mirror of https://github.com/qpdf/qpdf.git synced 2024-12-22 10:58:58 +00:00

Merge pull request #1234 from m-holger/dct_fuzz

Fix Pl_DCT memory limit
m-holger 2024-07-09 00:46:14 +01:00 committed by GitHub
commit 9ffa201422
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -320,12 +320,18 @@ Pl_DCT::decompress(void* cinfo_p, Buffer* b)
(void)jpeg_read_header(cinfo, TRUE);
if (throw_on_corrupt_data && cinfo->err->num_warnings > 0) {
// err->num_warnings is the number of corrupt data warnings emitted.
// err->msg_code could also be the code of an informational message.
throw std::runtime_error("Pl_DCT::decompress: JPEG data is corrupt");
}
(void)jpeg_calc_output_dimensions(cinfo);
unsigned int width = cinfo->output_width * QIntC::to_uint(cinfo->output_components);
// err->num_warnings is the number of corrupt data warnings emitted.
// err->msg_code could also be the code of an informational message.
if (memory_limit > 0 &&
width > (static_cast<unsigned long>(memory_limit) / (2U * cinfo->output_height))) {
// Even if jpeglib does not run out of memory, qpdf will while buffering thye data before
// writing it.
throw std::runtime_error("Pl_DCT::decompress: JPEG data exceeds memory limit");
}
JSAMPARRAY buffer =
(*cinfo->mem->alloc_sarray)(reinterpret_cast<j_common_ptr>(cinfo), JPOOL_IMAGE, width, 1);
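Review bot: The limit check divides by `2U * cinfo->output_height`, but nothing in the hunk shows that the height is non-zero, and the factor 2 is not explained. libjpeg is expected to reject empty images while reading the header, so the division is probably safe, but the guard would be easier to audit with that reliance stated, e.g. `// output_height is non-zero here (libjpeg rejects empty images); 2x allows for qpdf's own buffered copy`, if that is what the factor means. The two `err->num_warnings` comment lines directly above `if (memory_limit > 0 &&` look like a stray copy of the comment in the corrupt-data branch and describe nothing in the limit check, so they could be dropped. The comment inside the new branch has the typo `thye`. Pl_DCT::decompress starts before this hunk and continues after it, so any later bounds handling is not visible here.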