From 13f812c4130186cd27d5aac2eaef4b23bbe7056b Mon Sep 17 00:00:00 2001
From: Dan Bloomberg
Date: Mon, 27 Jul 2020 22:12:43 -0700
Subject: [PATCH] Fix buffer overflow in sreadHeaderSpix (found by cluster-fuzz)
---
 src/allheaders.h | 2 +-
 src/readfile.c | 2 +-
 src/spixio.c | 6 +++++-
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/allheaders.h b/src/allheaders.h
index e16de0a5f..70b58349f 100644
--- a/src/allheaders.h
+++ b/src/allheaders.h
@@ -2561,7 +2561,7 @@ LEPT_DLL extern l_ok pixFindNormalizedSquareSum ( PIX *pixs, l_float32 *phratio,
 LEPT_DLL extern PIX * pixReadStreamSpix ( FILE *fp );
 LEPT_DLL extern l_ok readHeaderSpix ( const char *filename, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
 LEPT_DLL extern l_ok freadHeaderSpix ( FILE *fp, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
-LEPT_DLL extern l_ok sreadHeaderSpix ( const l_uint32 *data, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
+LEPT_DLL extern l_ok sreadHeaderSpix ( const l_uint32 *data, size_t size, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
 LEPT_DLL extern l_ok pixWriteStreamSpix ( FILE *fp, PIX *pix );
 LEPT_DLL extern PIX * pixReadMemSpix ( const l_uint8 *data, size_t size );
 LEPT_DLL extern l_ok pixWriteMemSpix ( l_uint8 **pdata, size_t *psize, PIX *pix );
diff --git a/src/readfile.c b/src/readfile.c
index 51e58bf05..fd495c97a 100644
--- a/src/readfile.c
+++ b/src/readfile.c
@@ -1070,7 +1070,7 @@ PIX *pix;
 return ERROR_INT("Pdf reading is not supported\n", procName, 1);
 case IFF_SPIX:
- ret = sreadHeaderSpix((l_uint32 *)data, &w, &h, &bps,
+ ret = sreadHeaderSpix((l_uint32 *)data, size, &w, &h, &bps,
 &spp, &iscmap);
 if (ret) return ERROR_INT( "pnm: no header info returned", procName, 1);
diff --git a/src/spixio.c b/src/spixio.c
index 7df7253b2..229f4f468 100644
--- a/src/spixio.c
+++ b/src/spixio.c
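Review bot: Inserting `size_t size` as the second parameter of the exported `sreadHeaderSpix` prototype changes the ABI of a `LEPT_DLL` symbol. A caller compiled against the old six-argument declaration but linked with the new library would have its `pwidth` pointer read as `size` and every following pointer shifted by one, so the function would write through the wrong addresses. Nothing in the patch shows a library version or soname bump, so I would ask for one together with a release-note line telling callers to pass the byte length of `data`. If this header is generated from the sources, the same remark applies to the definition in src/spixio.c.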
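Review bot: The failure branch under `case IFF_SPIX:` still reports `"pnm: no header info returned"`, so the new "size too small" rejection from `sreadHeaderSpix` will show up in logs as a pnm problem; I would change the string to `"spix: no header info returned"`. Separately, `(l_uint32 *)data` casts away whatever type `data` has at this call; if it is a byte buffer (its declaration is outside the hunk), the 32-bit reads in `sreadHeaderSpix` depend on that buffer's alignment, which deserves a comment here such as `/* data must be 4-byte aligned */`. The enclosing switch starts and ends outside the hunk.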
@@ -190,7 +190,7 @@ l_uint32 data[6];
 return ERROR_INT("file too small to be spix", procName, 1);
 if (fread(data, 4, 6, fp) != 6) return ERROR_INT("error reading data", procName, 1);
- ret = sreadHeaderSpix(data, pwidth, pheight, pbps, pspp, piscmap);
+ ret = sreadHeaderSpix(data, nbytes, pwidth, pheight, pbps, pspp, piscmap);
 return ret;
 }
@@ -199,6 +199,7 @@ l_uint32 data[6];
 * \brief sreadHeaderSpix()
 *
 * \param[in] data
+ * \param[in] size of data
 * \param[out] pwidth width
 * \param[out] pheight height
 * \param[out] pbps bits/sample
@@ -213,6 +214,7 @@ l_uint32 data[6];
 */
 l_ok sreadHeaderSpix(const l_uint32 *data,
+ size_t size,
 l_int32 *pwidth,
 l_int32 *pheight,
 l_int32 *pbps,
@@ -231,6 +233,8 @@ l_int32 d, ncolors;
 *pwidth = *pheight = *pbps = *pspp = 0;
 if (piscmap) *piscmap = 0;
+ if (size < 28)
+ return ERROR_INT("size too small", procName, 1);
 /* Check file id */
 id = (char *)data;
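Review bot: The `size` passed at this call is `nbytes`, but the buffer handed over is the local `l_uint32 data[6]` filled by `fread(data, 4, 6, fp)`, which is 24 bytes. `nbytes` is presumably the file length (its assignment is above the hunk), so from this caller, apparently `freadHeaderSpix`, the new `size < 28` guard does not describe the memory `sreadHeaderSpix` may actually read. Passing `sizeof(data)` would be the accurate value but would fail the 28-byte minimum, so either the array should hold as many words as the guard assumes, or the parameter's contract should state that it is the length of the underlying file or memory image rather than of the array passed. At minimum I would add `/* nbytes is the file size; only data[0..5] are valid here */` above the call so a later edit does not index past the array.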
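Review bot: The bound in `if (size < 28)` is a bare literal with no visible derivation, and the doc line added for the parameter in the comment hunk above says only "of data" without a unit. I would replace the literal with a named constant and a comment stating which header words make up those 28 bytes (the stream reader earlier in this file fetches only six words, 24 bytes), and write the doc line as `* \param[in] size size of data, in bytes`. The guard is placed after the output parameters are zeroed, so a rejected header leaves them defined. The function body continues outside the hunk, so whether every later index into `data` stays below `size` cannot be confirmed from here.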