Google Git
Sign in
skia / external / github.com / libjpeg-turbo / libjpeg-turbo / 0463f7c9aad060fcd56e98d025ce16185279e2bc
commit0463f7c9aad060fcd56e98d025ce16185279e2bc[log] [tgz]
authorDRC <information@libjpeg-turbo.org>Thu Feb 04 18:34:38 2016 -0600
committerDRC <information@libjpeg-turbo.org>Thu Feb 04 18:43:48 2016 -0600
tree9604d7952ebfff8a75117a97dc4a9a3c4543ab6b
parent939e46608242cbb7050431ed102d9e74bf8c4db0 [diff]
Prevent overread when decoding malformed JPEG

The accelerated Huffman decoder was previously invoked if there were
> 128 bytes in the input buffer.  However, it is possible to construct a
JPEG image with Huffman blocks > 430 bytes in length
(http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size).
While such images are pathological and could never be created by a
JPEG compressor, it is conceivable that an attacker could use such an
artifially-constructed image to trigger an input buffer overrun in the
libjpeg-turbo decompressor and thus gain access to some of the data on
the calling program's heap.

This patch simply increases the minimum buffer size for the accelerated
Huffman decoder to 512 bytes, which should (hopefully) accommodate any
possible input.

This addresses a major issue (LJT-01-005) identified in a security audit
by Cure53.
2 files changed
tree: 9604d7952ebfff8a75117a97dc4a9a3c4543ab6b
  1. cmakescripts/
  2. doc/
  3. java/
  4. release/
  5. sharedlib/
  6. simd/
  7. testimages/
  8. win/
  9. .gitignore
  10. acinclude.m4
  11. bmp.c
  12. bmp.h
  13. BUILDING.txt
  14. cderror.h
  15. cdjpeg.c
  16. cdjpeg.h
  17. change.log
  18. ChangeLog.txt
  19. cjpeg.1
  20. cjpeg.c
  21. CMakeLists.txt
  22. coderules.txt
  23. configure.ac
  24. djpeg.1
  25. djpeg.c
  26. doxygen.config
  27. example.c
  28. filelist.txt
  29. install.txt
  30. jaricom.c
  31. jcapimin.c
  32. jcapistd.c
  33. jcarith.c
  34. jccoefct.c
  35. jccolext.c
  36. jccolor.c
  37. jcdctmgr.c
  38. jchuff.c
  39. jchuff.h
  40. jcinit.c
  41. jcmainct.c
  42. jcmarker.c
  43. jcmaster.c
  44. jcomapi.c
  45. jconfig.h.in
  46. jconfig.txt
  47. jcparam.c
  48. jcphuff.c
  49. jcprepct.c
  50. jcsample.c
  51. jcstest.c
  52. jctrans.c
  53. jdapimin.c
  54. jdapistd.c
  55. jdarith.c
  56. jdatadst-tj.c
  57. jdatadst.c
  58. jdatasrc-tj.c
  59. jdatasrc.c
  60. jdcoefct.c
  61. jdcolext.c
  62. jdcolor.c
  63. jdct.h
  64. jddctmgr.c
  65. jdhuff.c
  66. jdhuff.h
  67. jdinput.c
  68. jdmainct.c
  69. jdmarker.c
  70. jdmaster.c
  71. jdmerge.c
  72. jdmrgext.c
  73. jdphuff.c
  74. jdpostct.c
  75. jdsample.c
  76. jdtrans.c
  77. jerror.c
  78. jerror.h
  79. jfdctflt.c
  80. jfdctfst.c
  81. jfdctint.c
  82. jidctflt.c
  83. jidctfst.c
  84. jidctint.c
  85. jidctred.c
  86. jinclude.h
  87. jmemmgr.c
  88. jmemnobs.c
  89. jmemsys.h
  90. jmorecfg.h
  91. jpegcomp.h
  92. jpegint.h
  93. jpeglib.h
  94. jpegtran.1
  95. jpegtran.c
  96. jquant1.c
  97. jquant2.c
  98. jsimd.h
  99. jsimd_none.c
  100. jsimddct.h
  101. jutils.c
  102. jversion.h
  103. libjpeg.map.in
  104. libjpeg.txt
  105. Makefile.am
  106. rdbmp.c
  107. rdcolmap.c
  108. rdgif.c
  109. rdjpgcom.1
  110. rdjpgcom.c
  111. rdppm.c
  112. rdrle.c
  113. rdswitch.c
  114. rdtarga.c
  115. README
  116. README-turbo.txt
  117. structure.txt
  118. tjbench.c
  119. tjbenchtest.in
  120. tjexampletest.in
  121. tjunittest.c
  122. tjutil.c
  123. tjutil.h
  124. transupp.c
  125. transupp.h
  126. turbojpeg-jni.c
  127. turbojpeg-mapfile
  128. turbojpeg-mapfile.jni
  129. turbojpeg.c
  130. turbojpeg.h
  131. usage.txt
  132. wizard.txt
  133. wrbmp.c
  134. wrgif.c
  135. wrjpgcom.1
  136. wrjpgcom.c
  137. wrppm.c
  138. wrrle.c
  139. wrtarga.c