poppler/JBIG2Stream.cc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
New commits: commit 756ab7a061f505722a92efdeb61765311d00e313 Author: Albert Astals Cid <[email protected]> Date: Thu Jul 21 19:41:22 2022 +0200 JBIG2Stream::readPatternDictSeg: Protect against some overflow diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index 9f70431d..77ffeb28 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -2506,7 +2506,19 @@ void JBIG2Stream::readPatternDictSeg(unsigned int segNum, unsigned int length) aty[2] = -2; atx[3] = -2; aty[3] = -2; - bitmap = readGenericBitmap(mmr, (grayMax + 1) * patternW, patternH, templ, false, false, nullptr, atx, aty, length - 7); + + unsigned int grayMaxPlusOne; + if (unlikely(checkedAdd(grayMax, 1u, &grayMaxPlusOne))) { + return; + } + unsigned int bitmapW; + if (unlikely(checkedMultiply(grayMaxPlusOne, patternW, &bitmapW))) { + return; + } + if (bitmapW >= INT_MAX) { + return; + } + bitmap = readGenericBitmap(mmr, static_cast<int>(bitmapW), patternH, templ, false, false, nullptr, atx, aty, length - 7); if (!bitmap) { return;
