ryan/mozjpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix Huffman local buffer overrun discovered by Debian developers when attempting to transform a junk image using ImageMagick:

Browse Source 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768369


git-svn-id: svn://svn.code.sf.net/p/libjpeg-turbo/code/trunk@1425 632fc199-4ca6-4c93-a231-07263d6284db
This commit is contained in:
DRC
2014-11-22 22:07:05 +00:00
parent 0e9c14e1bb
commit f03d5df238
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ChangeLog.txt
View File

@@ -35,6 +35,18 @@ before it treated the image as a grayscale JPEG.
[8] cjpeg, djpeg, and jpegtran now accept an argument of -version, which will
print the library version and exit.
[9] Referring to 1.4 beta1 [15], another extremely rare circumstance was
discovered under which the Huffman encoder's local buffer can be overrun
when a buffered destination manager is being used and an
extremely-high-frequency block (basically junk image data) is being encoded.
Even though the Huffman local buffer was increased from 128 bytes to 136 bytes
to address the previous issue, the new issue caused even the larger buffer to
be overrun. Further analysis reveals that, in the absolute worst case (such as
setting alternating AC coefficients to 32767 and -32768 in the JPEG scanning
order), the Huffman encoder can produce encoded blocks that approach double the
size of the unencoded blocks. Thus, the Huffman local buffer was increased to
256 bytes, which should prevent any such issue from re-occurring in the future.
1.3.90 (1.4 beta1)
==================

11
jchuff.c
View File

@@ -408,7 +408,16 @@ dump_buffer (working_state * state)
#endif
#define BUFSIZE (DCTSIZE2 * 2) + 8
/* Although it is exceedingly rare, it is possible for a Huffman-encoded
* coefficient block to be larger than the 128-byte unencoded block. For each
* of the 64 coefficients, PUT_BITS is invoked twice, and each invocation can
* theoretically store 16 bits (for a maximum of 2048 bits or 256 bytes per
* encoded block.) If, for instance, one artificially sets the AC
* coefficients to alternating values of 32767 and -32768 (using the JPEG
* scanning order-- 1, 8, 16, etc.), then this will produce an encoded block
* larger than 200 bytes.
*/
#define BUFSIZE (DCTSIZE2 * 4)
#define LOAD_BUFFER() { \
if (state->free_in_buffer < BUFSIZE) { \