From f9273f24736968bae41d7405edede2e83873a7f3 Mon Sep 17 00:00:00 2001
From: "jiyong.min"
Date: Fri, 23 Sep 2022 09:49:13 +0900
Subject: [PATCH] Fix potential buffer overflow
- The 'jpeg_write_raw_data()' write 16 lines(heights) due to DCT size.
- If the height is not a multiple of 16, use rounddown of a multiple of 16 and remaining height.
Change-Id: Ic4a747817fb543e0d77ec7c764d4c8ad99e4411c
---
 jpeg/mm_util_jpeg.c | 7 ++++---
 packaging/libmm-utility.spec | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/jpeg/mm_util_jpeg.c b/jpeg/mm_util_jpeg.c
index 35a4873..8b638d3 100644
--- a/jpeg/mm_util_jpeg.c
+++ b/jpeg/mm_util_jpeg.c
@@ -229,15 +229,16 @@ static int __jpeg_encode_yuv(j_compress_ptr cinfo, unsigned int width, unsigned
 unsigned int i = 0, j = 0;
 void *large_rect = NULL;
 void *small_rect= NULL;
+ unsigned int rounddown_h = MM_UTIL_ROUND_DOWN_16(height);
- if (cinfo->image_height - MM_UTIL_ROUND_DOWN_16(height)) {
+ if (cinfo->image_height != rounddown_h) {
 large_rect = g_malloc0(width);
 small_rect = g_malloc0(width);
 memset(large_rect, 0x10, width);
 memset(small_rect, 0x80, width);
- for (j = 0; j < height; j += 16) {
+ for (j = 0; j < rounddown_h; j += 16) {
 for (i = 0; i < 16; i++) {
 y[i] = (JSAMPROW)decoded->data + width * (i + j);
 if (i % 2 == 0) {
@@ -247,7 +248,7 @@ static int __jpeg_encode_yuv(j_compress_ptr cinfo, unsigned int width, unsigned
 }
 jpeg_write_raw_data(cinfo, data, 16);
 }
- for (i = 0; i < cinfo->image_height - MM_UTIL_ROUND_DOWN_16(height); i++) {
+ for (i = 0; i < cinfo->image_height - rounddown_h; i++) {
 y[i] = (JSAMPROW)decoded->data + width * (i + j);
 if (i % 2 == 0) {
 cb[i / 2] = (JSAMPROW)decoded->data + width * height + width / 2 * ((i + j) / 2);
diff --git a/packaging/libmm-utility.spec b/packaging/libmm-utility.spec
index 62c5f8a..107c053 100644
--- a/packaging/libmm-utility.spec
+++ b/packaging/libmm-utility.spec
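Review bot: The tail loop in the second hunk (`for (i = 0; i < cinfo->image_height - rounddown_h; i++)`) and the `cinfo->image_height != rounddown_h` test in the first hunk still mix two height sources: `rounddown_h` is derived from the `height` argument, while the bound comes from `cinfo->image_height`. Both are unsigned, so if the two ever disagree the difference is not confined to 0..15 (and it wraps when `image_height` is the smaller one), and the loop would index `y[]`/`cb[]`, presumably 16-row arrays declared outside the hunk, past their end, which is the same class of overrun this patch fixes for the block loop. Deriving the remainder from a single value, e.g. `unsigned int remain_h = height - rounddown_h;` with `if (remain_h)` and `i < remain_h`, keeps it bounded by construction; where `cinfo->image_height` is assigned is not visible here, so this assumes it is meant to equal `height`. The row offsets `width * (i + j)` and `width * height` are also evaluated in `unsigned int`, and casting the first operand to `size_t` would avoid wraparound for large dimensions. The body of `__jpeg_encode_yuv` starts and ends outside both hunks.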
@@ -1,6 +1,6 @@
 Name: libmm-utility
 Summary: Multimedia Framework Utility Library
-Version: 0.4.7
+Version: 0.4.8
 Release: 0
 Group: System/Libraries
 License: Apache-2.0
-- 
2.7.4