|
|
@@ -1063,6 +1063,23 @@ static void *stbi__malloc_mad4(int a, int b, int c, int d, int add)
|
|
|
}
|
|
|
#endif
|
|
|
|
|
|
+// returns 1 if the sum of two signed ints is valid (between -2^31 and 2^31-1 inclusive), 0 on overflow.
|
|
|
+static int stbi__addints_valid(int a, int b)
|
|
|
+{
|
|
|
+ if ((a >= 0) != (b >= 0)) return 1; // a and b have different signs, so no overflow
|
|
|
+ if (a < 0 && b < 0) return a >= INT_MIN - b; // same as a + b >= INT_MIN; INT_MIN - b cannot overflow since b < 0.
|
|
|
+ return a <= INT_MAX - b;
|
|
|
+}
|
|
|
+
|
|
|
+// returns 1 if the product of two signed shorts is valid, 0 on overflow.
|
|
|
+static int stbi__mul2shorts_valid(short a, short b)
|
|
|
+{
|
|
|
+ if (b == 0 || b == -1) return 1; // multiplication by 0 is always 0; check for -1 so SHRT_MIN/b doesn't overflow
|
|
|
+ if ((a >= 0) == (b >= 0)) return a <= SHRT_MAX/b; // product is positive, so similar to mul2sizes_valid
|
|
|
+ if (b < 0) return a <= SHRT_MIN / b; // same as a * b >= SHRT_MIN
|
|
|
+ return a >= SHRT_MIN / b;
|
|
|
+}
|
|
|
+
|
|
|
// stbi__err - error
|
|
|
// stbi__errpf - error returning pointer to float
|
|
|
// stbi__errpuc - error returning pointer to unsigned char
|
|
|
@@ -2135,6 +2152,7 @@ stbi_inline static int stbi__extend_receive(stbi__jpeg *j, int n)
|
|
|
unsigned int k;
|
|
|
int sgn;
|
|
|
if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
|
|
|
+ if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
|
|
|
sgn = j->code_buffer >> 31; // sign bit always in MSB; 0 if MSB clear (positive), 1 if MSB set (negative)
|
|
|
k = stbi_lrot(j->code_buffer, n);
|
|
|
@@ -2149,6 +2167,7 @@ stbi_inline static int stbi__jpeg_get_bits(stbi__jpeg *j, int n)
|
|
|
{
|
|
|
unsigned int k;
|
|
|
if (j->code_bits < n) stbi__grow_buffer_unsafe(j);
|
|
|
+ if (j->code_bits < n) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
k = stbi_lrot(j->code_buffer, n);
|
|
|
j->code_buffer = k & ~stbi__bmask[n];
|
|
|
k &= stbi__bmask[n];
|
|
|
@@ -2160,6 +2179,7 @@ stbi_inline static int stbi__jpeg_get_bit(stbi__jpeg *j)
|
|
|
{
|
|
|
unsigned int k;
|
|
|
if (j->code_bits < 1) stbi__grow_buffer_unsafe(j);
|
|
|
+ if (j->code_bits < 1) return 0; // ran out of bits from stream, return 0s intead of continuing
|
|
|
k = j->code_buffer;
|
|
|
j->code_buffer <<= 1;
|
|
|
--j->code_bits;
|
|
|
@@ -2197,8 +2217,10 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
|
|
|
memset(data,0,64*sizeof(data[0]));
|
|
|
|
|
|
diff = t ? stbi__extend_receive(j, t) : 0;
|
|
|
+ if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta","Corrupt JPEG");
|
|
|
dc = j->img_comp[b].dc_pred + diff;
|
|
|
j->img_comp[b].dc_pred = dc;
|
|
|
+ if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
|
|
data[0] = (short) (dc * dequant[0]);
|
|
|
|
|
|
// decode AC components, see JPEG spec
|
|
|
@@ -2212,6 +2234,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
|
|
|
if (r) { // fast-AC path
|
|
|
k += (r >> 4) & 15; // run
|
|
|
s = r & 15; // combined length
|
|
|
+ if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
|
|
|
j->code_buffer <<= s;
|
|
|
j->code_bits -= s;
|
|
|
// decode into unzigzag'd location
|
|
|
@@ -2251,8 +2274,10 @@ static int stbi__jpeg_decode_block_prog_dc(stbi__jpeg *j, short data[64], stbi__
|
|
|
if (t < 0 || t > 15) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
|
|
diff = t ? stbi__extend_receive(j, t) : 0;
|
|
|
|
|
|
+ if (!stbi__addints_valid(j->img_comp[b].dc_pred, diff)) return stbi__err("bad delta", "Corrupt JPEG");
|
|
|
dc = j->img_comp[b].dc_pred + diff;
|
|
|
j->img_comp[b].dc_pred = dc;
|
|
|
+ if (!stbi__mul2shorts_valid(dc, 1 << j->succ_low)) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
|
|
data[0] = (short) (dc * (1 << j->succ_low));
|
|
|
} else {
|
|
|
// refinement scan for DC coefficient
|
|
|
@@ -2287,8 +2312,8 @@ static int stbi__jpeg_decode_block_prog_ac(stbi__jpeg *j, short data[64], stbi__
|
|
|
if (r) { // fast-AC path
|
|
|
k += (r >> 4) & 15; // run
|
|
|
s = r & 15; // combined length
|
|
|
+ if (s > j->code_bits) return stbi__err("bad huffman code", "Combined length longer than code bits available");
|
|
|
j->code_buffer <<= s;
|
|
|
- if (s > j->code_bits) return stbi__err("bad huffman code","Combined length longer than code bits available");
|
|
|
j->code_bits -= s;
|
|
|
zig = stbi__jpeg_dezigzag[k++];
|
|
|
data[zig] = (short) ((r >> 8) * (1 << shift));
|
Neil Bickford