Guard against num_components being a ridiculous value due to a corrupt header

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.2.x@831 632fc199-4ca6-4c93-a231-07263d6284db

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 8a8a29b5025266e20ba00ae96a55360fb35772f9..3775d5439b4eda4678513a3493384ad96299cf97 100644 (file)
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -15,6 +15,10 @@ correct behavior of the colorspace extensions when merged upsampling is used.
 upper 64 bits of xmm6 and xmm7 on Win64 platforms, which violated the Win64
 calling conventions.
 
+[4] Fixed a regression caused by 1.2.0[6] whereby decompressing corrupt JPEG
+images (specifically, images in which the component count was erroneously set
+to a large value) would cause libjpeg-turbo to segfault.
+
 
 1.2.0
 =====

diff --git a/jdmarker.c b/jdmarker.c
index d8dcba98fa06a6f25f8d0cfcd37900090457066a..6fc0f7dcab2e9e293c7ffd008cf06bba77b6367f 100644 (file)
--- a/jdmarker.c
+++ b/jdmarker.c
@@ -323,14 +323,15 @@ get_sos (j_decompress_ptr cinfo)
 
   /* Collect the component-spec parameters */
 
-  for (i = 0; i < cinfo->num_components; i++)
+  for (i = 0; i < MAX_COMPS_IN_SCAN; i++)
     cinfo->cur_comp_info[i] = NULL;
 
   for (i = 0; i < n; i++) {
     INPUT_BYTE(cinfo, cc, return FALSE);
     INPUT_BYTE(cinfo, c, return FALSE);
     
-    for (ci = 0, compptr = cinfo->comp_info; ci < cinfo->num_components;
+    for (ci = 0, compptr = cinfo->comp_info;
+        ci < cinfo->num_components && ci < MAX_COMPS_IN_SCAN;
         ci++, compptr++) {
       if (cc == compptr->component_id && !cinfo->cur_comp_info[ci])
        goto id_found;