LibGfx: Bounds check component indices before using them in JPGLoader

With this, I don't see any crashes in 10 min of fuzzing (but still get OOMs).
2025-06-01 10:08:10 +00:00 · 2020-11-19 12:42:54 -05:00 · 2020-11-19 12:42:54 -05:00 · 7042490e41
commit 7042490e41
parent a8318b15a7
1 changed files with 6 additions and 0 deletions
--- a/Libraries/LibGfx/JPGLoader.cpp
+++ b/Libraries/LibGfx/JPGLoader.cpp
@ -296,6 +296,12 @@ static bool build_macroblocks(JPGLoadingContext& context, Vector<Macroblock>& ma
 {
    for (u32 cindex = 0; cindex < context.component_count; cindex++) {
        auto& component = context.components[cindex];
+
+        if (component.dc_destination_id >= context.dc_tables.size())
+            return false;
+        if (component.ac_destination_id >= context.ac_tables.size())
+            return false;
+
        for (u8 vfactor_i = 0; vfactor_i < component.vsample_factor; vfactor_i++) {
            for (u8 hfactor_i = 0; hfactor_i < component.hsample_factor; hfactor_i++) {
                u32 mb_index = (vcursor + vfactor_i) * context.mblock_meta.hpadded_count + (hfactor_i + hcursor);