From ade9b5ebed44b0c15522c27669ef6cdf93eff84e Mon Sep 17 00:00:00 2001 From: Albert Astals Cid Date: Tue, 17 Dec 2024 18:59:01 +0100 Subject: [PATCH] JBIG2Bitmap::combine: Fix crash on malformed files Fixes #1553 --- poppler/JBIG2Stream.cc | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/poppler/JBIG2Stream.cc b/poppler/JBIG2Stream.cc index f482a123f..b2f96e149 100644 --- a/poppler/JBIG2Stream.cc +++ b/poppler/JBIG2Stream.cc @@ -857,7 +857,7 @@ void JBIG2Bitmap::combine(JBIG2Bitmap *bitmap, int x, int y, unsigned int combOp) { - int x0, x1, y0, y1, xx, yy; + int x0, x1, y0, y1, xx, yy, yyy; unsigned char *srcPtr, *destPtr; unsigned int src0, src1, src, dest, s1, s2, m1, m2, m3; bool oneByte; @@ -902,13 +902,16 @@ oneByte = x0 == ((x1 - 1) & ~7); for (yy = y0; yy < y1; ++yy) { - if (unlikely((y + yy >= h) || (y + yy < 0))) + if (unlikely(checkedAdd(y, yy, &yyy))) { + continue; + } + if (unlikely((yyy >= h) || (yyy < 0))) continue; // one byte per line -- need to mask both left and right side if (oneByte) { if (x >= 0) { - destPtr = data + (y + yy) * line + (x >> 3); + destPtr = data + yyy * line + (x >> 3); srcPtr = bitmap->data + yy * bitmap->line; dest = *destPtr; src1 = *srcPtr; @@ -931,7 +934,7 @@ } *destPtr = dest; } else { - destPtr = data + (y + yy) * line; + destPtr = data + yyy * line; srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3); dest = *destPtr; src1 = *srcPtr; @@ -961,7 +964,7 @@ // left-most byte if (x >= 0) { - destPtr = data + (y + yy) * line + (x >> 3); + destPtr = data + yyy * line + (x >> 3); srcPtr = bitmap->data + yy * bitmap->line; src1 = *srcPtr++; dest = *destPtr; @@ -985,7 +988,7 @@ *destPtr++ = dest; xx = x0 + 8; } else { - destPtr = data + (y + yy) * line; + destPtr = data + yyy * line; srcPtr = bitmap->data + yy * bitmap->line + (-x >> 3); src1 = *srcPtr++; xx = x0; -- GitLab