From: DRC Date: Sun, 24 Jun 2018 22:31:15 +0000 (-0500) Subject: Fix infinite loop in partial image decompression X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6e95c08649794f5018608f37250026a45ead2db8;p=libjpeg-turbo Fix infinite loop in partial image decompression ... caused by using certain specific combinations of jpeg_skip_scanlines() and jpeg_read_scanlines() calls with progressive, vertically-subsampled JPEG images. Fixes #237 --- diff --git a/ChangeLog.md b/ChangeLog.md index 3aa41d1..f762efb 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -38,6 +38,11 @@ the underlying library, and because it did not involve any out-of-bounds reads or other exploitable behaviors, it was not believed to represent a security threat. +6. Fixed an issue whereby certain combinations of calls to +`jpeg_skip_scanlines()` and `jpeg_read_scanlines()` could trigger an infinite +loop when decompressing progressive JPEG images that use vertical chroma +subsampling (for instance, 4:2:0 or 4:4:0.) + 1.5.3 ===== diff --git a/jdapistd.c b/jdapistd.c index 105121d..eb6808b 100644 --- a/jdapistd.c +++ b/jdapistd.c @@ -4,7 +4,7 @@ * This file was part of the Independent JPEG Group's software: * Copyright (C) 1994-1996, Thomas G. Lane. * libjpeg-turbo Modifications: - * Copyright (C) 2010, 2015-2017, D. R. Commander. + * Copyright (C) 2010, 2015-2018, D. R. Commander. * Copyright (C) 2015, Google, Inc. * For conditions of distribution and use, see the accompanying README.ijg * file. @@ -481,7 +481,7 @@ jpeg_skip_scanlines (j_decompress_ptr cinfo, JDIMENSION num_lines) if (cinfo->upsample->need_context_rows) { cinfo->output_scanline += lines_to_skip; cinfo->output_iMCU_row += lines_to_skip / lines_per_iMCU_row; - main_ptr->iMCU_row_ctr += lines_after_iMCU_row / lines_per_iMCU_row; + main_ptr->iMCU_row_ctr += lines_to_skip / lines_per_iMCU_row; /* It is complex to properly move to the middle of a context block, so * read the remaining lines instead of skipping them. */
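Review bot: In the ChangeLog.md hunk, entry 6 should say whether the hang is reachable from untrusted input, since an infinite loop triggered by a crafted progressive JPEG is a denial-of-service condition for any consumer that decodes attacker-supplied images with `jpeg_skip_scanlines()`; the neighbouring entry 5 explicitly states its security assessment, and this one should do the same for consistency. Minor: "4:2:0 or 4:4:0.)" puts the period inside the parentheses; it should read "(for instance, 4:2:0 or 4:4:0)."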
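Review bot: In the jdapistd.c hunk at `jpeg_skip_scanlines`, the fix makes `main_ptr->iMCU_row_ctr` advance by `lines_to_skip / lines_per_iMCU_row`, the same quantity by which `cinfo->output_iMCU_row` is advanced on the line above, so the two counters can no longer drift apart in the `need_context_rows` path; that drift is what the commit message attributes the infinite loop to. Two things are missing from the change: a regression test that reproduces the skip/read combination from #237 on a progressive, vertically-subsampled image, so the loop cannot silently return, and a short comment explaining why both counters must move in lockstep. Note also that the integer division discards any partial iMCU row, so correctness here relies on the "read the remaining lines instead of skipping them" branch referenced in the trailing comment actually consuming those lines; that path is outside the hunk and should be checked against the same inputs.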