cheng/libtiff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OJPEG: avoid use of unintialized memory on corrupted files

Browse Source 
Fixes https://bugs.chromium.org/p/chromium/issues/detail?id=925269
Patch from Lei Zhang with little adaptations.
This commit is contained in:
Even Rouault 2019-07-05 18:51:46 +02:00
parent ab3204b167
commit cf3ce6fab8
No known key found for this signature in database
GPG Key ID: 33EBBFC47B3DD87D
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
libtiff/tif_ojpeg.c
View File

@ -831,6 +831,32 @@ OJPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc)
{
if (sp->subsampling_convert_state==0)
{
const jpeg_decompress_struct* cinfo = &sp->libjpeg_jpeg_decompress_struct;
int width = 0;
int last_col_width = 0;
int jpeg_bytes;
int expected_bytes;
int i;
if (cinfo->MCUs_per_row == 0)
return 0;
for (i = 0; i < cinfo->comps_in_scan; ++i)
{
const jpeg_component_info* info = cinfo->cur_comp_info[i];
#if JPEG_LIB_VERSION >= 70
width += info->MCU_width * info->DCT_h_scaled_size;
last_col_width += info->last_col_width * info->DCT_h_scaled_size;
#else
width += info->MCU_width * info->DCT_scaled_size;
last_col_width += info->last_col_width * info->DCT_scaled_size;
#endif
}
jpeg_bytes = (cinfo->MCUs_per_row - 1) * width + last_col_width;
expected_bytes = sp->subsampling_convert_clinelenout * sp->subsampling_ver * sp->subsampling_hor;
if (jpeg_bytes != expected_bytes)
{
TIFFErrorExt(tif->tif_clientdata,module,"Inconsistent number of MCU in codestream");
return(0);
}
if (jpeg_read_raw_data_encap(sp,&(sp->libjpeg_jpeg_decompress_struct),sp->subsampling_convert_ycbcrimage,sp->subsampling_ver*8)==0)
return(0);
}