Check DHT props. Touch #824

SixLabors · Feb 16, 2019 · af78ccf · af78ccf
1 parent 9722e81
commit af78ccf
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 4 deletions.
diff --git a/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs b/src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
@@ -815,6 +815,21 @@ private void ProcessDefineHuffmanTablesMarker(int remaining)
                 for (int i = 2; i < remaining;)
                 {
                     byte huffmanTableSpec = (byte)this.InputStream.ReadByte();
+                    int tableType = huffmanTableSpec >> 4;
+                    int tableIndex = huffmanTableSpec & 15;
+
+                    // Types 0..1 DC..AC
+                    if (tableType > 1)
+                    {
+                        JpegThrowHelper.ThrowImageFormatException("Bad Huffman Table type.");
+                    }
+
+                    // Max tables of each type
+                    if (tableIndex > 3)
+                    {
+                        JpegThrowHelper.ThrowImageFormatException("Bad Huffman Table index.");
+                    }
+
                     this.InputStream.Read(huffmanData.Array, 0, 16);
 
                     using (IManagedByteBuffer codeLengths = this.configuration.MemoryAllocator.AllocateManagedByteBuffer(17, AllocationOptions.Clean))
@@ -833,9 +848,6 @@ private void ProcessDefineHuffmanTablesMarker(int remaining)
 
                             i += 17 + codeLengthSum;
 
-                            int tableType = huffmanTableSpec >> 4;
-                            int tableIndex = huffmanTableSpec & 15;
-
                             this.BuildHuffmanTable(
                                 tableType == 0 ? this.dcHuffmanTables : this.acHuffmanTables,
                                 tableIndex,

diff --git a/tests/ImageSharp.Tests/Formats/Jpg/JpegDecoderTests.Images.cs b/tests/ImageSharp.Tests/Formats/Jpg/JpegDecoderTests.Images.cs
@@ -62,7 +62,8 @@ public partial class JpegDecoderTests
             TestImages.Jpeg.Issues.Fuzz.DivideByZeroException821,
             TestImages.Jpeg.Issues.Fuzz.DivideByZeroException822,
             TestImages.Jpeg.Issues.Fuzz.NullReferenceException823,
-            TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824A
+            TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824A,
+            TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824B
 
         };
 

diff --git a/tests/ImageSharp.Tests/TestImages.cs b/tests/ImageSharp.Tests/TestImages.cs
@@ -181,6 +181,7 @@ public static class Fuzz
                     public const string DivideByZeroException822 = "Jpg/issues/fuzz/Issue822-DivideByZeroException.jpg";
                     public const string NullReferenceException823 = "Jpg/issues/fuzz/Issue823-NullReferenceException.jpg";
                     public const string IndexOutOfRangeException824A = "Jpg/issues/fuzz/Issue824-IndexOutOfRangeException-A.jpg";
+                    public const string IndexOutOfRangeException824B = "Jpg/issues/fuzz/Issue824-IndexOutOfRangeException-B.jpg";
                 }
             }
 

diff --git a/tests/Images/Input/Jpg/issues/fuzz/Issue824-IndexOutOfRangeException-B.jpg b/tests/Images/Input/Jpg/issues/fuzz/Issue824-IndexOutOfRangeException-B.jpg