image/jpeg: reject invalid Ta and Td values.

author Nigel Tao <nigeltao@golang.org>

Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)

committer Nigel Tao <nigeltao@golang.org>

Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)
author Nigel Tao <nigeltao@golang.org>
Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)
committer Nigel Tao <nigeltao@golang.org>
Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)
diff --git a/src/image/jpeg/scan.go b/src/image/jpeg/scan.go

index 8d81b080801fb0b7480f7de19eaad4a6b8737df7..2bd1d9d531d825f0cb33f0870e669d6b4f8522c1 100644 (file)
--- a/src/image/jpeg/scan.go
+++ b/src/image/jpeg/scan.go
@@ -65,7 +65,13 @@ func (d *decoder) processSOS(n int) error {
                 }
                 scan[i].compIndex = uint8(compIndex)
                 scan[i].td = d.tmp[2+2*i] >> 4
+               if scan[i].td > maxTh {
+                       return FormatError("bad Td value")
+               }
                 scan[i].ta = d.tmp[2+2*i] & 0x0f
+               if scan[i].ta > maxTh {
+                       return FormatError("bad Ta value")
+               }
         }
  
         // zigStart and zigEnd are the spectral selection bounds.
author	Nigel Tao <nigeltao@golang.org>
	Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)
committer	Nigel Tao <nigeltao@golang.org>
	Sun, 14 Sep 2014 22:41:59 +0000 (08:41 +1000)