Fix int overflow when decompr. corrupt prog. JPEG

No discernible performance regression

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9447
Credit to OSS Fuzz
Closes #259

diff --git a/ChangeLog.md b/ChangeLog.md
index 41da0602114ca92c4db9611178e542521d8957e3..bf65be9250c15fceb6d4629e651a5fa424247a7c 100644 (file)
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -52,6 +52,12 @@ a specially-crafted malformed color-index (8-bit-per-sample) BMP file in which
 some of the samples (color indices) exceeded the bounds of the BMP file's color
 table.
 
+9. Fixed a signed integer overflow in the progressive Huffman decoder, detected
+by the Clang and GCC undefined behavior sanitizers, that could be triggered by
+attempting to decompress a specially-crafted malformed JPEG image.  This issue
+did not pose a security threat, but removing the warning made it easier to
+detect actual security issues, should they arise in the future.
+
 
 1.5.90 (2.0 beta1)
 ==================

diff --git a/jdphuff.c b/jdphuff.c
index 4df79ee1e6aea4807ce4645275b9c4941c44f19f..2d231776333d80dd289263f732e628cc835efaa0 100644 (file)
--- a/jdphuff.c
+++ b/jdphuff.c
@@ -21,6 +21,7 @@
 #include "jinclude.h"
 #include "jpeglib.h"
 #include "jdhuff.h"             /* Declarations shared with jdhuff.c */
+#include <limits.h>
 
 
 #ifdef D_PROGRESSIVE_SUPPORTED
@@ -340,6 +341,10 @@ decode_mcu_DC_first(j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       }
 
       /* Convert DC difference to actual value, update last_dc_val */
+      if ((state.last_dc_val[ci] >= 0 &&
+           s > INT_MAX - state.last_dc_val[ci]) ||
+          (state.last_dc_val[ci] < 0 && s < INT_MIN - state.last_dc_val[ci]))
+        ERREXIT(cinfo, JERR_BAD_DCT_COEF);
       s += state.last_dc_val[ci];
       state.last_dc_val[ci] = s;
       /* Scale and output the coefficient (assumes jpeg_natural_order[0]=0) */