[gdk-pixbuf] jpeg: Throw error when number of color components is unsupported



commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <muelli cryptobitch de>
Date:   Wed Jul 12 20:36:11 2017 +0200

    jpeg: Throw error when number of color components is unsupported
    
    Explicitly check "3" or "4" output color components.
    
    gdk-pixbuf assumed the value of output_components to be either
    3 or 4, but not an invalid value (9) or an unsupported value (1).
    
    The way the buffer size was deduced was using a naive "== 4" check,
    with a 1, 3 or 9 color component picture getting the same buffer size,
    a size just sufficient for 3 color components, causing invalid writes
    later when libjpeg-turbo was decoding the image.
    
    CVE-2017-2862
    
    Sent by from Marcin 'Icewall' Noga of Cisco Talos
    
    https://bugzilla.gnome.org/show_bug.cgi?id=784866

 gdk-pixbuf/io-jpeg.c |   23 +++++++++++++++++++----
 1 files changed, 19 insertions(+), 4 deletions(-)
---
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a35..1c0eba1 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
                if (!context->got_header) {
                        int rc;
                        gchar* comment;
+                       gboolean has_alpha;
                
                        jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
                        jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
                                }
                        }
                        jpeg_calc_output_dimensions (cinfo);
-                       
-                       context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, 
-                                                         cinfo->output_components == 4 ? TRUE : FALSE,
-                                                         8, 
+
+                       if (cinfo->output_components == 3) {
+                               has_alpha = FALSE;
+                       } else if (cinfo->output_components == 4) {
+                               has_alpha = TRUE;
+                       } else {
+                               g_set_error (error,
+                                            GDK_PIXBUF_ERROR,
+                                            GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                            _("Unsupported number of color components (%d)"),
+                                            cinfo->output_components);
+                               retval = FALSE;
+                               goto out;
+                       }
+
+                       context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+                                                         has_alpha,
+                                                         8,
                                                          cinfo->output_width,
                                                          cinfo->output_height);
 
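Review bot: The `else` branch treats `output_components == 1` the same as a nonsensical count such as 9, so a well-formed grayscale JPEG, for which libjpeg normally reports one output component, would presumably now be refused with GDK_PIXBUF_ERROR_CORRUPT_IMAGE. Whether that is a regression depends on the row-decoding code outside this hunk: if it expands single-component rows into RGB, the 3-channel pixbuf already covers that case and the first test could read `if (cinfo->output_components == 3 || cinfo->output_components == 1) {`. If grayscale really is unsupported here, a separate message for valid-but-unsupported input would keep it distinguishable from corrupt files during triage. A short comment above the check, e.g. `/* the pixbuf's channel count must cover what the decoder writes per pixel */`, would record why the whitelist exists, and a regression test over 1, 3, 4 and an out-of-range count would keep allocation and decoding in step. The enclosing function starts and ends outside the hunk.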

