tjLoadImage(): Fix FPE triggered by malformed BMP
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound when allocating the row buffer, because since BMP files have 32-bit width and height fields, the value of biWidth can be up to 4294967295. Specifically, if biWidth is 1073741824 and cinfo->input_components = 4, then the samplesperrow argument in alloc_sarray() would wrap around to 0, and a division by zero error would occur at line 458 in jmemmgr.c. If biWidth is set to a higher value, then samplesperrow would wrap around to a small number, which would likely cause a buffer overflow (this has not been tested or verified.)
This commit is contained in:
DRC
8
rdbmp.c
8
rdbmp.c
@@ -6,7 +6,7 @@
|
||||
* Modified 2009-2010 by Guido Vollbeding.
|
||||
* libjpeg-turbo Modifications:
|
||||
* Modified 2011 by Siarhei Siamashka.
|
||||
* Copyright (C) 2015, 2017, D. R. Commander.
|
||||
* Copyright (C) 2015, 2017-2018, D. R. Commander.
|
||||
* For conditions of distribution and use, see the accompanying README.ijg
|
||||
* file.
|
||||
*
|
||||
@@ -623,6 +623,12 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
||||
}
|
||||
}
|
||||
|
||||
/* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
|
||||
value of the JDIMENSION type. This is only a danger with BMP files, since
|
||||
their width and height fields are 32-bit integers. */
|
||||
if ((unsigned long long)biWidth *
|
||||
(unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
|
||||
ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
||||
/* Allocate one-row buffer for returned data */
|
||||
source->pub.buffer = (*cinfo->mem->alloc_sarray)
|
||||
((j_common_ptr)cinfo, JPOOL_IMAGE,
|
||||
|
||||
Reference in New Issue
Block a user