From ed6c5133a1004ce8d38f1b44de85a7186feda95e Mon Sep 17 00:00:00 2001
From: Shailesh Mistry
Date: Wed, 10 May 2017 17:50:39 +0100
Subject: [PATCH] Bug 697683: Bounds check before reading from image source data.
Add extra check to prevent reading off the end of the image source data buffer. Thank you to Dai Ge for finding this issue and suggesting a patch.
---
 jbig2dec/jbig2_image.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
Backported dilfridge@g.o
diff -ruN jbig2dec-0.13.orig/jbig2_image.c jbig2dec-0.13/jbig2_image.c
--- jbig2dec-0.13.orig/jbig2_image.c 2017-06-10 01:41:16.207939489 +0200
+++ jbig2dec-0.13/jbig2_image.c 2017-06-10 01:46:28.009952461 +0200
@@ -256,7 +256,8 @@
 /* general OR case */
 s = ss;
 d = dd = dst->data + y * dst->stride + leftbyte;
- if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
 return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
 }
 if (leftbyte == rightbyte) {
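Review bot: The added source-side bound on the second `+` line, like the existing destination bound, is computed as a pointer expression (`s - leftbyte + (h - 1) * src->stride + rightbyte`) that can point well outside the `src->data` allocation before it is compared, which is undefined behaviour in C and is exactly the kind of expression an optimiser may fold away; expressing both limits as integer offsets from `src->data` / `dst->data` (e.g. `ptrdiff_t` distances compared against `height * stride`) keeps the check meaningful. The new condition also only guards the end of the source buffer; whether `s - leftbyte` can fall below `src->data` depends on how `ss` is derived, which is outside this hunk, so a lower-bound test analogous to `d < dst->data` is presumably worth adding or a comment explaining why it cannot happen. A short why-comment above the `if`, such as `/* Bug 697683: reject composes whose source or destination rows would run past their buffers */`, would help future readers see which half of the condition guards which buffer. The enclosing function continues beyond both ends of the hunk.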