Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix an integer overflow when decoding DC coefficients #64

Merged
merged 2 commits into from
Dec 29, 2016
Merged

Fix an integer overflow when decoding DC coefficients #64

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
81d7706
Update some comments
kaksmet Dec 29, 2016
b94d4ae
Fix an integer overflow when decoding DC coefficients
kaksmet Dec 29, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 16 additions & 17 deletions src/decoder.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -430,16 +430,15 @@ impl<R: Read> Decoder<R> {
};

if scan.successive_approximation_high == 0 {
let dc_diff = try!(decode_block(&mut self.reader,
coefficients,
&mut huffman,
self.dc_huffman_tables[scan.dc_table_indices[i]].as_ref(),
self.ac_huffman_tables[scan.ac_table_indices[i]].as_ref(),
scan.spectral_selection.clone(),
scan.successive_approximation_low,
&mut eob_run,
dc_predictors[i]));
dc_predictors[i] += dc_diff;
try!(decode_block(&mut self.reader,
coefficients,
&mut huffman,
self.dc_huffman_tables[scan.dc_table_indices[i]].as_ref(),
self.ac_huffman_tables[scan.ac_table_indices[i]].as_ref(),
scan.spectral_selection.clone(),
scan.successive_approximation_low,
&mut eob_run,
&mut dc_predictors[i]));
}
else {
try!(decode_block_successive_approximation(&mut self.reader,
Expand Down Expand Up @@ -526,11 +525,9 @@ fn decode_block<R: Read>(reader: &mut R,
spectral_selection: Range<u8>,
successive_approximation_low: u8,
eob_run: &mut u16,
dc_predictor: i16) -> Result<i16> {
dc_predictor: &mut i16) -> Result<()> {
debug_assert_eq!(coefficients.len(), 64);

let mut dc_diff = 0;

if spectral_selection.start == 0 {
// Section F.2.2.1
// Figure F.12
Expand All @@ -548,15 +545,17 @@ fn decode_block<R: Read>(reader: &mut R,
},
};

coefficients[0] = (dc_predictor + diff) << successive_approximation_low;
dc_diff = diff;
// Malicious JPEG files can cause this add to overflow, therefore we use wrapping_add.
// One example of such a file is tests/crashtest/images/dc-predictor-overflow.jpg
*dc_predictor = dc_predictor.wrapping_add(diff);
coefficients[0] = *dc_predictor << successive_approximation_low;
}

let mut index = cmp::max(spectral_selection.start, 1);

if index < spectral_selection.end && *eob_run > 0 {
*eob_run -= 1;
return Ok(dc_diff);
return Ok(());
}

// Section F.1.2.2.1
Expand Down Expand Up @@ -603,7 +602,7 @@ fn decode_block<R: Read>(reader: &mut R,
}
}

Ok(dc_diff)
Ok(())
}

fn decode_block_successive_approximation<R: Read>(reader: &mut R,
Expand Down
2 changes: 1 addition & 1 deletion src/idct.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
// Malicious JPEG files can cause operations in the idct to overflow.
// One example is tests/crashtest/imagetestsuite/b0b8914cc5f7a6eff409f16d8cc236c5.jpg
// One example is tests/crashtest/images/imagetestsuite/b0b8914cc5f7a6eff409f16d8cc236c5.jpg
// That's why wrapping operators are needed.

// This is based on stb_image's 'stbi__idct_block'.
Expand Down
9 changes: 5 additions & 4 deletions tests/crashtest/images/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# File sources
File | Source
------------------| ------
imagetestsuite/ | The files in this directory were taken from https://code.google.com/p/imagetestsuite/
missing-sof.jpg | Found by frewsxcv when fuzz testing
File | Source
--------------------------| ------
imagetestsuite/ | The files in this directory were taken from https://code.google.com/p/imagetestsuite/
dc-predictor-overflow.jpg | Found by Wim Looman (@Nemo157) while fuzzing
missing-sof.jpg | Found by Corey Farwell (@frewsxcv) when fuzz testing
Binary file added tests/crashtest/images/dc-predictor-overflow.jpg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.