1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
Index: libjpeg-turbo-1.5.2/rdbmp.c
===================================================================
--- libjpeg-turbo-1.5.2.orig/rdbmp.c 2018-07-05 14:47:54.525745754 -0400
+++ libjpeg-turbo-1.5.2/rdbmp.c 2018-07-05 14:47:54.521745700 -0400
@@ -434,6 +434,12 @@ start_input_bmp (j_compress_ptr cinfo, c
progress->total_extra_passes++; /* count file input as separate pass */
}
+ /* Ensure that biWidth * cinfo->input_components doesn't exceed the maximum
+ value of the JDIMENSION type. This is only a danger with BMP files, since
+ their width and height fields are 32-bit integers. */
+ if ((unsigned long long)biWidth *
+ (unsigned long long)cinfo->input_components > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
/* Allocate one-row buffer for returned data */
source->pub.buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE,
|
