From 0e2bca0744feaf74509818f950120dceff8e28d0 Mon Sep 17 00:00:00 2001 From: DRC Date: Fri, 15 Dec 2017 20:37:02 -0600 Subject: [PATCH] jdarith.c: Fix two signed integer overflows I guess I have to fix these, or Google Autofuzz is going to keep bugging me about them. Fixes #171 Fixes #197 Fixes #198 --- ChangeLog.md | 10 ++++++++++ jdarith.c | 6 +++--- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index f5fe44bf8..e44ddc899 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,3 +1,13 @@ +1.5.4 +===== + +1. Fixed two signed integer overflows in the arithmetic decoder, detected by +the Clang undefined behavior sanitizer, that could be triggered by attempting +to decompress a specially-crafted malformed JPEG image. These issues did not +pose a security threat, but removing the warnings makes it easier to detect +actual security issues, should they arise in the future. + + 1.5.3 ===== diff --git a/jdarith.c b/jdarith.c index ce0f92095..0f560f65a 100644 --- a/jdarith.c +++ b/jdarith.c @@ -4,7 +4,7 @@ * This file was part of the Independent JPEG Group's software: * Developed 1997-2015 by Guido Vollbeding. * libjpeg-turbo Modifications: - * Copyright (C) 2015-2016, D. R. Commander. + * Copyright (C) 2015-2017, D. R. Commander. * For conditions of distribution and use, see the accompanying README.ijg * file. * @@ -306,7 +306,7 @@ decode_mcu_DC_first (j_decompress_ptr cinfo, JBLOCKROW *MCU_data) while (m >>= 1) if (arith_decode(cinfo, st)) v |= m; v += 1; if (sign) v = -v; - entropy->last_dc_val[ci] += v; + entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff; } /* Scale and output the DC coefficient (assumes jpeg_natural_order[0]=0) */ @@ -564,7 +564,7 @@ decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data) while (m >>= 1) if (arith_decode(cinfo, st)) v |= m; v += 1; if (sign) v = -v; - entropy->last_dc_val[ci] += v; + entropy->last_dc_val[ci] = (entropy->last_dc_val[ci] + v) & 0xffff; } if (block)