This repository was archived by the owner on Apr 18, 2026. It is now read-only.
Fix heap-buffer-overflow in BitReader and Huffman table#282
Open
sharadboni wants to merge 1 commit into google:master from
Conversation
Bug A: In BitReaderState::GetNextByte(), when the last byte of entropy-coded data is 0xFF, pos_ is incremented to len_, and then data_[pos_] reads one byte past the buffer. Add a bounds check before reading the escape byte.

Bug B: BuildJpegHuffmanTable() writes entries to a pre-allocated LUT buffer of kJpegHuffmanLutSize (758) entries, but never validates that total_size stays within bounds. Under-subscribed Huffman codes in a crafted JPEG can cause total_size to exceed the buffer, leading to heap-buffer-overflow. Add an overflow check in BuildJpegHuffmanTable() and validate the return value in the caller (ProcessDHT).
Author
@jan-wassenberg @jyrkialakuijala Could you review this security fix? It addresses a heap-buffer-overflow read in the JPEG bit reader (GetNextByte) and a Huffman table overflow from under-subscribed codes in BuildJpegHuffmanTable.
Summary
In BitReaderState::GetNextByte(), when the last byte of entropy-coded data is 0xFF, pos_ is incremented to len_, and then data_[pos_] reads one byte past the buffer. Added a bounds check before reading the escape byte.

BuildJpegHuffmanTable() writes entries to a pre-allocated LUT buffer of kJpegHuffmanLutSize (758) entries, but never validates that total_size stays within bounds. Under-subscribed Huffman codes in a crafted JPEG can cause total_size to exceed the buffer, leading to heap-buffer-overflow. Added an overflow check in BuildJpegHuffmanTable() and validated the return value in the caller (ProcessDHT).

Both vulnerabilities can be triggered by crafted JPEG files and lead to heap-buffer-overflow reads/writes.
Test plan
g++ -std=c++11 fuzz_target.cc
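The two checks the PR describes, as an added stand-alone example that is not the PR's diff or the project's code. The class and function names (BitReaderState, GetNextByte, the constant kJpegHuffmanLutSize = 758) mirror the names in the PR text but are hypothetical reimplementations; the 8-bit root table width and the per-prefix second-level table layout used to compute total_size are assumptions of this example and differ from the project's own BuildJpegHuffmanTable. The first half shows the reader refusing to read the escape byte when the buffer ends on 0xFF; the second half computes the lookup-table size from a DHT "BITS" histogram and rejects it when it exceeds the fixed capacity, including a Kraft-valid, under-subscribed histogram that would need more than 758 entries.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr int kJpegHuffmanMaxBitLength = 16;   // JPEG code lengths are 1..16
constexpr int kJpegHuffmanRootTableBits = 8;   // assumed root table width
constexpr int kJpegHuffmanLutSize = 758;       // capacity named in the PR
constexpr int kJpegHuffmanAlphabetSize = 256;  // max symbols in one DHT table

// Hypothetical minimal reader over entropy-coded bytes with JPEG byte stuffing.
class BitReaderState {
 public:
  BitReaderState(const uint8_t* data, size_t len) : data_(data), len_(len), pos_(0) {}

  // Reads one entropy-coded byte into *out. A 0xFF must be followed by an escape
  // byte: 0x00 means a literal 0xFF, anything else is a marker that ends the
  // segment. If the buffer ends right after 0xFF there is no escape byte; without
  // the bounds check below, data_[pos_] would read one byte past len_.
  bool GetNextByte(uint8_t* out) {
    if (pos_ >= len_) return false;
    uint8_t c = data_[pos_++];
    if (c == 0xFF) {
      if (pos_ >= len_) return false;          // bounds check before the escape byte
      if (data_[pos_] != 0x00) return false;   // marker: stop, leave it unread
      ++pos_;                                  // consume the stuffed 0x00
    }
    *out = c;
    return true;
  }

 private:
  const uint8_t* data_;
  size_t len_;
  size_t pos_;
};

// Number of bytes a reader decodes from buf before it stops safely.
size_t CountDecodableBytes(const std::vector<uint8_t>& buf) {
  BitReaderState reader(buf.data(), buf.size());
  size_t n = 0;
  uint8_t b;
  while (reader.GetNextByte(&b)) ++n;
  return n;
}

// Entries needed for a two-level lookup table built from a DHT "BITS" histogram
// count[1..16] (count[0] unused): a 2^8-entry root table plus one second-level
// table per 8-bit prefix that has longer codes, sized by the longest code under
// that prefix. Simplified stand-in for the project's builder. Returns -1 when the
// histogram itself is invalid.
int ComputeHuffmanLutSize(const int* count) {
  int total_count = 0;
  uint32_t kraft = 0;  // sum of 2^(16 - len) over all codes; must not exceed 2^16
  for (int len = 1; len <= kJpegHuffmanMaxBitLength; ++len) {
    if (count[len] < 0) return -1;
    total_count += count[len];
    kraft += static_cast<uint32_t>(count[len]) << (kJpegHuffmanMaxBitLength - len);
  }
  if (total_count > kJpegHuffmanAlphabetSize || kraft > (1u << kJpegHuffmanMaxBitLength)) {
    return -1;  // too many symbols, or over-subscribed (codes would not be prefix-free)
  }
  // Canonical code assignment; record the deepest code under each root prefix.
  int sub_bits[1 << kJpegHuffmanRootTableBits] = {0};
  uint32_t code = 0;
  for (int len = 1; len <= kJpegHuffmanMaxBitLength; ++len) {
    for (int i = 0; i < count[len]; ++i, ++code) {
      if (len > kJpegHuffmanRootTableBits) {
        int extra = len - kJpegHuffmanRootTableBits;
        int prefix = static_cast<int>(code >> extra);  // < 256 because Kraft holds
        if (extra > sub_bits[prefix]) sub_bits[prefix] = extra;
      }
    }
    code <<= 1;
  }
  int total_size = 1 << kJpegHuffmanRootTableBits;
  for (int bits : sub_bits) {
    if (bits > 0) total_size += 1 << bits;
  }
  return total_size;
}

// The check the caller (ProcessDHT in the PR) applies before filling a buffer of
// kJpegHuffmanLutSize entries.
bool HuffmanTableFits(const int* count) {
  int size = ComputeHuffmanLutSize(count);
  return size >= 0 && size <= kJpegHuffmanLutSize;
}

// Constructed histograms. Standard luminance DC table (JPEG Annex K.3).
int StandardDcLumaLutSize() {
  static const int kCount[17] = {0, 0, 1, 5, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0};
  return ComputeHuffmanLutSize(kCount);
}
// Under-subscribed histogram (256 symbols, Kraft sum 32514 of 65536) whose
// second-level tables push total_size past 758: 127 prefixes of 2 entries plus
// one 256-entry table for the two 16-bit codes.
int UnderSubscribedLutSize() {
  int count[17] = {0};
  count[9] = 254;
  count[16] = 2;
  return ComputeHuffmanLutSize(count);
}

int main() {
  std::printf("buffer ending in 0xFF: %zu bytes decoded, then a safe stop\n",
              CountDecodableBytes({0x12, 0x34, 0xFF}));  // constructed input
  std::printf("standard DC table needs %d entries\n", StandardDcLumaLutSize());
  std::printf("under-subscribed table needs %d entries (capacity %d)\n",
              UnderSubscribedLutSize(), kJpegHuffmanLutSize);
  return 0;
}
```

Both rejections are reported to the caller as a return value rather than handled inside the helper, which is the shape the PR describes for ProcessDHT: the caller decides to abort decoding, and the fixed-size buffer is never written past its end.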