Merge pull request #653 from drewnoakes/validate-jpeg-length

Validate lengths before parsing JPEG data
drewnoakes · Feb 4, 2024 · 08a2b7c · 08a2b7c
2 parents 6aee7b3 + c1d3320
commit 08a2b7c
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/Source/com/drew/metadata/jpeg/JpegReader.java b/Source/com/drew/metadata/jpeg/JpegReader.java
@@ -77,6 +77,13 @@ public void extract(byte[] segmentBytes, Metadata metadata, JpegSegmentType segm
         // The value of TAG_COMPRESSION_TYPE is determined by the segment type found
         directory.setInt(JpegDirectory.TAG_COMPRESSION_TYPE, segmentType.byteValue - JpegSegmentType.SOF0.byteValue);
 
+        final int JPEG_HEADER_SIZE = 1 + 2 + 2 + 1;
+
+        if (segmentBytes.length < JPEG_HEADER_SIZE) {
+            directory.addError("Insufficient bytes for JPEG segment header.");
+            return;
+        }
+
         SequentialReader reader = new SequentialByteArrayReader(segmentBytes);
 
         try {
@@ -86,6 +93,13 @@ public void extract(byte[] segmentBytes, Metadata metadata, JpegSegmentType segm
             short componentCount = reader.getUInt8();
             directory.setInt(JpegDirectory.TAG_NUMBER_OF_COMPONENTS, componentCount);
 
+            final int JPEG_COMPONENT_SIZE = 1 + 1 + 1;
+
+            if (reader.available() < componentCount * JPEG_COMPONENT_SIZE) {
+                directory.addError("Insufficient bytes for JPEG the requested number of JPEG components.");
+                return;
+            }
+
             // for each component, there are three bytes of data:
             // 1 - Component ID: 1 = Y, 2 = Cb, 3 = Cr, 4 = I, 5 = Q
             // 2 - Sampling factors: bit 0-3 vertical, 4-7 horizontal