From ba7d24bf304bb898c3f20c98568700a27597bef7 Mon Sep 17 00:00:00 2001
From: Sebastian Parborg
Date: Tue, 19 Sep 2023 15:54:22 +0200
Subject: [PATCH] escl: Fix crash in libjpeg when cropping the scanned image
jpeg_crop_scanline will adjust the x offset and the width of the image to make it line up with the nearest iMCU boundary. Before, this was not taken into account and it would make SANE potentially allocate a too small buffer for the final image. This would lead to segfaults because libjpeg would try to write outside of the allocated memory region as it assumes that the buffer was allocated with the new cinfo.output_width size after cropping.
---
 backend/escl/escl_jpeg.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/backend/escl/escl_jpeg.c b/backend/escl/escl_jpeg.c
index 1dd3ec918..62c20c09a 100644
--- a/backend/escl/escl_jpeg.c
+++ b/backend/escl/escl_jpeg.c
@@ -232,7 +232,13 @@ get_JPEG_data(capabilities_t *scanner, int *width, int *height, int *bps)
 y_off, w, h);
- surface = malloc(w * h * cinfo.output_components);
+ jpeg_start_decompress(&cinfo);
+ if (x_off > 0 || w < cinfo.output_width)
+ jpeg_crop_scanline(&cinfo, &x_off, &w);
+ lineSize = w * cinfo.output_components;
+ if (y_off > 0)
+ jpeg_skip_scanlines(&cinfo, y_off);
+ surface = malloc(cinfo.output_width * cinfo.output_height * cinfo.output_components);
 if (surface == NULL) {
 jpeg_destroy_decompress(&cinfo);
 DBG( 1, "Escl Jpeg : Memory allocation problem\n");
@@ -242,12 +248,6 @@ get_JPEG_data(capabilities_t *scanner, int *width, int *height, int *bps)
 }
 return (SANE_STATUS_NO_MEM);
 }
- jpeg_start_decompress(&cinfo);
- if (x_off > 0 || w < cinfo.output_width)
- jpeg_crop_scanline(&cinfo, &x_off, &w);
- lineSize = w * cinfo.output_components;
- if (y_off > 0)
- jpeg_skip_scanlines(&cinfo, y_off);
 pos = 0;
 while (cinfo.output_scanline < (unsigned int)rh) {
 rowptr[0] = (JSAMPROW)surface + (lineSize * pos); // ..cinfo.output_scanline);
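Review bot: The new `surface = malloc(cinfo.output_width * cinfo.output_height * cinfo.output_components);` multiplies in `unsigned int`/`int` before the result is widened to `size_t`, and output_width and output_height come straight from the JPEG header the scanner returned over the network, so a header declaring dimensions near libjpeg's 65500 limit wraps the product to a small size and the scanline loop below writes past the buffer — the same heap overflow this commit set out to remove, reached through arithmetic instead of cropping. Doing the multiplication in size_t and routing an overflowing size through the existing `surface == NULL` cleanup closes it without adding a second error path (SIZE_MAX needs <stdint.h> if the file does not already include it). Two smaller points, both hedged because get_JPEG_data starts before and continues after the hunk. The buffer is now sized for all output_height rows although the loop only fills rows from y_off up to rh, and jpeg_crop_scanline has already moved x_off down to an iMCU boundary, so unless the rest of the function re-offsets each row by the original x_off minus the adjusted one, the returned image starts to the left of the requested crop.
```c
    jpeg_start_decompress(&cinfo);
    /* … unchanged: jpeg_crop_scanline / lineSize / jpeg_skip_scanlines … */
    /* Dimensions come from the JPEG header the scanner sent: multiply in
     * size_t and let an overflowing size fall into the existing NO_MEM path. */
    if (cinfo.output_height != 0 &&
        (size_t)cinfo.output_width * cinfo.output_components > SIZE_MAX / cinfo.output_height)
        surface = NULL;
    else
        surface = malloc((size_t)cinfo.output_width * cinfo.output_height * cinfo.output_components);
    if (surface == NULL) {
```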