From 9b73ecc32719a2a6e3c733d87aefd9ef5a0bf804 Mon Sep 17 00:00:00 2001
From: Nigel Tao <nigeltao@golang.org>
Date: Wed, 4 Mar 2015 17:42:39 +1100
Subject: [PATCH] image/jpeg: check for component uniqueness and total sampling
 factors.

Change-Id: I83de9d83708edc8d196bbcfdc7d2ba7ffaff50d2
Reviewed-on: https://go-review.googlesource.com/6586
Reviewed-by: Rob Pike <r@golang.org>
---
 src/image/jpeg/reader.go |  9 +++++++++
 src/image/jpeg/scan.go   | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/src/image/jpeg/reader.go b/src/image/jpeg/reader.go
index 3e002e5e541..994c42232e0 100644
--- a/src/image/jpeg/reader.go
+++ b/src/image/jpeg/reader.go
@@ -318,7 +318,16 @@ func (d *decoder) processSOF(n int) error {
 	}
 	for i := 0; i < d.nComp; i++ {
 		d.comp[i].c = d.tmp[6+3*i]
+		// Section B.2.2 states that "the value of C_i shall be different from
+		// the values of C_1 through C_(i-1)".
+		for j := 0; j < i; j++ {
+			if d.comp[i].c == d.comp[j].c {
+				return FormatError("repeated component identifier")
+			}
+		}
+
 		d.comp[i].tq = d.tmp[8+3*i]
+
 		if d.nComp == 1 {
 			// If a JPEG image has only one component, section A.2 says "this data
 			// is non-interleaved by definition" and section A.2.2 says "[in this
diff --git a/src/image/jpeg/scan.go b/src/image/jpeg/scan.go
index da60023fb52..420326fc15b 100644
--- a/src/image/jpeg/scan.go
+++ b/src/image/jpeg/scan.go
@@ -63,6 +63,7 @@ func (d *decoder) processSOS(n int) error {
 		td        uint8 // DC table selector.
 		ta        uint8 // AC table selector.
 	}
+	totalHV := 0
 	for i := 0; i < nComp; i++ {
 		cs := d.tmp[1+2*i] // Component selector.
 		compIndex := -1
@@ -75,6 +76,18 @@ func (d *decoder) processSOS(n int) error {
 			return FormatError("unknown component selector")
 		}
 		scan[i].compIndex = uint8(compIndex)
+		// Section B.2.3 states that "the value of Cs_j shall be different from
+		// the values of Cs_1 through Cs_(j-1)". Since we have previously
+		// verified that a frame's component identifiers (C_i values in section
+		// B.2.2) are unique, it suffices to check that the implicit indexes
+		// into d.comp are unique.
+		for j := 0; j < i; j++ {
+			if scan[i].compIndex == scan[j].compIndex {
+				return FormatError("repeated component selector")
+			}
+		}
+		totalHV += d.comp[compIndex].h * d.comp[compIndex].v
+
 		scan[i].td = d.tmp[2+2*i] >> 4
 		if scan[i].td > maxTh {
 			return FormatError("bad Td value")
@@ -84,6 +97,11 @@ func (d *decoder) processSOS(n int) error {
 			return FormatError("bad Ta value")
 		}
 	}
+	// Section B.2.3 states that if there is more than one component then the
+	// total H*V values in a scan must be <= 10.
+	if d.nComp > 1 && totalHV > 10 {
+		return FormatError("total sampling factors too large")
+	}
 
 	// zigStart and zigEnd are the spectral selection bounds.
 	// ah and al are the successive approximation high and low values.