Fail jpeg decodes on too many progressive scans

author Matt Sarett <msarett@google.com>

Tue, 8 Nov 2016 20:26:56 +0000 (15:26 -0500)

committer Skia Commit-Bot <skia-commit-bot@chromium.org>

Tue, 8 Nov 2016 21:39:15 +0000 (21:39 +0000)
author Matt Sarett <msarett@google.com>
Tue, 8 Nov 2016 20:26:56 +0000 (15:26 -0500)
committer Skia Commit-Bot <skia-commit-bot@chromium.org>
Tue, 8 Nov 2016 21:39:15 +0000 (21:39 +0000)
diff --git a/resources/invalid_images/many-progressive-scans.jpg b/resources/invalid_images/many-progressive-scans.jpg

new file mode 100644 (file)

index 0000000..05a1a00

Binary files /dev/null and b/resources/invalid_images/many-progressive-scans.jpg differ
diff --git a/src/codec/SkJpegDecoderMgr.cpp b/src/codec/SkJpegDecoderMgr.cpp

index 70401c0..c2837aa 100644 (file)
--- a/src/codec/SkJpegDecoderMgr.cpp
+++ b/src/codec/SkJpegDecoderMgr.cpp
@@ -25,6 +25,17 @@ static void output_message(j_common_ptr info) {
      print_message(info, "output_message");
  }
  
+static void progress_monitor(j_common_ptr info) {
+  int scan = ((j_decompress_ptr)info)->input_scan_number;
+  // Progressive images with a very large number of scans can cause the
+  // decoder to hang.  Here we use the progress monitor to abort on
+  // a very large number of scans.  100 is arbitrary, but much larger
+  // than the number of scans we might expect in a normal image.
+  if (scan >= 100) {
+      skjpeg_err_exit(info);
+  }
+}
+
  bool JpegDecoderMgr::returnFalse(const char caller[]) {
      print_message((j_common_ptr) &fDInfo, caller);
      return false;
@@ -71,6 +82,8 @@ void JpegDecoderMgr::init() {
      fInit = true;
      fDInfo.src = &fSrcMgr;
      fDInfo.err->output_message = &output_message;
+    fDInfo.progress = &fProgressMgr;
+    fProgressMgr.progress_monitor = &progress_monitor;
  }
  
  JpegDecoderMgr::~JpegDecoderMgr() {
diff --git a/src/codec/SkJpegDecoderMgr.h b/src/codec/SkJpegDecoderMgr.h

index 7bc422d..272c5b4 100644 (file)
--- a/src/codec/SkJpegDecoderMgr.h
+++ b/src/codec/SkJpegDecoderMgr.h
@@ -68,6 +68,7 @@ private:
      jpeg_decompress_struct fDInfo;
      skjpeg_source_mgr      fSrcMgr;
      skjpeg_error_mgr       fErrorMgr;
+    jpeg_progress_mgr      fProgressMgr;
      bool                   fInit;
  };
  
diff --git a/tests/CodecTest.cpp b/tests/CodecTest.cpp

index 32ad959..dacabca 100644 (file)
--- a/tests/CodecTest.cpp
+++ b/tests/CodecTest.cpp
@@ -1439,4 +1439,5 @@ DEF_TEST(Codec_InvalidImages, r) {
      // ASAN will complain if there is an issue.
      test_invalid_images(r, "invalid_images/int_overflow.ico", false);
      test_invalid_images(r, "invalid_images/skbug5887.gif", true);
+    test_invalid_images(r, "invalid_images/many-progressive-scans.jpg", false);
  }
author	Matt Sarett <msarett@google.com>
	Tue, 8 Nov 2016 20:26:56 +0000 (15:26 -0500)
committer	Skia Commit-Bot <skia-commit-bot@chromium.org>
	Tue, 8 Nov 2016 21:39:15 +0000 (21:39 +0000)
resources/invalid_images/many-progressive-scans.jpg	[new file with mode: 0644]	patch \| blob
src/codec/SkJpegDecoderMgr.cpp		patch \| blob \| history
src/codec/SkJpegDecoderMgr.h		patch \| blob \| history
tests/CodecTest.cpp		patch \| blob \| history