 }
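Review bot: The same eight-line bounds check and cleanup is pasted into all four `refCorner` cases of the non-transposed branch (and appears twice more in the previous hunk), so any later correction to the bound or to the cleanup has to be repeated in six places. Computing the y offset once before the `switch` and testing it there keeps the check in one spot, assuming `refCorner` only takes the values 0–3 and `tt` is a signed int (neither declaration is in the hunk). The bound `2 * bitmap->getHeight()` is not explained, and nothing here rejects a negative offset or checks the x offset `s`; whether `combine()` clips those itself is outside the hunk and should be confirmed. The enclosing function continues past the end of the hunk.

```cpp
      } else {
        // y offset handed to combine(): bottom corners sit bh rows above tt
        const int y = (refCorner == 0 || refCorner == 2) ? tt - (int) bh : tt;
        if (y > 2 * bitmap->getHeight()) {
          error(errSyntaxError, curStr->getPos(), "Invalid JBIG2 combine");
          if (ri) {
            delete symbolBitmap;
          }
          delete bitmap;
          return NULL;
        }
        // … unchanged: switch (refCorner) with the four bitmap->combine() calls …
```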