From 621f2c0b3b913c59c0d3cc8ebedac1453caf7acb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Sun, 24 Aug 2014 11:13:36 +0200
Subject: Bug 695440: fix buffer underflows in load-jpeg.c

With this change, all 32-bit values read from untrusted data through read_value are compared unmodified in order to prevent unintended integer overflows during the comparison.
---
 source/fitz/load-jpeg.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'source/fitz')

diff --git a/source/fitz/load-jpeg.c b/source/fitz/load-jpeg.c
index 96c82ebd..2603ce7d 100644
--- a/source/fitz/load-jpeg.c
+++ b/source/fitz/load-jpeg.c
@@ -133,7 +133,7 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 		return 0;
 
 	offset = read_value(data + 10, 4, is_big_endian) + 6;
-	if (offset < 14 || offset + 2 > marker->data_length)
+	if (offset < 14 || offset > marker->data_length - 2)
 		return 0;
 	ifd_len = read_value(data + offset, 2, is_big_endian);
 	for (offset += 2; ifd_len > 0 && offset + 12 < marker->data_length; ifd_len--, offset += 12)
@@ -145,11 +145,11 @@ static int extract_exif_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 		switch (tag)
 		{
 		case 0x11A:
-			if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+			if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
 				x_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
 			break;
 		case 0x11B:
-			if (type == 5 && value_off > offset && value_off + 8 <= marker->data_length)
+			if (type == 5 && value_off > offset && value_off <= marker->data_length - 8)
 				y_res = 1.0f * read_value(data + value_off, 4, is_big_endian) / read_value(data + value_off + 4, 4, is_big_endian);
 			break;
 		case 0x128:
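Review bot: The new upper bounds `offset > marker->data_length - 2` (first hunk) and `value_off <= marker->data_length - 8` (second hunk, both cases) are free of unsigned wrap only because marker->data_length is presumably already checked against a minimum length at the top of extract_exif_resolution, which begins and ends outside these hunks; that dependency is invisible here, so record it once above the first comparison, e.g. `/* marker->data_length has a minimum (checked at entry), so the subtractions below cannot wrap */`, naming the actual constant. The untouched loop condition `offset + 12 < marker->data_length` still adds to a value derived from untrusted data, but offset has just been bounded by data_length, and a JPEG marker payload is at most a 16-bit length, so that addition cannot overflow; a one-line comment saying so keeps a later reader from "fixing" it in a way that diverges from the new style. Note also that `offset = read_value(data + 10, 4, is_big_endian) + 6` can itself wrap for 32-bit values near UINT_MAX, which the `offset < 14` lower bound happens to reject; stating that the lower bound is doing double duty would make the guard deliberate rather than incidental.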
@@ -197,9 +197,9 @@ static int extract_app13_resolution(jpeg_saved_marker_ptr marker, int *xres, int
 		int value_off = 11 + read_value(data + 6, 2, 1);
 		if (value_off % 2 == 1)
 			value_off++;
-		if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && data + value_off <= data_end)
+		if (read_value(data, 4, 1) == 0x3842494D /* 8BIM */ && value_off <= data_end - data)
 			data_size = read_value(data + value_off - 4, 4, 1);
-		if (data_size < 0 || data + value_off + data_size > data_end)
+		if (data_size < 0 || data_size > data_end - data - value_off)
 			return 0;
 		if (tag == 0x3ED && data_size == 16)
 		{
-- 
cgit v1.2.3
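Review bot: The right-hand side of `data_size > data_end - data - value_off` is non-negative only because data_size can leave its initial -1 solely through the 8BIM branch two lines up, which has just established `value_off <= data_end - data`; that coupling between the two `if` lines is easy to break when either is edited, so spell it out, e.g. `/* data_size >= 0 implies value_off <= data_end - data (checked above), so this difference cannot be negative */`. Both value_off and data_size appear to be plain int while read_value produces a 32-bit quantity from the file, so a 4-byte size above INT_MAX only reaches the `data_size < 0` rejection through an implementation-defined narrowing on assignment; if that is the intended catch, a comment saying so (or reading into an unsigned temporary and range-checking it before the assignment) would make the behaviour deliberate. extract_app13_resolution begins before and continues after this hunk, so the loop's advance and the later 16-byte reads could not be reviewed here.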