author | Nico Weber <thakis@chromium.org> | 2020-11-19 12:42:54 -0500 |
---|---|---|
committer | Andreas Kling <kling@serenityos.org> | 2020-11-19 21:21:45 +0100 |
commit | 7042490e41fe822d2ce12e14cb655a0dddc6d345 (patch) | |
tree | 92f417e8dc0353de9553f027296d8ba6f0305f5e | |
parent | a8318b15a70b12aa298a7fab264275dd1f41b256 (diff) | |
download | serenity-7042490e41fe822d2ce12e14cb655a0dddc6d345.zip |
LibGfx: Bounds check component indices before using them in JPGLoader
With this, I don't see any crashes in 10 min of fuzzing (but still
get OOMs).
-rw-r--r-- | Libraries/LibGfx/JPGLoader.cpp | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Libraries/LibGfx/JPGLoader.cpp b/Libraries/LibGfx/JPGLoader.cpp
index 69569322ff..0948bc2a44 100644
--- a/Libraries/LibGfx/JPGLoader.cpp
+++ b/Libraries/LibGfx/JPGLoader.cpp
@@ -296,6 +296,12 @@ static bool build_macroblocks(JPGLoadingContext& context, Vector<Macroblock>& ma
 {
 for (u32 cindex = 0; cindex < context.component_count; cindex++) {
 auto& component = context.components[cindex];
+
+ if (component.dc_destination_id >= context.dc_tables.size())
+ return false;
+ if (component.ac_destination_id >= context.ac_tables.size())
+ return false;
+
 for (u8 vfactor_i = 0; vfactor_i < component.vsample_factor; vfactor_i++) {
 for (u8 hfactor_i = 0; hfactor_i < component.hsample_factor; hfactor_i++) {
 u32 mb_index = (vcursor + vfactor_i) * context.mblock_meta.hpadded_count + (hfactor_i + hcursor); |
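Review bot: The new checks on `dc_destination_id` and `ac_destination_id` sit inside the per-component loop of build_macroblocks, so they are re-evaluated for every macroblock and only reject a malformed file once decoding is under way; the destination ids are fixed when the scan header is parsed, so validating them once there would fail earlier and keep this loop free of the check. The comparison also assumes `dc_tables`/`ac_tables` are indexed directly by destination id — if tables are appended in file order, an id is only a valid index when the tables arrived with ids 0..n-1 in order, which is worth confirming against where the tables are stored. Since the guard exists because of a fuzzer-found out-of-bounds access, a one-line comment above it such as `// Destination ids come from the scan header; reject ids that name a table we never parsed.` would make the intent clear to the next reader. build_macroblocks continues beyond the hunk.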