From b1855b39dd01858bdffdc0637750f4605b151f73 Mon Sep 17 00:00:00 2001
From: Yiheng Cao <65160922+Crispy-fried-chicken@users.noreply.github.com>
Date: Sat, 7 Sep 2024 21:06:03 +0800
Subject: [PATCH] Lossless decomp: Range-limit 12-bit samples

12-bit is the only data precision for which the range of the sample data type exceeds the valid sample range, so it is possible to craft a 12-bit lossless JPEG image that contains out-of-range 12-bit samples. Attempting to decompress such an image using color quantization or merged upsampling (NOTE: libjpeg-turbo cannot generate YCbCr or subsampled lossless JPEG images, but it can decompress them) caused segfaults or buffer overruns when those algorithms attempted to use the out-of-range sample values as array indices. This commit modifies the lossless decompressor so that it range-limits the output of the scaler when using 12-bit samples.
---
 src/3rdparty/libjpeg/src/jdlossls.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/3rdparty/libjpeg/src/jdlossls.c b/src/3rdparty/libjpeg/src/jdlossls.c
index 4d15e6bbaf2..603e3ffb67a 100644
--- a/src/3rdparty/libjpeg/src/jdlossls.c
+++ b/src/3rdparty/libjpeg/src/jdlossls.c
@@ -216,8 +216,16 @@ METHODDEF(void) simple_upscale(j_decompress_ptr cinfo, JDIFFROW diff_buf, _JSAMPROW output_buf, JDIMENSION width) {
- do {
+ do {
+#if BITS_IN_JSAMPLE == 12
+ /* 12-bit is the only data precision for which the range of the sample data
+ * type exceeds the valid sample range. Thus, we need to range-limit the
+ * samples, because other algorithms may try to use them as array indices.
+ */
+ *output_buf++ = (_JSAMPLE)((*diff_buf++ << cinfo->Al) & 0xFFF);
+#else
 *output_buf++ = (_JSAMPLE)(*diff_buf++ << cinfo->Al);
+#endif
 } while (--width); }
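Review bot: The `& 0xFFF` added in simple_upscale() wraps an out-of-range sample rather than clamping it (a constructed value of 0x1000 becomes 0), and the new comment calls this range-limiting without saying which of the two it is. Wrapping is enough to keep later table lookups in bounds, which is the stated goal, but I would add one sentence to the comment such as `Masking wraps rather than saturates; only in-bounds indexing is guaranteed for malformed input.` The same mask in noscale() in the next hunk has no comment at all, so a one-line `/* Range-limit 12-bit samples; see simple_upscale(). */` there would help. Because the file sits under src/3rdparty, it would also help to record the upstream change this was taken from (`<UPSTREAM_COMMIT_ID>`) alongside the vendored copy, so a later library update neither drops nor duplicates the fix.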
@@ -226,7 +234,11 @@ noscale(j_decompress_ptr cinfo, JDIFFROW diff_buf, _JSAMPROW output_buf, JDIMENSION width) { do {
+#if BITS_IN_JSAMPLE == 12
+ *output_buf++ = (_JSAMPLE)((*diff_buf++) & 0xFFF);
+#else
 *output_buf++ = (_JSAMPLE)(*diff_buf++);
+#endif
 } while (--width); }