Prevent overread when decoding malformed JPEG
The accelerated Huffman decoder was previously invoked if there were
> 128 bytes in the input buffer. However, it is possible to construct a
JPEG image with Huffman blocks > 430 bytes in length
(http://stackoverflow.com/questions/2734678/jpeg-calculating-max-size).
While such images are pathological and could never be created by a
JPEG compressor, it is conceivable that an attacker could use such an
artifially-constructed image to trigger an input buffer overrun in the
libjpeg-turbo decompressor and thus gain access to some of the data on
the calling program's heap.
This patch simply increases the minimum buffer size for the accelerated
Huffman decoder to 512 bytes, which should (hopefully) accommodate any
possible input.
This addresses a major issue (LJT-01-005) identified in a security audit
by Cure53.
Cherry picked from upstream:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/0463f7c9aad060fcd56e98d025ce16185279e2bc
BUG:27494207
BUG:27480923
Change-Id: I94876fecafa8b7d7f31734cb21d2ca0f382802ec
diff --git a/ChangeLog.txt b/ChangeLog.txt
index 5f9db11..5648b50 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -422,6 +422,15 @@
libjpeg-turbo binary package for OS X, so that those libraries can be used to
build applications that leverage the faster CPUs in the iPhone 5 and iPad 4.
+[11] Fixed an issue in the accelerated Huffman decoder that could have caused
+the decoder to read past the end of the input buffer when a malformed,
+specially-crafted JPEG image was being decompressed. In prior versions of
+libjpeg-turbo, the accelerated Huffman decoder was invoked (in most cases) only
+if there were > 128 bytes of data in the input buffer. However, it is possible
+to construct a JPEG image in which a single Huffman block is over 430 bytes
+long, so this version of libjpeg-turbo activates the accelerated Huffman
+decoder only if there are > 512 bytes of data in the input buffer.
+
1.2.1
=====
diff --git a/README.android b/README.android
index 6d0c087..cdbf200 100644
--- a/README.android
+++ b/README.android
@@ -15,7 +15,11 @@
These have been cherry picked from upstream and will be included in the 1.5
release.
-(3) simd/jsimdext.inc
+(3) Security fix
+
+Cherry picked from upstream to address b/27494207.
+
+(4) simd/jsimdext.inc
The modification enables us to compile x86 SIMD.
diff --git a/jdhuff.c b/jdhuff.c
index e6bb081..39b8af7 100644
--- a/jdhuff.c
+++ b/jdhuff.c
@@ -3,8 +3,8 @@
*
* This file was part of the Independent JPEG Group's software:
* Copyright (C) 1991-1997, Thomas G. Lane.
- * libjpeg-turbo Modifications:
- * Copyright (C) 2009-2011, 2015, D. R. Commander.
+ * Modifications:
+ * Copyright (C) 2009-2011, 2016, D. R. Commander.
* For conditions of distribution and use, see the accompanying README file.
*
* This file contains Huffman entropy decoding routines.
@@ -749,7 +749,7 @@
* this module, since we'll just re-assign them on the next call.)
*/
-#define BUFSIZE (DCTSIZE2 * 2)
+#define BUFSIZE (DCTSIZE2 * 8)
METHODDEF(boolean)
decode_mcu (j_decompress_ptr cinfo, JBLOCKROW *MCU_data)
