Diffstat (limited to 'rdbmp.c')
-rw-r--r-- | rdbmp.c | 28 |
1 files changed, 20 insertions, 8 deletions
@@ -6,7 +6,7 @@
 * Modified 2009-2017 by Guido Vollbeding.
 * libjpeg-turbo Modifications:
 * Modified 2011 by Siarhei Siamashka.
- * Copyright (C) 2015, 2017-2018, D. R. Commander.
+ * Copyright (C) 2015, 2017-2018, 2021, D. R. Commander.
 * For conditions of distribution and use, see the accompanying README.ijg
 * file.
 *
@@ -424,14 +424,14 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 (((unsigned int)UCH(array[offset + 2])) << 16) + \
 (((unsigned int)UCH(array[offset + 3])) << 24))

- unsigned int bfOffBits;
- unsigned int headerSize;
+ int bfOffBits;
+ int headerSize;
 int biWidth;
 int biHeight;
 unsigned short biPlanes;
 unsigned int biCompression;
 int biXPelsPerMeter, biYPelsPerMeter;
- unsigned int biClrUsed = 0;
+ int biClrUsed = 0;
 int mapentrysize = 0; /* 0 indicates no colormap */
 int bPad;
 JDIMENSION row_width = 0;
@@ -450,7 +450,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 if (!ReadOK(source->pub.input_file, bmpinfoheader, 4))
 ERREXIT(cinfo, JERR_INPUT_EOF);
 headerSize = GET_4B(bmpinfoheader, 0);
- if (headerSize < 12 || headerSize > 64)
+ if (headerSize < 12 || headerSize > 64 || (headerSize + 14) > bfOffBits)
 ERREXIT(cinfo, JERR_BMP_BADHEADER);
 if (!ReadOK(source->pub.input_file, bmpinfoheader + 4, headerSize - 4))
 ERREXIT(cinfo, JERR_INPUT_EOF);
@@ -522,6 +522,11 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)

 if (biWidth <= 0 || biHeight <= 0)
 ERREXIT(cinfo, JERR_BMP_EMPTY);
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ if (sinfo->max_pixels &&
+ (unsigned long long)biWidth * biHeight > sinfo->max_pixels)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+#endif
 if (biPlanes != 1)
 ERREXIT(cinfo, JERR_BMP_BADPLANES);

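Review bot: The change of `bfOffBits`, `headerSize` and `biClrUsed` from `unsigned int` to `int` in the declaration hunk is undocumented, and it is load-bearing: `GET_4B` yields `unsigned int` (visible in the macro context lines), so a header field with bit 31 set converts to a negative `int` — implementation-defined before C23, though every mainstream compiler wraps — and that negative value is what makes such an offset fail the `< 12` / `> bfOffBits` range checks in the later hunk. A comment on the declarations would keep that from being "fixed" back to unsigned later, e.g. `/* Deliberately signed: GET_4B values with bit 31 set become negative and fail the range checks below */`. How a negative `biClrUsed` is treated by the colormap sizing further down is outside this hunk; worth confirming it is rejected rather than silently clamped. `start_input_bmp` begins before this hunk and continues after it.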
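Review bot: The new `(headerSize + 14) > bfOffBits` clause carries an unexplained literal: `14` is the size of the BITMAPFILEHEADER that precedes the info header, and the addition is only free of overflow because the short-circuit has already confined `headerSize` to 12..64. A comment would keep both facts visible, e.g. `/* 14 = BITMAPFILEHEADER size; pixel data must begin after both headers (a bfOffBits that wrapped negative fails this too) */`. Whether `bfOffBits` also leaves room for the colour map is not decided here and presumably falls to the later `bPad` computation, which this hunk does not show. `start_input_bmp` continues outside the hunk.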
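Review bot: The new `max_pixels` cap is compiled only under `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, and nothing in the hunk says what a zero `max_pixels` means, although the `if (sinfo->max_pixels && ...)` form implies "no limit". A one-line comment above the `#ifdef` would make that contract explicit, e.g. `/* Fuzzing-only cap on biWidth*biHeight; max_pixels == 0 disables it */`. The product itself is safe, since both factors were checked to be positive on the line above and the cast to `unsigned long long` precedes the multiply. `JERR_WIDTH_OVERFLOW` is being reused for a pixel-count limit rather than a width overflow, which may mislead fuzzer triage reading the message; if jerror.h offers nothing closer, the comment should say so.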
@@ -575,7 +580,9 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 cinfo->input_components = 4;
 else
 ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
- row_width = (JDIMENSION)(biWidth * 3);
+ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ row_width = (JDIMENSION)biWidth * 3;
 break;
 case 32:
 if (cinfo->in_color_space == JCS_UNKNOWN)
@@ -586,7 +593,9 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 cinfo->input_components = 4;
 else
 ERREXIT(cinfo, JERR_BAD_IN_COLORSPACE);
- row_width = (JDIMENSION)(biWidth * 4);
+ if ((unsigned long long)biWidth * 4ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
+ row_width = (JDIMENSION)biWidth * 4;
 break;
 default:
 ERREXIT(cinfo, JERR_BMP_BADDEPTH);
@@ -631,7 +640,7 @@ start_input_bmp(j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
 /* Allocate one-row buffer for returned data */
 source->pub.buffer = (*cinfo->mem->alloc_sarray)
 ((j_common_ptr)cinfo, JPOOL_IMAGE,
- (JDIMENSION)(biWidth * cinfo->input_components), (JDIMENSION)1);
+ (JDIMENSION)biWidth * (JDIMENSION)cinfo->input_components, (JDIMENSION)1);
 source->pub.buffer_height = 1;

 cinfo->data_precision = 8;
@@ -668,6 +677,9 @@ jinit_read_bmp(j_compress_ptr cinfo, boolean use_inversion_array)
 /* Fill in method ptrs, except get_pixel_rows which start_input sets */
 source->pub.start_input = start_input_bmp;
 source->pub.finish_input = finish_input_bmp;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ source->pub.max_pixels = 0;
+#endif
 source->use_inversion_array = use_inversion_array;
|
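Review bot: The 24-bit check lets `biWidth * 3` equal exactly `0xFFFFFFFF` (biWidth == 1431655765), and if the 4-byte row padding that I recall following this switch (`while ((row_width & 3) != 0) row_width++;`, not shown in the hunk) is still applied, `row_width` wraps to 0 for that width. A zero row width turns the per-row read into a no-op while the pixel loop still walks `biWidth` pixels, so the bound should leave headroom for the padding: `if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL - 3ULL)`. Whether such a width ever reaches the row reader depends on the compressor's own dimension check downstream, but the reader should not rely on that. The enclosing switch starts before this hunk and ends after it.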
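Review bot: The 32-bit case is now a four-line near-copy of the 24-bit case above it, differing only in the constant, and both spell the JDIMENSION limit as the bare literal `0xFFFFFFFFULL`. A smaller change would have each case record only its bytes-per-pixel and perform the check and multiply once after the switch: `if ((unsigned long long)biWidth * bytes_per_pixel > 0xFFFFFFFFULL) ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);` followed by `row_width = (JDIMENSION)biWidth * bytes_per_pixel;`, which also keeps a future depth from forgetting the check. The unsigned multiply on the new line is fine after the test, assuming JDIMENSION is a 32-bit unsigned type as the `0xFFFFFFFF` bound implies. The enclosing switch begins and ends outside the hunk.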
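Review bot: The rewritten allocation size `(JDIMENSION)biWidth * (JDIMENSION)cinfo->input_components` no longer overflows as signed `int`, but the unsigned product can still wrap: `input_components` is set to 4 in the context of the earlier hunks, and only the 24- and 32-bit paths bound `biWidth * 3` / `biWidth * 4`, so an input depth this commit does not touch (the 8-bit case, as far as the hunks show) can reach this line with a `biWidth` that wraps the one-row buffer size while the row writer later walks the full width. Whether that is reachable before the compressor rejects the width is not decidable from this hunk, but the reader should not depend on it; guard here with `if ((unsigned long long)biWidth * cinfo->input_components > 0xFFFFFFFFULL) ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);` before the `alloc_sarray` call. `start_input_bmp` continues outside the hunk.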