You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
33 lines
1.3 KiB
33 lines
1.3 KiB
From a224e4dfd34823a4d993dcb97819bdcee8471676 Mon Sep 17 00:00:00 2001
|
|
From: DRC <information@libjpeg-turbo.org>
|
|
Date: Tue, 2 Jun 2020 14:15:37 -0500
|
|
Subject: [PATCH] rdppm.c: Fix buf overrun caused by bad binary PPM
|
|
|
|
This extends the fix in 1e81b0c3ea26f4ea8f56de05367469333de64a9f to
|
|
include binary PPM files with maximum values < 255, thus preventing a
|
|
malformed binary PPM input file with those specifications from
|
|
triggering an overrun of the rescale array and potentially crashing
|
|
cjpeg, TJBench, or any program that uses the tjLoadImage() function.
|
|
|
|
Fixes #433
|
|
---
|
|
rdppm.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/rdppm.c b/rdppm.c
|
|
index 87bc330..71dd146 100644
|
|
--- a/rdppm.c
|
|
+++ b/rdppm.c
|
|
@@ -720,7 +720,7 @@ start_input_ppm(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
|
|
/* On 16-bit-int machines we have to be careful of maxval = 65535 */
|
|
source->rescale = (JSAMPLE *)
|
|
(*cinfo->mem->alloc_small) ((j_common_ptr)cinfo, JPOOL_IMAGE,
|
|
- (size_t)(((long)maxval + 1L) *
|
|
+ (size_t)(((long)MAX(maxval, 255) + 1L) *
|
|
sizeof(JSAMPLE)));
|
|
half_maxval = maxval / 2;
|
|
for (val = 0; val <= (long)maxval; val++) {
|
|
--
|
|
2.26.2
|
|
|