From d00d7d8c194e587ed10a395e0f307ce9dddf5687 Mon Sep 17 00:00:00 2001 From: DRC Date: Fri, 5 Oct 2018 16:13:07 -0500 Subject: [PATCH] cjpeg: Fix OOB read caused by malformed 8-bit TGA ... in which one or more of the color indices is out of range for the number of palette entries. Fix partly borrowed from jpeg-9c. Fixes #295 --- ChangeLog.md | 5 +++++ rdtarga.c | 11 +++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index 1b9ac69..e479b57 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -18,6 +18,11 @@ incompatible with the soft float ABI. the AVX2 SIMD extensions (2.0 beta1[1]), that caused libjpeg-turbo to crash on Windows 7 if Service Pack 1 was not installed. +4. Fixed out-of-bounds read in cjpeg that occurred when attempting to compress +a specially-crafted malformed color-index (8-bit-per-sample) Targa file in +which some of the samples (color indices) exceeded the bounds of the Targa +file's color table. + 2.0.0 ===== diff --git a/rdtarga.c b/rdtarga.c index e0c6947..37bd286 100644 --- a/rdtarga.c +++ b/rdtarga.c @@ -3,8 +3,9 @@ * * This file was part of the Independent JPEG Group's software: * Copyright (C) 1991-1996, Thomas G. Lane. - * It was modified by The libjpeg-turbo Project to include only code relevant - * to libjpeg-turbo. + * Modified 2017 by Guido Vollbeding. + * libjpeg-turbo Modifications: + * Copyright (C) 2018, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -66,6 +67,7 @@ typedef struct _tga_source_struct { U_CHAR tga_pixel[4]; int pixel_size; /* Bytes per Targa pixel (1 to 4) */ + int cmap_length; /* colormap length */ /* State info for reading RLE-coded pixels; both counts must be init to 0 */ int block_count; /* # of pixels remaining in RLE block */ @@ -196,11 +198,14 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) register JSAMPROW ptr; register JDIMENSION col; register JSAMPARRAY colormap = source->colormap; + int cmaplen = source->cmap_length; ptr = source->pub.buffer[0]; for (col = cinfo->image_width; col > 0; col--) { (*source->read_pixel) (source); /* Load next pixel into tga_pixel */ t = UCH(source->tga_pixel[0]); + if (t >= cmaplen) + ERREXIT(cinfo, JERR_TGA_BADPARMS); *ptr++ = colormap[0][t]; *ptr++ = colormap[1][t]; *ptr++ = colormap[2][t]; @@ -452,12 +457,14 @@ start_input_tga(j_compress_ptr cinfo, cjpeg_source_ptr sinfo) /* Allocate space to store the colormap */ source->colormap = (*cinfo->mem->alloc_sarray) ((j_common_ptr)cinfo, JPOOL_IMAGE, (JDIMENSION)maplen, (JDIMENSION)3); + source->cmap_length = (int)maplen; /* and read it from the file */ read_colormap(source, (int)maplen, UCH(targaheader[7])); } else { if (cmaptype) /* but you promised a cmap! */ ERREXIT(cinfo, JERR_TGA_BADPARMS); source->colormap = NULL; + source->cmap_length = 0; } cinfo->input_components = components; -- 2.50.1