From f8cca819a4fb42aafa5f70df43c45e8c416d716f Mon Sep 17 00:00:00 2001
From: DRC
Date: Tue, 1 Jan 2019 20:32:40 -0600
Subject: [PATCH] wrbmp.c: Don't allow quantization w/ non-RGB CS

If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will set cinfo->output_components to 1, and if cinfo->out_color_space is not RGB (or extended RGB), hilarity will ensue.

Fixes #305
---
 ChangeLog.md | 4 ++++
 wrbmp.c | 5 +++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index bd5e0d37..07b88082 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -14,6 +14,10 @@ libjpeg-turbo shared libraries.
 occurred when attempting to load a BMP file with more than 1 billion pixels using the `tjLoadImage()` function.
+3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to decompress a specially-crafted malformed JPEG image to a 256-color BMP using djpeg.
+
 2.0.1
 =====
diff --git a/wrbmp.c b/wrbmp.c
index 4bf81426..239f64eb 100644
--- a/wrbmp.c
+++ b/wrbmp.c
@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
 dest->pub.put_pixel_rows = put_gray_rows;
 else
 dest->pub.put_pixel_rows = put_pixel_rows;
- } else if (cinfo->out_color_space == JCS_RGB565 ||
- cinfo->out_color_space == JCS_CMYK) {
+ } else if (!cinfo->quantize_colors &&
+ (cinfo->out_color_space == JCS_RGB565 ||
+ cinfo->out_color_space == JCS_CMYK)) {
 dest->pub.put_pixel_rows = put_pixel_rows;
 } else {
 ERREXIT(cinfo, JERR_BMP_COLORSPACE);
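Review bot: The new `!cinfo->quantize_colors` guard on the RGB565/CMYK branch carries no comment saying why colormapped output is refused there, and because the request then falls through to `ERREXIT(cinfo, JERR_BMP_COLORSPACE)`, a user who asks for quantized output (e.g. djpeg's color-count option) on a CMYK or RGB565 JPEG is told the colorspace is unsupported when the real problem is the option combination. I would add above the `else if`: `/* Quantized (colormapped) output is only valid for grayscale and RGB: with quantize_colors set, output_components is 1, so put_pixel_rows would read past the row buffer (CVE-2018-19664). */`. The guard also relies on jpeg_calc_output_dimensions() having set output_components consistently with the chosen put_pixel_rows; a defensive check in the writer's start_output that output_components matches what the selected row routine consumes would catch the same class of bug if another colorspace is wired in later, but that code is not in this hunk, so treat it as a suggestion to confirm against the file. jinit_write_bmp begins and ends outside this hunk.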