GreycLab / CImg

The CImg Library is a small and open-source C++ toolkit for image processing
http://cimg.eu

Addresses issue #415 #424

Closed AlexSutila closed 3 weeks ago

AlexSutila commented 3 weeks ago

Hello,

The only change follows what I described in my comment under the issue. To summarize, for 32-bit it is possible to purposefully tamper with certain jpg header fields, leading to the size of a heap allocation being miscalculated due to integer overflow.

All this change does is use the existing CImg::safe_size() to throw an exception in case the calculations performed using the relevant cinfo fields lead to an integer overflow. This will consequently prevent the crash I was able to produce from happening with the provided use_jpeg_buffer.cpp example, and the possibility of heap corruption caused by out-of-bounds memory access.

Thanks!
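The failure mode described above, as an added example that is not CImg's code and not the PR's diff: it models the 32-bit wraparound of a width × height × channels product and, beside it, the overflow-checked computation that throws before any allocation is made. The `HeaderFields` struct is a constructed stand-in for the decoder fields a JPEG loader reads (in libjpeg these are `output_width`, `output_height` and `output_components` on the `jpeg_decompress_struct`); `checked_size`, `size_or_throw`, `would_reject` and the `kSizeMax*` constants are assumed names for this illustration, not CImg's `safe_size()`. The `limit` parameter lets a 64-bit build reproduce what a 32-bit `size_t` would do.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>

// Constructed stand-in for the decoder fields the buffer size is derived from.
// In a real loader these values come straight from an untrusted file header.
struct HeaderFields {
    unsigned int width;
    unsigned int height;
    unsigned int channels;
};

// The unchecked computation as it behaves on a 32-bit target: each product is
// reduced modulo 2^32, so a crafted header can produce a small, plausible
// looking byte count and therefore an undersized heap allocation.
std::uint32_t wrapped_size32(const HeaderFields &h) {
    std::uint32_t n = h.width;
    n = static_cast<std::uint32_t>(n * h.height);    // may wrap
    n = static_cast<std::uint32_t>(n * h.channels);  // may wrap again
    return n;
}

// Overflow-checked product. `limit` models the largest value size_t can hold
// on the target (2^32-1 on 32-bit, 2^64-1 on 64-bit). The test
// `acc > limit / d` runs before each multiplication, so the check itself
// can never overflow. Returns false if the true product exceeds `limit`.
bool checked_size(const HeaderFields &h, std::uint64_t limit, std::uint64_t &out) {
    const unsigned int dims[3] = {h.width, h.height, h.channels};
    std::uint64_t acc = 1;
    for (unsigned int d : dims) {
        if (d != 0 && acc > limit / d) return false;  // acc * d would exceed limit
        acc *= d;                                      // a zero dimension yields 0, not overflow
    }
    out = acc;
    return true;
}

constexpr std::uint64_t kSizeMax32 = 0xFFFFFFFFull;
constexpr std::uint64_t kSizeMax64 = 0xFFFFFFFFFFFFFFFFull;

// Mirrors the intent of the fix: refuse to proceed when the size is not
// representable, so no undersized buffer is ever handed to the row-writing
// loop of the decoder.
std::uint64_t size_or_throw(const HeaderFields &h, std::uint64_t limit) {
    std::uint64_t n = 0;
    if (!checked_size(h, limit, n))
        throw std::overflow_error("image dimensions overflow size_t");
    return n;
}

// Yes/no form of the same check, for callers that only need to know
// whether a header would be rejected on a target with the given limit.
bool would_reject(const HeaderFields &h, std::uint64_t limit) {
    std::uint64_t ignored = 0;
    return !checked_size(h, limit, ignored);
}

int main() {
    // Constructed header: 70000 x 70000 x 3 = 14,700,000,000 bytes of pixels.
    const HeaderFields crafted{70000u, 70000u, 3u};

    // Unchecked 32-bit arithmetic reports 1815098112 bytes (about 1.7 GB),
    // which would be allocated and then overrun by 14.7 GB of decoded rows.
    std::printf("wrapped 32-bit size: %u\n", wrapped_size32(crafted));

    // The checked version rejects the header on a 32-bit target ...
    std::printf("rejected on 32-bit: %s\n", would_reject(crafted, kSizeMax32) ? "yes" : "no");

    // ... and returns the true byte count on a 64-bit target.
    std::printf("true size on 64-bit: %llu\n",
                static_cast<unsigned long long>(size_or_throw(crafted, kSizeMax64)));

    // An ordinary image passes on both.
    const HeaderFields normal{1920u, 1080u, 3u};
    std::printf("1920x1080x3 on 32-bit: %llu\n",
                static_cast<unsigned long long>(size_or_throw(normal, kSizeMax32)));
    return 0;
}
```

The division-based check is deliberately chosen over computing the product in a wider type and comparing afterwards: it stays correct even when no wider type is available (a 64-bit `size_t` product has no 128-bit fallback on many toolchains), and it makes the rejection happen before the allocation request is formed, which is the property the PR's use of `safe_size()` relies on.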

dtschump commented 3 weeks ago

Thanks!