https://github.com/ArtifexSoftware/jbig2dec/commit/f6d326878893dc92b45cbd18e25ab4d2b3a8db73 ---- From f6d326878893dc92b45cbd18e25ab4d2b3a8db73 Mon Sep 17 00:00:00 2001 From: Sebastian Rasmussen Date: Sun, 15 Sep 2019 18:12:31 +0200 Subject: [PATCH] jbig2dec: Add overflow detection for IAID context size. --- jbig2_arith_iaid.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/jbig2_arith_iaid.c b/jbig2_arith_iaid.c index 78dc830..bbc38a0 100644 --- a/jbig2_arith_iaid.c +++ b/jbig2_arith_iaid.c @@ -44,9 +44,18 @@ struct _Jbig2ArithIaidCtx { Jbig2ArithIaidCtx * jbig2_arith_iaid_ctx_new(Jbig2Ctx *ctx, int SBSYMCODELEN) { - Jbig2ArithIaidCtx *result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); - int ctx_size = 1 << SBSYMCODELEN; + Jbig2ArithIaidCtx *result; + size_t ctx_size; + if (sizeof(ctx_size) * 8 <= SBSYMCODELEN) + { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "requested IAID arithmetic coding state size too large"); + return NULL; + } + + ctx_size = 1 << SBSYMCODELEN; + + result = jbig2_new(ctx, Jbig2ArithIaidCtx, 1); if (result == NULL) { jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "failed to allocate IAID arithmetic coding state"); return NULL;