image/jpeg: reject invalid Ta and Td values.

Fixes #8693. LGTM=crawshaw R=crawshaw CC=golang-codereviews https://golang.org/cl/141470043
author: Nigel Tao <nigeltao@golang.org> 2014-09-15 08:41:59 +1000
committer: Nigel Tao <nigeltao@golang.org> 2014-09-15 08:41:59 +1000
commit: 8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84 (patch)
tree: 5401675fc0bc626124d0338d9b5fe8ac3df59d67 /src
parent: d889f5f01efc9f8da8865f5987f6a8f3029928c0 (diff)
download: go-8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/src/image/jpeg/scan.go b/src/image/jpeg/scan.go
index 8d81b08080..2bd1d9d531 100644
--- a/src/image/jpeg/scan.go
+++ b/src/image/jpeg/scan.go
@@ -65,7 +65,13 @@ func (d *decoder) processSOS(n int) error {
 		}
 		scan[i].compIndex = uint8(compIndex)
 		scan[i].td = d.tmp[2+2*i] >> 4
+		if scan[i].td > maxTh {
+			return FormatError("bad Td value")
+		}
 		scan[i].ta = d.tmp[2+2*i] & 0x0f
+		if scan[i].ta > maxTh {
+			return FormatError("bad Ta value")
+		}
 	}
 
 	// zigStart and zigEnd are the spectral selection bounds.
author	Nigel Tao <nigeltao@golang.org>	2014-09-15 08:41:59 +1000
committer	Nigel Tao <nigeltao@golang.org>	2014-09-15 08:41:59 +1000
commit	8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84 (patch)
tree	5401675fc0bc626124d0338d9b5fe8ac3df59d67 /src
parent	d889f5f01efc9f8da8865f5987f6a8f3029928c0 (diff)
download	go-8e77a7ef6bce15e81b9a6ce5cb2fcbe47cd7ab84.tar.xz