
Fix off-by-one bounds check in jpegli_add_quant_table#245

Open
Mohdhsn-00 wants to merge 1 commit into google:main from Mohdhsn-00:fix/quant-table-index-off-by-one

Conversation

@Mohdhsn-00


Summary

jpegli_add_quant_table guarded its table index with which_tbl > NUM_QUANT_TBLS
instead of >= NUM_QUANT_TBLS. Since quant_tbl_ptrs is a fixed 4-element array
(JQUANT_TBL* quant_tbl_ptrs[NUM_QUANT_TBLS], NUM_QUANT_TBLS == 4), the check
accepted which_tbl == 4 — one past the end of the array.

Impact

which_tbl is a caller-supplied argument of a public, libjpeg-compatible API.
With which_tbl == 4:

  • cinfo->quant_tbl_ptrs[4] is read out of bounds (into the adjacent struct field).
  • If that reads as null, a freshly allocated pointer is written out of bounds into
    quant_tbl_ptrs[4].
  • If it reads as non-null, it is dereferenced and 64 quantval entries + sent_table
    are written through it.

This is an out-of-bounds read/write (CWE-193 → CWE-787/CWE-125) reachable through the
public API.

Fix

Change > to >=, rejecting the invalid index 4 with the existing JPEGLI_ERROR
path.

-  if (which_tbl < 0 || which_tbl > NUM_QUANT_TBLS) {
+  if (which_tbl < 0 || which_tbl >= NUM_QUANT_TBLS) {
     JPEGLI_ERROR("Invalid quant table index %d", which_tbl);
   }
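Review bot: the corrected condition `which_tbl >= NUM_QUANT_TBLS` is the right upper bound for a NUM_QUANT_TBLS-element array (valid indices are 0..NUM_QUANT_TBLS-1), and the `which_tbl < 0` half is unchanged, so the guard now matches the array size. Please add a regression test that calls jpegli_add_quant_table with which_tbl == NUM_QUANT_TBLS and with -1 and checks that the JPEGLI_ERROR path is taken, so this boundary cannot silently regress; a quick grep for other `> NUM_QUANT_TBLS` comparisons on index arguments would also be worth mentioning in the PR.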
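As an added example, not code from this PR or from jpegli, the C below reproduces the boundary logic on a constructed struct that only mirrors the shape described above (a NUM_QUANT_TBLS-element pointer array followed by another field). The struct name CompressState, the field next_field, and the functions index_rejected_old, index_rejected_fixed, slot_aliases_next_field and add_quant_table_checked are all hypothetical names chosen here; the real jpeg_compress_struct has many more fields and a different layout. It shows that the old guard accepts index 4, that slot 4 sits exactly at the offset of the following field, and how a checked setter refuses the index before any memory is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the relevant part of the compress struct; the real
   jpegli/libjpeg struct has more fields. Only the shape matters here. */
#define NUM_QUANT_TBLS 4
#define DCTSIZE2 64

typedef struct {
  uint16_t quantval[DCTSIZE2];
  int sent_table;
} QuantTable;

typedef struct {
  QuantTable *quant_tbl_ptrs[NUM_QUANT_TBLS];
  QuantTable *next_field; /* hypothetical field placed right after the array */
} CompressState;

/* The original (buggy) guard: lets which_tbl == NUM_QUANT_TBLS through. */
int index_rejected_old(int which_tbl) {
  return which_tbl < 0 || which_tbl > NUM_QUANT_TBLS;
}

/* The corrected guard from the PR: valid indices are 0..NUM_QUANT_TBLS-1. */
int index_rejected_fixed(int which_tbl) {
  return which_tbl < 0 || which_tbl >= NUM_QUANT_TBLS;
}

/* Why the old guard matters: the slot that the old check accepts starts at the
   same offset as whatever field follows the array. Computed with offsetof so
   no out-of-bounds access is ever performed. Returns 1 if they coincide. */
int slot_aliases_next_field(void) {
  size_t slot4 = offsetof(CompressState, quant_tbl_ptrs) +
                 NUM_QUANT_TBLS * sizeof(QuantTable *);
  return slot4 == offsetof(CompressState, next_field);
}

/* Hardened setter standing in for the JPEGLI_ERROR path: returns 0 on success
   and -1 for an out-of-range index, without touching memory when rejecting. */
int add_quant_table_checked(CompressState *s, int which_tbl, QuantTable *tbl) {
  if (index_rejected_fixed(which_tbl)) return -1;
  s->quant_tbl_ptrs[which_tbl] = tbl;
  return 0;
}

int main(void) {
  CompressState s = {0};
  QuantTable t = {0};
  printf("old guard rejects index 4?   %d\n", index_rejected_old(NUM_QUANT_TBLS));
  printf("fixed guard rejects index 4? %d\n", index_rejected_fixed(NUM_QUANT_TBLS));
  printf("slot 4 overlaps next field?  %d\n", slot_aliases_next_field());
  printf("add at 4 -> %d, add at 3 -> %d\n",
         add_quant_table_checked(&s, 4, &t), add_quant_table_checked(&s, 3, &t));
  return 0;
}
```

The offsetof computation is the safe way to demonstrate the aliasing: forming or dereferencing `quant_tbl_ptrs[4]` would itself be the out-of-bounds access the fix prevents, so the example reasons about layout arithmetically instead.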

@google-cla

google-cla Bot commented Jul 2, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.
