From: DRC
Date: Sat, 16 Dec 2017 02:37:02 +0000 (-0600)
Subject: jdarith.c: Fix two signed integer overflows
X-Git-Tag: 1.5.90~46^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0e2bca0744feaf74509818f950120dceff8e28d0;p=libjpeg-turbo

jdarith.c: Fix two signed integer overflows

I guess I have to fix these, or Google Autofuzz is going to keep bugging me about them.

Fixes #171 Fixes #197 Fixes #198
---
diff --git a/ChangeLog.md b/ChangeLog.md
index f5fe44b..e44ddc8 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,13 @@
+1.5.4
+=====
+
+1. Fixed two signed integer overflows in the arithmetic decoder, detected by
+the Clang undefined behavior sanitizer, that could be triggered by attempting
+to decompress a specially-crafted malformed JPEG image. These issues did not
+pose a security threat, but removing the warnings makes it easier to detect
+actual security issues, should they arise in the future.
+
+
 1.5.3
 =====
 
diff --git a/jdarith.c b/jdarith.c
index ce0f920..0f560f6 100644
--- a/jdarith.c
+++ b/jdarith.c
@@ -4,7 +4,7 @@
  * This file was part of the Independent JPEG Group's software:
  * Developed 1997-2015 by Guido Vollbeding.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2015-2016, D. R. Commander.
+ * Copyright (C) 2015-2017, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -306,7 +306,7 @@ decode_mcu_DC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       while (m >>= 1)
         if (arith_decode(cinfo, st)) v |= m;
       v += 1; if (sign) v = -v;
-      entropy->last_dc_val[ci] += v;
+      entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
     }
 
     /* Scale and output the DC coefficient (assumes jpeg_natural_order[0]=0) */
@@ -564,7 +564,7 @@ decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
       while (m >>= 1)
         if (arith_decode(cinfo, st)) v |= m;
       v += 1; if (sign) v = -v;
-      entropy->last_dc_val[ci] += v;
+      entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff;
     }
 
     if (block)
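Review bot: The new `& 0xffff` in the `last_dc_val[ci]` assignment of the decode_mcu_DC_first hunk (and the identical line in the decode_mcu hunk at -564) turns a signed DC predictor into a value in 0..65535 without any comment saying why that is acceptable, and the bare mask reads like a magic number. As far as the visible context suggests, the predictor is only consumed by the "Scale and output the DC coefficient" store that follows, which presumably narrows the value to the 16-bit JCOEF after the `<< cinfo->Al` shift, so keeping only the low 16 bits preserves the output while bounding the sum and also keeping the shifted operand non-negative — but a later reader who uses `last_dc_val` as a signed quantity elsewhere would be misled. Suggest a comment above the line such as `/* Keep only the low 16 bits: bounds the predictor so the addition cannot overflow on crafted input; the value is truncated to JCOEF on output anyway. */`, and noting that the bound on `v` comes from the magnitude loop earlier in the function. Both enclosing functions start and end outside their hunks.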