thestig@ - Can you please have a look or assign an appropriate owner?

A little more info:

core/fxcodec/jbig2/JBig2_Context.cpp:175 appears to be the only function that calls the proper method:
   m_pPage.reset(new CJBig2_Image(width, height, stride, pBuf))

This call is reachable via a pdf with a jbig image (Such as the example here: https://bugs.chromium.org/p/pdfium/issues/detail?id=511).

A write what where, for limited values of what

It's not immediately obvious if the values passed directly to the CJBig2_Image ctor are actually possible in the one and only path that actually call that ctor.

+ochang as well for more eyes.

1) The "direct API calls" statement is flawed. The CJBig2_Image ctor is not directly accessible to the user.
2) The only way to access the ctor is via CPDF_DIBSource::ContinueLoadDIBSource() -> CCodec_Jbig2Module::StartDecode() -> CJBig2_Context::getFirstPage().
3) And thus the buffer that is being passed in can only come from a few places in CFX_DIBitmap::Create() and CFX_DIBitmap::ConvertFormat().
4) In most cases in (3), the size of the buffer is calculate from the pitch/height. It cannot be arbitrarily set to a size that's too small like in the POC.

Thus I am leaning towards WontFix, as the POC cannot happen with real PDFium code in its entirety.

Another way of looking at this is: Can you make a PDF file with a specially crafted JBIG image inside that triggers an overflow in setPixel()?

Someone from security should read my analysis and retriage.

Please re-open if you can produce a crafted JBIG image file that triggers this.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot