From: Even Rouault Date: Fri, 20 Jul 2018 16:04:15 +0000 (+0200) Subject: Fix int overflow when decompr. corrupt prog. JPEG X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8c1264f9f8ceaaea9004687f51f235ac765f187c;p=libjpeg-turbo Fix int overflow when decompr. corrupt prog. JPEG No discernible performance regression Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9447 Credit to OSS Fuzz Closes #259 --- diff --git a/ChangeLog.md b/ChangeLog.md index 9300f3a..27043fc 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -52,6 +52,12 @@ a specially-crafted malformed color-index (8-bit-per-sample) BMP file in which some of the samples (color indices) exceeded the bounds of the BMP file's color table. +9. Fixed a signed integer overflow in the progressive Huffman decoder, detected +by the Clang and GCC undefined behavior sanitizers, that could be triggered by +attempting to decompress a specially-crafted malformed JPEG image. This issue +did not pose a security threat, but removing the warning made it easier to +detect actual security issues, should they arise in the future. + 1.5.3 ===== diff --git a/jdphuff.c b/jdphuff.c index c927ffa..06f0689 100644 --- a/jdphuff.c +++ b/jdphuff.c @@ -21,6 +21,7 @@ #include "jinclude.h" #include "jpeglib.h" #include "jdhuff.h" /* Declarations shared with jdhuff.c */ +#include #ifdef D_PROGRESSIVE_SUPPORTED @@ -336,6 +337,10 @@ decode_mcu_DC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data) } /* Convert DC difference to actual value, update last_dc_val */ + if ((state.last_dc_val[ci] >= 0 && + s > INT_MAX - state.last_dc_val[ci]) || + (state.last_dc_val[ci] < 0 && s < INT_MIN - state.last_dc_val[ci])) + ERREXIT(cinfo, JERR_BAD_DCT_COEF); s += state.last_dc_val[ci]; state.last_dc_val[ci] = s; /* Scale and output the coefficient (assumes jpeg_natural_order[0]=0) */
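Review bot: The ChangeLog entry for item 9 should say what the fix changes for users, not only what it removes: per the jdphuff.c hunk the decoder now aborts with ERREXIT(cinfo, JERR_BAD_DCT_COEF) instead of continuing with a wrapped DC value, so a malformed progressive JPEG that previously decoded (to garbage) now fails with an error. One sentence to that effect, e.g. "Such images now fail to decode with a JERR_BAD_DCT_COEF error", would save downstream users a surprise when comparing behaviour across versions.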
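Review bot: The new include line in the jdphuff.c @@ -21,6 +21,7 @@ hunk appears here with no header name after "#include" (the angle-bracket header has evidently been stripped in this rendering). The INT_MAX and INT_MIN macros used in the later hunk come from <limits.h>, so please confirm that is the header being added, and keep the same trailing comment style as the neighbouring includes (e.g. "/* for INT_MAX / INT_MIN */") so the reason for the new dependency is visible.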
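Review bot: The overflow guard in decode_mcu_DC_first is correct as written: with last_dc_val[ci] >= 0 the addition overflows exactly when s > INT_MAX - last_dc_val[ci], and with last_dc_val[ci] < 0 it underflows exactly when s < INT_MIN - last_dc_val[ci], and both subtractions are themselves overflow-free. Two small asks: add a one-line comment above the check explaining that last_dc_val accumulates across blocks and can be driven to the int limits by a corrupt stream (otherwise the condition reads as paranoia around a single 16-bit Huffman value), and note in the commit message whether the sequential decoder in jdhuff.c, which this file shares declarations with, has an equivalent "s += state.last_dc_val[ci]" that needs the same guard, so the fix is not left half-applied.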