diff -rupN --no-dereference poppler-21.08.0/poppler/JBIG2Stream.cc poppler-21.08.0-new/poppler/JBIG2Stream.cc
--- poppler-21.08.0/poppler/JBIG2Stream.cc	2021-08-01 17:19:17.000000000 +0200
+++ poppler-21.08.0-new/poppler/JBIG2Stream.cc	2022-09-13 14:26:47.375613172 +0200
@@ -1962,7 +1962,11 @@ void JBIG2Stream::readTextRegionSeg(unsi
     for (i = 0; i < nRefSegs; ++i) {
         if ((seg = findSegment(refSegs[i]))) {
             if (seg->getType() == jbig2SegSymbolDict) {
-                numSyms += ((JBIG2SymbolDict *)seg)->getSize();
+                const unsigned int segSize = ((JBIG2SymbolDict *)seg)->getSize();
+                if (unlikely(checkedAdd(numSyms, segSize, &numSyms))) {
+                    error(errSyntaxError, getPos(), "Too many symbols in JBIG2 text region");
+                    return;
+                }
             } else if (seg->getType() == jbig2SegCodeTable) {
                 codeTables.push_back(seg);
             }