Merge branch '1.4.x'
diff --git a/ChangeLog.md b/ChangeLog.md
index bc9d760..826f898 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -12,6 +12,13 @@
to examine an application binary and determine which version of the library the
application was linked against.
+3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+maximum value defined in the file's header. libjpeg-turbo 1.4.2 already
+included a similar fix for ASCII PPM/PGM files. Note that these issues were
+not security bugs, since they were confined to the cjpeg program and did not
+affect any of the libjpeg-turbo libraries.
+
1.4.90 (1.5 beta1)
==================
diff --git a/rdppm.c b/rdppm.c
index aef4923..b71d337 100644
--- a/rdppm.c
+++ b/rdppm.c
@@ -5,7 +5,7 @@
* Copyright (C) 1991-1997, Thomas G. Lane.
* Modified 2009 by Bill Allombert, Guido Vollbeding.
* libjpeg-turbo Modifications:
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015, 2016, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
* file.
*
@@ -244,6 +244,7 @@
register U_CHAR *bufferptr;
register JSAMPLE *rescale = source->rescale;
JDIMENSION col;
+ unsigned int maxval = source->maxval;
if (! ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -253,6 +254,8 @@
register int temp;
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_TOOLARGE);
*ptr++ = rescale[temp];
}
return 1;
@@ -268,6 +271,7 @@
register U_CHAR *bufferptr;
register JSAMPLE *rescale = source->rescale;
JDIMENSION col;
+ unsigned int maxval = source->maxval;
if (! ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -277,12 +281,18 @@
register int temp;
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_TOOLARGE);
*ptr++ = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_TOOLARGE);
*ptr++ = rescale[temp];
temp = UCH(*bufferptr++) << 8;
temp |= UCH(*bufferptr++);
+ if (temp > maxval)
+ ERREXIT(cinfo, JERR_PPM_TOOLARGE);
*ptr++ = rescale[temp];
}
return 1;