did not pose a security threat, but removing the warning made it easier to
detect actual security issues, should they arise in the future.
+10. Fixed out-of-bounds read in cjpeg that occurred when attempting to compress
+a specially-crafted malformed color-index (8-bit-per-sample) Targa file in
+which some of the samples (color indices) exceeded the bounds of the Targa
+file's color table.
+
1.5.3
=====
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1991-1996, Thomas G. Lane.
- * It was modified by The libjpeg-turbo Project to include only code relevant
- * to libjpeg-turbo.
+ * Modified 2017 by Guido Vollbeding.
+ * libjpeg-turbo Modifications:
+ * Copyright (C) 2018, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
U_CHAR tga_pixel[4];
int pixel_size; /* Bytes per Targa pixel (1 to 4) */
+ int cmap_length; /* colormap length */
/* State info for reading RLE-coded pixels; both counts must be init to 0 */
int block_count; /* # of pixels remaining in RLE block */
register JSAMPROW ptr;
register JDIMENSION col;
register JSAMPARRAY colormap = source->colormap;
+ int cmaplen = source->cmap_length;
ptr = source->pub.buffer[0];
for (col = cinfo->image_width; col > 0; col--) {
(*source->read_pixel) (source); /* Load next pixel into tga_pixel */
t = UCH(source->tga_pixel[0]);
+ if (t >= cmaplen)
+ ERREXIT(cinfo, JERR_TGA_BADPARMS);
*ptr++ = colormap[0][t];
*ptr++ = colormap[1][t];
*ptr++ = colormap[2][t];
/* Allocate space to store the colormap */
source->colormap = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE, (JDIMENSION) maplen, (JDIMENSION) 3);
+ source->cmap_length = (int)maplen;
/* and read it from the file */
read_colormap(source, (int) maplen, UCH(targaheader[7]));
} else {
if (cmaptype) /* but you promised a cmap! */
ERREXIT(cinfo, JERR_TGA_BADPARMS);
source->colormap = NULL;
+ source->cmap_length = 0;
}
cinfo->input_components = components;
projects / libjpeg-turbo / commitdiff