From ea9b3a676a516a603fabb593085d14a67356db6f Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen <sebras@gmail.com>
Date: Thu, 17 Oct 2019 01:48:00 +0200
Subject: [PATCH] Bug 701721: jbig2dec: Fix under/overflow handling in
 arithmetic integer decoder.

The previous detection logic caused GCC's -Wlogical-op to trip.
Not only that, but the detection logic never took into account
that underflow is not possible (the worst case is V == INT32_MIN,
but offset is always > 0, so underflow cannot happen), nor take
varying offset values into account (hardcoded limits meant that
the offset was ignored even if it could not cause an overflow),
but instead could cause non-clamped values to be emitted.

This corrected logic adheres to the Annex A. Table A.1 in the specification.
---
 jbig2dec/jbig2_arith_int.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/jbig2dec/jbig2_arith_int.c b/jbig2dec/jbig2_arith_int.c
index 7ad47ad..20b62df 100644
--- a/jbig2dec/jbig2_arith_int.c
+++ b/jbig2dec/jbig2_arith_int.c
@@ -130,8 +130,11 @@ jbig2_arith_int_decode(Jbig2Ctx *ctx, Jbig2ArithIntCtx *actx, Jbig2ArithState *a
         V = (V << 1) | bit;
     }
 
-    /* make sure not to underflow/overflow 32 bit value */
-    if (V < INT32_MAX - 4436 || V > INT32_MIN + 4436)
+    /* offset is always >=0, so underflow can't happen. */
+    /* avoid overflow by clamping 32 bit value. */
+    if (V > INT32_MAX - offset)
+        V = INT32_MAX;
+    else
         V += offset;
     V = S ? -V : V;
     *p_result = V;
-- 
1.8.3.1