From f1322acf6cdc8c25db0075d7d32dc2f25ed9d477 Mon Sep 17 00:00:00 2001
From: DRC <email@example.com>
Date: Tue, 12 Jun 2018 20:27:00 -0500
Subject: [PATCH] rdbmp.c: Fix FPE triggered by malformed BMP
In rdbmp.c, it is necessary to guard against 32-bit overflow/wraparound
when allocating the row buffer, because since BMP files have 32-bit
width and height fields, the value of biWidth can be up to 4294967295.
Specifically, high values of biWidth could cause the samplesperrow
argument in alloc_sarray() to wrap around to 0, triggering a division by
zero error at line 460 in jmemmgr.c, or to wrap around to a small
number, likely triggering a buffer overflow.
This fix is not documented in the change log for this branch, because
the bug was exposed using the tjLoadImage() function in the 2.0.x
branch. However, it is posited that the issue could be triggered using
TJBench in this branch.
rdbmp.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rdbmp.c b/rdbmp.c
index eaa7086..6b73f7c 100644
@@ -6,7 +6,7 @@
* Modified 2009-2010 by Guido Vollbeding.
* libjpeg-turbo Modifications:
* Modified 2011 by Siarhei Siamashka.
- * Copyright (C) 2015, D. R. Commander.
+ * Copyright (C) 2015, 2018, D. R. Commander.
* For conditions of distribution and use, see the accompanying README.ijg
@@ -434,6 +434,11 @@ start_input_bmp (j_compress_ptr cinfo, cjpeg_source_ptr sinfo)
progress->total_extra_passes++; /* count file input as separate pass */
+ /* Ensure that biWidth * 3 doesn't exceed the maximum value of the
+ JDIMENSION type. This is only a danger with BMP files, since their width
+ and height fields are 32-bit integers. */
+ if ((unsigned long long)biWidth * 3ULL > 0xFFFFFFFFULL)
+ ERREXIT(cinfo, JERR_WIDTH_OVERFLOW);
/* Allocate one-row buffer for returned data */
source->pub.buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE,