30 lines
1.6 KiB
Diff
30 lines
1.6 KiB
Diff
diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
|
|
index 94e5a4c..00f966b 100644 (file)
|
|
--- jbig2_image.c
|
|
+++ jbig2_image.c
|
|
@@ -256,7 +256,7 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
|
|
/* general OR case */
|
|
s = ss;
|
|
d = dd = dst->data + y * dst->stride + leftbyte;
|
|
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
|
|
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
|
|
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
|
|
}
|
|
if (leftbyte == rightbyte) {
|
|
|
|
|
|
diff --git a/jbig2dec/jbig2_image.c b/jbig2dec/jbig2_image.c
|
|
index 661d0a5..ae161b9 100644 (file)
|
|
--- jbig2_image.c
|
|
+++ jbig2_image.c
|
|
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2Image *dst, Jbig2Image *src, int x, int
|
|
/* general OR case */
|
|
s = ss;
|
|
d = dd = dst->data + y * dst->stride + leftbyte;
|
|
- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
|
|
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
|
|
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
|
|
return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
|
|
}
|
|
if (leftbyte == rightbyte) {
|