From 7042490e41fe822d2ce12e14cb655a0dddc6d345 Mon Sep 17 00:00:00 2001
From: Nico Weber
Date: Thu, 19 Nov 2020 12:42:54 -0500
Subject: [PATCH] LibGfx: Bounds check component indices before using them in JPGLoader

With this, I don't see any crashes in 10 min of fuzzing (but still get OOMs).
---
 Libraries/LibGfx/JPGLoader.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Libraries/LibGfx/JPGLoader.cpp b/Libraries/LibGfx/JPGLoader.cpp
index 69569322ff..0948bc2a44 100644
--- a/Libraries/LibGfx/JPGLoader.cpp
+++ b/Libraries/LibGfx/JPGLoader.cpp
@@ -296,6 +296,12 @@ static bool build_macroblocks(JPGLoadingContext& context, Vector& ma
 {
     for (u32 cindex = 0; cindex < context.component_count; cindex++) {
         auto& component = context.components[cindex];
+
+        if (component.dc_destination_id >= context.dc_tables.size())
+            return false;
+        if (component.ac_destination_id >= context.ac_tables.size())
+            return false;
+
         for (u8 vfactor_i = 0; vfactor_i < component.vsample_factor; vfactor_i++) {
             for (u8 hfactor_i = 0; hfactor_i < component.hsample_factor; hfactor_i++) {
                 u32 mb_index = (vcursor + vfactor_i) * context.mblock_meta.hpadded_count + (hfactor_i + hcursor);
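Review bot: The two new range checks sit inside the per-component loop of build_macroblocks, so they are re-evaluated for every macroblock group the decoder visits, and a file whose destination ids never name a parsed table is only rejected once pixel decoding starts rather than when the ids are read from the header. Since dc_destination_id and ac_destination_id come straight from the file, the natural place for this validation is the segment parser that stores them, with a single failure there; if that parser is hard to reach from this change, at least a comment on the added lines would record why the check lives here, e.g. `// Destination ids are attacker-controlled; reject any that do not index a parsed Huffman table.`. Note also that comparing against `dc_tables.size()` only proves some table exists at that index — whether the table stored there is the one the component's id refers to depends on how the tables are keyed, which this hunk does not show. build_macroblocks continues past the end of the hunk, so any later uses of these ids are not visible here.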