From a3f2897b85760d1e98fedbe31fcf2ddf089c169e Mon Sep 17 00:00:00 2001
From: Fabian Giesen
Date: Fri, 2 Jul 2021 18:10:49 -0700
Subject: [PATCH] stb_image: Fix bug on JPEGs with malformed DC deltas
extend_receive implicitly requires n <= 15 (code length); the maximum that actually makes sense for 8-bit baseline JPEG is 11, but 15 is the natural limit for us because the AC coding path stores the number of magnitude bits in a nibble. Check that DC delta bits are in range before attempting to call extend_receive. Fixes issue #1108.
---
 stb_image.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stb_image.h b/stb_image.h
index 71bd506..2fced29 100644
--- a/stb_image.h
+++ b/stb_image.h
@@ -2158,7 +2158,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
 if (j->code_bits < 16) stbi__grow_buffer_unsafe(j);
 t = stbi__jpeg_huff_decode(j, hdc);
- if (t < 0) return stbi__err("bad huffman code","Corrupt JPEG");
+ if (t < 0 || t > 15) return stbi__err("bad huffman code","Corrupt JPEG");
 // 0 all the ac values now so we can do it 32-bits at a time
 memset(data,0,64*sizeof(data[0]));
@@ -2215,7 +2215,7 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
 // first scan for DC coefficient, must be first
 memset(data,0,64*sizeof(data[0])); // 0 all the ac values now
 t = stbi__jpeg_huff_decode(j, hdc);
- if (t == -1) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
+ if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
 diff = t ? stbi__extend_receive(j, t) : 0;
 dc = j->img_comp[b].dc_pred + diff;
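Review bot: The new bound `t > 15` in stbi__jpeg_decode_block is an unexplained literal; the reason for it (extend_receive is only valid for n <= 15) is recorded in the commit message but not next to the check. I would add `// DC size category must be <= 15, the largest n stbi__extend_receive accepts` above the `if`, and the same comment applies to the matching check in stbi__jpeg_decode_block_prog_dc. Because the precondition belongs to stbi__extend_receive, whose body is not in this diff, a range check or assert inside it would presumably also protect any caller these two hunks do not touch. The function body starts and ends outside the hunk.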
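Review bot: The widened check in stbi__jpeg_decode_block_prog_dc still reports `"can't merge dc and ac"`, which describes neither a failed Huffman decode nor an out-of-range DC size and will mislead anyone triaging a rejected file from the failure reason. The first hunk uses `"bad huffman code"` for the identical condition, so I would write `if (t < 0 || t > 15) return stbi__err("bad huffman code", "Corrupt JPEG");` here as well. The function body starts and ends outside the hunk.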