jbig2_image_compose is supposed to clip the source image against the destination before compositing but the logic is insufficient. Corrupt or malicious data can read/write outside the boundaries of allocated space.
Created attachment 5592 [details] a8-2i4-generic.jbig2 Attaching a corrupt embedded fragment illustrates the problem. $ ./jbig2dec /dev/null a8-2i4-generic.jbig2 Segmentation fault
Created attachment 5593 [details] a8-2i4-corrupt.jbig2 Sorry, the previous attachment was the wrong version of the file. This one reproduces the problem: $ ./jbig2dec /dev/null a8-2i4-corrupt.jbig2 Segmentation fault
Created attachment 8207 [details] Patch for Bug690870 This patch prevents image compositing occurring if the src is outside of the clip region. The corrupt test file no longer causes a segmentation fault. A cluster regression shows no differences.
The patch seems reasonable but it seems odd the author would add a "FIXME" and leave that (your fix) out, the other part of the code seems to be taken from the fit_fill macro in gxdevice.h which includes the code you've added. Perhaps he thought it warranted further investigation (i.e. the actual Adobe behavior is different). Can we embed this jbig2 example in a real pdf file and make sure we are behaving the same as Adobe.
Let's just go ahead and commit this one.
Patch committed in 8b150573a88276849b32b359030fc195786d2be8
Fixed see comment #6 for commit info.