From caf7c8978025eb0cc307bfeffdad46a16d47dad9 Mon Sep 17 00:00:00 2001 From: DRC Date: Wed, 25 Nov 2020 14:55:55 -0600 Subject: [PATCH] Fix buffer overrun with certain narrow prog JPEGs Regression introduced by 6d91e950c871103a11bac2f10c63bf998796c719 last_block_column in decompress_smooth_data() can be 0 if, for instance, decompressing a 4:4:4 image of width 8 or less or a 4:2:2 or 4:2:0 image of width 16 or less. Since last_block_column is an unsigned int, subtracting 1 from it produced 0xFFFFFFFF, the test in line 590 passed, and we attempted to access blocks from a second block column that didn't actually exist. Closes #476 (cherry picked from commit ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469) --- ChangeLog.md | 10 ++++++++++ jdcoefct.c | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 6eb06f0e..9084bee0 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,13 @@ +2.1 post-beta +============= + +### Significant changes relative to 2.1 beta1 + +1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to +decompress certain progressive JPEG images with one or more component planes of +width 8 or less caused a buffer overrun. + + 2.0.90 (2.1 beta1) ================== diff --git a/jdcoefct.c b/jdcoefct.c index 699a4809..a3c6d4e8 100644 --- a/jdcoefct.c +++ b/jdcoefct.c @@ -587,7 +587,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf) DC19 = (int)next_block_row[1][0]; DC24 = (int)next_next_block_row[1][0]; } - if (block_num < last_block_column - 1) { + if (block_num + 1 < last_block_column) { DC05 = (int)prev_prev_block_row[2][0]; DC10 = (int)prev_block_row[2][0]; DC15 = (int)buffer_ptr[2][0]; -- 2.41.0
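Review bot: the ChangeLog.md entry narrows the trigger to "component planes of width 8 or less" without the image-level form the commit message gives (a 4:4:4 image of width 8 or less, or a 4:2:2 / 4:2:0 image of width 16 or less), and it does not say that the affected code is the smoothing path in decompress_smooth_data(), which is what a user needs to judge exposure. Consider wording it as "attempting to decompress certain progressive JPEG images with one or more component planes of width 8 or less (for instance a 4:2:0 image of width 16 or less) through the block-smoothing path caused a buffer overrun" and, since the commit message closes #476, reference the issue in the entry as well.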
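Review bot: `if (block_num + 1 < last_block_column)` in jdcoefct.c removes the wrap that `last_block_column - 1` produced for a zero last column, but the diffstat shows only ChangeLog.md and jdcoefct.c changed, so the case that crashed has no regression test; a progressive image of width 8 or less (and a 4:2:0 one of width 16 or less) decoded through decompress_smooth_data() should be added to the test suite. The neighbouring guard for the [1]-column accesses (DC19 = next_block_row[1][0], DC24 = next_next_block_row[1][0]) is outside the hunk, as are any other comparisons in this function written as `... < unsigned_count - 1`; each of those should be checked for the same unsigned subtraction and rewritten in the `x + 1 < count` form if present.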
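The unsigned wraparound the commit message describes, as an added example that is not libjpeg-turbo's code: the pre-patch and post-patch guard from decompress_smooth_data() evaluated side by side, with the block-row arrays replaced by an explicit bounds predicate so the over-read shows up as a counted result rather than a crash. `JDIMENSION` being `unsigned int` and `block_num` sharing that type are assumptions made to match the commit message; the row width of 64 blocks is an arbitrary sweep limit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption: libjpeg's JDIMENSION is an unsigned int, as the commit
 * message says of last_block_column. block_num is assumed to share it. */
typedef unsigned int JDIMENSION;

/* Pre-patch predicate from jdcoefct.c: when last_block_column == 0 the
 * subtraction wraps to 0xFFFFFFFF and every block_num passes. */
static bool guard_before(JDIMENSION block_num, JDIMENSION last_block_column)
{
    return block_num < last_block_column - 1;
}

/* Post-patch predicate: same intent, no subtraction from an unsigned. */
static bool guard_after(JDIMENSION block_num, JDIMENSION last_block_column)
{
    return block_num + 1 < last_block_column;
}

/* The guard protects reads two columns to the right (buffer_ptr[2] etc.).
 * A row holds columns 0..last_block_column, so that column exists only if
 * block_num + 2 <= last_block_column. */
static bool column_in_row(JDIMENSION block_num, JDIMENSION last_block_column)
{
    return block_num + 2 <= last_block_column;
}

/* Sweep every (block_num, last_block_column) pair for rows of up to
 * max_cols blocks and count how often the guard admits an access that
 * column_in_row() says is out of bounds. */
static unsigned count_overreads(bool (*guard)(JDIMENSION, JDIMENSION),
                                JDIMENSION max_cols)
{
    unsigned bad = 0;
    for (JDIMENSION last = 0; last < max_cols; last++)
        for (JDIMENSION bn = 0; bn <= last; bn++)
            if (guard(bn, last) && !column_in_row(bn, last))
                bad++;
    return bad;
}

int main(void)
{
    /* Only the single-column row (last_block_column == 0) is mishandled,
     * which is exactly the width-8 4:4:4 / width-16 4:2:0 case in #476. */
    printf("pre-patch guard admits %u out-of-bounds access(es)\n",
           count_overreads(guard_before, 64));
    printf("post-patch guard admits %u\n",
           count_overreads(guard_after, 64));
    return 0;
}
```

For every row of two or more blocks the two predicates agree, which is why the bug only surfaced on images whose component planes fit in one block column; the sweep makes that visible without needing a crafted JPEG.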