rdppm.c: Fix buf overrun caused by bad binary PPM

This extends the fix in 1e81b0c3ea to
include binary PPM files with maximum values < 255, thus preventing a
malformed binary PPM input file with those specifications from
triggering an overrun of the rescale array and potentially crashing
cjpeg, TJBench, or any program that uses the tjLoadImage() function.

Fixes #433
This commit is contained in:
DRC
2020-06-02 14:15:37 -05:00
parent a2291b252d
commit 3de15e0c34
2 changed files with 12 additions and 6 deletions

@@ -13,6 +13,12 @@ TurboJPEG Java API that caused an error ("java.lang.IllegalStateException: No
source image is associated with this instance") when attempting to use that source image is associated with this instance") when attempting to use that
method to compress a YUV image. method to compress a YUV image.
3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
TJBench, or the `tjLoadImage()` function if one of the values in a binary
PPM/PGM input file exceeded the maximum value defined in the file's header and
that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
similar fix for binary PPM/PGM files with maximum values greater than 255.
2.0.4 2.0.4
===== =====
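Review bot: The new entry 3 names `tjLoadImage()`, which is a library entry point, but does not say which buffer is overrun or whether the access is a read or a write. The commit message identifies it as the rescale array; carrying that detail into the change log, along with the fact that the trigger is a malformed input file, would let downstream users who load untrusted PPM/PGM files through `tjLoadImage()` judge their exposure from the release notes alone.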
@@ -578,10 +584,10 @@ application was linked against.
3. Fixed a couple of issues in the PPM reader that would cause buffer overruns 3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
in cjpeg if one of the values in a binary PPM/PGM input file exceeded the in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
maximum value defined in the file's header. libjpeg-turbo 1.4.2 already maximum value defined in the file's header and that maximum value was greater
included a similar fix for ASCII PPM/PGM files. Note that these issues were than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
not security bugs, since they were confined to the cjpeg program and did not files. Note that these issues were not security bugs, since they were confined
affect any of the libjpeg-turbo libraries. to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt 4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
header using the `tjDecompressToYUV2()` function would cause the function to header using the `tjDecompressToYUV2()` function would cause the function to
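Review bot: The reworded entry keeps the sentence "these issues were not security bugs, since they were confined to the cjpeg program" while the new entry added in the same commit lists `tjLoadImage()` among the affected callers for the closely related case. Make it explicit that the "not security bugs" statement covers only the greater-than-255 case fixed at that time, and add a forward pointer to the new entry, so a reader of this entry alone does not assume binary PPM/PGM files with maximum values below 255 were covered by the earlier fix.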

@@ -5,7 +5,7 @@
* Copyright (C) 1991-1997, Thomas G. Lane. * Copyright (C) 1991-1997, Thomas G. Lane.
* Modified 2009 by Bill Allombert, Guido Vollbeding. * Modified 2009 by Bill Allombert, Guido Vollbeding.
* libjpeg-turbo Modifications: * libjpeg-turbo Modifications:
* Copyright (C) 2015-2017, D. R. Commander. * Copyright (C) 2015-2017, 2020, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg * For conditions of distribution and use, see the accompanying README.ijg
* file. * file.
* *
@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
/* On 16-bit-int machines we have to be careful of maxval = 65535 */ /* On 16-bit-int machines we have to be careful of maxval = 65535 */
source->rescale = (JSAMPLE *) source->rescale = (JSAMPLE *)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE, (*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
(size_t)(((long)maxval + 1L) * (size_t)(((long)MAX(maxval, 255) + 1L) *
sizeof(JSAMPLE))); sizeof(JSAMPLE)));
half_maxval = maxval / 2; half_maxval = maxval / 2;
for (val = 0; val <= (long)maxval; val++) { for (val = 0; val <= (long)maxval; val++) {
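Review bot: The fill loop `for (val = 0; val <= (long)maxval; val++)` still stops at maxval, so when maxval < 255 the widened allocation of `MAX(maxval, 255) + 1` entries leaves indices maxval + 1 through 255 unwritten in the lines shown. An out-of-range sample byte now stays inside the array, but it looks up whatever the allocator returned, so the result for malformed input depends on uninitialized pool memory unless `alloc_small` zeroes it. Zero the array before the loop, or fill the tail with the maximum sample value, so the behaviour is deterministic. A short comment explaining why 255 is the floor (a one-byte sample can index up to 255 regardless of the header's maximum value) would also keep the `MAX()` from being simplified away later.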