ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Guard against num_components being a ridiculous value due to a corrupt header

Browse Source
This commit is contained in:
DRC
2012-05-30 20:34:42 +00:00
parent ca423d39a3
commit 8aab7a1dad
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog.txt
View File

@@ -30,6 +30,10 @@ so this was an attempt to make them happy.
upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64
calling conventions.
[7] Fixed a regression caused by 1.2.0[6] in which decompressing corrupt JPEG
images (specifically, images in which the component count was erroneously set
to a large value) would cause libjpeg-turbo to segfault.
1.2.0
=====

5
jdmarker.c
View File

@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo)
/* Collect the component-spec parameters */
for (i = 0; i < cinfo->num_components; i++)
for (i = 0; i < MAX_COMPS_IN_SCAN; i++)
cinfo->cur_comp_info[i] = NULL;
for (i = 0; i < n; i++) {
INPUT_BYTE(cinfo, cc, return FALSE);
INPUT_BYTE(cinfo, c, return FALSE);
for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
for (ci = 0, compptr = cinfo->comp_info;
ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN;
ci++, compptr++) {
if (cc == compptr->component_id && !cinfo->cur_comp_info[ci])
goto id_found;