
Commit b12fffd

fix: Update img-parts for jpeg segment underflow fix (#806)
Malformed JPEG could cause underflow panic. paolobarbolini/img-parts#14 Co-authored-by: Eric Scouten <scouten@adobe.com>
1 parent 7a87e11 commit b12fffd


3 files changed

+32
-3
lines changed

Cargo.lock

Lines changed: 2 additions & 2 deletions

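--- a/sdk/Cargo.toml
+++ b/sdk/Cargo.toml
@@ -94,7 +94,7 @@ fast-xml = "0.23.1"
 hex = "0.4.3"
 # Version 1.13.0 doesn't compile under Rust < 1.75, pinning to 1.12.0
 id3 = "=1.14.0"
-img-parts = "0.3.0"
+img-parts = "0.3.2"
 jfifdump = "0.6.0"
 log = "0.4.8"
 lopdf = { version = "0.31.0", optional = true }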

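--- a/sdk/src/asset_handlers/jpeg_io.rs
+++ b/sdk/src/asset_handlers/jpeg_io.rs
@@ -1373,4 +1373,33 @@ pub mod tests {
 let result = jpeg_io.get_object_locations_from_stream(&mut stream);
 assert!(matches!(result, Err(Error::InvalidAsset(_))));
 }
+
+#[test]
+fn test_crash_jpeg_segments() {
+let data = [
+0xff, 0xd8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x47,
+0xd2, 0x00, 0x10, 0xff, 0x60, 0xff, 0xff, 0xeb, 0x00, 0x27, 0xc2, 0xb8, 0xff, 0xd8,
+0xff, 0xff, 0x60, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+0xff, 0xff, 0x60, 0xff, 0x4e, 0x4e, 0x4e, 0xff, 0x00, 0x00, 0x2b, 0xff, 0xff, 0xff,
+0xff, 0xff, 0xff, 0xff, 0xff, 0x3d, 0xff, 0xff, 0x00, 0xff, 0x5c, 0xff, 0xff, 0xda,
+0x00, 0x02, 0x00, 0x01, 0x00, 0xff, 0x0b, 0x50, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+0xff, 0x10, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
+0x00, 0x00, 0xdf, 0xdf, 0x52, 0x49, 0x46, 0x46, 0xff, 0xff, 0xff, 0xff, 0x3d, 0xff,
+0xff, 0x00, 0xff, 0x5c, 0x4b, 0x4e, 0x60, 0xff, 0xff, 0x00, 0x00, 0x2b, 0xff, 0xff,
+0x3d, 0xff, 0xff, 0x00, 0xff, 0x5c, 0xff, 0xff, 0xda, 0x00, 0x10, 0x00, 0x00, 0x59,
+0x00, 0x00, 0x00, 0x00, 0xfd, 0x00, 0x00, 0x00, 0x07, 0x60, 0xff, 0xff, 0xff, 0xff,
+0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x60, 0xff, 0x4e, 0x4e, 0x4e,
+0xff, 0x00, 0x00, 0x2b, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3d, 0xff,
+0xff, 0x00, 0xff, 0x5c, 0xff, 0xff, 0xda, 0x00, 0x10, 0x00, 0x00, 0x59, 0x00, 0x00,
+0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xdf, 0xdf, 0x52, 0x49, 0x46,
+0x46, 0x25, 0x00, 0x00, 0xdf, 0xdf, 0x52, 0x49, 0x46, 0xad, 0x46, 0x6f, 0x00, 0x6f,
+0x00,
+];
+
+let mut stream = Cursor::new(&data);
+
+let jpeg_io = JpegIO {};
+
+let _ = jpeg_io.get_object_locations_from_stream(&mut stream);
+}
 }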
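Review bot: `test_crash_jpeg_segments` throws away the return value with `let _ = jpeg_io.get_object_locations_from_stream(&mut stream);`, so it only proves the malformed input no longer panics and would keep passing if the parser began accepting this data as a valid asset. If the updated img-parts rejects the input, which the hunk does not show, pin that as the test just above does: `assert!(jpeg_io.get_object_locations_from_stream(&mut stream).is_err());`. If the outcome is deliberately left open, say so in a comment above `let data`, e.g. `// Regression input for paolobarbolini/img-parts#14: a malformed segment length must not panic; the result is intentionally ignored.`, and record where the bytes came from so the case can be regenerated. The enclosing `pub mod tests` begins outside the hunk, so other JPEG entry points that may share the parsing path are not visible here.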
