Merge pull request image-rs#70 from kaksmet/overflow-fix

Fix a possible integer overflow in derive_huffman_codes
wartmanm · Mar 18, 2017 · a2208c6 · a2208c6
2 parents 58f030c + e3d312e
commit a2208c6
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/src/huffman.rs b/src/huffman.rs
@@ -261,19 +261,19 @@ fn derive_huffman_codes(bits: &[u8; 16]) -> Result<(Vec<u16>, Vec<u8>)> {
  // Figure C.2
  let mut huffcode = vec![0u16; huffsize.len()];
  let mut code_size = huffsize[0];
- let mut code = 0u16;
+ let mut code = 0u32;
 
  for (i, &size) in huffsize.iter().enumerate() {
  while code_size < size {
  code <<= 1;
  code_size += 1;
  }
 
- if code as u32 >= (1u32 << size) {
+ if code >= (1u32 << size) {
  return Err(Error::Format("bad huffman code length".to_owned()));
  }
 
- huffcode[i] = code;
+ huffcode[i] = code as u16;
  code += 1;
  }
 

diff --git a/tests/crashtest/images/README.md b/tests/crashtest/images/README.md
@@ -3,4 +3,5 @@ File | Source
 --------------------------| ------
 imagetestsuite/ | The files in this directory were taken from https://code.google.com/p/imagetestsuite/
 dc-predictor-overflow.jpg | Found by Wim Looman (@Nemo157) while fuzzing
+derive-huffman-codes-overflow.jpg | Found by Pascal Hertleif (@killercup) while fuzzing
 missing-sof.jpg | Found by Corey Farwell (@frewsxcv) when fuzz testing
diff --git a/tests/crashtest/images/derive-huffman-codes-overflow.jpg b/tests/crashtest/images/derive-huffman-codes-overflow.jpg