Bug 2372 - Crash when processing 8-bit encoded JPEGs
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Video
Version: 1.33 SVN
Hardware: All All
Importance: P3 major
Assignee: Ryan C. Gordon
QA Contact: ioquake3 bugzilla mailing list
Reported: 2005-09-07 13:49 EDT by Thilo Schulz
Modified: 2007-05-21 11:27:30 EDT

Attachments
Fix 8-bit jpeg crash (1.06 KB, patch)
2005-09-07 13:51 EDT, Thilo Schulz
Example jpg triggering the crash (1.23 KB, image/jpeg)
2005-09-07 14:21 EDT, Thilo Schulz

Description Thilo Schulz 2005-09-07 13:49:57 EDT
Hello,

I have hunted down a crash that occurs when the quake3 engine is processing
8-bit encoded jpegs. It could for example be triggered by some jackass
installing some weird .pk3 file on his server that contains a bad .jpg in a
map.
Quake 3 seems to allocate the buffer for the decoded image using:

row_stride = cinfo.output_width * cinfo.output_components;
out = ri.Malloc(cinfo.output_width*cinfo.output_height*cinfo.output_components);

On 8-bit encoded jpegs, cinfo.output_components is 1, as opposed to normal
24-bit jpegs having 4 in that variable (I checked with the debugger).
Why would anyone want to do something like that? If cinfo.output_components is
1, the loop where they set all alpha channel data to full occlusion overwrites
parts of memory far outside the space of the actual image, as it uses the count
of pixels in the image to iterate through the image.
The diff file attached will fix this crash, but not the handling of 8-bit encoded
jpegs.

The problem is that the jpeg library does not seem to convert the image to the
4-byte-per-pixel format but just returns exactly one byte per pixel (I checked
with memset setting the buffer to 0, then looking at what pixels actually got
written). I don't even know whether it decodes everything correctly; the gimp
gives me a non-grayscale image, which would suggest that there actually are rgb
values in that jpg.

Could someone with more experience in the jpeg file format please check this out
and fix 8-bit jpeg rendering as well?
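An added example (not from the bug report or the ioquake3 tree) that isolates the two halves of the diagnosis above without linking libjpeg: one function measures how far the "clear all alphas" loop runs past a buffer sized from output_components, the other is a bounds-safe conversion that sizes the output from the reported component count and expands 8-bit grayscale instead of trusting the 4-byte assumption. The decoded_image struct and its field names are constructed stand-ins for the libjpeg cinfo fields the report mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for what the decoder leaves behind: output_components
 * is 4 for the RGB case described in the report and 1 for 8-bit grayscale.
 * pixels holds output_width*output_height*output_components bytes. */
typedef struct {
    unsigned output_width, output_height, output_components;
    const uint8_t *pixels;
} decoded_image;

/* Number of bytes the original alpha-fill loop runs past the allocation:
 * it iterates over width*height*4 bytes while the buffer was allocated
 * with width*height*components. 0 means the loop stays in bounds. */
size_t alpha_loop_overrun(unsigned w, unsigned h, unsigned comps)
{
    size_t alloc = (size_t)w * h * comps;
    size_t loop_end = (size_t)w * h * 4;
    return loop_end > alloc ? loop_end - alloc : 0;
}

/* Hardened conversion: always returns a width*height*4 RGBA buffer sized
 * independently of what the decoder produced, rejects unsupported layouts
 * and size overflow. Returns NULL on failure; caller frees the result. */
uint8_t *to_rgba(const decoded_image *img)
{
    size_t npix, out_len, i;
    uint8_t *out;

    if (img->output_width == 0 || img->output_height == 0) return NULL;
    if (img->output_components != 1 && img->output_components != 4) return NULL;
    if (img->output_width > SIZE_MAX / img->output_height) return NULL;
    npix = (size_t)img->output_width * img->output_height;
    if (npix > SIZE_MAX / 4) return NULL;
    out_len = npix * 4;
    out = malloc(out_len);
    if (!out) return NULL;
    if (img->output_components == 4) {
        memcpy(out, img->pixels, out_len);        /* already 4 bytes/pixel */
    } else {
        for (i = 0; i < npix; i++)                /* gray -> R = G = B */
            out[i * 4] = out[i * 4 + 1] = out[i * 4 + 2] = img->pixels[i];
    }
    for (i = 3; i < out_len; i += 4)              /* alpha opaque, in bounds */
        out[i] = 255;
    return out;
}
```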
Comment 1 Thilo Schulz 2005-09-07 13:51:09 EDT
Created attachment 777
Fix 8-bit jpeg crash
Comment 2 Thilo Schulz 2005-09-07 14:21:00 EDT
Created attachment 778
Example jpg triggering the crash

I have added an example .jpg file that will trigger the crash I mentioned.
Comment 3 Ryan C. Gordon 2005-09-07 14:27:51 EDT
Brief history:

- All Quake3 images were TGA files until hours before the game shipped. They
converted to jpg at the last moment when id discovered they were over the limit
for what a CD would hold.

- The .jpg decoder is cut-and-pasted from the libjpeg example code.  :)

- The only part that doesn't look like the libjpeg code is the part where they
fill in the alpha channel, so your diagnosis of this bug is correct.

I'm checking in a fix.

--ryan.

Comment 4 Ryan C. Gordon 2005-09-07 14:29:23 EDT
Fixed in svn revision #87, thanks Thilo!

--ryan.

Comment 5 Ryan C. Gordon 2007-05-21 11:27:30 EDT
Setting a QA contact on all ioquake3 bugs, even resolved ones. Sorry if you get a flood of email from this, it should only happen once. Apologies for the inconvenience.

--ryan.