CImageLoaderJPG: protect size calculation from overflow by rejecting huge dimensions
authorsfan5 <sfan5@live.de>
Tue, 14 Sep 2021 18:02:40 +0000 (20:02 +0200)
committersfan5 <sfan5@live.de>
Tue, 14 Sep 2021 18:07:44 +0000 (20:07 +0200)
source/Irrlicht/CImageLoaderJPG.cpp

index 72ba4845bb96828cba047b2ac882fdbc33834e2e..56acae4fba615101feba91d1506a3a75b2e50069 100644 (file)
@@ -221,11 +221,15 @@ IImage* CImageLoaderJPG::loadImage(io::IReadFile* file) const
        cinfo.output_gamma=2.2;\r
        cinfo.do_fancy_upsampling=FALSE;\r
 \r
+       // reject unreasonable sizes (4 * 32000 * 32000 is just under U32_MAX)\r
+       if (cinfo.image_width > 32000 || cinfo.image_height > 32000)\r
+               longjmp(jerr.setjmp_buffer, 1);\r
+\r
        // Start decompressor\r
        jpeg_start_decompress(&cinfo);\r
 \r
        // Get image data\r
-       u16 rowspan = cinfo.image_width * cinfo.out_color_components;\r
+       u32 rowspan = cinfo.image_width * cinfo.out_color_components;\r
        u32 width = cinfo.image_width;\r
        u32 height = cinfo.image_height;\r
 \r
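Review bot: The 32000 cap on `cinfo.image_width` / `cinfo.image_height` only keeps the later size arithmetic inside u32, so a small file whose header declares dimensions near the cap can still ask for a buffer close to 4 GB by the comment's own figure. If this loader is fed untrusted images, a lower limit or a total-pixel check such as `(u64)cinfo.image_width * cinfo.image_height > MAX_PIXELS` (MAX_PIXELS is a placeholder for a project-chosen constant) would bound memory use as well as prevent wraparound. The rejection also appears to be silent, since the direct `longjmp` does not go through libjpeg's error reporting; logging before the jump, e.g. `os::Printer::log("JPEG dimensions too large", file->getFileName(), ELL_ERROR);`, would make refused files diagnosable. loadImage starts and ends outside the hunk, so the allocation and the setjmp handler's cleanup are not visible here and should be checked against this early exit.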