Merge pull request #20440 from Gaurang-5/master

timvandermeij · web-flow · commit d946f0584187 · 2025-12-09T20:42:51.000+01:00
Fix infinite loop in JBIG2 decoder with &gt;4 referred-to segments
diff --git a/src/core/jbig2.js b/src/core/jbig2.js
@@ -1165,15 +1165,15 @@ function readSegmentHeader(data, start) {
   let referredToCount = (referredFlags >> 5) & 7;
   const retainBits = [referredFlags & 31];
   let position = start + 6;
-  if (referredFlags === 7) {
+  if (referredToCount === 7) {
     referredToCount = readUint32(data, position - 1) & 0x1fffffff;
     position += 3;
-    let bytes = (referredToCount + 7) >> 3;
+    let bytes = (referredToCount + 8) >> 3;
     retainBits[0] = data[position++];
     while (--bytes > 0) {
       retainBits.push(data[position++]);
     }
-  } else if (referredFlags === 5 || referredFlags === 6) {
+  } else if (referredToCount === 5 || referredToCount === 6) {
     throw new Jbig2Error("invalid referred-to flags");
   }
 
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
@@ -751,6 +751,7 @@
 !comments.pdf
 !issue20319_1.pdf
 !issue20319_2.pdf
+!issue20439.pdf
 !bug1992868.pdf
 !bug1937438_af_from_latex.pdf
 !bug1937438_from_word.pdf
diff --git a/test/pdfs/issue20439.pdf b/test/pdfs/issue20439.pdf
diff --git a/test/test_manifest.json b/test/test_manifest.json
@@ -2817,6 +2817,13 @@
     "rounds": 1,
     "type": "eq"
   },
+  {
+    "id": "issue20439",
+    "file": "pdfs/issue20439.pdf",
+    "md5": "3c7e888b26ff00943ec1610d93235efc",
+    "rounds": 1,
+    "type": "eq"
+  },
   {
     "id": "issue15942",
     "file": "pdfs/issue15942.pdf",
