Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Prevent overread when decoding malformed JPEG
The accelerated Huffman decoder was previously invoked if there were > 128 bytes in the input buffer. However, it is possible to construct a JPEG image with Huffman blocks > 430 bytes in length (http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size). While such images are pathological and could never be created by a JPEG compressor, it is conceivable that an attacker could use such an artifially-constructed image to trigger an input buffer overrun in the libjpeg-turbo decompressor and thus gain access to some of the data on the calling program's heap. This patch simply increases the minimum buffer size for the accelerated Huffman decoder to 512 bytes, which should (hopefully) accommodate any possible input. This addresses a major issue (LJT-01-005) identified in a security audit by Cure53.
- Loading branch information