From 9ab569e6163a906fe8d4443a8a4c0d466a112394 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Fri, 20 Jul 2018 18:04:15 +0200
Subject: [PATCH] Fix int overflow when decompr. corrupt prog. JPEG

No discernible performance regression
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9447
Credit to OSS Fuzz
Closes #259
---
 ChangeLog.md | 6 ++++++
 jdphuff.c | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/ChangeLog.md b/ChangeLog.md
index 41da060..bf65be9 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -52,6 +52,12 @@ a specially-crafted malformed color-index (8-bit-per-sample) BMP file in which some of the samples (color indices) exceeded the bounds of the BMP file's color table.
+9. Fixed a signed integer overflow in the progressive Huffman decoder, detected
+by the Clang and GCC undefined behavior sanitizers, that could be triggered by
+attempting to decompress a specially-crafted malformed JPEG image. This issue
+did not pose a security threat, but removing the warning made it easier to
+detect actual security issues, should they arise in the future.
+
 1.5.90 (2.0 beta1)
 ==================
diff --git a/jdphuff.c b/jdphuff.c
index 4df79ee..2d23177 100644
--- a/jdphuff.c
+++ b/jdphuff.c
@@ -21,6 +21,7 @@
 #include "jinclude.h"
 #include "jpeglib.h"
 #include "jdhuff.h" /* Declarations shared with jdhuff.c */
+#include
 #ifdef D_PROGRESSIVE_SUPPORTED
@@ -340,6 +341,10 @@ decode_mcu_DC_first(j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
 }
 /* Convert DC difference to actual value, update last_dc_val */
+ if ((state.last_dc_val[ci] >= 0 &&
+ s > INT_MAX - state.last_dc_val[ci]) ||
+ (state.last_dc_val[ci] < 0 && s < INT_MIN - state.last_dc_val[ci]))
+ ERREXIT(cinfo, JERR_BAD_DCT_COEF);
 s += state.last_dc_val[ci];
 state.last_dc_val[ci] = s;
 /* Scale and output the coefficient (assumes jpeg_natural_order[0]=0) */
--
2.40.0
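Review bot: The new overflow guard in decode_mcu_DC_first is placed directly under the pre-existing "Convert DC difference to actual value, update last_dc_val" comment, so that comment now reads as if it described the check rather than the `s += state.last_dc_val[ci];` accumulation below it; a one-line comment on the guard such as `/* A corrupt stream can push the DC predictor past INT_MAX/INT_MIN; signed overflow is UB, so reject it */` keeps both readable. The condition itself is right on both sides (INT_MAX - last for a non-negative predictor, INT_MIN - last for a negative one), but `state.last_dc_val[ci]` is loaded three times in the guard and once more on the next line; a local `int last_dc = state.last_dc_val[ci];` used in the guard and the accumulation would be shorter and easier to check. The `#include` added in the first hunk appears on this page without a header name; INT_MAX and INT_MIN come from `<limits.h>`, so confirm that is what the line carries. The baseline Huffman decoder in jdhuff.c, as far as I recall, performs the same `s += state.last_dc_val[ci]` accumulation and, if it is not already guarded, deserves the same check. decode_mcu_DC_first begins and ends outside this hunk.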