utils: Avoid overwriting the end of a buffer with jpeg_decode()

Odd that this bug has existed for so long, but it is partly due to the fact that with modern scanners we get an entire JPEG from the file, rather than the tiled JPEGs we create ourselves. When a JPEG image height is not a multiple of 16. the JPEG format requires that it be encoded expanded to the nearest multiple. When decoding we must ignore anything beyond the end of the image, otherwise we will write beyond the end of the buffer. Fix this.
sjg20 · Mar 4, 2014 · c4c52f1 · c4c52f1
1 parent 334fccf
commit c4c52f1
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/filemax.cpp b/filemax.cpp
@@ -1427,7 +1427,8 @@ err_info *Filemax::decode_tile (chunk_info &chunk,
             case 24 :
                // decode raw JPEG file here
                // need to restrict output to width tile_size->x
-               jpeg_decode (data, size, ptr, chunk.line_bytes, 32, tile_size.x);
+               jpeg_decode (data, size, ptr, chunk.line_bytes, 32, tile_size.x,
+                            tile_size.y);
                break;
 
             default :

diff --git a/utils.cpp b/utils.cpp
@@ -191,7 +191,8 @@ static void my_error_exit (j_common_ptr cinfo)
 }
 
 
-void jpeg_decode (byte *data, int size, byte *dest, int line_bytes, int bpp, int max_width)
+void jpeg_decode (byte *data, int size, byte *dest, int line_bytes, int bpp,
+                  int max_width, int max_height)
    {
    struct jpeg_decompress_struct cinfo;
    JSAMPARRAY buffer;/* Output row buffer */
@@ -231,7 +232,8 @@ void jpeg_decode (byte *data, int size, byte *dest, int line_bytes, int bpp, int
 //      printf ("width = %d, tile_bytes = %d, line_bytes = %d\n",
 //         cinfo.output_width, tile_bytes, line_bytes);
 
-      while (cinfo.output_scanline < cinfo.output_height)
+      while (cinfo.output_scanline < cinfo.output_height &&
+             cinfo.output_scanline < max_height)
          {
          jpeg_read_scanlines(&cinfo, buffer, 1);
          if (cinfo.output_components == 3 && bpp == 32)

diff --git a/utils.h b/utils.h
@@ -91,7 +91,8 @@ int jpeg_thumbnail (byte *data, int insize, byte **destp, int *dest_sizep, cpoin
    \param dest        destimation buffer (which must be big enough)
    \param line_bytes  number of bytes per line in the output
    \param max_width   if not -1, then this is the maximum width available in the destination */
-void jpeg_decode (byte *data, int size, byte *dest, int line_bytes, int bpp, int max_width);
+void jpeg_decode (byte *data, int size, byte *dest, int line_bytes, int bpp,
+                  int max_width, int max_height);
 
 QString removeExtension (const QString &fname, QString &ext);