Index: mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
===================================================================
--- mupdf-1.10a-source.orig/thirdparty/jbig2dec/jbig2_image.c
+++ mupdf-1.10a-source/thirdparty/jbig2dec/jbig2_image.c
@@ -263,7 +263,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2
     /* general OR case */
     s = ss;
     d = dd = dst->data + y * dst->stride + leftbyte;
-    if (d < dst->data || leftbyte > dst->stride || h * dst->stride < 0 || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) {
+    if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride ||
+        s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) {
         return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose");
     }
     if (leftbyte == rightbyte) {