From: DRC Date: Fri, 5 Oct 2018 21:13:07 +0000 (-0500) Subject: cjpeg: Fix OOB read caused by malformed 8-bit TGA X-Git-Tag: 2.0.1~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d00d7d8c194e587ed10a395e0f307ce9dddf5687;p=libjpeg-turbo cjpeg: Fix OOB read caused by malformed 8-bit TGA ... in which one or more of the color indices is out of range for the number of palette entries. Fix partly borrowed from jpeg-9c. Fixes #295 --- diff --git a/ChangeLog.md b/ChangeLog.md index 1b9ac69..e479b57 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -18,6 +18,11 @@ incompatible with the soft float ABI. the AVX2 SIMD extensions (2.0 beta1[1]), that caused libjpeg-turbo to crash on Windows 7 if Service Pack 1 was not installed. +4. Fixed out-of-bounds read in cjpeg that occurred when attempting to compress +a specially-crafted malformed color-index (8-bit-per-sample) Targa file in +which some of the samples (color indices) exceeded the bounds of the Targa +file's color table. + 2.0.0 ===== diff --git a/rdtarga.c b/rdtarga.c index e0c6947..37bd286 100644 --- a/rdtarga.c +++ b/rdtarga.c @@ -3,8 +3,9 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1991-1996, Thomas G. Lane. - * It was modified by The libjpeg-turbo Project to include only code relevant - * to libjpeg-turbo. + * Modified 2017 by Guido Vollbeding. + * libjpeg-turbo Modifications: + * Copyright (C) 2018, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -66,6 +67,7 @@ typedef struct _tga_source_struct { U_CHAR tga_pixel[4]; int pixel_size; /* Bytes per Targa pixel (1 to 4) */ + int cmap_length; /* colormap length */ /* State info for reading RLE-coded pixels; both counts must be init to 0 */ int block_count; /* # of pixels remaining in RLE block */ @@ -196,11 +198,14 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) register JSAMPROW ptr; register JDIMENSION col; register JSAMPARRAY colormap = source->colormap; + int cmaplen = source->cmap_length; ptr = source->pub.buffer[0]; for (col = cinfo->image_width; col > 0; col--) { (*source->read_pixel) (source); /* Load next pixel into tga_pixel */ t = UCH(source->tga_pixel[0]); + if (t >= cmaplen) + ERREXIT(cinfo, JERR_TGA_BADPARMS); *ptr++ = colormap[0][t]; *ptr++ = colormap[1][t]; *ptr++ = colormap[2][t]; @@ -452,12 +457,14 @@ start_input_tga(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) /* Allocate space to store the colormap */ source->colormap = (*cinfo->mem->alloc_sarray) ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)maplen, (JDIMENSION)3); + source->cmap_length = (int)maplen; /* and read it from the file */ read_colormap(source, (int)maplen, UCH(targaheader[7])); } else { if (cmaptype) /* but you promised a cmap! */ ERREXIT(cinfo, JERR_TGA_BADPARMS); source->colormap = NULL; + source->cmap_length = 0; } cinfo->input_components = components;