Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[iimage] Prevent possible access violations, especially for gifs. #8348

Merged
merged 7 commits into from Nov 5, 2015
Prev

[JpegIO] Crop too large image/frame in Decode. This fixes a theoretic…

…ally possible access violation.
  • Loading branch information...
ace20022 committed Nov 4, 2015
commit 51fb220c908eb8dc2f136e8832b606c897be3c88
Copy path View file
@@ -343,6 +343,8 @@ bool CJpegIO::Read(unsigned char* buffer, unsigned int bufSize, unsigned int min
bool CJpegIO::Decode(unsigned char* const pixels, unsigned int width, unsigned int height, unsigned int pitch, unsigned int format)
{
unsigned char *dst = (unsigned char*)pixels;
unsigned int copyWidth = std::min(m_width, width);
unsigned int copyHeight = std::min(m_height, height);

struct my_error_mgr jerr;
m_cinfo.err = jpeg_std_error(&jerr.pub);
@@ -359,7 +361,7 @@ bool CJpegIO::Decode(unsigned char* const pixels, unsigned int width, unsigned i

if (format == XB_FMT_RGB8)
{
while (m_cinfo.output_scanline < m_height)
while (m_cinfo.output_scanline < copyHeight)
{
jpeg_read_scanlines(&m_cinfo, &dst, 1);
dst += pitch;
@@ -368,12 +370,12 @@ bool CJpegIO::Decode(unsigned char* const pixels, unsigned int width, unsigned i
else if (format == XB_FMT_A8R8G8B8)
{
unsigned char* row = new unsigned char[m_width * 3];
while (m_cinfo.output_scanline < m_height)
while (m_cinfo.output_scanline < copyHeight)
{
jpeg_read_scanlines(&m_cinfo, &row, 1);
unsigned char *src2 = row;
unsigned char *dst2 = dst;
for (unsigned int x = 0; x < m_width; x++, src2 += 3)
for (unsigned int x = 0; x < copyWidth; x++, src2 += 3)
{
*dst2++ = src2[2];
*dst2++ = src2[1];
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.