LibGfx/JBIG2: Fix size bound in scan_for_immediate_generic_region_size()

The memmem() call passes `data.size() - 19 - sizeof(u32)` for big_len, (18 prefix bytes skipped, the flag byte, and the trailing u32), so the buffer needs to be at least that large. Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67332
Author: https://github.com/nico Commit: https://github.com/SerenityOS/serenity/commit/7740aeca29 Pull-request: https://github.com/SerenityOS/serenity/pull/23577
2026-05-05 06:32:30 +02:00 · 2024-03-13 18:46:24 -04:00 · 2024-07-17 06:29:49 +09:00
parent ec6e7077fe
commit 7740aeca29
1 changed files with 2 additions and 2 deletions
--- a/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/JBIG2Loader.cpp
@@ -306,8 +306,8 @@ static ErrorOr<size_t> scan_for_immediate_generic_region_size(ReadonlyBytes data
    //  Thus, those sequences cannot occur by chance in the data that is decoded to generate the contents of the generic region."
    dbgln_if(JBIG2_DEBUG, "(Unknown data length, computing it)");

-    if (data.size() < 18)
-        return Error::from_string_literal("JBIG2ImageDecoderPlugin: Data too short to contain segment data header");
+    if (data.size() < 19 + sizeof(u32))
+        return Error::from_string_literal("JBIG2ImageDecoderPlugin: Data too short to contain segment data header and end sequence");

    // Per 7.4.6.1 Generic region segment data header, this starts with the 17 bytes described in
    // 7.4.1 Region segment information field, followed the byte described in 7.4.6.2 Generic region segment flags.