wrbmp.c: Don't allow quantization w/ non-RGB CS
authorDRC <information@libjpeg-turbo.org>
Wed, 2 Jan 2019 02:32:40 +0000 (20:32 -0600)
committerDRC <information@libjpeg-turbo.org>
Wed, 2 Jan 2019 02:48:14 +0000 (20:48 -0600)
If cinfo->quantize_colors == 1, then jpeg_calc_output_dimensions() will
set cinfo->output_components to 1, and if cinfo->out_color_space is not
RGB (or extended RGB), hilarity will ensue.

Fixes #305

ChangeLog.md
wrbmp.c

index bd5e0d373bba3fecb45c6a29fb35806adb32ab13..07b880828ac77f55590eb32952a19ea2afe913c2 100644 (file)
@@ -14,6 +14,10 @@ libjpeg-turbo shared libraries.
 occurred when attempting to load a BMP file with more than 1 billion pixels
 using the `tjLoadImage()` function.
 
+3. Fixed a buffer overrun (CVE-2018-19664) that occurred when attempting to
+decompress a specially-crafted malformed JPEG image to a 256-color BMP using
+djpeg.
+
 
 2.0.1
 =====
diff --git a/wrbmp.c b/wrbmp.c
index 4bf81426b0ef685049d7228543eb9ce8aa326caa..239f64eb3c3f6964801d6830b9796fd54f46cae2 100644 (file)
--- a/wrbmp.c
+++ b/wrbmp.c
@@ -502,8 +502,9 @@ jinit_write_bmp(j_decompress_ptr cinfo, boolean is_os2,
       dest->pub.put_pixel_rows = put_gray_rows;
     else
       dest->pub.put_pixel_rows = put_pixel_rows;
-  } else if (cinfo->out_color_space == JCS_RGB565 ||
-             cinfo->out_color_space == JCS_CMYK) {
+  } else if (!cinfo->quantize_colors &&
+             (cinfo->out_color_space == JCS_RGB565 ||
+              cinfo->out_color_space == JCS_CMYK)) {
     dest->pub.put_pixel_rows = put_pixel_rows;
   } else {
     ERREXIT(cinfo, JERR_BMP_COLORSPACE);
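Review bot: The new `!cinfo->quantize_colors` guard on the RGB565/CMYK branch carries no comment, so a reader of jinit_write_bmp cannot tell from the code why quantization is accepted by the preceding branch but rejected here, and the ERREXIT that now catches the case reports JERR_BMP_COLORSPACE, which reads as a plain colorspace error rather than an unsupported quantize/colorspace combination. I would put the reason given in the commit message above the condition: `/* Color quantization makes jpeg_calc_output_dimensions() set output_components to 1, which put_pixel_rows cannot handle for RGB565 or CMYK; reject the combination. */`. Whether the earlier branches, whose head is outside the hunk, cover every remaining out_color_space value so that nothing else can reach a put_pixel_rows assignment with output_components == 1 cannot be confirmed from the visible lines and is worth checking as part of the CVE-2018-19664 fix named in the ChangeLog hunk. jinit_write_bmp begins before this hunk.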