From: Nigel Tao <nigeltao@golang.org>
Date: Sun, 14 Sep 2014 22:41:59 +0000 (+1000)
Subject: image/jpeg: reject invalid Ta and Td values.
X-Git-Tag: go1.4beta1~416
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84;p=gostls13.git

image/jpeg: reject invalid Ta and Td values.

Fixes #8693.

LGTM=crawshaw
R=crawshaw
CC=golang-codereviews
https://golang.org/cl/141470043
---

diff --git a/src/image/jpeg/scan.go b/src/image/jpeg/scan.go
index 8d81b08080..2bd1d9d531 100644
--- a/src/image/jpeg/scan.go
+++ b/src/image/jpeg/scan.go
@@ -65,7 +65,13 @@ func (d *decoder) processSOS(n int) error {
 		}
 		scan[i].compIndex = uint8(compIndex)
 		scan[i].td = d.tmp[2+2*i] >> 4
+		if scan[i].td > maxTh {
+			return FormatError("bad Td value")
+		}
 		scan[i].ta = d.tmp[2+2*i] & 0x0f
+		if scan[i].ta > maxTh {
+			return FormatError("bad Ta value")
+		}
 	}
 
 	// zigStart and zigEnd are the spectral selection bounds.