escl: Fix crash in libjpeg when cropping the scanned image

jpeg_crop_scanline will adjust the x offset and the width of the image
to make it line up with the nearest iMCU boundary.

Before, this was not taken into account and it would make SANE
potentially allocate a too small buffer for the final image.

This would lead to segfaults because libjpeg would try to write outside
of the allocated memory region as it assumes that the buffer was
allocated with the new cinfo.output_width size after cropping.
707-xerox_mfp-scx-4521-fixes-are-not-merged
Sebastian Parborg 2023-09-19 15:54:22 +02:00
parent 9bf2415fe6
commit ba7d24bf30
1 changed file with 7 additions and 7 deletions


@ -232,7 +232,13 @@ get_JPEG_data(capabilities_t *scanner, int *width, int *height, int *bps)
y_off,
w,
h);
surface = malloc(w * h * cinfo.output_components);
jpeg_start_decompress(&cinfo);
if (x_off > 0 || w < cinfo.output_width)
jpeg_crop_scanline(&cinfo, &x_off, &w);
lineSize = w * cinfo.output_components;
if (y_off > 0)
jpeg_skip_scanlines(&cinfo, y_off);
surface = malloc(cinfo.output_width * cinfo.output_height * cinfo.output_components);
if (surface == NULL) {
jpeg_destroy_decompress(&cinfo);
DBG( 1, "Escl Jpeg : Memory allocation problem\n");
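Review bot: The size passed to the relocated malloc, `cinfo.output_width * cinfo.output_height * cinfo.output_components`, is computed in 32-bit arithmetic from dimensions taken from the JPEG header, so a large enough image can wrap the product and again yield a buffer smaller than what libjpeg writes. Since the data arrives from the scanner over the network, compute the size in size_t and reject the image if either multiplication would overflow before calling malloc. Separately, `lineSize` is still derived from `w` while the allocation now uses `cinfo.output_width`; the two only agree when jpeg_crop_scanline actually ran, so deriving `lineSize` from `cinfo.output_width * cinfo.output_components` as well would keep the row stride and the allocation tied to the same value.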
@ -242,12 +248,6 @@ get_JPEG_data(capabilities_t *scanner, int *width, int *height, int *bps)
}
return (SANE_STATUS_NO_MEM);
}
jpeg_start_decompress(&cinfo);
if (x_off > 0 || w < cinfo.output_width)
jpeg_crop_scanline(&cinfo, &x_off, &w);
lineSize = w * cinfo.output_components;
if (y_off > 0)
jpeg_skip_scanlines(&cinfo, y_off);
pos = 0;
while (cinfo.output_scanline < (unsigned int)rh) {
rowptr[0] = (JSAMPROW)surface + (lineSize * pos); // ..cinfo.output_scanline);
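Review bot: The read loop after the moved block is bounded by `rh` and strides by `lineSize`, but nothing visible here checks either value against the dimensions the buffer is now allocated with. With the allocation based on `cinfo.output_width` and `cinfo.output_height`, it would be safer to stop the loop at `cinfo.output_height` when `rh` is larger, and to confirm that `lineSize * pos` stays within the allocated size before setting `rowptr[0]`. The trailing `// ..cinfo.output_scanline);` comment on the `rowptr[0]` line is leftover code and could be dropped while this area is being touched.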