wrbmp.c: Don't allow quantization w/ non-RGB CS

If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will set cinfo->output_components to 1, and if cinfo->out_color_space is not RGB (or extended RGB), hilarity will ensue. Fixes #305
2019-01-01 20:32:40 -06:00
parent beefb62a6f
commit f8cca819a4
2 changed files with 7 additions and 2 deletions
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -14,6 +14,10 @@ libjpeg-turbo shared libraries.
 occurred when attempting to load a BMP file with more than 1 billion pixels
 using the `tjLoadImage()` function.

+3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
+decompress a specially-crafted malformed JPEG image to a 256-color BMP using
+djpeg.
+

 2.0.1
 =====
--- a/wrbmp.c
+++ b/wrbmp.c
@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
      dest->pub.put_pixel_rows = put_gray_rows;
    else
      dest->pub.put_pixel_rows = put_pixel_rows;
-  } else if (cinfo->out_color_space == JCS_RGB565 ||
-             cinfo->out_color_space == JCS_CMYK) {
+  } else if (!cinfo->quantize_colors &&
+             (cinfo->out_color_space == JCS_RGB565 ||
+              cinfo->out_color_space == JCS_CMYK)) {
    dest->pub.put_pixel_rows = put_pixel_rows;
  } else {
    ERREXIT(cinfo, JERR_BMP_COLORSPACE);