ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Guard against num_components being a ridiculous value due to a corrupt header

Browse Source 
git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.2.x@831 632fc199-4ca6-4c93-a231-07263d6284db
This commit is contained in:
DRC
2012-05-30 20:36:42 +00:00
parent 4f24016bde
commit dd2b651243
2 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog.txt
View File

@@ -15,6 +15,10 @@ correct behavior of the colorspace extensions when merged upsampling is used.
upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64 upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64
calling conventions. calling conventions.
[4] Fixed a regression caused by 1.2.0[6] whereby decompressing corrupt JPEG
images (specifically, images in which the component count was erroneously set
to a large value) would cause libjpeg-turbo to segfault.
1.2.0 1.2.0
===== =====

5
jdmarker.c
View File

@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo)
/* Collect the component-spec parameters */ /* Collect the component-spec parameters */
for (i = 0; i < cinfo->num_components; i++) for (i = 0; i < MAX_COMPS_IN_SCAN; i++)
cinfo->cur_comp_info[i] = NULL; cinfo->cur_comp_info[i] = NULL;
for (i = 0; i < n; i++) { for (i = 0; i < n; i++) {
INPUT_BYTE(cinfo, cc, return FALSE); INPUT_BYTE(cinfo, cc, return FALSE);
INPUT_BYTE(cinfo, c, return FALSE); INPUT_BYTE(cinfo, c, return FALSE);
for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components; for (ci = 0, compptr = cinfo->comp_info;
ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN;
ci++, compptr++) { ci++, compptr++) {
if (cc == compptr->component_id && !cinfo->cur_comp_info[ci]) if (cc == compptr->component_id && !cinfo->cur_comp_info[ci])
goto id_found; goto id_found;