packjpg / packJPG

A compression program for further compressing JPEG image files
http://packjpg.encode.ru/
GNU Lesser General Public License v3.0

Memory read out of bounds on invalid jpg #23

Open schnaader opened 5 years ago

schnaader commented 5 years ago

(Original issue and AddressSanitizer details here)

When processing this testfile (Google Drive Link), an invalid pointer will be assigned to qtable here:

https://github.com/packjpg/packJPG/blob/59e8d45d463cfab96155ffccb77b1207b18c614b/source/packjpg.cpp#L3779

The value of segment[hpos + 2] is 64 here which is way beyond the range 0..3 of the first dimension of qtables:

https://github.com/packjpg/packJPG/blob/59e8d45d463cfab96155ffccb77b1207b18c614b/source/packjpg.cpp#L547

The access to the pointer address happens here:

https://github.com/packjpg/packJPG/blob/59e8d45d463cfab96155ffccb77b1207b18c614b/source/packjpg.cpp#L3530

schnaader commented 5 years ago

In Precomp, I used this fix:

// Tq (the component's quantization table selector) must be a valid index into qtables[4]
if (segment[hpos + 2] >= 0 && segment[hpos + 2] < 4) {
    cmpnfo[cmp].qtable = qtables[segment[hpos + 2]];
}

This leaves cmpnfo[cmp].qtable at NULL for invalid indices, so the header check will fail without reading from an invalid memory address.
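As an added illustration of the bounds check discussed above (example code, not packJPG's or Precomp's own), the following C parser walks the component list of a JPEG SOF segment and rejects the whole segment when any Tq selector is outside 0..3, so no component can receive a pointer computed from an unchecked index. The function and struct names and the two constructed segment bodies are assumptions for this example; the second body carries Tq = 64, the value seen in the issue.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define QTABLE_COUNT 4      /* JPEG table selectors Tq range over 0..3 */
#define MAX_COMPONENTS 4    /* Nf in a SOF segment is at most 4 */

/* Stand-in for packJPG's qtables[4][64]; an out-of-range Tq would index past it. */
static uint16_t qtables[QTABLE_COUNT][64];

struct component { int id, sfh, sfv; const uint16_t *qtable; };

/* Parse a SOF segment body (bytes after the 2-byte length field):
 * P(1) Y(2) X(2) Nf(1), then Nf times { C(1), H|V(1), Tq(1) }.
 * Returns Nf on success, -1 if the body is truncated or any Tq is not in 0..3,
 * so no component ever receives a pointer derived from an unchecked index. */
int parse_sof_components(const uint8_t *seg, size_t len, struct component *out)
{
    if (len < 6) return -1;
    int ncomp = seg[5];
    if (ncomp < 1 || ncomp > MAX_COMPONENTS) return -1;
    if (len < 6 + (size_t)ncomp * 3) return -1;
    for (int cmp = 0; cmp < ncomp; cmp++) {
        size_t hpos = 6 + (size_t)cmp * 3;
        unsigned tq = seg[hpos + 2];
        if (tq >= QTABLE_COUNT) return -1;   /* bounds check before the table lookup */
        out[cmp].id = seg[hpos];
        out[cmp].sfh = seg[hpos + 1] >> 4;
        out[cmp].sfv = seg[hpos + 1] & 0x0F;
        out[cmp].qtable = qtables[tq];
    }
    return ncomp;
}

/* Constructed SOF0 bodies (not the issue's testfile): 8-bit, 16x16, 3 components. */
static const uint8_t sof_ok[]  = {8, 0,16, 0,16, 3, 1,0x22,0, 2,0x11,1, 3,0x11,1};
static const uint8_t sof_bad[] = {8, 0,16, 0,16, 3, 1,0x22,0, 2,0x11,1, 3,0x11,64};

/* Parse one of the constructed bodies: 0 selects the valid one, 1 the Tq = 64 one. */
int parse_demo(int use_bad_tq)
{
    struct component c[MAX_COMPONENTS];
    const uint8_t *seg = use_bad_tq ? sof_bad : sof_ok;
    size_t len = use_bad_tq ? sizeof sof_bad : sizeof sof_ok;
    return parse_sof_components(seg, len, c);
}

int main(void)
{
    printf("valid SOF: %d components\n", parse_demo(0));
    printf("Tq = 64:   %d (segment rejected)\n", parse_demo(1));
    return 0;
}
```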