blob: 37c267a1dfca2337ff1858ffdc8111ed5b3e5e22
From f457207b57d0e234cf7a174d20a7db424b82173d Mon Sep 17 00:00:00 2001
From: mancha <mancha1@hush.com>
Date: Fri, 22 Nov 2013
Subject: CVE-2013-6629
get_sos() in jdmarker.c does not check for duplication of component data
while reading segments following Start Of Scan (SOS) JPEG markers. This
allows remote attackers to obtain sensitive information from uninitialized
memory locations via crafted JPEG images.
Adapted from:
https://codereview.chromium.org/download/issue31603002_1.diff
---
jdmarker.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/jdmarker.c
+++ b/jdmarker.c
@@ -347,6 +347,12 @@ get_sos (j_decompress_ptr cinfo)
TRACEMS3(cinfo, 1, JTRC_SOS_COMPONENT, cc,
compptr->dc_tbl_no, compptr->ac_tbl_no);
+
+ /* This CSi (cc) should differ from the previous CSi */
+ for (ci = 0; ci < i; ci++) {
+ if (cinfo->cur_comp_info[ci] == compptr)
+ ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc);
+ }
}
/* Collect the additional scan parameters Ss, Se, Ah/Al. */
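Review bot: In the loop added to get_sos(), the comment says the CSi should differ from "the previous CSi", but `for (ci = 0; ci < i; ci++)` compares against every component already stored for this scan, so the comment should say "all earlier CSi in this scan". The test is a pointer comparison (`cinfo->cur_comp_info[ci] == compptr`), which matches a comparison of component ids only if each id resolves to a single compptr. That lookup is outside the visible lines, so a short note stating the assumption would help the next reader. The check also sits after the TRACEMS3 call, so a repeated component is traced before it is rejected, and moving the loop above the trace would fail earlier. The error reuses JERR_BAD_COMPONENT_ID, which will read as an unknown id rather than a duplicate one in the decoder's output. A regression test with a scan header that repeats a component selector would confirm that ERREXIT1 fires.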