ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Guard against num_components being a ridiculous value due to a corrupt header

Browse Source
This commit is contained in:
DRC
2012-05-30 20:34:42 +00:00
parent ca423d39a3
commit 8aab7a1dad
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog.txt
View File

@@ -30,6 +30,10 @@ so this was an attempt to make them happy.
upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64 upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64
calling conventions. calling conventions.
[7] Fixed a regression caused by 1.2.0[6] in which decompressing corrupt JPEG
images (specifically, images in which the component count was erroneously set
to a large value) would cause libjpeg-turbo to segfault.
1.2.0 1.2.0
===== =====

5
jdmarker.c
View File

@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo)
/* Collect the component-spec parameters */ /* Collect the component-spec parameters */
for (i = 0; i < cinfo->num_components; i++) for (i = 0; i < MAX_COMPS_IN_SCAN; i++)
cinfo->cur_comp_info[i] = NULL; cinfo->cur_comp_info[i] = NULL;
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
INPUT_BYTE(cinfo, cc, return FALSE); INPUT_BYTE(cinfo, cc, return FALSE);
INPUT_BYTE(cinfo, c, return FALSE); INPUT_BYTE(cinfo, c, return FALSE);
for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components; for (ci = 0, compptr = cinfo->comp_info;
ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN;
ci++, compptr++) { ci++, compptr++) {
if (cc == compptr->component_id && !cinfo->cur_comp_info[ci]) if (cc == compptr->component_id && !cinfo->cur_comp_info[ci])
goto id_found; goto id_found;