ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prevent overread when decoding malformed JPEG

Browse Source 
The accelerated Huffman decoder was previously invoked if there were
> 128 bytes in the input buffer.  However, it is possible to construct a
JPEG image with Huffman blocks > 430 bytes in length
(http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size).
While such images are pathological and could never be created by a
JPEG compressor, it is conceivable that an attacker could use such an
artifially-constructed image to trigger an input buffer overrun in the
libjpeg-turbo decompressor and thus gain access to some of the data on
the calling program's heap.

This patch simply increases the minimum buffer size for the accelerated
Huffman decoder to 512 bytes, which should (hopefully) accommodate any
possible input.

This addresses a major issue (LJT-01-005) identified in a security audit
by Cure53.
This commit is contained in:
DRC
2016-02-04 18:34:38 -06:00
parent 939e466082
commit 0463f7c9aa
2 changed files with 11 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog.txt
View File

@@ -39,6 +39,15 @@ set to JMSG_COPYRIGHT.
[10] Fixed a bug in the build system that was causing the Windows version of
wrjpgcom to be built using the rdjpgcom code.
[11] Fixed an issue in the accelerated Huffman decoder that could have caused
the decoder to read past the end of the input buffer when a malformed,
specially-crafted JPEG image was being decompressed. In prior versions of
libjpeg-turbo, the accelerated Huffman decoder was invoked (in most cases) only
if there were > 128 bytes of data in the input buffer. However, it is possible
to construct a JPEG image in which a single Huffman block is over 430 bytes
long, so this version of libjpeg-turbo activates the accelerated Huffman
decoder only if there are > 512 bytes of data in the input buffer.
1.2.1
=====

4
jdhuff.c
View File

@@ -4,7 +4,7 @@
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1991-1997, Thomas G. Lane.
* Modifications:
* Copyright (C) 2009-2011, D. R. Commander.
* Copyright (C) 2009-2011, 2016, D. R. Commander.
* For conditions of distribution and use, see the accompanying README file.
*
* This file contains Huffman entropy decoding routines.
@@ -743,7 +743,7 @@ decode_mcu_fast (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
* this module, since we'll just re-assign them on the next call.)
*/
#define BUFSIZE (DCTSIZE2 * 2)
#define BUFSIZE (DCTSIZE2 * 8)
METHODDEF(boolean)
decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)