From 2f4d55c15bda2ffb3c0eaf4cbb35715bced5371d Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Wed, 13 Mar 2024 18:46:24 -0400
Subject: [PATCH] LibGfx/JBIG2: Fix size bound in scan_for_immediate_generic_region_size()
The memmem() call passes `data.size() - 19 - sizeof(u32)` for big_len, (18 prefix bytes skipped, the flag byte, and the trailing u32), so the buffer needs to be at least that large.
Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67332
---
 Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp b/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp
index d5a90b313ef316..7ead52b527722c 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp
@@ -306,8 +306,8 @@ static ErrorOr scan_for_immediate_generic_region_size(ReadonlyBytes data
 // Thus, those sequences cannot occur by chance in the data that is decoded to generate the contents of the generic region."
 dbgln_if(JBIG2_DEBUG, "(Unknown data length, computing it)");
- if (data.size() < 18)
- return Error::from_string_literal("JBIG2ImageDecoderPlugin: Data too short to contain segment data header");
+ if (data.size() < 19 + sizeof(u32))
+ return Error::from_string_literal("JBIG2ImageDecoderPlugin: Data too short to contain segment data header and end sequence");
 // Per 7.4.6.1 Generic region segment data header, this starts with the 17 bytes described in
 // 7.4.1 Region segment information field, followed the byte described in 7.4.6.2 Generic region segment flags.
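Review bot: The new bound `19 + sizeof(u32)` is a bare repeat of the offset arithmetic in the memmem() call that the commit message cites, but that call sits outside this hunk, so nothing in the code ties the two numbers together and the next edit to either side can silently reopen the underflow this commit closes. I would hoist the two values into named constants used by both the check and the memmem() call, or at minimum annotate the check with `// Must stay in sync with the offset and big_len passed to memmem() below: 18 header bytes, the flags byte, and the trailing u32 row count.` Note also that this is only the underflow guard: with exactly `19 + sizeof(u32)` bytes the search length is zero, so the terminating sequence cannot be found; presumably the later memmem() miss is reported as its own error, but that path is not visible here. The rest of scan_for_immediate_generic_region_size() continues outside the hunk.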