authorChong Zhang <chz@google.com>2020-02-14 00:57:28 +0000
committerChong Zhang <chz@google.com>2020-02-14 00:57:28 +0000
commitd5973796ceb6e4f4f98c60cc7ed81d12ae1c59a7 (patch)
tree493e9b4abbf166a2dcd0613e0941ff88bb88903d
parent89330bce50a357e32dd12e28363cd7dc64f1924c (diff)
parent956052dd8b29293f117791e2c0d820ad5a6c55fd (diff)
downloadlibyuv-d5973796ceb6e4f4f98c60cc7ed81d12ae1c59a7.tar.gz
Cherry-pick security fix for skip_input_data am: 956052dd8b
Change-Id: I302b3168c756b05c0ece74d42091378406464014
-rw-r--r--files/source/mjpeg_decoder.cc10
-rw-r--r--files/source/mjpeg_validate.cc3
-rw-r--r--files/unit_test/convert_test.cc6
3 files changed, 17 insertions, 2 deletions
diff --git a/files/source/mjpeg_decoder.cc b/files/source/mjpeg_decoder.cc
index b43c008b..3acf9563 100644
--- a/files/source/mjpeg_decoder.cc
+++ b/files/source/mjpeg_decoder.cc
@@ -427,7 +427,15 @@ boolean fill_input_buffer(j_decompress_ptr cinfo) {
}
void skip_input_data(j_decompress_ptr cinfo, long num_bytes) { // NOLINT
- cinfo->src->next_input_byte += num_bytes;
+ jpeg_source_mgr* src = cinfo->src;
+ size_t bytes = static_cast<size_t>(num_bytes);
+ if(bytes > src->bytes_in_buffer) {
+ src->next_input_byte = nullptr;
+ src->bytes_in_buffer = 0;
+ } else {
+ src->next_input_byte += bytes;
+ src->bytes_in_buffer -= bytes;
+ }
}
void term_source(j_decompress_ptr cinfo) {
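Review bot: A zero or negative `num_bytes` is not handled explicitly in `skip_input_data`: `static_cast<size_t>(num_bytes)` turns a negative value into a very large one, so the call takes the `bytes > src->bytes_in_buffer` branch and ends the input, where libjpeg's stock source managers treat a non-positive skip as a no-op. That is memory-safe, but the intent is implicit; an early `if (num_bytes <= 0) return;` before the cast would state it. The exhausted branch leaves `next_input_byte` as `nullptr` with `bytes_in_buffer = 0`, which relies on `fill_input_buffer` (its body is above this hunk) to signal end of data without dereferencing the pointer; a short comment such as `// Skip past end of buffer: mark source empty so the decoder stops reading.` would record that. Separately, `if(bytes` is missing the space after `if` that the other files in this commit use.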
diff --git a/files/source/mjpeg_validate.cc b/files/source/mjpeg_validate.cc
index 1a17dd72..cc38b99a 100644
--- a/files/source/mjpeg_validate.cc
+++ b/files/source/mjpeg_validate.cc
@@ -47,7 +47,8 @@ LIBYUV_BOOL ValidateJpeg(const uint8* sample, size_t sample_size) {
// ERROR: Invalid jpeg size: sample_size
return LIBYUV_FALSE;
}
- if (sample[0] != 0xff || sample[1] != 0xd8) { // SOI marker
+ // SOI marker
+ if (sample[0] != 0xff || sample[1] != 0xd8 || sample[2] != 0xff) {
// ERROR: Invalid jpeg initial start code
return LIBYUV_FALSE;
}
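Review bot: The new `sample[2]` read depends on the size check just above having already rejected buffers shorter than three bytes; that condition is outside this hunk, so confirm the minimum it enforces covers index 2. The `// SOI marker` comment now sits over a condition that tests more than the SOI itself; something like `// SOI marker (0xff 0xd8) followed by the 0xff that begins the next marker` would explain why the third byte is checked. `ValidateJpeg` starts above and continues below this hunk.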
diff --git a/files/unit_test/convert_test.cc b/files/unit_test/convert_test.cc
index 41564351..3e2eea85 100644
--- a/files/unit_test/convert_test.cc
+++ b/files/unit_test/convert_test.cc
@@ -1274,6 +1274,7 @@ TEST_F(LibYUVConvertTest, ValidateJpeg) {
// EOI, SOI. Expect pass.
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
orig_pixels[kSize - kOff + 0] = 0xff;
orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.
for (int times = 0; times < benchmark_iterations_; ++times) {
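Review bot: These fixture updates keep the existing tests passing, but nothing here exercises either behaviour the commit introduces. There is no case with a valid SOI in bytes 0–1 and a third byte other than 0xff, e.g. `orig_pixels[2] = 0x00;` with the EOI still in place and `EXPECT_FALSE(ValidateJpeg(orig_pixels, kSize));`. Likewise, as far as these hunks show, no test drives the decoder with a segment length that makes `skip_input_data` skip past the end of the buffer. The same one-line change repeats in the ValidateJpegLarge, InvalidateJpeg, FuzzJpeg, MJPGToI420 and MJPGToARGB hunks, so this applies to all of them. Each test body starts and ends outside its hunk.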
@@ -1300,6 +1301,7 @@ TEST_F(LibYUVConvertTest, ValidateJpegLarge) {
// EOI, SOI. Expect pass.
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
orig_pixels[kSize - kOff + 0] = 0xff;
orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.
for (int times = 0; times < benchmark_iterations_; ++times) {
@@ -1333,6 +1335,7 @@ TEST_F(LibYUVConvertTest, InvalidateJpeg) {
// SOI but no EOI. Expect fail.
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
for (int times = 0; times < benchmark_iterations_; ++times) {
EXPECT_FALSE(ValidateJpeg(orig_pixels, kSize));
}
@@ -1357,6 +1360,7 @@ TEST_F(LibYUVConvertTest, FuzzJpeg) {
// Add SOI so frame will be scanned.
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
orig_pixels[kSize - 1] = 0xff;
ValidateJpeg(orig_pixels, kSize); // Failure normally expected.
free_aligned_buffer_page_end(orig_pixels);
@@ -1381,6 +1385,7 @@ TEST_F(LibYUVConvertTest, MJPGToI420) {
memset(orig_pixels, 0, kSize);
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
orig_pixels[kSize - kOff + 0] = 0xff;
orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.
@@ -1414,6 +1419,7 @@ TEST_F(LibYUVConvertTest, MJPGToARGB) {
memset(orig_pixels, 0, kSize);
orig_pixels[0] = 0xff;
orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
orig_pixels[kSize - kOff + 0] = 0xff;
orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.