Skip to content
Permalink
Browse files Browse the repository at this point in the history
rdppm.c: Fix buf overrun caused by bad binary PPM
This extends the fix in 1e81b0c to
include binary PPM files with maximum values < 255, thus preventing a
malformed binary PPM input file with those specifications from
triggering an overrun of the rescale array and potentially crashing
cjpeg, TJBench, or any program that uses the tjLoadImage() function.

Fixes #433
  • Loading branch information
dcommander committed Jun 2, 2020
1 parent a2291b2 commit 3de15e0
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 6 deletions.
14 changes: 10 additions & 4 deletions ChangeLog.md
Expand Up @@ -13,6 +13,12 @@ TurboJPEG Java API that caused an error ("java.lang.IllegalStateException: No
source image is associated with this instance") when attempting to use that
method to compress a YUV image.

3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
TJBench, or the `tjLoadImage()` function if one of the values in a binary
PPM/PGM input file exceeded the maximum value defined in the file's header and
that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
similar fix for binary PPM/PGM files with maximum values greater than 255.


2.0.4
=====
Expand Down Expand Up @@ -578,10 +584,10 @@ application was linked against.

3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
included a similar fix for ASCII PPM/PGM files. Note that these issues were
not security bugs, since they were confined to the cjpeg program and did not
affect any of the libjpeg-turbo libraries.
maximum value defined in the file's header and that maximum value was greater
than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
files. Note that these issues were not security bugs, since they were confined
to the cjpeg program and did not affect any of the libjpeg-turbo libraries.

4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
header using the `tjDecompressToYUV2()` function would cause the function to
Expand Down
4 changes: 2 additions & 2 deletions rdppm.c
Expand Up @@ -5,7 +5,7 @@
* Copyright (C) 1991-1997, Thomas G. Lane.
* Modified 2009 by Bill Allombert, Guido Vollbeding.
* libjpeg-turbo Modifications:
* Copyright (C) 2015-2017, D. R. Commander.
* Copyright (C) 2015-2017, 2020, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
Expand Down Expand Up @@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
/* On 16-bit-int machines we have to be careful of maxval = 65535 */
source->rescale = (JSAMPLE *)
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
(size_t)(((long)maxval + 1L) *
(size_t)(((long)MAX(maxval, 255) + 1L) *
sizeof(JSAMPLE)));
half_maxval = maxval / 2;
for (val = 0; val <= (long)maxval; val++) {
Expand Down

0 comments on commit 3de15e0

Please sign in to comment.