Merge branch 'fix_chromium_925269' into 'master'

OJPEG: avoid use of unintialized memory on corrupted files

See merge request libtiff/libtiff!86

1 files changed, 26 insertions, 0 deletions

diff --git a/libtiff/tif_ojpeg.c b/libtiff/tif_ojpeg.c
index c01d71a2..ad3e1e71 100644
--- a/libtiff/tif_ojpeg.c
+++ b/libtiff/tif_ojpeg.c
@@ -831,6 +831,32 @@ OJPEGDecodeRaw(TIFF* tif, uint8* buf, tmsize_t cc)
 	{
 		if (sp->subsampling_convert_state==0)
 		{
+			const jpeg_decompress_struct* cinfo = &sp->libjpeg_jpeg_decompress_struct;
+			int width = 0;
+			int last_col_width = 0;
+			int jpeg_bytes;
+			int expected_bytes;
+			int i;
+			if (cinfo->MCUs_per_row == 0)
+				return 0;
+			for (i = 0; i < cinfo->comps_in_scan; ++i)
+			{
+				const jpeg_component_info* info = cinfo->cur_comp_info[i];
+#if JPEG_LIB_VERSION >= 70
+				width += info->MCU_width * info->DCT_h_scaled_size;
+				last_col_width += info->last_col_width * info->DCT_h_scaled_size;
+#else
+				width += info->MCU_width * info->DCT_scaled_size;
+				last_col_width += info->last_col_width * info->DCT_scaled_size;
+#endif
+			}
+			jpeg_bytes = (cinfo->MCUs_per_row - 1) * width + last_col_width;
+			expected_bytes = sp->subsampling_convert_clinelenout * sp->subsampling_ver * sp->subsampling_hor;
+			if (jpeg_bytes != expected_bytes)
+			{
+				TIFFErrorExt(tif->tif_clientdata,module,"Inconsistent number of MCU in codestream");
+				return(0);
+			}
 			if (jpeg_read_raw_data_encap(sp,&(sp->libjpeg_jpeg_decompress_struct),sp->subsampling_convert_ycbcrimage,sp->subsampling_ver*8)==0)
 				return(0);
 		}