From 8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84 Mon Sep 17 00:00:00 2001
From: Nigel Tao <nigeltao@golang.org>
Date: Mon, 15 Sep 2014 08:41:59 +1000
Subject: [PATCH] image/jpeg: reject invalid Ta and Td values.

Fixes #8693.

LGTM=crawshaw
R=crawshaw
CC=golang-codereviews
https://golang.org/cl/141470043
---
 src/image/jpeg/scan.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/image/jpeg/scan.go b/src/image/jpeg/scan.go
index 8d81b08080..2bd1d9d531 100644
--- a/src/image/jpeg/scan.go
+++ b/src/image/jpeg/scan.go
@@ -65,7 +65,13 @@ func (d *decoder) processSOS(n int) error {
 		}
 		scan[i].compIndex = uint8(compIndex)
 		scan[i].td = d.tmp[2+2*i] >> 4
+		if scan[i].td > maxTh {
+			return FormatError("bad Td value")
+		}
 		scan[i].ta = d.tmp[2+2*i] & 0x0f
+		if scan[i].ta > maxTh {
+			return FormatError("bad Ta value")
+		}
 	}
 
 	// zigStart and zigEnd are the spectral selection bounds.
-- 
2.50.0