40 lines
1.6 KiB
Diff
40 lines
1.6 KiB
Diff
From 399719595f413158b3510128eb85f944654f960c Mon Sep 17 00:00:00 2001
|
|
From: DRC <information@libjpeg-turbo.org>
|
|
Date: Tue, 12 Jun 2018 20:27:00 -0500
|
|
Subject: [PATCH] tjLoadImage(): Fix FPE triggered by malformed BMP
|
|
|
|
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
|
|
when allocating the row buffer, because since BMP files have 32-bit
|
|
width and height fields, the value of biWidth can be up to 4294967295.
|
|
Specifically, if biWidth is 1073741824 and cinfo->input_components = 4,
|
|
then the samplesperrow argument in alloc_sarray() would wrap around to
|
|
0, and a division by zero error would occur at line 458 in jmemmgr.c.
|
|
|
|
If biWidth is set to a higher value, then samplesperrow would wrap
|
|
around to a small number, which would likely cause a buffer overflow
|
|
(this has not been tested or verified.)
|
|
---
|
|
rdbmp.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/rdbmp.c b/rdbmp.c
|
|
index eaa7086..4104b68 100644
|
|
--- a/rdbmp.c
|
|
+++ b/rdbmp.c
|
|
@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
|
progress->total_extra_passes++; /* count file input as separate pass */
|
|
}
|
|
|
|
+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
|
|
+ value of the JDIMENSION type. This is only a danger with BMP files, since
|
|
+ their width and height fields are 32-bit integers. */
|
|
+ if ((unsigned long long)biWidth *
|
|
+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
|
|
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
|
|
/* Allocate one-row buffer for returned data */
|
|
source->pub.buffer = (*cinfo->mem->alloc_sarray)
|
|
((j_common_ptr) cinfo, JPOOL_IMAGE,
|
|
--
|
|
2.17.1
|
|
|