author | giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> | 2015-05-22 15:47:12 +0000 |
---|---|---|
committer | giraffedata <giraffedata@9d0c8265-081b-0410-96cb-a4ca84ce46f8> | 2015-05-22 15:47:12 +0000 |
commit | 8079674c11d6147276deec2ae2e22a10c7324ac2 (patch) | |
tree | a2e863c605ece88398be19fb0e8d260dc296b5f2 /converter/other/cameratopam/ljpeg.c | |
parent | 528ab2d612845d92ac5ae1e3b1d11349b89eff06 (diff) | |
Fix arithmetic underflow
git-svn-id: http://svn.code.sf.net/p/netpbm/code/trunk@2512 9d0c8265-081b-0410-96cb-a4ca84ce46f8
Diffstat (limited to 'converter/other/cameratopam/ljpeg.c')
-rw-r--r-- | converter/other/cameratopam/ljpeg.c | 39 |
1 files changed, 24 insertions, 15 deletions
diff --git a/converter/other/cameratopam/ljpeg.c b/converter/other/cameratopam/ljpeg.c index a0e109b0..07791e25 100644 --- a/converter/other/cameratopam/ljpeg.c +++ b/converter/other/cameratopam/ljpeg.c @@ -23,7 +23,7 @@ int ljpeg_start(FILE * const ifP, struct jhead * const jhP) { - int i, tag, len; + int i, tag; unsigned char data[256], *dp; init_decoder(); @@ -32,22 +32,31 @@ ljpeg_start(FILE * const ifP, fread (data, 2, 1, ifP); if (data[0] != 0xff || data[1] != 0xd8) return 0; do { + unsigned int len; + fread (data, 2, 2, ifP); tag = data[0] << 8 | data[1]; - len = (data[2] << 8 | data[3]) - 2; - if (tag <= 0xff00 || len > 255) return 0; - fread (data, 1, len, ifP); - switch (tag) { - case 0xffc3: - jhP->bits = data[0]; - jhP->high = data[1] << 8 | data[2]; - jhP->wide = data[3] << 8 | data[4]; - jhP->clrs = data[5]; - break; - case 0xffc4: - for (dp = data; dp < data+len && *dp < 4; ) { - jhP->huff[*dp] = free_decode; - dp = make_decoder (++dp, 0); + len = data[2] << 8 | data[3]; + + if (len < 2) + pm_error("Length field is %u; must be at least 2", len); + else { + unsigned int const dataLen = len - 2; + + if (tag <= 0xff00 || dataLen > 255) return 0; + fread (data, 1, dataLen, ifP); + switch (tag) { + case 0xffc3: + jhP->bits = data[0]; + jhP->high = data[1] << 8 | data[2]; + jhP->wide = data[3] << 8 | data[4]; + jhP->clrs = data[5]; + break; + case 0xffc4: + for (dp = data; dp < data + dataLen && *dp < 4; ) { + jhP->huff[*dp] = free_decode; + dp = make_decoder (++dp, 0); + } } } } while (tag != 0xffda); |
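Review bot: Both `fread` calls in the rewritten loop body of the second hunk still discard their return value, so on a truncated file `tag`, `len` and the segment bytes are taken from whatever `data` already holds. Because the loop only ends on `tag == 0xffda` or one of the `return 0` checks, stale bytes at end of file could presumably keep it iterating; I would make the reads fail closed with `if (fread(data, 2, 2, ifP) != 2) return 0;` and `if (fread(data, 1, dataLen, ifP) != dataLen) return 0;`. The `0xffc3` case also reads `data[0]` through `data[5]` without checking `dataLen >= 6`, so a short segment fills the header fields from leftover bytes. The new `len < 2` branch reports through `pm_error` while the other malformed-header checks `return 0`, which is worth a one-line comment if the difference is intentional. ljpeg_start begins before this hunk and continues past it.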