Commit 43004e3399d24d45b3df0056b463ae9d9322a679
1 parent
e76d6682
Fix Pl_DCT memory limit
Showing
1 changed file
with
8 additions
and
2 deletions
libqpdf/Pl_DCT.cc
| ... | ... | @@ -320,12 +320,18 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b) |
| 320 | 320 | |
| 321 | 321 | (void)jpeg_read_header(cinfo, TRUE); |
| 322 | 322 | if (throw_on_corrupt_data && cinfo->err->num_warnings > 0) { |
| 323 | + // err->num_warnings is the number of corrupt data warnings emitted. | |
| 324 | + // err->msg_code could also be the code of an informational message. | |
| 323 | 325 | throw std::runtime_error("Pl_DCT::decompress: JPEG data is corrupt"); |
| 324 | 326 | } |
| 325 | 327 | (void)jpeg_calc_output_dimensions(cinfo); |
| 326 | 328 | unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components); |
| 327 | - // err->num_warnings is the number of corrupt data warnings emitted. | |
| 328 | - // err->msg_code could also be the code of an informational message. | |
| 329 | + if (memory_limit > 0 && | |
| 330 | + width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) { | |
| 331 | + // Even if jpeglib does not run out of memory, qpdf will while buffering thye data before | |
| 332 | + // writing it. | |
| 333 | + throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit"); | |
| 334 | + } | |
| 329 | 335 | JSAMPARRAY buffer = |
| 330 | 336 | (*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1); |
| 331 | 337 | ... | ... |