path: root/libjpeg-turbo-2.0.90-cve-2021-29390.patch
blob: 8a2f490f5002f5e620d705f45a867018a6062f3a (plain)
From caf7c8978025eb0cc307bfeffdad46a16d47dad9 Mon Sep 17 00:00:00 2001
From: DRC <information@libjpeg-turbo.org>
Date: Wed, 25 Nov 2020 14:55:55 -0600
Subject: [PATCH] Fix buffer overrun with certain narrow prog JPEGs

Regression introduced by 6d91e950c871103a11bac2f10c63bf998796c719

last_block_column in decompress_smooth_data() can be 0 if, for instance,
decompressing a 4:4:4 image of width 8 or less or a 4:2:2 or 4:2:0 image
of width 16 or less.  Since last_block_column is an unsigned int,
subtracting 1 from it produced 0xFFFFFFFF, the test in line 590 passed,
and we attempted to access blocks from a second block column that didn't
actually exist.

Closes #476

(cherry picked from commit ccaba5d7894ecfb5a8f11e48d3f86e1f14d5a469)
---
 ChangeLog.md | 10 ++++++++++
 jdcoefct.c   |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

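As an added illustration, not part of this patch or of libjpeg-turbo's own code, the two predicates from the jdcoefct.c hunk side by side, with JDIMENSION assumed to be an unsigned int as in libjpeg; the counting harness is constructed for this example and shows that the only inputs on which the old and new tests disagree are the last_block_column == 0 case the commit message describes.

```c
#include <stdio.h>

/* Stand-in for libjpeg's JDIMENSION (assumed: unsigned int). */
typedef unsigned int JDIMENSION;

/* Pre-patch test: when last_block_column == 0 the unsigned subtraction
 * wraps to 0xFFFFFFFF, so the test passes for every block_num and the
 * decoder reads a second block column that does not exist. */
int old_has_next_column(JDIMENSION block_num, JDIMENSION last_block_column)
{
    return block_num < last_block_column - 1;
}

/* Patched test: the "- 1" becomes "+ 1" on the side that cannot underflow
 * (block_num never exceeds last_block_column in the decoder loop). */
int new_has_next_column(JDIMENSION block_num, JDIMENSION last_block_column)
{
    return block_num + 1 < last_block_column;
}

/* Count the (block_num, last_block_column) pairs, with
 * block_num <= last_block_column as in the decoder loop, on which the two
 * tests disagree. Every disagreement is a last_block_column == 0 pair. */
unsigned count_disagreements(JDIMENSION max_last_block_column)
{
    unsigned disagreements = 0;
    for (JDIMENSION lbc = 0; lbc <= max_last_block_column; lbc++)
        for (JDIMENSION bn = 0; bn <= lbc; bn++)
            if (old_has_next_column(bn, lbc) != new_has_next_column(bn, lbc))
                disagreements++;
    return disagreements;
}

int main(void)
{
    /* A single block column (last_block_column == 0): old test wrongly
     * claims a next column exists, the patched test does not. */
    printf("old test, one column: %d\n", old_has_next_column(0, 0));
    printf("new test, one column: %d\n", new_has_next_column(0, 0));
    printf("disagreements up to 64 columns: %u\n", count_disagreements(64));
    return 0;
}
```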
diff --git a/ChangeLog.md b/ChangeLog.md
index 6eb06f0e..9084bee0 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,13 @@
+2.1 post-beta
+=============
+
+### Significant changes relative to 2.1 beta1
+
+1. Fixed a regression introduced by 2.1 beta1[6(b)] whereby attempting to
+decompress certain progressive JPEG images with one or more component planes of
+width 8 or less caused a buffer overrun.
+
+
 2.0.90 (2.1 beta1)
 ==================
 
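Review bot: the new ChangeLog entry names the symptom (a buffer overrun on narrow progressive JPEGs) but not the code path; the commit message places the bug in decompress_smooth_data(), so stating that only decodes that go through the block-smoothing path are affected would let users judge their exposure from the entry alone. This patch file is distributed under the name libjpeg-turbo-2.0.90-cve-2021-29390.patch, yet the entry carries no CVE identifier; consider adding it so the ChangeLog is searchable by advisory. The two trailing blank "+" lines before the "2.0.90 (2.1 beta1)" header also look like one more than the file's existing section spacing.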
diff --git a/jdcoefct.c b/jdcoefct.c
index 699a4809..a3c6d4e8 100644
--- a/jdcoefct.c
+++ b/jdcoefct.c
@@ -587,7 +587,7 @@ decompress_smooth_data(j_decompress_ptr cinfo, JSAMPIMAGE output_buf)
           DC19 = (int)next_block_row[1][0];
           DC24 = (int)next_next_block_row[1][0];
         }
-        if (block_num < last_block_column - 1) {
+        if (block_num + 1 < last_block_column) {
           DC05 = (int)prev_prev_block_row[2][0];
           DC10 = (int)prev_block_row[2][0];
           DC15 = (int)buffer_ptr[2][0];
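Review bot: the rewrite from "block_num < last_block_column - 1" to "block_num + 1 < last_block_column" is the right fix, since block_num never exceeds last_block_column in this loop and the addition cannot wrap where the unsigned subtraction did; it matches the line-590 test the commit message describes. Two follow-ups: the diffstat touches only ChangeLog.md and jdcoefct.c, so no regression test accompanies the fix; a progressive test image with a component plane 8 pixels wide or narrower, decoded with smoothing enabled, would lock this in. And the same "x < n - 1" shape with an unsigned n is worth a sweep across the rest of decompress_smooth_data() (the row-direction checks in particular), since any other instance with a zero-valued bound would fail the same way.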
-- 
2.41.0