From c7dd3cd0fec2d6785f2bd79e3e2f0adb62ee8bc1 Mon Sep 17 00:00:00 2001

From: DRC <information@libjpeg-turbo.org>

Date: Fri, 20 Jul 2018 17:21:36 -0500

Subject: [PATCH] cjpeg: Fix OOB read caused by malformed 8-bit BMP

... in which one or more of the color indices is out of range for the

number of palette entries.

Fix partly borrowed from jpeg-9c.  This commit also adopts Guido's

JERR_PPM_OUTOFRANGE enum value in lieu of our project-specific

JERR_PPM_TOOLARGE enum value.

Fixes #258

---

 cderror.h |  5 +++--

 rdbmp.c   |  7 ++++++-

 rdppm.c   | 12 ++++++------

 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/cderror.h b/cderror.h

index 63de498..e57a8c8 100644

--- a/cderror.h

+++ b/cderror.h

@@ -2,7 +2,7 @@

  * cderror.h

  *

  * Copyright (C) 1994-1997, Thomas G. Lane.

- * Modified 2009 by Guido Vollbeding.

+ * Modified 2009-2017 by Guido Vollbeding.

  * This file is part of the Independent JPEG Group's software.

  * For conditions of distribution and use, see the accompanying README.ijg

  * file.

@@ -49,6 +49,7 @@ JMESSAGE(JERR_BMP_COLORSPACE, "BMP output must be grayscale or RGB")

 JMESSAGE(JERR_BMP_COMPRESSED, "Sorry, compressed BMPs not yet supported")

 JMESSAGE(JERR_BMP_EMPTY, "Empty BMP image")

 JMESSAGE(JERR_BMP_NOT, "Not a BMP file - does not start with BM")

+JMESSAGE(JERR_BMP_OUTOFRANGE, "Numeric value out of range in BMP file")

 JMESSAGE(JTRC_BMP, "%ux%u 24-bit BMP image")

 JMESSAGE(JTRC_BMP_MAPPED, "%ux%u 8-bit colormapped BMP image")

 JMESSAGE(JTRC_BMP_OS2, "%ux%u 24-bit OS2 BMP image")

@@ -75,8 +76,8 @@ JMESSAGE(JWRN_GIF_NOMOREDATA, "Ran out of GIF bits")

 #ifdef PPM_SUPPORTED

 JMESSAGE(JERR_PPM_COLORSPACE, "PPM output must be grayscale or RGB")

 JMESSAGE(JERR_PPM_NONNUMERIC, "Nonnumeric data in PPM file")

-JMESSAGE(JERR_PPM_TOOLARGE, "Integer value too large in PPM file")

 JMESSAGE(JERR_PPM_NOT, "Not a PPM/PGM file")

+JMESSAGE(JERR_PPM_OUTOFRANGE, "Numeric value out of range in PPM file")

 JMESSAGE(JTRC_PGM, "%ux%u PGM image")

 JMESSAGE(JTRC_PGM_TEXT, "%ux%u text PGM image")

 JMESSAGE(JTRC_PPM, "%ux%u PPM image")

diff --git a/rdbmp.c b/rdbmp.c

index 4104b68..a7dbe9f 100644

--- a/rdbmp.c

+++ b/rdbmp.c

@@ -3,7 +3,7 @@

  *

  * This file was part of the Independent JPEG Group's software:

  * Copyright (C) 1994-1996, Thomas G. Lane.

- * Modified 2009-2010 by Guido Vollbeding.

+ * Modified 2009-2017 by Guido Vollbeding.

  * libjpeg-turbo Modifications:

  * Modified 2011 by Siarhei Siamashka.

  * Copyright (C) 2015, D. R. Commander.

@@ -66,6 +66,7 @@ typedef struct _bmp_source_struct {

   JDIMENSION row_width;         /* Physical width of scanlines in file */

   int bits_per_pixel;           /* remembers 8- or 24-bit format */

+  int cmap_length;              /* colormap length */

 } bmp_source_struct;

@@ -126,6 +127,7 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

 {

   bmp_source_ptr source = (bmp_source_ptr) sinfo;

   register JSAMPARRAY colormap = source->colormap;

+  int cmaplen = source->cmap_length;

   JSAMPARRAY image_ptr;

   register int t;

   register JSAMPROW inptr, outptr;

@@ -142,6 +144,8 @@ get_8bit_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

   outptr = source->pub.buffer[0];

   for (col = cinfo->image_width; col > 0; col--) {

     t = GETJSAMPLE(*inptr++);

+    if (t >= cmaplen)

+      ERREXIT(cinfo, JERR_BMP_OUTOFRANGE);

     *outptr++ = colormap[0][t]; /* can omit GETJSAMPLE() safely */

     *outptr++ = colormap[1][t];

     *outptr++ = colormap[2][t];

@@ -401,6 +405,7 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

     source->colormap = (*cinfo->mem->alloc_sarray)

       ((j_common_ptr) cinfo, JPOOL_IMAGE,

        (JDIMENSION) biClrUsed, (JDIMENSION) 3);

+    source->cmap_length = (int)biClrUsed;

     /* and read it from the file */

     read_colormap(source, (int) biClrUsed, mapentrysize);

     /* account for size of colormap */

diff --git a/rdppm.c b/rdppm.c

index 33ff749..c0c0962 100644

--- a/rdppm.c

+++ b/rdppm.c

@@ -69,7 +69,7 @@ typedef struct {

   JSAMPROW pixrow;              /* compressor input buffer */

   size_t buffer_width;          /* width of I/O buffer */

   JSAMPLE *rescale;             /* => maxval-remapping array, or NULL */

-  int maxval;

+  unsigned int maxval;

 } ppm_source_struct;

 typedef ppm_source_struct *ppm_source_ptr;

@@ -119,7 +119,7 @@ read_pbm_integer (j_compress_ptr cinfo, FILE *infile, unsigned int maxval)

   }

   if (val > maxval)

-    ERREXIT(cinfo, JERR_PPM_TOOLARGE);

+    ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);

   return val;

 }

@@ -255,7 +255,7 @@ get_word_gray_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

     temp  = UCH(*bufferptr++) << 8;

     temp |= UCH(*bufferptr++);

     if (temp > maxval)

-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);

+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);

     *ptr++ = rescale[temp];

   }

   return 1;

@@ -282,17 +282,17 @@ get_word_rgb_row (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

     temp  = UCH(*bufferptr++) << 8;

     temp |= UCH(*bufferptr++);

     if (temp > maxval)

-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);

+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);

     *ptr++ = rescale[temp];

     temp  = UCH(*bufferptr++) << 8;

     temp |= UCH(*bufferptr++);

     if (temp > maxval)

-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);

+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);

     *ptr++ = rescale[temp];

     temp  = UCH(*bufferptr++) << 8;

     temp |= UCH(*bufferptr++);

     if (temp > maxval)

-      ERREXIT(cinfo, JERR_PPM_TOOLARGE);

+      ERREXIT(cinfo, JERR_PPM_OUTOFRANGE);

     *ptr++ = rescale[temp];

   }

   return 1;

-- 

2.21.0