From 43d8cf4d4572fa50a37cccadbe71b9bee37de55d Mon Sep 17 00:00:00 2001
From: DRC
Date: Thu, 21 Nov 2013 18:34:39 +0000
Subject: [PATCH] Fix CVE-2013-6629 and CVE-2013-6630

git-svn-id: svn+ssh://svn.code.sf.net/p/libjpeg-turbo/code/branches/1.2.x@1090 632fc199-4ca6-4c93-a231-07263d6284db
---
 ChangeLog.txt | 3 +++
 jdmarker.c | 11 ++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 1bdc1b0..9d5ae8d 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -20,6 +20,9 @@ entropy coding (by passing arguments of -progressive -arithmetic to cjpeg or
 jpegtran, for instance) would result in an error, "Requested feature was
 omitted at compile time".
 
+[6] Fixed a couple of issues whereby malformed JPEG images would cause
+libjpeg-turbo to use uninitialized memory during decompression.
+
 
 1.2.1
 =====
diff --git a/jdmarker.c b/jdmarker.c
index 77f7274..914e298 100644
--- a/jdmarker.c
+++ b/jdmarker.c
@@ -304,7 +304,7 @@ get_sos (j_decompress_ptr cinfo)
 /* Process a SOS marker */
 {
 INT32 length;
- int i, ci, n, c, cc;
+ int i, ci, n, c, cc, pi;
 jpeg_component_info * compptr;
 INPUT_VARS(cinfo);
 
@@ -348,6 +348,13 @@ get_sos (j_decompress_ptr cinfo)
 
 TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
 compptr->dc_tbl_no, compptr->ac_tbl_no);
+
+ /* This CSi (cc) should differ from the previous CSi */
+ for (pi = 0; pi < i; pi++) {
+ if (cinfo->cur_comp_info[pi] == compptr) {
+ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
+ }
+ }
 }
 
 /* Collect the additional scan parameters Ss, Se, Ah/Al. */
@@ -465,6 +472,8 @@ get_dht (j_decompress_ptr cinfo)
 for (i = 0; i < count; i++)
 INPUT_BYTE(cinfo, huffval[i], return FALSE);
 
+ MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));
+
 length -= count;
 
 if (index & 0x10) { /* AC table definition */
-- 
2.49.0
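Review bot: In the second jdmarker.c hunk (`@@ -348,6 +348,13 @@`), the duplicate-selector loop runs only after the TRACEMS3 call, so a repeated CSi is traced like an accepted component before ERREXIT1 rejects it, and the `dc_tbl_no`/`ac_tbl_no` values shown in that trace have presumably already been stored by lines outside the hunk. Placing the `pi` loop directly after the component lookup would reject the marker before any per-component state is written. The comment says "should" for what is a hard validation of untrusted marker data; `/* Reject a CSi that repeats any earlier selector in this scan */` states what the loop enforces. get_sos starts and ends outside the hunk, so the exact placement needs checking against the full function.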
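Review bot: The added `MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));` in get_dht is only well-defined while `count` is at most 256, and nothing in this hunk shows that bound; it presumably comes from a check earlier in the function, outside the hunk, and is worth confirming because `count` is derived from marker data. The literal 256 also repeats the size of `huffval`; if that is a local array, `MEMZERO(&huffval[count], SIZEOF(huffval) - count * SIZEOF(UINT8));` keeps the two in step. The call has no comment saying why it is there, and `/* Zero the unused tail so later users of huffval[] never see uninitialized bytes */` would tie it to the uninitialized-memory issue named in the ChangeLog entry. get_dht's body extends beyond the hunk on both sides.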