From d623090b32a15df12d09f82c5da2ad65bfd5ec12 Mon Sep 17 00:00:00 2001
From: Uli Schlachter
Date: Sun, 1 Jan 2023 09:43:33 +0100
Subject: [PATCH] Fix an out of bounds read in _jbig2_get_next_segment()

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38451

Signed-off-by: Uli Schlachter
---
 src/cairo-image-info.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/cairo-image-info.c b/src/cairo-image-info.c
index f207ae887..9b5e2d2e2 100644
--- a/src/cairo-image-info.c
+++ b/src/cairo-image-info.c
@@ -348,6 +348,8 @@ _jbig2_get_next_segment (const unsigned char *p,
 num_segs = p[0] >> 5;
 if (num_segs == 7) {
+ if (p + 4 >= end)
+ return NULL;
 num_segs = get_unaligned_be32 (p) & 0x1fffffff;
 ref_seg_bytes = 4 + ((num_segs + 1)/8);
 } else {
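Review bot: The added guard `if (p + 4 >= end)` forms a pointer that can lie beyond one-past-the-end of the input buffer before comparing it, which is undefined pointer arithmetic in C even though it behaves on flat address spaces; writing the same test as a remaining-length check, `if (end - p <= 4) return NULL;`, keeps it well-defined, and `<=` preserves the commit's by-one-stricter rejection (the 4-byte `get_unaligned_be32 (p)` itself only needs `end - p >= 4`). That check bounds the `num_segs` read on the next line, but the `ref_seg_bytes = 4 + ((num_segs + 1)/8)` it feeds can be as large as `4 + 0x1fffffff/8`, so wherever `p` is later advanced by `ref_seg_bytes` it must be re-checked against `end` before the next read, ideally again as a length comparison rather than `p + ref_seg_bytes` against `end`; that advance, like the start of `_jbig2_get_next_segment`, is outside this hunk, so this is inferred. A one-line comment above the guard would help the next reader, e.g. `/* 4-byte referred-to segment count follows; make sure it is inside the buffer */`. Separately, if this field is the JBIG2 retain-bits array, whose size is 4 + ceil((count + 1)/8) bytes, the truncating `(num_segs + 1)/8` on the context line undercounts by one byte whenever `num_segs + 1` is not a multiple of 8 — worth confirming against the spec, though it predates this commit.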