From f457207b57d0e234cf7a174d20a7db424b82173d Mon Sep 17 00:00:00 2001
From: mancha
Date: Fri, 22 Nov 2013
Subject: CVE-2013-6629

get_sos() in jdmarker.c does not check for duplication of component data while reading segments following Start Of Scan (SOS) JPEG markers. This allows remote attackers to obtain sensitive information from uninitialized memory locations via crafted JPEG images.

Adapted from: https://codereview.chromium.org/download/issue31603002_1.diff

---
 jdmarker.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/jdmarker.c
+++ b/jdmarker.c
@@ -347,6 +347,12 @@ get_sos (j_decompress_ptr cinfo)
 TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc, compptr->dc_tbl_no, compptr->ac_tbl_no);
+
+ /* This CSi (cc) should differ from the previous CSi */
+ for (ci = 0; ci < i; ci++) {
+ if (cinfo->cur_comp_info[ci] == compptr)
+ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
+ }
 }
 /* Collect the additional scan parameters Ss, Se, Ah/Al. */
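Review bot: The duplicate-CSi rejection in the added `for` loop reuses JERR_BAD_COMPONENT_ID, which elsewhere in get_sos presumably reports a Csi that matches no frame component, so an error log from a file with a repeated Csi is indistinguishable from one with an unknown id; if a separate message is not wanted, the comment should at least record the choice, e.g. `/* Reject a repeated CSi: a component may appear in a scan only once; reported as a bad component id */`. The check compares `cinfo->cur_comp_info[ci]` by pointer identity, which is only sound because each Csi resolves to a single comp_info entry in the lookup that precedes this hunk — worth a word in the comment so a later change to that lookup does not silently weaken the check. The single-statement `if` body is unbraced; bracing it (`if (cinfo->cur_comp_info[ci] == compptr) {` … `}`) avoids the usual hazard when a second statement is added later. get_sos begins and ends outside the hunk, and the hunk's trailing context appears to be cut off in this view.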