CImageLoaderJPG: protect size calculation from overflow by rejecting huge dimensions

sfan5 2021-09-14 20:02:40 +02:00
parent 713471e9a2
commit 594de99153

@ -221,11 +221,15 @@ IImage* CImageLoaderJPG::loadImage(io::IReadFile* file) const
cinfo.output_gamma=2.2; cinfo.output_gamma=2.2;
cinfo.do_fancy_upsampling=FALSE; cinfo.do_fancy_upsampling=FALSE;
// reject unreasonable sizes (4 * 32000 * 32000 is just under U32_MAX)
if (cinfo.image_width > 32000 || cinfo.image_height > 32000)
longjmp(jerr.setjmp_buffer, 1);
// Start decompressor // Start decompressor
jpeg_start_decompress(&cinfo); jpeg_start_decompress(&cinfo);
// Get image data // Get image data
u16 rowspan = cinfo.image_width * cinfo.out_color_components; u32 rowspan = cinfo.image_width * cinfo.out_color_components;
u32 width = cinfo.image_width; u32 width = cinfo.image_width;
u32 height = cinfo.image_height; u32 height = cinfo.image_height;
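Review bot: The new dimension check ahead of `jpeg_start_decompress` leaves through a bare `longjmp(jerr.setjmp_buffer, 1)` and records nothing, so a file refused for its size looks the same as any other decode failure. A log line before the jump, for example `os::Printer::log("JPEG dimensions exceed loader limit", file->getFileName(), ELL_ERROR);`, would make the rejection diagnosable, assuming the loader's usual logging helper is in scope here. The 32000 bound also only rules out u32 wrap-around: a header declaring 32000 x 32000 still passes and leads to a multi-gigabyte buffer request further down, outside this hunk, so confirm that allocation failure is handled there or pick a lower cap. Naming the limit as a constant next to the comment would keep the "4 bytes per pixel" assumption in one place. loadImage starts and ends outside the hunk.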