Fix infinite loop in JBIG2 decoder with >4 referred-to segments and add regression test

Gaurang-5 · Gaurang-5 · commit ac8d80a8e4a6 · 2025-12-07T06:46:16.000+05:30
diff --git a/src/core/jbig2.js b/src/core/jbig2.js
@@ -1165,15 +1165,15 @@ function readSegmentHeader(data, start) {
   let referredToCount = (referredFlags >> 5) & 7;
   const retainBits = [referredFlags & 31];
   let position = start + 6;
-  if (referredFlags === 7) {
+  if (referredToCount === 7) {
     referredToCount = readUint32(data, position - 1) & 0x1fffffff;
     position += 3;
-    let bytes = (referredToCount + 7) >> 3;
+    let bytes = (referredToCount + 8) >> 3;
     retainBits[0] = data[position++];
     while (--bytes > 0) {
       retainBits.push(data[position++]);
     }
-  } else if (referredFlags === 5 || referredFlags === 6) {
+  } else if (referredToCount === 5 || referredToCount === 6) {
     throw new Jbig2Error("invalid referred-to flags");
   }
 
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
@@ -749,6 +749,7 @@
 !comments.pdf
 !issue20319_1.pdf
 !issue20319_2.pdf
+!issue20439.pdf
 !bug1992868.pdf
 !bug1937438_af_from_latex.pdf
 !bug1937438_from_word.pdf
diff --git a/test/pdfs/issue20439.pdf b/test/pdfs/issue20439.pdf
diff --git a/test/test_manifest.json b/test/test_manifest.json
@@ -2809,6 +2809,13 @@
     "rounds": 1,
     "type": "eq"
   },
+  {
+    "id": "issue20439",
+    "file": "pdfs/issue20439.pdf",
+    "md5": "3c7e888b26ff00943ec1610d93235efc",
+    "rounds": 1,
+    "type": "eq"
+  },
   {
     "id": "issue15942",
     "file": "pdfs/issue15942.pdf",
