Fail jpeg decodes on too many progressive scans
BUG:642462
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=4560
Change-Id: I22891ce1e0b3a1bedefc34dadd5cf34dfc301b79
Reviewed-on: https://skia-review.googlesource.com/4560
Reviewed-by: Leon Scroggins <scroggo@google.com>
Commit-Queue: Matt Sarett <msarett@google.com>
diff --git a/src/codec/SkJpegDecoderMgr.cpp b/src/codec/SkJpegDecoderMgr.cpp
index 70401c0..c2837aa 100644
--- a/src/codec/SkJpegDecoderMgr.cpp
+++ b/src/codec/SkJpegDecoderMgr.cpp
@@ -25,6 +25,17 @@
print_message(info, "output_message");
}
+static void progress_monitor(j_common_ptr info) {
+ int scan = ((j_decompress_ptr)info)->input_scan_number;
+ // Progressive images with a very large number of scans can cause the
+ // decoder to hang. Here we use the progress monitor to abort on
+ // a very large number of scans. 100 is arbitrary, but much larger
+ // than the number of scans we might expect in a normal image.
+ if (scan >= 100) {
+ skjpeg_err_exit(info);
+ }
+}
+
bool JpegDecoderMgr::returnFalse(const char caller[]) {
print_message((j_common_ptr) &fDInfo, caller);
return false;
@@ -71,6 +82,8 @@
fInit = true;
fDInfo.src = &fSrcMgr;
fDInfo.err->output_message = &output_message;
+ fDInfo.progress = &fProgressMgr;
+ fProgressMgr.progress_monitor = &progress_monitor;
}
JpegDecoderMgr::~JpegDecoderMgr() {