33 *
44 * This file was part of the Independent JPEG Group's software:
55 * Copyright (C) 1994-1996, Thomas G. Lane.
6- * Modified 2009-2010 by Guido Vollbeding.
6+ * Modified 2009-2017 by Guido Vollbeding.
77 * libjpeg-turbo Modifications:
88 * Modified 2011 by Siarhei Siamashka.
99 * Copyright (C) 2015, 2017-2018, D. R. Commander.
@@ -72,6 +72,7 @@ typedef struct _bmp_source_struct {
7272 JDIMENSION row_width ; /* Physical width of scanlines in file */
7373
7474 int bits_per_pixel ; /* remembers 8- or 24-bit format */
75+ int cmap_length ; /* colormap length */
7576
7677 boolean use_inversion_array ; /* TRUE = preload the whole image, which is
7778 stored in bottom-up order, and feed it to
@@ -155,6 +156,7 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
155156{
156157 bmp_source_ptr source = (bmp_source_ptr )sinfo ;
157158 register JSAMPARRAY colormap = source -> colormap ;
159+ int cmaplen = source -> cmap_length ;
158160 JSAMPARRAY image_ptr ;
159161 register int t ;
160162 register JSAMPROW inptr , outptr ;
@@ -178,11 +180,15 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
178180 if (cinfo -> in_color_space == JCS_GRAYSCALE ) {
179181 for (col = cinfo -> image_width ; col > 0 ; col -- ) {
180182 t = GETJSAMPLE (* inptr ++ );
183+ if (t >= cmaplen )
184+ ERREXIT (cinfo , JERR_BMP_OUTOFRANGE );
181185 * outptr ++ = colormap [0 ][t ];
182186 }
183187 } else if (cinfo -> in_color_space == JCS_CMYK ) {
184188 for (col = cinfo -> image_width ; col > 0 ; col -- ) {
185189 t = GETJSAMPLE (* inptr ++ );
190+ if (t >= cmaplen )
191+ ERREXIT (cinfo , JERR_BMP_OUTOFRANGE );
186192 rgb_to_cmyk (colormap [0 ][t ], colormap [1 ][t ], colormap [2 ][t ], outptr ,
187193 outptr + 1 , outptr + 2 , outptr + 3 );
188194 outptr += 4 ;
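Review bot: The same two-line bound check is pasted into all four colormap lookup loops of get_8bit_row (the two in this hunk and those in the hunks at -197 and -206), and none of them says why the index can be out of range. A one-line comment at the first occurrence, such as `/* t comes straight from the file; the colormap holds only cmap_length entries */`, would stop a later cleanup from dropping one copy as redundant. Any lookup path added later has to repeat the guard by hand, so a small local macro that wraps the test and the ERREXIT is worth considering. The function begins and ends outside this hunk.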
@@ -197,6 +203,8 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
197203 if (aindex >= 0 ) {
198204 for (col = cinfo -> image_width ; col > 0 ; col -- ) {
199205 t = GETJSAMPLE (* inptr ++ );
206+ if (t >= cmaplen )
207+ ERREXIT (cinfo , JERR_BMP_OUTOFRANGE );
200208 outptr [rindex ] = colormap [0 ][t ];
201209 outptr [gindex ] = colormap [1 ][t ];
202210 outptr [bindex ] = colormap [2 ][t ];
@@ -206,6 +214,8 @@ get_8bit_row(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
206214 } else {
207215 for (col = cinfo -> image_width ; col > 0 ; col -- ) {
208216 t = GETJSAMPLE (* inptr ++ );
217+ if (t >= cmaplen )
218+ ERREXIT (cinfo , JERR_BMP_OUTOFRANGE );
209219 outptr [rindex ] = colormap [0 ][t ];
210220 outptr [gindex ] = colormap [1 ][t ];
211221 outptr [bindex ] = colormap [2 ][t ];
@@ -539,6 +549,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
539549 /* Allocate space to store the colormap */
540550 source -> colormap = (* cinfo -> mem -> alloc_sarray )
541551 ((j_common_ptr )cinfo , JPOOL_IMAGE , (JDIMENSION )biClrUsed , (JDIMENSION )3 );
552+ source -> cmap_length = (int )biClrUsed ;
542553 /* and read it from the file */
543554 read_colormap (source , (int )biClrUsed , mapentrysize );
544555 /* account for size of colormap */
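Review bot: `cmap_length` is assigned only on this colormap-allocation path, so its value on any path that skips the allocation depends on how the source struct is initialised, which is not visible here. If the struct is not zeroed, adding `source->cmap_length = 0;` where the other fields are set up would make the new `t >= cmaplen` test fail closed instead of comparing against an indeterminate bound. The `(int)biClrUsed` cast also relies on biClrUsed having been range-checked earlier in start_input_bmp. That check is presumably there, but it lies outside the hunk and should be confirmed. The field comment in the struct hunk could be more precise, e.g. `/* number of entries allocated in colormap */`.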