Bug #970
Incorrect handling of malformed JPEG bitstream
Status: closed
Start date: 2021-03-04
Due date:
% Done: 0%
Estimated time: 2:00 h
Module: dcmjpeg
Operating System:
Compiler:
Description
Apparently the IJG JPEG code embedded into DCMTK does not correctly handle certain invalid JPEG bitstreams that contain inconsistent start-of-scan (SOS) markers.
The issue is discussed in https://bugs.chromium.org/p/chromium/issues/detail?id=258723 and has been fixed in Chromium and libjpeg-turbo. The fix can be readily
applied to DCMTK as well:
diff --git a/dcmjpeg/libijg12/jdmarker.c b/dcmjpeg/libijg12/jdmarker.c index 355835c7f..4d1e63f84 100644 --- a/dcmjpeg/libijg12/jdmarker.c +++ b/dcmjpeg/libijg12/jdmarker.c @@ -346,6 +346,12 @@ get_sos (j_decompress_ptr cinfo) compptr->dc_tbl_no, compptr->ac_tbl_no); } + /* This CSi (cc) should differ from the previous CSi */ + for (ci = 0; ci < i; ci++) { + if (cinfo->cur_comp_info[ci] == compptr) + ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); + } + /* Collect the additional scan parameters Ss, Se, Ah/Al. */ INPUT_BYTE(cinfo, c, return FALSE); cinfo->Ss = c; diff --git a/dcmjpeg/libijg16/jdmarker.c b/dcmjpeg/libijg16/jdmarker.c index f2b6188e8..381f58226 100644 --- a/dcmjpeg/libijg16/jdmarker.c +++ b/dcmjpeg/libijg16/jdmarker.c @@ -346,6 +346,12 @@ get_sos (j_decompress_ptr cinfo) compptr->dc_tbl_no, compptr->ac_tbl_no); } + /* This CSi (cc) should differ from the previous CSi */ + for (ci = 0; ci < i; ci++) { + if (cinfo->cur_comp_info[ci] == compptr) + ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); + } + /* Collect the additional scan parameters Ss, Se, Ah/Al. */ INPUT_BYTE(cinfo, c, return FALSE); cinfo->Ss = c; diff --git a/dcmjpeg/libijg8/jdmarker.c b/dcmjpeg/libijg8/jdmarker.c index 22f18e567..d7d4a1c37 100644 --- a/dcmjpeg/libijg8/jdmarker.c +++ b/dcmjpeg/libijg8/jdmarker.c @@ -346,6 +346,12 @@ get_sos (j_decompress_ptr cinfo) compptr->dc_tbl_no, compptr->ac_tbl_no); } + /* This CSi (cc) should differ from the previous CSi */ + for (ci = 0; ci < i; ci++) { + if (cinfo->cur_comp_info[ci] == compptr) + ERREXIT1(cinfo, JERR_BAD_COMPONENT_ID, cc); + } + /* Collect the additional scan parameters Ss, Se, Ah/Al. */ INPUT_BYTE(cinfo, c, return FALSE); cinfo->Ss = c;
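Review bot: the duplicate-CSi loop is inserted after the `}` that follows the TRACEMS3 arguments, and the placement is the same in all three copies (libijg12, libijg16, libijg8). If that brace closes the per-component loop of get_sos, the check runs only once, with i already at its final value and compptr still pointing at the last component stored, so `cinfo->cur_comp_info[i-1] == compptr` holds for every scan and ERREXIT1 would fire on valid input as well. Move the six added lines above that brace so each component is compared only against the entries stored before it, and verify the change with a valid multi-component scan in addition to the malformed one.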
Reported 2021-03-04 by Christian Wetzel <wetzel@phoenix-pacs.de>.
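A stand-alone pre-check for the condition the patch comment names, a start-of-scan header that lists the same component selector (CSi) twice, written for this page as an added example; it is not DCMTK, IJG or libjpeg-turbo code. The names `check_sos` and `sos_status` and the sample bytes are assumptions made for illustration; the segment layout follows ITU-T T.81, and the check does not cross-reference the frame header.

```c
#include <stddef.h>
#include <stdio.h>

enum sos_status { SOS_OK, SOS_TRUNCATED, SOS_BAD_COUNT, SOS_BAD_LENGTH, SOS_DUPLICATE_ID };

/* seg points at the 2-byte length field that follows the FF DA marker;
 * avail is the number of bytes readable from seg. Layout (ITU-T T.81):
 * Ls(2) Ns(1), then Ns x { Cs(1), Td/Ta(1) }, then Ss(1) Se(1) Ah/Al(1). */
enum sos_status check_sos(const unsigned char *seg, size_t avail)
{
    size_t len, n, i, j;

    if (avail < 3)
        return SOS_TRUNCATED;
    len = ((size_t)seg[0] << 8) | seg[1];
    n = seg[2];
    if (n < 1 || n > 4)               /* Ns must be 1..4 */
        return SOS_BAD_COUNT;
    if (len != 6 + 2 * n)             /* Ls is fixed by Ns */
        return SOS_BAD_LENGTH;
    if (avail < len)
        return SOS_TRUNCATED;
    for (i = 0; i < n; i++)           /* each Cs must be new within this scan */
        for (j = 0; j < i; j++)
            if (seg[3 + 2 * j] == seg[3 + 2 * i])
                return SOS_DUPLICATE_ID;
    return SOS_OK;
}

/* Constructed sample segments (not taken from any real file). */
static const unsigned char sos_valid[] = {
    0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x03, 0x11, 0x00, 0x3F, 0x00 };
static const unsigned char sos_dup[] = {      /* selector 0x01 appears twice */
    0x00, 0x0C, 0x03, 0x01, 0x00, 0x02, 0x11, 0x01, 0x11, 0x00, 0x3F, 0x00 };

int main(void)
{
    printf("valid scan header:     %d\n", check_sos(sos_valid, sizeof sos_valid));
    printf("duplicate CSi header:  %d\n", check_sos(sos_dup, sizeof sos_dup));
    return 0;
}
```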