Always skip over any additional, unexpected, RSTx (restart) markers in corrupt JPEG images (issue 11794)

2020-04-12 12:27:11 +02:00 · 2020-04-12 12:27:11 +02:00 · 06f6f8719f
commit 06f6f8719f
parent 26cffd03b0
3 changed files with 38 additions and 21 deletions
--- a/src/core/jpg.js
+++ b/src/core/jpg.js
@ -393,35 +393,42 @@ var JpegImage = (function JpegImageClosure() {
    }

    var h, v;
-    while (mcu < mcuExpected) {
+    while (mcu <= mcuExpected) {
      // reset interval stuff
      var mcuToRead = resetInterval
        ? Math.min(mcuExpected - mcu, resetInterval)
        : mcuExpected;
-      for (i = 0; i < componentsLength; i++) {
-        components[i].pred = 0;
-      }
-      eobrun = 0;

-      if (componentsLength === 1) {
-        component = components[0];
-        for (n = 0; n < mcuToRead; n++) {
-          decodeBlock(component, decodeFn, mcu);
-          mcu++;
+      // The `mcuToRead === 0` case should only occur when all of the expected
+      // MCU data has been already parsed, i.e. when `mcu === mcuExpected`, but
+      // some corrupt JPEG images contain more data than intended and we thus
+      // want to skip over any extra RSTx markers below (fixes issue11794.pdf).
+      if (mcuToRead > 0) {
+        for (i = 0; i < componentsLength; i++) {
+          components[i].pred = 0;
        }
-      } else {
-        for (n = 0; n < mcuToRead; n++) {
-          for (i = 0; i < componentsLength; i++) {
-            component = components[i];
-            h = component.h;
-            v = component.v;
-            for (j = 0; j < v; j++) {
-              for (k = 0; k < h; k++) {
-                decodeMcu(component, decodeFn, mcu, j, k);
+        eobrun = 0;
+
+        if (componentsLength === 1) {
+          component = components[0];
+          for (n = 0; n < mcuToRead; n++) {
+            decodeBlock(component, decodeFn, mcu);
+            mcu++;
+          }
+        } else {
+          for (n = 0; n < mcuToRead; n++) {
+            for (i = 0; i < componentsLength; i++) {
+              component = components[i];
+              h = component.h;
+              v = component.v;
+              for (j = 0; j < v; j++) {
+                for (k = 0; k < h; k++) {
+                  decodeMcu(component, decodeFn, mcu, j, k);
+                }
              }
            }
+            mcu++;
          }
-          mcu++;
        }
      }

@ -434,8 +441,9 @@ var JpegImage = (function JpegImageClosure() {
      if (fileMarker.invalid) {
        // Some bad images seem to pad Scan blocks with e.g. zero bytes, skip
        // past those to attempt to find a valid marker (fixes issue4090.pdf).
+        const partialMsg = mcuToRead > 0 ? "unexpected" : "excessive";
        warn(
-          `decodeScan - unexpected MCU data, current marker is: ${fileMarker.invalid}`
+          `decodeScan - ${partialMsg} MCU data, current marker is: ${fileMarker.invalid}`
        );
        offset = fileMarker.offset;
      }
--- a/test/pdfs/issue11794.pdf.link
+++ b/test/pdfs/issue11794.pdf.link
@ -0,0 +1 @@
+https://github.com/mozilla/pdf.js/files/4459214/test.pdf
--- a/test/test_manifest.json
+++ b/test/test_manifest.json
@ -2468,6 +2468,14 @@
      "link": true,
      "type": "eq"
    },
+    {  "id": "issue11794",
+       "file": "pdfs/issue11794.pdf",
+       "md5": "00d17b10a5fd7c06cddd7a0d2066ecdd",
+       "rounds": 1,
+       "link": true,
+       "lastPage": 1,
+       "type": "eq"
+    },
    {
      "id": "bug852992",
      "file": "pdfs/bug852992_reduced.pdf",
				`@ -0,0 +1 @@`
				`https://github.com/mozilla/pdf.js/files/4459214/test.pdf`