From c98e5b315e089769c8950738568fc1aa3bb354df Mon Sep 17 00:00:00 2001
From: hjkim
Date: Tue, 14 Jan 2025 15:24:56 +0900
Subject: [PATCH] Check error to prevent infinite loop
[Issue] A crash occurred in while loop. Fix Fuzzing issue.
Change-Id: If1da0937431454079f09d11456e28d5ce676933f
---
 jpeg/mm_util_jpeg.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/jpeg/mm_util_jpeg.c b/jpeg/mm_util_jpeg.c
index 7e91378..a963f97 100644
--- a/jpeg/mm_util_jpeg.c
+++ b/jpeg/mm_util_jpeg.c
@@ -448,6 +448,12 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 int y = 0;
 while (dinfo.output_scanline < dinfo.output_height) {
 jpeg_read_scanlines(&dinfo, buffer, 1);
+ if (dinfo.err->msg_code != 0) {
+ mm_util_error("jpeg_read_scanlines failed");
+ ret = MM_UTIL_ERROR_INVALID_OPERATION;
+ goto END;
+ }
+
 for (i = 0; i < row_stride; i += 3) {
 image[i/3] = row[i];
 if (i & 1) {
@@ -466,6 +472,11 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 while (dinfo.output_scanline < dinfo.output_height) {
 /* jpeg_read_scanlines expects an array of pointers to scanlines. Here the array is only one element long, but you could ask formore than one scanline at a time if that's more convenient. */
 jpeg_read_scanlines(&dinfo, buffer, 1);
+ if (dinfo.err->msg_code != 0) {
+ mm_util_error("jpeg_read_scanlines failed");
+ ret = MM_UTIL_ERROR_INVALID_OPERATION;
+ goto END;
+ }
 memcpy(image_buffer + state, buffer[0], row_stride);
 state += row_stride;
@@ -474,9 +485,10 @@ static int __mm_util_jpeg_decode(mm_util_jpeg_ctrl_format_e control_format, FILE
 }
 ret = mm_image_create_image(dinfo.output_width, dinfo.output_height, color_format, image_buffer, image_buffer_size, decoded);
- g_free(image_buffer);
 END:
+ g_free(image_buffer);
+ /* Finish decompression */
 jpeg_finish_decompress(&dinfo);
 mm_util_debug("jpeg_finish_decompress");
--
2.34.1
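Review bot: The `dinfo.err->msg_code != 0` test added after jpeg_read_scanlines() in the first loop, and again in the second hunk's loop, reads a field that libjpeg's message macros assign for every message, warnings and trace output included, and that the library does not clear afterwards. Unless msg_code is reset before these loops, which the hunk does not show, well-formed files could be rejected, while a stall that emits no message would still spin. The return value is the direct signal that no scanline was produced, so `if (jpeg_read_scanlines(&dinfo, buffer, 1) != 1) {` with the same error body is the sturdier guard. Both loops sit inside __mm_util_jpeg_decode, whose start and end are outside the hunks.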
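Review bot: The failure path added by this commit now falls into `jpeg_finish_decompress(&dinfo)` below END with scanlines still unread, and libjpeg raises an error through error_exit from that call when output_scanline is short of output_height. How this file's error_exit behaves is not visible here, so the outcome may be a process exit or a longjmp rather than a clean return of `ret`; on failure the decoder should be released with `jpeg_abort_decompress(&dinfo);` or left to jpeg_destroy_decompress() instead. Moving `g_free(image_buffer);` under END also means every earlier `goto END` in the function frees that pointer, so its declaration needs a `= NULL` initialiser if it does not already have one.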