From 956052dd8b29293f117791e2c0d820ad5a6c55fd Mon Sep 17 00:00:00 2001
From: Chong Zhang
Date: Tue, 4 Feb 2020 13:26:14 -0800
Subject: Cherry-pick security fix for skip_input_data

Avoid complete roll of r1732 as there are fixes needed in other projects for that. Manually cherry-pick the security fix only.

bug: 135532289
Change-Id: I8237fe185b45ba5054504114eef79a265768de4e
Merged-In: Ibf05a0e54c7bc882788194862cdd94fccfba5ebf
---
 files/source/mjpeg_decoder.cc | 10 +++++++++-
 files/source/mjpeg_validate.cc | 3 ++-
 files/unit_test/convert_test.cc | 6 ++++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/files/source/mjpeg_decoder.cc b/files/source/mjpeg_decoder.cc
index b43c008b..3acf9563 100644
--- a/files/source/mjpeg_decoder.cc
+++ b/files/source/mjpeg_decoder.cc
@@ -427,7 +427,15 @@ boolean fill_input_buffer(j_decompress_ptr cinfo) {
 }

 void skip_input_data(j_decompress_ptr cinfo, long num_bytes) { // NOLINT
- cinfo->src->next_input_byte += num_bytes;
+ jpeg_source_mgr* src = cinfo->src;
+ size_t bytes = static_cast(num_bytes);
+ if(bytes > src->bytes_in_buffer) {
+ src->next_input_byte = nullptr;
+ src->bytes_in_buffer = 0;
+ } else {
+ src->next_input_byte += bytes;
+ src->bytes_in_buffer -= bytes;
+ }
 }

 void term_source(j_decompress_ptr cinfo) {
diff --git a/files/source/mjpeg_validate.cc b/files/source/mjpeg_validate.cc
index 1a17dd72..cc38b99a 100644
--- a/files/source/mjpeg_validate.cc
+++ b/files/source/mjpeg_validate.cc
@@ -47,7 +47,8 @@ LIBYUV_BOOL ValidateJpeg(const uint8* sample, size_t sample_size) {
 // ERROR: Invalid jpeg size: sample_size
 return LIBYUV_FALSE;
 }
- if (sample[0] != 0xff || sample[1] != 0xd8) { // SOI marker
+ // SOI marker
+ if (sample[0] != 0xff || sample[1] != 0xd8 || sample[2] != 0xff) {
 // ERROR: Invalid jpeg initial start code
 return LIBYUV_FALSE;
 }
diff --git a/files/unit_test/convert_test.cc b/files/unit_test/convert_test.cc
index 41564351..3e2eea85 100644
--- a/files/unit_test/convert_test.cc
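Review bot: When `bytes` exceeds `src->bytes_in_buffer`, the new branch empties the buffer but discards the remainder of the skip instead of carrying it into the next refill; the hunk header shows a `fill_input_buffer` exists, so if it can supply further data the stream position afterwards is off by `bytes - src->bytes_in_buffer`, and libjpeg will simply resume at the start of whatever the next fill returns. The reference jdatasrc.c pattern loops `fill_input_buffer` while the skip is larger than the current buffer, which keeps the same bounds guarantee while preserving position; worth checking against this file's `fill_input_buffer`, whose body is outside the hunk. Two smaller points: `if(bytes` lacks the space the surrounding code uses, and `static_cast(num_bytes)` as rendered here has no template argument (presumably `<size_t>`, dropped by the page rendering). The commit also adds no unit test that drives a skip past the end of the buffer, which is the exact path this fix is for; a small decoder test with a truncated marker segment would pin the new behavior.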
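Review bot: The new condition reads `sample[2]`, and the only thing preventing an out-of-bounds read on a two-byte sample is the size guard just above it, whose threshold is outside the hunk at the `// ERROR: Invalid jpeg size` branch; confirm that guard requires at least 3 bytes, and if its minimum is tied to the marker layout a comment there saying so would keep the two checks in step. The extra byte check also deserves its rationale, since `0xff` on its own is not a marker: `// SOI marker, immediately followed by the 0xff prefix of the next marker (SOI carries no payload)` in place of the bare `// SOI marker`. ValidateJpeg continues outside the hunk on both sides.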
+++ b/files/unit_test/convert_test.cc
@@ -1274,6 +1274,7 @@ TEST_F(LibYUVConvertTest, ValidateJpeg) {
 // EOI, SOI. Expect pass.
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 orig_pixels[kSize - kOff + 0] = 0xff;
 orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.
 for (int times = 0; times < benchmark_iterations_; ++times) {
@@ -1300,6 +1301,7 @@ TEST_F(LibYUVConvertTest, ValidateJpegLarge) {
 // EOI, SOI. Expect pass.
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 orig_pixels[kSize - kOff + 0] = 0xff;
 orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.
 for (int times = 0; times < benchmark_iterations_; ++times) {
@@ -1333,6 +1335,7 @@ TEST_F(LibYUVConvertTest, InvalidateJpeg) {
 // SOI but no EOI. Expect fail.
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 for (int times = 0; times < benchmark_iterations_; ++times) {
 EXPECT_FALSE(ValidateJpeg(orig_pixels, kSize));
 }
@@ -1357,6 +1360,7 @@ TEST_F(LibYUVConvertTest, FuzzJpeg) {
 // Add SOI so frame will be scanned.
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 orig_pixels[kSize - 1] = 0xff;
 ValidateJpeg(orig_pixels, kSize); // Failure normally expected.
 free_aligned_buffer_page_end(orig_pixels);
@@ -1381,6 +1385,7 @@ TEST_F(LibYUVConvertTest, MJPGToI420) {
 memset(orig_pixels, 0, kSize);
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 orig_pixels[kSize - kOff + 0] = 0xff;
 orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.

@@ -1414,6 +1419,7 @@ TEST_F(LibYUVConvertTest, MJPGToARGB) {
 memset(orig_pixels, 0, kSize);
 orig_pixels[0] = 0xff;
 orig_pixels[1] = 0xd8; // SOI.
+ orig_pixels[2] = 0xff;
 orig_pixels[kSize - kOff + 0] = 0xff;
 orig_pixels[kSize - kOff + 1] = 0xd9; // EOI.

--
cgit v1.2.3