From 594de9915346a87f67cd94e28c7933993efb5d3b Mon Sep 17 00:00:00 2001 From: sfan5 Date: Tue, 14 Sep 2021 20:02:40 +0200 Subject: [PATCH] CImageLoaderJPG: protect size calculation from overflow by rejecting huge dimensions --- source/Irrlicht/CImageLoaderJPG.cpp | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source/Irrlicht/CImageLoaderJPG.cpp b/source/Irrlicht/CImageLoaderJPG.cpp index 72ba4845..56acae4f 100644 --- a/source/Irrlicht/CImageLoaderJPG.cpp +++ b/source/Irrlicht/CImageLoaderJPG.cpp @@ -221,11 +221,15 @@ IImage* CImageLoaderJPG::loadImage(io::IReadFile* file) const cinfo.output_gamma=2.2; cinfo.do_fancy_upsampling=FALSE; + // reject unreasonable sizes (4 * 32000 * 32000 is just under U32_MAX) + if (cinfo.image_width > 32000 || cinfo.image_height > 32000) + longjmp(jerr.setjmp_buffer, 1); + // Start decompressor jpeg_start_decompress(&cinfo); // Get image data - u16 rowspan = cinfo.image_width * cinfo.out_color_components; + u32 rowspan = cinfo.image_width * cinfo.out_color_components; u32 width = cinfo.image_width; u32 height = cinfo.image_height;