image/jpeg: reject bad Tq values in SOF data.

Fixes #10154

Change-Id: Ibb8ea9bcf512e7639c57a6f17afbe4495fa329cd
Reviewed-on: https://go-review.googlesource.com/7494
Reviewed-by: Minux Ma <minux@golang.org>

diff --git a/src/image/jpeg/reader.go b/src/image/jpeg/reader.go
index 12b20a6922c117fd7d36f45cb59d2772e1cfdf22..5c5465283af1134d74ec97d662a0bb7ae28d4903 100644 (file)
--- a/src/image/jpeg/reader.go
+++ b/src/image/jpeg/reader.go
@@ -331,6 +331,10 @@ func (d *decoder) processSOF(n int) error {
                }
 
                d.comp[i].tq = d.tmp[8+3*i]
+               if d.comp[i].tq > maxTq {
+                       return FormatError("bad Tq value")
+               }
+
                hv := d.tmp[7+3*i]
                h, v := int(hv>>4), int(hv&0x0f)
                if h < 1 || 4 < h || v < 1 || 4 < v {