RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 22:57:44 +00:00
Code Issues Activity Actions

LibGfx: Bounds check component indices before using them in JPGLoader

Browse source 
With this, I don't see any crashes in 10 min of fuzzing (but still
get OOMs).
This commit is contained in:
Nico Weber 2020-11-19 12:42:54 -05:00 committed by Andreas Kling
parent a8318b15a7
commit 7042490e41
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Libraries/LibGfx/JPGLoader.cpp
View file

@ -296,6 +296,12 @@ static bool build_macroblocks(JPGLoadingContext& context, Vector<Macroblock>& ma
{ {
for (u32 cindex = 0; cindex < context.component_count; cindex++) { for (u32 cindex = 0; cindex < context.component_count; cindex++) {
auto& component = context.components[cindex]; auto& component = context.components[cindex];
if (component.dc_destination_id >= context.dc_tables.size())
return false;
if (component.ac_destination_id >= context.ac_tables.size())
return false;
for (u8 vfactor_i = 0; vfactor_i < component.vsample_factor; vfactor_i++) { for (u8 vfactor_i = 0; vfactor_i < component.vsample_factor; vfactor_i++) {
for (u8 hfactor_i = 0; hfactor_i < component.hsample_factor; hfactor_i++) { for (u8 hfactor_i = 0; hfactor_i < component.hsample_factor; hfactor_i++) {
u32 mb_index = (vcursor + vfactor_i) * context.mblock_meta.hpadded_count + (hfactor_i + hcursor); u32 mb_index = (vcursor + vfactor_i) * context.mblock_meta.hpadded_count + (hfactor_i + hcursor);