Skip to content

Jpeg ArgumentException fix #1924

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
JimBobSquarePants merged 3 commits into from
Jan 6, 2022
Merged

Jpeg ArgumentException fix #1924

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c682504
Fix
Jan 5, 2022
6b36d55
Added example image to the test suite
Jan 5, 2022
22ed6da
Moved 'unrecoverable image' to 'unsupported' test case
Jan 5, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion src/ImageSharp/Formats/Jpeg/JpegDecoderCore.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -472,7 +472,7 @@ private JpegColorSpace DeduceJpegColorSpace(byte componentCount)
: JpegColorSpace.Cmyk;
}

JpegThrowHelper.ThrowInvalidImageContentException($"Unsupported color mode. Supported component counts 1, 3, and 4; found {componentCount}");
JpegThrowHelper.ThrowNotSupportedComponentCount(componentCount);
return default;
}

Expand Down Expand Up @@ -998,6 +998,14 @@ private void ProcessStartOfFrameMarker(BufferedReadStream stream, int remaining,
// 1 byte: Number of components
byte componentCount = this.temp[5];

// Validate: componentCount more than 4 can lead to a buffer overflow during stream
// reading so we must limit it to 4
// We do not support jpeg images with more than 4 components anyway
if (componentCount > 4)
{
JpegThrowHelper.ThrowNotSupportedComponentCount(componentCount);
}

this.Frame = new JpegFrame(frameMarker, precision, frameWidth, frameHeight, componentCount);

remaining -= length;
Expand Down
3 changes: 3 additions & 0 deletions src/ImageSharp/Formats/Jpeg/JpegThrowHelper.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,5 +45,8 @@ internal static class JpegThrowHelper

[MethodImpl(InliningOptions.ColdPath)]
public static void ThrowDimensionsTooLarge(int width, int height) => throw new ImageFormatException($"Image is too large to encode at {width}x{height} for JPEG format.");

[MethodImpl(InliningOptions.ColdPath)]
public static void ThrowNotSupportedComponentCount(int componentCount) => throw new NotSupportedException($"Images with {componentCount} components are not supported.");
}
}
150 changes: 81 additions & 69 deletions tests/ImageSharp.Tests/Formats/Jpg/JpegDecoderTests.Images.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,58 +10,72 @@ namespace SixLabors.ImageSharp.Tests.Formats.Jpg
public partial class JpegDecoderTests
{
public static string[] BaselineTestJpegs =
{
TestImages.Jpeg.Baseline.Calliphora,
TestImages.Jpeg.Baseline.Cmyk,
TestImages.Jpeg.Baseline.Ycck,
TestImages.Jpeg.Baseline.Jpeg400,
TestImages.Jpeg.Baseline.Turtle420,
TestImages.Jpeg.Baseline.Testorig420,
TestImages.Jpeg.Baseline.Jpeg420Small,
TestImages.Jpeg.Issues.Fuzz.AccessViolationException922,
TestImages.Jpeg.Baseline.Jpeg444,
TestImages.Jpeg.Baseline.Jpeg422,
TestImages.Jpeg.Baseline.Bad.BadEOF,
TestImages.Jpeg.Baseline.MultiScanBaselineCMYK,
TestImages.Jpeg.Baseline.YcckSubsample1222,
TestImages.Jpeg.Baseline.Bad.BadRST,
TestImages.Jpeg.Issues.MultiHuffmanBaseline394,
TestImages.Jpeg.Issues.ExifDecodeOutOfRange694,
TestImages.Jpeg.Issues.InvalidEOI695,
TestImages.Jpeg.Issues.ExifResizeOutOfRange696,
TestImages.Jpeg.Issues.InvalidAPP0721,
TestImages.Jpeg.Issues.ExifGetString750Load,
TestImages.Jpeg.Issues.ExifGetString750Transform,
TestImages.Jpeg.Issues.BadSubSampling1076,
{
TestImages.Jpeg.Baseline.Calliphora,
TestImages.Jpeg.Baseline.Cmyk,
TestImages.Jpeg.Baseline.Ycck,
TestImages.Jpeg.Baseline.Jpeg400,
TestImages.Jpeg.Baseline.Turtle420,
TestImages.Jpeg.Baseline.Testorig420,
TestImages.Jpeg.Baseline.Jpeg420Small,
TestImages.Jpeg.Issues.Fuzz.AccessViolationException922,
TestImages.Jpeg.Baseline.Jpeg444,
TestImages.Jpeg.Baseline.Jpeg422,
TestImages.Jpeg.Baseline.Bad.BadEOF,
TestImages.Jpeg.Baseline.MultiScanBaselineCMYK,
TestImages.Jpeg.Baseline.YcckSubsample1222,
TestImages.Jpeg.Baseline.Bad.BadRST,
TestImages.Jpeg.Issues.MultiHuffmanBaseline394,
TestImages.Jpeg.Issues.ExifDecodeOutOfRange694,
TestImages.Jpeg.Issues.InvalidEOI695,
TestImages.Jpeg.Issues.ExifResizeOutOfRange696,
TestImages.Jpeg.Issues.InvalidAPP0721,
TestImages.Jpeg.Issues.ExifGetString750Load,
TestImages.Jpeg.Issues.ExifGetString750Transform,
TestImages.Jpeg.Issues.BadSubSampling1076,

// LibJpeg can open this despite the invalid density units.
TestImages.Jpeg.Issues.Fuzz.ArgumentOutOfRangeException825B,
// LibJpeg can open this despite the invalid density units.
TestImages.Jpeg.Issues.Fuzz.ArgumentOutOfRangeException825B,

// LibJpeg can open this despite incorrect colorspace metadata.
TestImages.Jpeg.Issues.IncorrectColorspace855,
// LibJpeg can open this despite incorrect colorspace metadata.
TestImages.Jpeg.Issues.IncorrectColorspace855,

// High depth images
TestImages.Jpeg.Baseline.Testorig12bit,
};
// High depth images
TestImages.Jpeg.Baseline.Testorig12bit,
};

public static string[] ProgressiveTestJpegs =
{
TestImages.Jpeg.Progressive.Fb,
TestImages.Jpeg.Progressive.Progress,
TestImages.Jpeg.Progressive.Festzug,
TestImages.Jpeg.Progressive.Bad.BadEOF,
TestImages.Jpeg.Issues.BadCoeffsProgressive178,
TestImages.Jpeg.Issues.MissingFF00ProgressiveGirl159,
TestImages.Jpeg.Issues.MissingFF00ProgressiveBedroom159,
TestImages.Jpeg.Issues.BadZigZagProgressive385,
TestImages.Jpeg.Progressive.Bad.ExifUndefType,
TestImages.Jpeg.Issues.NoEoiProgressive517,
TestImages.Jpeg.Issues.BadRstProgressive518,
TestImages.Jpeg.Issues.DhtHasWrongLength624,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723A,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723B,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723C
};
{
TestImages.Jpeg.Progressive.Fb,
TestImages.Jpeg.Progressive.Progress,
TestImages.Jpeg.Progressive.Festzug,
TestImages.Jpeg.Progressive.Bad.BadEOF,
TestImages.Jpeg.Issues.BadCoeffsProgressive178,
TestImages.Jpeg.Issues.MissingFF00ProgressiveGirl159,
TestImages.Jpeg.Issues.MissingFF00ProgressiveBedroom159,
TestImages.Jpeg.Issues.BadZigZagProgressive385,
TestImages.Jpeg.Progressive.Bad.ExifUndefType,
TestImages.Jpeg.Issues.NoEoiProgressive517,
TestImages.Jpeg.Issues.BadRstProgressive518,
TestImages.Jpeg.Issues.DhtHasWrongLength624,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723A,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723B,
TestImages.Jpeg.Issues.OrderedInterleavedProgressive723C
};

public static string[] UnsupportedTestJpegs =
{
// Invalid componentCount value (2 or > 4)
TestImages.Jpeg.Issues.Fuzz.NullReferenceException823,
TestImages.Jpeg.Issues.MalformedUnsupportedComponentCount,

// Arithmetic coding
TestImages.Jpeg.Baseline.ArithmeticCoding,
TestImages.Jpeg.Baseline.ArithmeticCodingProgressive,

// Lossless jpeg
TestImages.Jpeg.Baseline.Lossless
};

public static string[] UnrecoverableTestJpegs =
{
Expand All @@ -70,7 +84,6 @@ public partial class JpegDecoderTests
TestImages.Jpeg.Issues.Fuzz.AccessViolationException798,
TestImages.Jpeg.Issues.Fuzz.DivideByZeroException821,
TestImages.Jpeg.Issues.Fuzz.DivideByZeroException822,
TestImages.Jpeg.Issues.Fuzz.NullReferenceException823,
TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824A,
TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824B,
TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824D,
Expand All @@ -91,28 +104,27 @@ public partial class JpegDecoderTests
TestImages.Jpeg.Issues.Fuzz.IndexOutOfRangeException824C,
};

private static readonly Dictionary<string, float> CustomToleranceValues =
new Dictionary<string, float>
{
// Baseline:
[TestImages.Jpeg.Baseline.Calliphora] = 0.00002f / 100,
[TestImages.Jpeg.Baseline.Bad.BadEOF] = 0.38f / 100,
[TestImages.Jpeg.Baseline.Bad.BadRST] = 0.0589f / 100,
private static readonly Dictionary<string, float> CustomToleranceValues = new()
{
// Baseline:
[TestImages.Jpeg.Baseline.Calliphora] = 0.00002f / 100,
[TestImages.Jpeg.Baseline.Bad.BadEOF] = 0.38f / 100,
[TestImages.Jpeg.Baseline.Bad.BadRST] = 0.0589f / 100,

[TestImages.Jpeg.Baseline.Jpeg422] = 0.0013f / 100,
[TestImages.Jpeg.Baseline.Testorig420] = 0.38f / 100,
[TestImages.Jpeg.Baseline.Jpeg420Small] = 0.287f / 100,
[TestImages.Jpeg.Baseline.Turtle420] = 1.0f / 100,
[TestImages.Jpeg.Baseline.Jpeg422] = 0.0013f / 100,
[TestImages.Jpeg.Baseline.Testorig420] = 0.38f / 100,
[TestImages.Jpeg.Baseline.Jpeg420Small] = 0.287f / 100,
[TestImages.Jpeg.Baseline.Turtle420] = 1.0f / 100,

// Progressive:
[TestImages.Jpeg.Issues.MissingFF00ProgressiveGirl159] = 0.34f / 100,
[TestImages.Jpeg.Issues.BadCoeffsProgressive178] = 0.38f / 100,
[TestImages.Jpeg.Progressive.Bad.BadEOF] = 0.3f / 100,
[TestImages.Jpeg.Progressive.Festzug] = 0.02f / 100,
[TestImages.Jpeg.Progressive.Fb] = 0.16f / 100,
[TestImages.Jpeg.Progressive.Progress] = 0.31f / 100,
[TestImages.Jpeg.Issues.BadZigZagProgressive385] = 0.23f / 100,
[TestImages.Jpeg.Progressive.Bad.ExifUndefType] = 0.011f / 100,
};
// Progressive:
[TestImages.Jpeg.Issues.MissingFF00ProgressiveGirl159] = 0.34f / 100,
[TestImages.Jpeg.Issues.BadCoeffsProgressive178] = 0.38f / 100,
[TestImages.Jpeg.Progressive.Bad.BadEOF] = 0.3f / 100,
[TestImages.Jpeg.Progressive.Festzug] = 0.02f / 100,
[TestImages.Jpeg.Progressive.Fb] = 0.16f / 100,
[TestImages.Jpeg.Progressive.Progress] = 0.31f / 100,
[TestImages.Jpeg.Issues.BadZigZagProgressive385] = 0.23f / 100,
[TestImages.Jpeg.Progressive.Bad.ExifUndefType] = 0.011f / 100,
};
}
}
4 changes: 1 addition & 3 deletions tests/ImageSharp.Tests/Formats/Jpg/JpegDecoderTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,9 +190,7 @@ public async Task Identify_IsCancellable()
}

[Theory]
[WithFile(TestImages.Jpeg.Baseline.ArithmeticCoding, PixelTypes.Rgba32)]
[WithFile(TestImages.Jpeg.Baseline.ArithmeticCodingProgressive, PixelTypes.Rgba32)]
[WithFile(TestImages.Jpeg.Baseline.Lossless, PixelTypes.Rgba32)]
[WithFileCollection(nameof(UnsupportedTestJpegs), PixelTypes.Rgba32)]
public void ThrowsNotSupported_WithUnsupportedJpegs<TPixel>(TestImageProvider<TPixel> provider)
where TPixel : unmanaged, IPixel<TPixel>
{
Expand Down
1 change: 1 addition & 0 deletions tests/ImageSharp.Tests/TestImages.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,7 @@ public static class Issues
public const string BadSubSampling1076 = "Jpg/issues/issue-1076-invalid-subsampling.jpg";
public const string IdentifyMultiFrame1211 = "Jpg/issues/issue-1221-identify-multi-frame.jpg";
public const string WrongColorSpace = "Jpg/issues/Issue1732-WrongColorSpace.jpg";
public const string MalformedUnsupportedComponentCount = "Jpg/issues/issue-1900-malformed-unsupported-255-components.jpg";

public static class Fuzz
{
Expand Down
3 changes: 3 additions & 0 deletions tests/Images/Input/Jpg/issues/issue-1900-malformed-unsupported-255-components.jpg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.