From dc20ac98d48382a8e0eaafd15c38a57f8ca836c9 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Fri, 11 Oct 2013 10:55:39 -0700
Subject: improve the handling of images with duplicate component IDs
Patch written by noel@chromium.org and aedla@chromium.org
(cherry picked from commit 0061f897d4f6217475bbb4bb63fcbd7f8f4af3e5)
Change-Id: I62b7e4d04e9b1c6be18d33e9ddd6d09a0c84daaf
---
 jdmarker.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/jdmarker.c b/jdmarker.c
index 5837edb..6978049 100644
--- a/jdmarker.c
+++ b/jdmarker.c
@@ -302,7 +302,7 @@ get_sos (j_decompress_ptr cinfo)
 /* Process a SOS marker */
 {
 INT32 length;
- int i, ci, n, c, cc;
+ int i, ci, n, c, cc, pi;
 jpeg_component_info * compptr;
 INPUT_VARS(cinfo);
@@ -342,6 +342,12 @@ get_sos (j_decompress_ptr cinfo)
 TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc, compptr->dc_tbl_no, compptr->ac_tbl_no);
+
+ /* This CSi (cc) should differ from the previous CSi */
+ for (pi = 0; pi < i; pi++) {
+ if (cinfo->cur_comp_info[pi] == compptr)
+ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
+ }
 }
 /* Collect the additional scan parameters Ss, Se, Ah/Al. */
@@ -459,6 +465,8 @@ get_dht (j_decompress_ptr cinfo)
 for (i = 0; i < count; i++)
 INPUT_BYTE(cinfo, huffval[i], return FALSE);
+ MEMZERO(&huffval[count], (256 - count) * SIZEOF(UINT8));
+
 length -= count;
 if (index & 0x10) { /* AC table definition */
--
cgit v1.2.3
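Review bot: The comment on the new loop in the second get_sos hunk says this CSi should differ from "the previous CSi", but the loop compares compptr against every earlier entry `cur_comp_info[0..i-1]`, so the wording understates what is enforced. I would write `/* A scan must not select the same component twice: reject CSi (cc) if an earlier entry of this SOS already points at compptr. */`. The check also sits after the TRACEMS3 call, and presumably after the table selectors of compptr were written (that code is outside the hunk), so a duplicate is traced as if it were valid before it is rejected. Moving the loop to directly after the component lookup would reject the marker before any per-component state is touched.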
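Review bot: The MEMZERO added in get_dht takes its length from `(256 - count)`, which is only safe while count is bounded by 256 before this line; that bound is not visible in the hunk, and a larger count would make the subtraction negative and turn it into a very large size. A comment should record both the reason for the clear and that dependency, for example `/* Zero the unused tail of huffval so stale stack bytes never reach the table; relies on count <= 256 being enforced earlier in get_dht. */`. The literal 256 also repeats the buffer size by hand. If huffval is declared as a 256-byte array (its declaration is outside the hunk), `SIZEOF(huffval) - count` would keep the length tied to the declaration.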