Commit 3de15e0

rdppm.c: Fix buf overrun caused by bad binary PPM
This extends the fix in 1e81b0c to include binary PPM files with maximum values < 255, thus preventing a malformed binary PPM input file with those specifications from triggering an overrun of the rescale array and potentially crashing cjpeg, TJBench, or any program that uses the tjLoadImage() function. Fixes #433
1 parent a2291b2 commit 3de15e0

2 files changed

+12
-6
lines changed


Diff for: ChangeLog.md

+10-4
@@ -13,6 +13,12 @@ TurboJPEG Java API that caused an error ("java.lang.IllegalStateException: No
1313
source image is associated with this instance") when attempting to use that
1414
method to compress a YUV image.
1515

16+
3. Fixed an issue in the PPM reader that caused a buffer overrun in cjpeg,
17+
TJBench, or the `tjLoadImage()` function if one of the values in a binary
18+
PPM/PGM input file exceeded the maximum value defined in the file's header and
19+
that maximum value was less than 255. libjpeg-turbo 1.5.0 already included a
20+
similar fix for binary PPM/PGM files with maximum values greater than 255.
21+
1622

1723
2.0.4
1824
=====
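Review bot: The new item 3 names `tjLoadImage()`, which is a library entry point, but says nothing about how the overrun should be classified. The older entry further down in this file states that its issues "were not security bugs, since they were confined to the cjpeg program", and that reasoning does not carry over to a function exported by the library. Consider adding a sentence that says whether callers passing untrusted PPM/PGM files to `tjLoadImage()` are exposed, and mention the issue number (#433 in the commit message) so packagers can trace the fix.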
@@ -578,10 +584,10 @@ application was linked against.
578584

579585
3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
580586
in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
581-
maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
582-
included a similar fix for ASCII PPM/PGM files. Note that these issues were
583-
not security bugs, since they were confined to the cjpeg program and did not
584-
affect any of the libjpeg-turbo libraries.
587+
maximum value defined in the file's header and that maximum value was greater
588+
than 255. libjpeg-turbo 1.4.2 already included a similar fix for ASCII PPM/PGM
589+
files. Note that these issues were not security bugs, since they were confined
590+
to the cjpeg program and did not affect any of the libjpeg-turbo libraries.
585591

586592
4. Fixed an issue whereby attempting to decompress a JPEG file with a corrupt
587593
header using the `tjDecompressToYUV2()` function would cause the function to

Diff for: rdppm.c

+2-2
@@ -5,7 +5,7 @@
55
* Copyright (C) 1991-1997, Thomas G. Lane.
66
* Modified 2009 by Bill Allombert, Guido Vollbeding.
77
* libjpeg-turbo Modifications:
8-
* Copyright (C) 2015-2017, D. R. Commander.
8+
* Copyright (C) 2015-2017, 2020, D. R. Commander.
99
* For conditions of distribution and use, see the accompanying README.ijg
1010
* file.
1111
*
@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
720720
/* On 16-bit-int machines we have to be careful of maxval = 65535 */
721721
source->rescale = (JSAMPLE *)
722722
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
723-
(size_t)(((long)maxval + 1L) *
723+
(size_t)(((long)MAX(maxval, 255) + 1L) *
724724
sizeof(JSAMPLE)));
725725
half_maxval = maxval / 2;
726726
for (val = 0; val <= (long)maxval; val++) {
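Review bot: With the allocation grown to `MAX(maxval, 255) + 1` entries, the loop that follows still stops at `val <= (long)maxval`, so when maxval is below 255 the entries from maxval + 1 through 255 are never written. A sample byte above maxval now indexes inside the array, which removes the overrun, but what it reads is whatever the pool allocation happened to contain, since `alloc_small` does not clear memory. Consider zeroing the array after allocation or filling the tail with a clamped value, so that out-of-range samples produce deterministic output and no stale memory content ends up in the image. A short comment next to the `MAX(maxval, 255)` expression explaining that binary samples are read as raw bytes and can therefore reach 255 regardless of the header would also help the next reader.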
