Fix int overflow when decompr. corrupt prog. JPEG
No discernible performance regression
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9447
Credit to OSS Fuzz
Closes #259
diff --git a/ChangeLog.md b/ChangeLog.md
index 41da060..bf65be9 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -52,6 +52,12 @@
some of the samples (color indices) exceeded the bounds of the BMP file's color
table.
+9. Fixed a signed integer overflow in the progressive Huffman decoder, detected
+by the Clang and GCC undefined behavior sanitizers, that could be triggered by
+attempting to decompress a specially-crafted malformed JPEG image. This issue
+did not pose a security threat, but removing the warning made it easier to
+detect actual security issues, should they arise in the future.
+
1.5.90 (2.0 beta1)
==================
diff --git a/jdphuff.c b/jdphuff.c
index 4df79ee..2d23177 100644
--- a/jdphuff.c
+++ b/jdphuff.c
@@ -21,6 +21,7 @@
#include "jinclude.h"
#include "jpeglib.h"
#include "jdhuff.h" /* Declarations shared with jdhuff.c */
+#include <limits.h>
#ifdef D_PROGRESSIVE_SUPPORTED
@@ -340,6 +341,10 @@
}
/* Convert DC difference to actual value, update last_dc_val */
+ if ((state.last_dc_val[ci] >= 0 &&
+ s > INT_MAX - state.last_dc_val[ci]) ||
+ (state.last_dc_val[ci] < 0 && s < INT_MIN - state.last_dc_val[ci]))
+ ERREXIT(cinfo, JERR_BAD_DCT_COEF);
s += state.last_dc_val[ci];
state.last_dc_val[ci] = s;
/* Scale and output the coefficient (assumes jpeg_natural_order[0]=0) */
