stb_image: Fix bug on JPEGs with malformed DC deltas
extend_receive implicitly requires n <= 15 (code length); the maximum that actually makes sense for 8-bit baseline JPEG is 11, but 15 is the natural limit for us because the AC coding path stores the number of magnitude bits in a nibble. Check that DC delta bits are in range before attempting to call extend_receive. Fixes issue #1108.
This commit is contained in:
Fabian Giesen
parent
50072f6658
commit
a3f2897b85
@ -2158,7 +2158,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
|
|||||||
|
|
||||||
if (j->code_bits < 16) stbi__grow_buffer_unsafe(j);
|
if (j->code_bits < 16) stbi__grow_buffer_unsafe(j);
|
||||||
t = stbi__jpeg_huff_decode(j, hdc);
|
t = stbi__jpeg_huff_decode(j, hdc);
|
||||||
if (t < 0) return stbi__err("bad huffman code","Corrupt JPEG");
|
if (t < 0 || t > 15) return stbi__err("bad huffman code","Corrupt JPEG");
|
||||||
|
|
||||||
// 0 all the ac values now so we can do it 32-bits at a time
|
// 0 all the ac values now so we can do it 32-bits at a time
|
||||||
memset(data,0,64*sizeof(data[0]));
|
memset(data,0,64*sizeof(data[0]));
|
||||||
@ -2215,7 +2215,7 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
|
|||||||
// first scan for DC coefficient, must be first
|
// first scan for DC coefficient, must be first
|
||||||
memset(data,0,64*sizeof(data[0])); // 0 all the ac values now
|
memset(data,0,64*sizeof(data[0])); // 0 all the ac values now
|
||||||
t = stbi__jpeg_huff_decode(j, hdc);
|
t = stbi__jpeg_huff_decode(j, hdc);
|
||||||
if (t == -1) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
||||||
diff = t ? stbi__extend_receive(j, t) : 0;
|
diff = t ? stbi__extend_receive(j, t) : 0;
|
||||||
|
|
||||||
dc = j->img_comp[b].dc_pred + diff;
|
dc = j->img_comp[b].dc_pred + diff;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user