From cf3ce6fab894414a336546f62adc57f02590a22c Mon Sep 17 00:00:00 2001 From: Even Rouault Date: Fri, 5 Jul 2019 18:51:46 +0200 Subject: [PATCH] OJPEG: avoid use of unintialized memory on corrupted files Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=925269 Patch from Lei Zhang with little adaptations. --- libtiff/tif_ojpeg.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c index c01d71a2..ad3e1e71 100644 --- a/libtiff/tif_ojpeg.c +++ b/libtiff/tif_ojpeg.c @@ -831,6 +831,32 @@ OJPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc) { if (sp->subsampling_convert_state==0) { + const jpeg_decompress_struct* cinfo = &sp->libjpeg_jpeg_decompress_struct; + int width = 0; + int last_col_width = 0; + int jpeg_bytes; + int expected_bytes; + int i; + if (cinfo->MCUs_per_row == 0) + return 0; + for (i = 0; i < cinfo->comps_in_scan; ++i) + { + const jpeg_component_info* info = cinfo->cur_comp_info[i]; +#if JPEG_LIB_VERSION >= 70 + width += info->MCU_width * info->DCT_h_scaled_size; + last_col_width += info->last_col_width * info->DCT_h_scaled_size; +#else + width += info->MCU_width * info->DCT_scaled_size; + last_col_width += info->last_col_width * info->DCT_scaled_size; +#endif + } + jpeg_bytes = (cinfo->MCUs_per_row - 1) * width + last_col_width; + expected_bytes = sp->subsampling_convert_clinelenout * sp->subsampling_ver * sp->subsampling_hor; + if (jpeg_bytes != expected_bytes) + { + TIFFErrorExt(tif->tif_clientdata,module,"Inconsistent number of MCU in codestream"); + return(0); + } if (jpeg_read_raw_data_encap(sp,&(sp->libjpeg_jpeg_decompress_struct),sp->subsampling_convert_ycbcrimage,sp->subsampling_ver*8)==0) return(0); }