From ac8d80a8e4a66053c765bcf3cf9e0f750cc3e093 Mon Sep 17 00:00:00 2001
From: Gaurang Bhatia <gaurang525@outlook.com>
Date: Sun, 7 Dec 2025 06:46:16 +0530
Subject: [PATCH] Fix infinite loop in JBIG2 decoder with >4 referred-to
 segments and add regression test

---
 src/core/jbig2.js        |   6 +++---
 test/pdfs/.gitignore     |   1 +
 test/pdfs/issue20439.pdf | Bin 0 -> 1300 bytes
 test/test_manifest.json  |   7 +++++++
 4 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 test/pdfs/issue20439.pdf

diff --git a/src/core/jbig2.js b/src/core/jbig2.js
index df689d963..e31bd1f5e 100644
--- a/src/core/jbig2.js
+++ b/src/core/jbig2.js
@@ -1165,15 +1165,15 @@ function readSegmentHeader(data, start) {
   let referredToCount = (referredFlags >> 5) & 7;
   const retainBits = [referredFlags & 31];
   let position = start + 6;
-  if (referredFlags === 7) {
+  if (referredToCount === 7) {
     referredToCount = readUint32(data, position - 1) & 0x1fffffff;
     position += 3;
-    let bytes = (referredToCount + 7) >> 3;
+    let bytes = (referredToCount + 8) >> 3;
     retainBits[0] = data[position++];
     while (--bytes > 0) {
       retainBits.push(data[position++]);
     }
-  } else if (referredFlags === 5 || referredFlags === 6) {
+  } else if (referredToCount === 5 || referredToCount === 6) {
     throw new Jbig2Error("invalid referred-to flags");
   }
 
diff --git a/test/pdfs/.gitignore b/test/pdfs/.gitignore
index e2bb0f1e8..be41a6b37 100644
--- a/test/pdfs/.gitignore
+++ b/test/pdfs/.gitignore
@@ -749,6 +749,7 @@
 !comments.pdf
 !issue20319_1.pdf
 !issue20319_2.pdf
+!issue20439.pdf
 !bug1992868.pdf
 !bug1937438_af_from_latex.pdf
 !bug1937438_from_word.pdf
diff --git a/test/pdfs/issue20439.pdf b/test/pdfs/issue20439.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..5ed98c756706fdbc43d889ffcddc7b1b1dba7b75
GIT binary patch
literal 1300
zcmY!laB<T$)HC5y-MWp7%TU2UAwMaL%f^OFK|w#HvLIDK-#M`)F(*GABoL68o?5J6
z1XL8nWoO5gnwJ7n%mora*9BGz(&L?(Qmhbd4AK(|;ydS;=9MTIBI^f9V$%<?vM3d(
z9%3g@yKibrW};Jmg+jCeP?xc#rGklp0o35U5}?vz1rv~6AiY7U#rdU0$v`KA{R0$<
z@K4H0O)i1)fg+x{3Z_u?3JO3!fe9qPfeeGVP2VRqFTEr~!N?RSU0hO>nwZN4vLECQ
zpc}w+axNFhM3;O}*g)05LJ4FI!k19POwEiyE`@|N)O8?%;L@ZLaOivH0>d065}ug?
zv>a$5h~tr(nVwMsvKGX1&d<p&3NA=Y2F8|4YFTD-s(VplB}m3CGp8iANI~Dr$<y7)
zB{exe1#Fg6W=U~CYLRn(Zb5z?D0soq0d+3}5Ew8p0!d*82F89Mo&XX80gxbwWCStP
z85o%V|NYPO@83VLAW%ZR>-kPaK{IiKyK|;a{#+8`ZomKk8lWT-M27(u9W5q*@8s#|
z-wZB3W!4#d_e!mkYZ~{PDf8C!)q}M%L$q38(b^nmury$Tf#<tPlC~xcM-xr9yzKiI
z9hdW^@yz~uT_L^Yn&Dt0SRh8EVj3ZGzGY(V+xqxbS)y;k^OKH?@qBeZ|MTbDf5uLm
z7WhQHo+V@XJL&2f-?%saPn8{gJEjW0b@{dKa!Pw+XXsCZ`fFw7?ymiEr!GeXGE@XJ
zH13K7+s6vAZ#AZUd`+(<=bd5wcq94a?1Q^^vOkMl$=LbEp)!2BN91)O-?=95cFbY7
zKf7io_suWqtnRUAQulM)J*cuXC|o2jzxo*Om*;nMv$j2UIQFFDf8DF8)`x5q|LWE|
zw^{!<`Y(Hjw&YeN)6UA{wX-uTY8E~1xnlI}@S1l)Q+$>F>l-T-NF*P=oV_|bw&R;W
zL!I!{_u7A%W^ZK{{q_<PM{H~l7#M&~XJTey1x2qGFg{TtpMgOHD9qZiHj8)0gsDOd
zfB%T(@hjV1{=WuGVy`GlP2)09Fyk_S0|hfvQ)4rQGzGYrAuw}+fI=QZ%*+Bq%+MH^
z`_a@HSzxL&HbYX!RZ^6gnUh)sEy{v3t5Sik0cMGy{Cr?~2j)d^5msE1SX2UbtRWC^
Lsj9mAyKw;k<sXgO

literal 0
HcmV?d00001

diff --git a/test/test_manifest.json b/test/test_manifest.json
index f864c2be9..7ab71471b 100644
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@@ -2809,6 +2809,13 @@
     "rounds": 1,
     "type": "eq"
   },
+  {
+    "id": "issue20439",
+    "file": "pdfs/issue20439.pdf",
+    "md5": "3c7e888b26ff00943ec1610d93235efc",
+    "rounds": 1,
+    "type": "eq"
+  },
   {
     "id": "issue15942",
     "file": "pdfs/issue15942.pdf",