Commit 9ffa20142238c8b6e4a0b9fc3f95fd4750ee771b

Authored by m-holger
Committed by GitHub
2 parents 55216955 43004e33

Merge pull request #1234 from m-holger/dct_fuzz

Fix Pl_DCT memory limit
Showing 1 changed file with 8 additions and 2 deletions
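--- a/libqpdf/Pl_DCT.cc
+++ b/libqpdf/Pl_DCT.cc
@@ -320,12 +320,18 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
 
 (void)jpeg_read_header(cinfo, TRUE);
 if (throw_on_corrupt_data && cinfo->err->num_warnings > 0) {
+// err->num_warnings is the number of corrupt data warnings emitted.
+// err->msg_code could also be the code of an informational message.
 throw std::runtime_error("Pl_DCT::decompress: JPEG data is corrupt");
 }
 (void)jpeg_calc_output_dimensions(cinfo);
 unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
-// err->num_warnings is the number of corrupt data warnings emitted.
-// err->msg_code could also be the code of an informational message.
+if (memory_limit > 0 &&
+width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) {
+// Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
+// writing it.
+throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
+}
 JSAMPARRAY buffer =
 (*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1);
 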
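Review bot: The new limit check on new-side lines 329–334 divides by `2U * cinfo->output_height` without saying what the factor of two accounts for, and the comment just above the throw misspells "thye"; together they make the threshold hard to audit later. I would fix the typo and extend the comment with one line stating what the divisor's factor of 2 represents (headroom for jpeglib's own allocations, an output copy, or whatever the author intended — the hunk does not show it). The division is only safe if `cinfo->output_height` is non-zero here; libjpeg's header parsing presumably rejects empty images through the error handler before this point, but that is not visible in the hunk, so a self-contained guard `cinfo->output_height > 0 &&` ahead of the division would cost nothing. The type of `memory_limit` is not shown; if it is wider than `unsigned long` on some targets, the `static_cast<unsigned long>` narrows the limit before the comparison, which is worth confirming. `Pl_DCT::decompress` starts before and continues after this hunk.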