Merge branch '1.4.x'
diff --git a/ChangeLog.md b/ChangeLog.md
index bc9d760..826f898 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -12,6 +12,13 @@
 to examine an application binary and determine which version of the library the
 application was linked against.
 
+3. Fixed a couple of issues in the PPM reader that would cause buffer overruns
+in cjpeg if one of the values in a binary PPM/PGM input file exceeded the
+maximum value defined in the file's header.  libjpeg-turbo 1.4.2 already
+included a similar fix for ASCII PPM/PGM files.  Note that these issues were
+not security bugs, since they were confined to the cjpeg program and did not
+affect any of the libjpeg-turbo libraries.
+
 
 1.4.90 (1.5 beta1)
 ==================
diff --git a/rdppm.c b/rdppm.c
index aef4923..b71d337 100644
--- a/rdppm.c
+++ b/rdppm.c
@@ -5,7 +5,7 @@
  * Copyright (C) 1991-1997, Thomas G. Lane.
  * Modified 2009 by Bill Allombert, Guido Vollbeding.
  * libjpeg-turbo Modifications:
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015, 2016, D. R. Commander.
  * For conditions of distribution and use, see the accompanying README.ijg
  * file.
  *
@@ -244,6 +244,7 @@
   register U_CHAR *bufferptr;
   register JSAMPLE *rescale = source->rescale;
   JDIMENSION col;
+  unsigned int maxval = source->maxval;
 
   if (! ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
     ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -253,6 +254,8 @@
     register int temp;
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
+    if (temp > maxval)
+      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
     *ptr++ = rescale[temp];
   }
   return 1;
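Review bot: The added check `if (temp > maxval)` compares `register int temp` against `unsigned int maxval`, so `temp` is implicitly converted to unsigned before the comparison. That is harmless as long as `UCH()` yields 0..255 and `temp` therefore stays in 0..65535, but it trips `-Wsign-compare` and makes the bound depend on an invariant that is not stated; `if ((unsigned int) temp > maxval)` or declaring `register unsigned int temp;` makes it explicit. The same comparison appears three more times in the hunk at `@@ -277,12 +281,18 @@`. A comment above the check such as `/* sample indexes rescale[]; reject values above the header's maxval */` would record why it is there. The enclosing function starts and ends outside this hunk.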
@@ -268,6 +271,7 @@
   register U_CHAR *bufferptr;
   register JSAMPLE *rescale = source->rescale;
   JDIMENSION col;
+  unsigned int maxval = source->maxval;
 
   if (! ReadOK(source->pub.input_file, source->iobuffer, source->buffer_width))
     ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -277,12 +281,18 @@
     register int temp;
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
+    if (temp > maxval)
+      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
     *ptr++ = rescale[temp];
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
+    if (temp > maxval)
+      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
     *ptr++ = rescale[temp];
     temp  = UCH(*bufferptr++) << 8;
     temp |= UCH(*bufferptr++);
+    if (temp > maxval)
+      ERREXIT(cinfo, JERR_PPM_TOOLARGE);
     *ptr++ = rescale[temp];
   }
   return 1;
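Review bot: Only the readers that assemble a two-byte sample gain the `maxval` check in this diff; any reader in rdppm.c that indexes `rescale[]` with a single raw byte is not shown, so it cannot be confirmed from here that a binary file declaring a maxval below 255 is also rejected or safely handled. If `rescale[]` is sized from `maxval` (not visible in these hunks), that path needs either the same `JERR_PPM_TOOLARGE` check or a table large enough for every byte value. The three read-and-check sequences in this hunk are identical, and a small static helper or macro would keep the bound next to every `rescale[temp]` lookup. A regression input per binary PGM/PPM variant containing one over-range sample would pin the behaviour. The enclosing function starts above this hunk.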